altcha 3.0.0-beta.2 → 3.0.0-beta.3

package/dist/plugins/obfuscation.plugin.js

@@ -14,6 +14,42 @@ class BasePlugin {
   async onVerify(value) {
   }
 }
+function getDigest(algorithm) {
+  switch (algorithm) {
+    case "PBKDF2/SHA-512":
+      return "SHA-512";
+    case "PBKDF2/SHA-384":
+      return "SHA-384";
+    case "PBKDF2/SHA-256":
+    default:
+      return "SHA-256";
+  }
+}
+async function deriveKey(parameters, salt, password) {
+  const { algorithm, cost, keyLength = 32 } = parameters;
+  const passwordKey = await crypto.subtle.importKey(
+    "raw",
+    password,
+    { name: "PBKDF2" },
+    false,
+    ["deriveKey"]
+  );
+  const derivedKey = await crypto.subtle.deriveKey(
+    {
+      name: "PBKDF2",
+      salt,
+      iterations: cost,
+      hash: getDigest(algorithm)
+    },
+    passwordKey,
+    { name: "AES-GCM", length: keyLength * 8 },
+    true,
+    ["encrypt"]
+  );
+  return {
+    derivedKey: new Uint8Array(await crypto.subtle.exportKey("raw", derivedKey))
+  };
+}
 function bufferStartsWith(buffer, prefix) {
   if (prefix.length > buffer.length) {
     return false;
@@ -94,7 +130,7 @@ async function solveChallenge(options) {
     counterMode = "uint32",
     counterStart = 0,
     counterStep = 1,
-    deriveKey,
+    deriveKey: deriveKey2,
     timeout = 9e4
   } = options;
   const { nonce, keyPrefix, salt } = challenge.parameters;
@@ -110,7 +146,7 @@ async function solveChallenge(options) {
     if (controller?.signal.aborted || timeout && counter % 10 === 0 && performance.now() - start > timeout) {
       return null;
     }
-    const { derivedKey } = await deriveKey(
+    const { derivedKey } = await deriveKey2(
       challenge.parameters,
       saltBuf,
       password.setCounter(counter)
@@ -138,7 +174,8 @@ async function solveChallengeWorkers(options) {
     controller = new AbortController(),
     createWorker,
     onOutOfMemory = (c) => c > 1 ? Math.floor(c / 2) : 0,
-    counterMode
+    counterMode,
+    timeout = 9e4
   } = options;
   const workersConcurrency = Math.min(16, Math.max(1, concurrency));
   const workersInstances = [];
@@ -179,6 +216,7 @@ async function solveChallengeWorkers(options) {
             counterMode,
             counterStart: i,
             counterStep: workersConcurrency,
+            timeout,
             type: "work"
           });
         });
@@ -211,7 +249,11 @@ async function solveChallengeWorkers(options) {
   return solution || null;
 }
 async function deobfuscate(obfuscatedData, options = {}) {
-  const { concurrency = navigator.hardwareConcurrency, deriveKey: deriveKey2 } = options;
+  let {
+    concurrency = Math.max(1, Math.min(4, navigator.hardwareConcurrency)),
+    createWorker,
+    deriveKey: deriveKey$1 = deriveKey
+  } = options;
   let challenge = null;
   try {
     challenge = JSON.parse(atob(obfuscatedData));
@@ -223,21 +265,20 @@ async function deobfuscate(obfuscatedData, options = {}) {
   }
   const cipher = challenge.cipher;
   let solution = null;
-  if (deriveKey2) {
-    solution = await solveChallenge({
-      challenge,
-      deriveKey: deriveKey2
-    });
-  } else {
-    const createWorker = globalThis.$altcha.algorithms.get(challenge.parameters.algorithm);
-    if (!createWorker) {
-      throw new Error(`Unsupported algorithm ${challenge.parameters.algorithm}.`);
-    }
+  if (!createWorker && "$altcha" in globalThis) {
+    createWorker = globalThis.$altcha.algorithms.get(challenge.parameters.algorithm);
+  }
+  if (createWorker) {
     solution = await solveChallengeWorkers({
       challenge,
