@webdecoy/fcaptcha 1.0.1 → 1.0.4

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@webdecoy/fcaptcha",
-  "version": "1.0.1",
+  "version": "1.0.4",
   "description": "Open source CAPTCHA with PoW, bot detection, and Vision AI protection",
   "main": "index.js",
   "exports": {

package/server.js

@@ -42,13 +42,11 @@ const powChallengeStore = {
     };
 
     // Sign the challenge
-    const sig = crypto.createHmac('sha256', SECRET_KEY)
+    challengeData.sig = crypto.createHmac('sha256', SECRET_KEY)
       .update(JSON.stringify(challengeData))
       .digest('hex')
       .slice(0, 16);
 
-    challengeData.sig = sig;
-
     // Store challenge
     this.challenges.set(challengeId, {
       ...challengeData,
@@ -173,6 +171,35 @@ const fingerprintStore = {
   }
 };
 
+// Token Store - prevents token replay attacks
+const tokenStore = {
+  usedTokens: new Set(),
+
+  // Mark a token as used (returns false if already used)
+  markUsed(tokenSig) {
+    if (this.usedTokens.has(tokenSig)) {
+      return false; // Already used
+    }
+    this.usedTokens.add(tokenSig);
+
+    // Cleanup old tokens periodically (tokens expire after 5 min anyway)
+    if (Math.random() < 0.1) this._cleanup();
+    return true;
+  },
+
+  isUsed(tokenSig) {
+    return this.usedTokens.has(tokenSig);
+  },
+
+  _cleanup() {
+    // In production with Redis, use TTL instead
+    // For in-memory, just clear if too large (tokens expire in 5 min)
+    if (this.usedTokens.size > 50000) {
+      this.usedTokens.clear();
+    }
+  }
+};
+
 // =============================================================================
 // Detection Patterns
 // =============================================================================
@@ -187,7 +214,8 @@ const WEIGHTS = {
   vision_ai: 0.15,
   headless: 0.15,
   automation: 0.10,
-  behavioral: 0.20,
+  cdp: 0.12,
+  behavioral: 0.18,
   fingerprint: 0.10,
   rate_limit: 0.05,
   datacenter: 0.10,
@@ -383,6 +411,46 @@ function detectAutomation(signals) {
   return detections;
 }
 
+function detectCDP(signals) {
+  const detections = [];
+  const env = signals.environmental || {};
+  const cdp = env.cdp || {};
+
+  if (cdp.detected) {
+    const signalList = cdp.signals || [];
+    const signalCount = signalList.length;
+
+    // High-confidence signals
+    const highConfSignals = ['chromedriver_cdc', 'puppeteer_eval', 'cdp_script_injection'];
+    const hasHighConf = signalList.some(s => highConfSignals.includes(s));
+
+    if (hasHighConf) {
+      detections.push({
+        category: 'cdp',
+        score: 0.9,
+        confidence: 0.95,
+        reason: `CDP automation detected: ${signalList.join(', ')}`
+      });
+    } else if (signalCount >= 2) {
+      detections.push({
+        category: 'cdp',
+        score: 0.8,
+        confidence: 0.85,
+        reason: `Multiple CDP indicators: ${signalList.join(', ')}`
+      });
+    } else if (signalCount === 1) {
+      detections.push({
+        category: 'cdp',
+        score: 0.6,
+        confidence: 0.7,
+        reason: `CDP indicator: ${signalList.join(', ')}`
+      });
+    }
+  }
+
+  return detections;
+}
+
 function detectBehavioral(signals) {
   const detections = [];
   const b = signals.behavioral || {};
@@ -585,13 +653,12 @@ function generateToken(ip, siteKey, score) {
   };
 
   const payload = JSON.stringify(data, Object.keys(data).sort());
-  const sig = crypto.createHmac('sha256', SECRET_KEY).update(payload).digest('hex').slice(0, 16);
-  data.sig = sig;
+  data.sig = crypto.createHmac('sha256', SECRET_KEY).update(payload).digest('hex').slice(0, 16);
 
   return Buffer.from(JSON.stringify(data)).toString('base64url');
 }
 
-function verifyToken(token) {
+function verifyToken(token, ip = null) {
   try {
     const decoded = JSON.parse(Buffer.from(token, 'base64url').toString());
 
@@ -610,11 +677,28 @@ function verifyToken(token) {
       return { valid: false, reason: 'invalid_signature' };
     }
 
+    // Check for token replay (single-use tokens)
+    if (tokenStore.isUsed(sig)) {
+      return { valid: false, reason: 'token_already_used' };
+    }
+
+    // Verify IP matches (if provided)
+    if (ip) {
+      const expectedIpHash = crypto.createHash('sha256').update(ip).digest('hex').slice(0, 8);
+      if (decoded.ip_hash !== expectedIpHash) {
+        return { valid: false, reason: 'ip_mismatch' };
+      }
+    }
+
+    // Mark token as used (prevents replay)
+    tokenStore.markUsed(sig);
+
     return {
       valid: true,
       site_key: decoded.site_key,
       timestamp: decoded.timestamp,
-      score: decoded.score
+      score: decoded.score,
+      ip_hash: decoded.ip_hash
     };
   } catch (e) {
     return { valid: false, reason: e.message };
@@ -626,6 +710,7 @@ function runVerification(signals, ip, siteKey, userAgent, headers = {}, ja3Hash
     ...detectVisionAI(signals),
     ...detectHeadless(signals, userAgent),
     ...detectAutomation(signals),
+    ...detectCDP(signals),
     ...detectBehavioral(signals),
     ...detectFingerprint(signals, ip, siteKey),
     ...detectRateAbuse(ip, siteKey)
@@ -777,7 +862,19 @@ app.post('/api/score', (req, res) => {
 
 app.post('/api/token/verify', (req, res) => {
   const { token } = req.body;
-  res.json(verifyToken(token));
+
+  // Extract client IP for verification
+  let ip = req.headers['x-real-ip'] || '';
+  if (!ip) {
+    const forwarded = req.headers['x-forwarded-for'];
+    if (forwarded) {
+      ip = forwarded.split(',')[0].trim();
+    } else {
+      ip = req.socket.remoteAddress;
+    }
+  }
+
+  res.json(verifyToken(token, ip));
 });
 
 // PoW Challenge endpoint - client fetches this on page load