       concurrency,
       createWorker
     });
+  } else {
+    solution = await solveChallenge({
+      challenge,
+      deriveKey: deriveKey$1
+    });
   }
   if (!solution) {
     throw new Error("Unable to find solution.");

package/dist/plugins/obfuscation.plugin.min.js

@@ -1 +1 @@
-class e{constructor(e){this.host=e}static register(e){"$altcha"in globalThis&&!globalThis.$altcha.plugins.has(e)&&globalThis.$altcha.plugins.add(e)}async onFetchChallenge(e){}async onRequestServerVerification(e,t){}async onVerify(e){}}function t(e,t){if(t.length>e.length)return!1;for(let r=0;r<t.length;r++)if(e[r]!==t[r])return!1;return!0}function r(e){return Array.from(new Uint8Array(e)).map(e=>e.toString(16).padStart(2,"0")).join("")}function n(e){if(e.length%2!=0)throw new Error(`Hex string must have an even length. Got: ${e}`);const t=new ArrayBuffer(e.length/2),r=new DataView(t);for(let t=0;t<e.length;t+=2){const n=e.substring(t,t+2),a=parseInt(n,16);r.setUint8(t/2,a)}return new Uint8Array(t)}async function a(e){await new Promise(t=>setTimeout(t,e))}function o(e){return Math.floor(10*(performance.now()-e))/10}var i=(e=>(e.CODE="code",e.ERROR="error",e.VERIFIED="verified",e.VERIFYING="verifying",e.UNVERIFIED="unverified",e.EXPIRED="expired",e))(i||{});class s{constructor(e,t="uint32"){this.nonce=e,this.mode=t,this.buffer=new Uint8Array(this.nonce.length+this.COUNTER_BYTES),this.buffer.set(this.nonce,0),this.dataView=new DataView(this.buffer.buffer)}COUNTER_BYTES=4;buffer;dataView;encoder=new TextEncoder;setCounter(e){return"string"===this.mode?function(e,t){const r=new Uint8Array(e.length+t.length);return r.set(e,0),r.set(t,e.length),r}(this.nonce,this.encoder.encode(e.toString())):(this.dataView.setUint32(this.nonce.length,e,!1),this.buffer)}}async function c(e){const{challenge:t,concurrency:r=navigator.hardwareConcurrency,controller:n=new AbortController,createWorker:a,onOutOfMemory:o=e=>e>1?Math.floor(e/2):0,counterMode:i}=e,s=Math.min(16,Math.max(1,r)),l=[],h=()=>{for(const e of l)e.terminate()};for(let e=0;e<s;e++)l.push(await a(t.parameters.algorithm));let u=null;try{u=await Promise.race(l.map((e,r)=>(n.signal.addEventListener("abort",()=>{e.postMessage({type:"abort"})}),new Promise((n,a)=>{e.addEventListener("error",e=>{a(e)}),e.addEventListener("message",t=>{if(t.data){for(const t of l)t!==e&&t.postMessage({type:"abort"});if(t.data.error)return a(new Error(t.data.error))}n(t.data)}),e.postMessage({challenge:t,counterMode:i,counterStart:r,counterStep:s,type:"work"})}))))}catch(r){if(r instanceof Error&&!!r?.message?.includes("Out of memory")&&o){h();const r=o(s);if(r)return c({...e,challenge:t,controller:n,concurrency:r,createWorker:a})}throw r}finally{h()}return n.signal.aborted?null:u||null}async function l(e,i={}){const{concurrency:l=navigator.hardwareConcurrency,deriveKey:h}=i;let u=null;try{u=JSON.parse(atob(e))}catch{throw new Error("Unable to parse obfuscated data.")}if(!u||"object"!=typeof u||!("parameters"in u)||!("cipher"in u))throw new Error("Invalid obfuscated data format.");const f=u.cipher;let g=null;if(h)g=await async function(e){const{challenge:i,controller:c,counterMode:l="uint32",counterStart:h=0,counterStep:u=1,deriveKey:f,timeout:g=9e4}=e,{nonce:d,keyPrefix:w,salt:m}=i.parameters,y=n(d),p=n(m),E=w.length%2==0?n(w):null,b=new s(y,l),T=performance.now();let v=h,S="",C=T;for(;;){if(c?.signal.aborted||g&&v%10==0&&performance.now()-T>g)return null;const{derivedKey:e}=await f(i.parameters,p,b.setCounter(v));if(v%10==0&&performance.now()-C>200&&(await a(0),C=performance.now()),E?t(e,E):r(e).startsWith(w)){S=r(e);break}v+=u}return{counter:v,derivedKey:S,time:o(T)}}({challenge:u,deriveKey:h});else{const e=globalThis.$altcha.algorithms.get(u.parameters.algorithm);if(!e)throw new Error(`Unsupported algorithm ${u.parameters.algorithm}.`);g=await c({challenge:u,concurrency:l,createWorker:e})}if(!g)throw new Error("Unable to find solution.");const d=await crypto.subtle.importKey("raw",n(g.derivedKey),{name:"AES-GCM"},!1,["decrypt"]),w=await crypto.subtle.decrypt({name:"AES-GCM",iv:n(f.iv)},d,n(f.data));return(new TextDecoder).decode(w)}e.register(class extends e{elTrigger=null;activate(){this.elTrigger=this.host.querySelector("button"),this.elTrigger&&(this.elTrigger.addEventListener("click",this.onTriggerClick.bind(this)),this.host.configure({floatingAnchor:this.elTrigger}))}destroy(){}async onVerify(e){const{minDuration:t=500}=e,r=performance.now(),n=this.host.getAttribute("data-obfuscated");if(n){this.host.reset(i.VERIFYING);try{const e=await l(n);await this.#e(Math.max(0,t-(performance.now()-r))),this.#t(e)}catch(e){this.host.setState(i.ERROR,String(e))}finally{this.host.setState(i.VERIFIED)}return null}}onTriggerClick(e){e.preventDefault(),this.host.show(),this.host.verify().then(()=>{this.host.hide()})}#t(e){let t;if(e.match(/^(mailto|tel|sms|https?):/)){const[r]=e.slice(e.indexOf(":")+1).replace(/^\/\//,"").split("?");t=document.createElement("a"),t.href=e,t.innerText=r}else t=document.createTextNode(e);this.elTrigger&&t&&(this.elTrigger.after(t),this.elTrigger.parentElement?.removeChild(this.elTrigger))}async#e(e){await new Promise(t=>setTimeout(t,e))}});
+class e{constructor(e){this.host=e}static register(e){"$altcha"in globalThis&&!globalThis.$altcha.plugins.has(e)&&globalThis.$altcha.plugins.add(e)}async onFetchChallenge(e){}async onRequestServerVerification(e,t){}async onVerify(e){}}function t(e){switch(e){case"PBKDF2/SHA-512":return"SHA-512";case"PBKDF2/SHA-384":return"SHA-384";default:return"SHA-256"}}async function r(e,r,n){const{algorithm:a,cost:o,keyLength:i=32}=e,s=await crypto.subtle.importKey("raw",n,{name:"PBKDF2"},!1,["deriveKey"]),c=await crypto.subtle.deriveKey({name:"PBKDF2",salt:r,iterations:o,hash:t(a)},s,{name:"AES-GCM",length:8*i},!0,["encrypt"]);return{derivedKey:new Uint8Array(await crypto.subtle.exportKey("raw",c))}}function n(e,t){if(t.length>e.length)return!1;for(let r=0;r<t.length;r++)if(e[r]!==t[r])return!1;return!0}function a(e){return Array.from(new Uint8Array(e)).map(e=>e.toString(16).padStart(2,"0")).join("")}function o(e){if(e.length%2!=0)throw new Error(`Hex string must have an even length. Got: ${e}`);const t=new ArrayBuffer(e.length/2),r=new DataView(t);for(let t=0;t<e.length;t+=2){const n=e.substring(t,t+2),a=parseInt(n,16);r.setUint8(t/2,a)}return new Uint8Array(t)}async function i(e){await new Promise(t=>setTimeout(t,e))}function s(e){return Math.floor(10*(performance.now()-e))/10}var c=(e=>(e.CODE="code",e.ERROR="error",e.VERIFIED="verified",e.VERIFYING="verifying",e.UNVERIFIED="unverified",e.EXPIRED="expired",e))(c||{});class l{constructor(e,t="uint32"){this.nonce=e,this.mode=t,this.buffer=new Uint8Array(this.nonce.length+this.COUNTER_BYTES),this.buffer.set(this.nonce,0),this.dataView=new DataView(this.buffer.buffer)}COUNTER_BYTES=4;buffer;dataView;encoder=new TextEncoder;setCounter(e){return"string"===this.mode?function(e,t){const r=new Uint8Array(e.length+t.length);return r.set(e,0),r.set(t,e.length),r}(this.nonce,this.encoder.encode(e.toString())):(this.dataView.setUint32(this.nonce.length,e,!1),this.buffer)}}async function h(e){const{challenge:t,concurrency:r=navigator.hardwareConcurrency,controller:n=new AbortController,createWorker:a,onOutOfMemory:o=e=>e>1?Math.floor(e/2):0,counterMode:i,timeout:s=9e4}=e,c=Math.min(16,Math.max(1,r)),l=[],u=()=>{for(const e of l)e.terminate()};for(let e=0;e<c;e++)l.push(await a(t.parameters.algorithm));let f=null;try{f=await Promise.race(l.map((e,r)=>(n.signal.addEventListener("abort",()=>{e.postMessage({type:"abort"})}),new Promise((n,a)=>{e.addEventListener("error",e=>{a(e)}),e.addEventListener("message",t=>{if(t.data){for(const t of l)t!==e&&t.postMessage({type:"abort"});if(t.data.error)return a(new Error(t.data.error))}n(t.data)}),e.postMessage({challenge:t,counterMode:i,counterStart:r,counterStep:c,timeout:s,type:"work"})}))))}catch(r){if(r instanceof Error&&!!r?.message?.includes("Out of memory")&&o){u();const r=o(c);if(r)return h({...e,challenge:t,controller:n,concurrency:r,createWorker:a})}throw r}finally{u()}return n.signal.aborted?null:f||null}async function u(e,t={}){let{concurrency:c=Math.max(1,Math.min(4,navigator.hardwareConcurrency)),createWorker:u,deriveKey:f=r}=t,g=null;try{g=JSON.parse(atob(e))}catch{throw new Error("Unable to parse obfuscated data.")}if(!g||"object"!=typeof g||!("parameters"in g)||!("cipher"in g))throw new Error("Invalid obfuscated data format.");const d=g.cipher;let w=null;if(!u&&"$altcha"in globalThis&&(u=globalThis.$altcha.algorithms.get(g.parameters.algorithm)),w=u?await h({challenge:g,concurrency:c,createWorker:u}):await async function(e){const{challenge:t,controller:r,counterMode:c="uint32",counterStart:h=0,counterStep:u=1,deriveKey:f,timeout:g=9e4}=e,{nonce:d,keyPrefix:w,salt:y}=t.parameters,m=o(d),p=o(y),b=w.length%2==0?o(w):null,E=new l(m,c),v=performance.now();let T=h,S="",A=v;for(;;){if(r?.signal.aborted||g&&T%10==0&&performance.now()-v>g)return null;const{derivedKey:e}=await f(t.parameters,p,E.setCounter(T));if(T%10==0&&performance.now()-A>200&&(await i(0),A=performance.now()),b?n(e,b):a(e).startsWith(w)){S=a(e);break}T+=u}return{counter:T,derivedKey:S,time:s(v)}}({challenge:g,deriveKey:f}),!w)throw new Error("Unable to find solution.");const y=await crypto.subtle.importKey("raw",o(w.derivedKey),{name:"AES-GCM"},!1,["decrypt"]),m=await crypto.subtle.decrypt({name:"AES-GCM",iv:o(d.iv)},y,o(d.data));return(new TextDecoder).decode(m)}e.register(class extends e{elTrigger=null;activate(){this.elTrigger=this.host.querySelector("button"),this.elTrigger&&(this.elTrigger.addEventListener("click",this.onTriggerClick.bind(this)),this.host.configure({floatingAnchor:this.elTrigger}))}destroy(){}async onVerify(e){const{minDuration:t=500}=e,r=performance.now(),n=this.host.getAttribute("data-obfuscated");if(n){this.host.reset(c.VERIFYING);try{const e=await u(n);await this.#e(Math.max(0,t-(performance.now()-r))),this.#t(e)}catch(e){this.host.setState(c.ERROR,String(e))}finally{this.host.setState(c.VERIFIED)}return null}}onTriggerClick(e){e.preventDefault(),this.host.show(),this.host.verify().then(()=>{this.host.hide()})}#t(e){let t;if(e.match(/^(mailto|tel|sms|https?):/)){const[r]=e.slice(e.indexOf(":")+1).replace(/^\/\//,"").split("?");t=document.createElement("a"),t.href=e,t.innerText=r}else t=document.createTextNode(e);this.elTrigger&&t&&(this.elTrigger.after(t),this.elTrigger.parentElement?.removeChild(this.elTrigger))}async#e(e){await new Promise(t=>setTimeout(t,e))}});

package/dist/plugins/obfuscation.plugin.umd.cjs

@@ -18,6 +18,42 @@
     async onVerify(value) {
     }
   }
+  function getDigest(algorithm) {
+    switch (algorithm) {
+      case "PBKDF2/SHA-512":
+        return "SHA-512";
+      case "PBKDF2/SHA-384":
+        return "SHA-384";
+      case "PBKDF2/SHA-256":
+      default:
+        return "SHA-256";
+    }
+  }
+  async function deriveKey(parameters, salt, password) {
+    const { algorithm, cost, keyLength = 32 } = parameters;
+    const passwordKey = await crypto.subtle.importKey(
+      "raw",
+      password,
+      { name: "PBKDF2" },
+      false,
+      ["deriveKey"]
+    );
+    const derivedKey = await crypto.subtle.deriveKey(
+      {
+        name: "PBKDF2",
+        salt,
+        iterations: cost,
+        hash: getDigest(algorithm)
+      },
+      passwordKey,
+      { name: "AES-GCM", length: keyLength * 8 },
+      true,
+      ["encrypt"]
+    );
+    return {
+      derivedKey: new Uint8Array(await crypto.subtle.exportKey("raw", derivedKey))
+    };
+  }
   function bufferStartsWith(buffer, prefix) {
     if (prefix.length > buffer.length) {
       return false;
@@ -98,7 +134,7 @@
       counterMode = "uint32",
       counterStart = 0,
       counterStep = 1,
-      deriveKey,
+      deriveKey: deriveKey2,
       timeout = 9e4
     } = options;
     const { nonce, keyPrefix, salt } = challenge.parameters;
@@ -114,7 +150,7 @@
       if (controller?.signal.aborted || timeout && counter % 10 === 0 && performance.now() - start > timeout) {
         return null;
       }
-      const { derivedKey } = await deriveKey(
+      const { derivedKey } = await deriveKey2(
         challenge.parameters,
         saltBuf,
         password.setCounter(counter)
@@ -142,7 +178,8 @@
       controller = new AbortController(),
       createWorker,
       onOutOfMemory = (c) => c > 1 ? Math.floor(c / 2) : 0,
-      counterMode
+      counterMode,
+      timeout = 9e4
     } = options;
     const workersConcurrency = Math.min(16, Math.max(1, concurrency));
     const workersInstances = [];
@@ -183,6 +220,7 @@
               counterMode,
               counterStart: i,
               counterStep: workersConcurrency,
+              timeout,
               type: "work"
             });
           });
@@ -215,7 +253,11 @@
     return solution || null;
   }
   async function deobfuscate(obfuscatedData, options = {}) {
-    const { concurrency = navigator.hardwareConcurrency, deriveKey: deriveKey2 } = options;
+    let {
+      concurrency = Math.max(1, Math.min(4, navigator.hardwareConcurrency)),
+      createWorker,
+      deriveKey: deriveKey$1 = deriveKey
+    } = options;
     let challenge = null;
     try {
       challenge = JSON.parse(atob(obfuscatedData));
@@ -227,21 +269,20 @@
     }
     const cipher = challenge.cipher;
     let solution = null;
-    if (deriveKey2) {
-      solution = await solveChallenge({
-        challenge,
-        deriveKey: deriveKey2
-      });
-    } else {
-      const createWorker = globalThis.$altcha.algorithms.get(challenge.parameters.algorithm);
-      if (!createWorker) {
-        throw new Error(`Unsupported algorithm ${challenge.parameters.algorithm}.`);
-      }
+    if (!createWorker && "$altcha" in globalThis) {
+      createWorker = globalThis.$altcha.algorithms.get(challenge.parameters.algorithm);
+    }
+    if (createWorker) {
       solution = await solveChallengeWorkers({
         challenge,
         concurrency,
         createWorker
       });
+    } else {
+      solution = await solveChallenge({
+        challenge,
+        deriveKey: deriveKey$1
+      });
     }
     if (!solution) {
       throw new Error("Unable to find solution.");

package/dist/plugins/obfuscation.plugin.umd.min.cjs

@@ -1 +1 @@
-!function(e){"function"==typeof define&&define.amd?define(e):e()}(function(){"use strict";class e{constructor(e){this.host=e}static register(e){"$altcha"in globalThis&&!globalThis.$altcha.plugins.has(e)&&globalThis.$altcha.plugins.add(e)}async onFetchChallenge(e){}async onRequestServerVerification(e,t){}async onVerify(e){}}function t(e,t){if(t.length>e.length)return!1;for(let r=0;r<t.length;r++)if(e[r]!==t[r])return!1;return!0}function r(e){return Array.from(new Uint8Array(e)).map(e=>e.toString(16).padStart(2,"0")).join("")}function n(e){if(e.length%2!=0)throw new Error(`Hex string must have an even length. Got: ${e}`);const t=new ArrayBuffer(e.length/2),r=new DataView(t);for(let t=0;t<e.length;t+=2){const n=e.substring(t,t+2),a=parseInt(n,16);r.setUint8(t/2,a)}return new Uint8Array(t)}async function a(e){await new Promise(t=>setTimeout(t,e))}function o(e){return Math.floor(10*(performance.now()-e))/10}var i=(e=>(e.CODE="code",e.ERROR="error",e.VERIFIED="verified",e.VERIFYING="verifying",e.UNVERIFIED="unverified",e.EXPIRED="expired",e))(i||{});class s{constructor(e,t="uint32"){this.nonce=e,this.mode=t,this.buffer=new Uint8Array(this.nonce.length+this.COUNTER_BYTES),this.buffer.set(this.nonce,0),this.dataView=new DataView(this.buffer.buffer)}COUNTER_BYTES=4;buffer;dataView;encoder=new TextEncoder;setCounter(e){return"string"===this.mode?function(e,t){const r=new Uint8Array(e.length+t.length);return r.set(e,0),r.set(t,e.length),r}(this.nonce,this.encoder.encode(e.toString())):(this.dataView.setUint32(this.nonce.length,e,!1),this.buffer)}}async function c(e){const{challenge:t,concurrency:r=navigator.hardwareConcurrency,controller:n=new AbortController,createWorker:a,onOutOfMemory:o=e=>e>1?Math.floor(e/2):0,counterMode:i}=e,s=Math.min(16,Math.max(1,r)),l=[],h=()=>{for(const e of l)e.terminate()};for(let e=0;e<s;e++)l.push(await a(t.parameters.algorithm));let u=null;try{u=await Promise.race(l.map((e,r)=>(n.signal.addEventListener("abort",()=>{e.postMessage({type:"abort"})}),new Promise((n,a)=>{e.addEventListener("error",e=>{a(e)}),e.addEventListener("message",t=>{if(t.data){for(const t of l)t!==e&&t.postMessage({type:"abort"});if(t.data.error)return a(new Error(t.data.error))}n(t.data)}),e.postMessage({challenge:t,counterMode:i,counterStart:r,counterStep:s,type:"work"})}))))}catch(r){if(r instanceof Error&&!!r?.message?.includes("Out of memory")&&o){h();const r=o(s);if(r)return c({...e,challenge:t,controller:n,concurrency:r,createWorker:a})}throw r}finally{h()}return n.signal.aborted?null:u||null}async function l(e,i={}){const{concurrency:l=navigator.hardwareConcurrency,deriveKey:h}=i;let u=null;try{u=JSON.parse(atob(e))}catch{throw new Error("Unable to parse obfuscated data.")}if(!u||"object"!=typeof u||!("parameters"in u)||!("cipher"in u))throw new Error("Invalid obfuscated data format.");const f=u.cipher;let g=null;if(h)g=await async function(e){const{challenge:i,controller:c,counterMode:l="uint32",counterStart:h=0,counterStep:u=1,deriveKey:f,timeout:g=9e4}=e,{nonce:d,keyPrefix:w,salt:m}=i.parameters,y=n(d),p=n(m),E=w.length%2==0?n(w):null,b=new s(y,l),T=performance.now();let v=h,S="",C=T;for(;;){if(c?.signal.aborted||g&&v%10==0&&performance.now()-T>g)return null;const{derivedKey:e}=await f(i.parameters,p,b.setCounter(v));if(v%10==0&&performance.now()-C>200&&(await a(0),C=performance.now()),E?t(e,E):r(e).startsWith(w)){S=r(e);break}v+=u}return{counter:v,derivedKey:S,time:o(T)}}({challenge:u,deriveKey:h});else{const e=globalThis.$altcha.algorithms.get(u.parameters.algorithm);if(!e)throw new Error(`Unsupported algorithm ${u.parameters.algorithm}.`);g=await c({challenge:u,concurrency:l,createWorker:e})}if(!g)throw new Error("Unable to find solution.");const d=await crypto.subtle.importKey("raw",n(g.derivedKey),{name:"AES-GCM"},!1,["decrypt"]),w=await crypto.subtle.decrypt({name:"AES-GCM",iv:n(f.iv)},d,n(f.data));return(new TextDecoder).decode(w)}e.register(class extends e{elTrigger=null;activate(){this.elTrigger=this.host.querySelector("button"),this.elTrigger&&(this.elTrigger.addEventListener("click",this.onTriggerClick.bind(this)),this.host.configure({floatingAnchor:this.elTrigger}))}destroy(){}async onVerify(e){const{minDuration:t=500}=e,r=performance.now(),n=this.host.getAttribute("data-obfuscated");if(n){this.host.reset(i.VERIFYING);try{const e=await l(n);await this.#e(Math.max(0,t-(performance.now()-r))),this.#t(e)}catch(e){this.host.setState(i.ERROR,String(e))}finally{this.host.setState(i.VERIFIED)}return null}}onTriggerClick(e){e.preventDefault(),this.host.show(),this.host.verify().then(()=>{this.host.hide()})}#t(e){let t;if(e.match(/^(mailto|tel|sms|https?):/)){const[r]=e.slice(e.indexOf(":")+1).replace(/^\/\//,"").split("?");t=document.createElement("a"),t.href=e,t.innerText=r}else t=document.createTextNode(e);this.elTrigger&&t&&(this.elTrigger.after(t),this.elTrigger.parentElement?.removeChild(this.elTrigger))}async#e(e){await new Promise(t=>setTimeout(t,e))}})});
+!function(e){"function"==typeof define&&define.amd?define(e):e()}(function(){"use strict";class e{constructor(e){this.host=e}static register(e){"$altcha"in globalThis&&!globalThis.$altcha.plugins.has(e)&&globalThis.$altcha.plugins.add(e)}async onFetchChallenge(e){}async onRequestServerVerification(e,t){}async onVerify(e){}}function t(e){switch(e){case"PBKDF2/SHA-512":return"SHA-512";case"PBKDF2/SHA-384":return"SHA-384";default:return"SHA-256"}}async function r(e,r,n){const{algorithm:a,cost:i,keyLength:o=32}=e,s=await crypto.subtle.importKey("raw",n,{name:"PBKDF2"},!1,["deriveKey"]),c=await crypto.subtle.deriveKey({name:"PBKDF2",salt:r,iterations:i,hash:t(a)},s,{name:"AES-GCM",length:8*o},!0,["encrypt"]);return{derivedKey:new Uint8Array(await crypto.subtle.exportKey("raw",c))}}function n(e,t){if(t.length>e.length)return!1;for(let r=0;r<t.length;r++)if(e[r]!==t[r])return!1;return!0}function a(e){return Array.from(new Uint8Array(e)).map(e=>e.toString(16).padStart(2,"0")).join("")}function i(e){if(e.length%2!=0)throw new Error(`Hex string must have an even length. Got: ${e}`);const t=new ArrayBuffer(e.length/2),r=new DataView(t);for(let t=0;t<e.length;t+=2){const n=e.substring(t,t+2),a=parseInt(n,16);r.setUint8(t/2,a)}return new Uint8Array(t)}async function o(e){await new Promise(t=>setTimeout(t,e))}function s(e){return Math.floor(10*(performance.now()-e))/10}var c=(e=>(e.CODE="code",e.ERROR="error",e.VERIFIED="verified",e.VERIFYING="verifying",e.UNVERIFIED="unverified",e.EXPIRED="expired",e))(c||{});class l{constructor(e,t="uint32"){this.nonce=e,this.mode=t,this.buffer=new Uint8Array(this.nonce.length+this.COUNTER_BYTES),this.buffer.set(this.nonce,0),this.dataView=new DataView(this.buffer.buffer)}COUNTER_BYTES=4;buffer;dataView;encoder=new TextEncoder;setCounter(e){return"string"===this.mode?function(e,t){const r=new Uint8Array(e.length+t.length);return r.set(e,0),r.set(t,e.length),r}(this.nonce,this.encoder.encode(e.toString())):(this.dataView.setUint32(this.nonce.length,e,!1),this.buffer)}}async function h(e){const{challenge:t,concurrency:r=navigator.hardwareConcurrency,controller:n=new AbortController,createWorker:a,onOutOfMemory:i=e=>e>1?Math.floor(e/2):0,counterMode:o,timeout:s=9e4}=e,c=Math.min(16,Math.max(1,r)),l=[],u=()=>{for(const e of l)e.terminate()};for(let e=0;e<c;e++)l.push(await a(t.parameters.algorithm));let f=null;try{f=await Promise.race(l.map((e,r)=>(n.signal.addEventListener("abort",()=>{e.postMessage({type:"abort"})}),new Promise((n,a)=>{e.addEventListener("error",e=>{a(e)}),e.addEventListener("message",t=>{if(t.data){for(const t of l)t!==e&&t.postMessage({type:"abort"});if(t.data.error)return a(new Error(t.data.error))}n(t.data)}),e.postMessage({challenge:t,counterMode:o,counterStart:r,counterStep:c,timeout:s,type:"work"})}))))}catch(r){if(r instanceof Error&&!!r?.message?.includes("Out of memory")&&i){u();const r=i(c);if(r)return h({...e,challenge:t,controller:n,concurrency:r,createWorker:a})}throw r}finally{u()}return n.signal.aborted?null:f||null}async function u(e,t={}){let{concurrency:c=Math.max(1,Math.min(4,navigator.hardwareConcurrency)),createWorker:u,deriveKey:f=r}=t,d=null;try{d=JSON.parse(atob(e))}catch{throw new Error("Unable to parse obfuscated data.")}if(!d||"object"!=typeof d||!("parameters"in d)||!("cipher"in d))throw new Error("Invalid obfuscated data format.");const g=d.cipher;let y=null;if(!u&&"$altcha"in globalThis&&(u=globalThis.$altcha.algorithms.get(d.parameters.algorithm)),y=u?await h({challenge:d,concurrency:c,createWorker:u}):await async function(e){const{challenge:t,controller:r,counterMode:c="uint32",counterStart:h=0,counterStep:u=1,deriveKey:f,timeout:d=9e4}=e,{nonce:g,keyPrefix:y,salt:w}=t.parameters,m=i(g),p=i(w),b=y.length%2==0?i(y):null,E=new l(m,c),v=performance.now();let T=h,S="",A=v;for(;;){if(r?.signal.aborted||d&&T%10==0&&performance.now()-v>d)return null;const{derivedKey:e}=await f(t.parameters,p,E.setCounter(T));if(T%10==0&&performance.now()-A>200&&(await o(0),A=performance.now()),b?n(e,b):a(e).startsWith(y)){S=a(e);break}T+=u}return{counter:T,derivedKey:S,time:s(v)}}({challenge:d,deriveKey:f}),!y)throw new Error("Unable to find solution.");const w=await crypto.subtle.importKey("raw",i(y.derivedKey),{name:"AES-GCM"},!1,["decrypt"]),m=await crypto.subtle.decrypt({name:"AES-GCM",iv:i(g.iv)},w,i(g.data));return(new TextDecoder).decode(m)}e.register(class extends e{elTrigger=null;activate(){this.elTrigger=this.host.querySelector("button"),this.elTrigger&&(this.elTrigger.addEventListener("click",this.onTriggerClick.bind(this)),this.host.configure({floatingAnchor:this.elTrigger}))}destroy(){}async onVerify(e){const{minDuration:t=500}=e,r=performance.now(),n=this.host.getAttribute("data-obfuscated");if(n){this.host.reset(c.VERIFYING);try{const e=await u(n);await this.#e(Math.max(0,t-(performance.now()-r))),this.#t(e)}catch(e){this.host.setState(c.ERROR,String(e))}finally{this.host.setState(c.VERIFIED)}return null}}onTriggerClick(e){e.preventDefault(),this.host.show(),this.host.verify().then(()=>{this.host.hide()})}#t(e){let t;if(e.match(/^(mailto|tel|sms|https?):/)){const[r]=e.slice(e.indexOf(":")+1).replace(/^\/\//,"").split("?");t=document.createElement("a"),t.href=e,t.innerText=r}else t=document.createTextNode(e);this.elTrigger&&t&&(this.elTrigger.after(t),this.elTrigger.parentElement?.removeChild(this.elTrigger))}async#e(e){await new Promise(t=>setTimeout(t,e))}})});

package/dist/types/generic.d.ts

@@ -4,15 +4,18 @@ export {};
 export declare class AltchaWidgetElement extends HTMLElement {
     auto?: Configuration['auto'];
     challenge?: string;
+    configuration?: string;
     display?: Configuration['display'];
     language?: string;
     name?: string;
+    theme?: string;
     type?: Configuration['type'];
+    workers?: number;
     configure: (config: Partial<Configuration>) => Promise<void>;
     getConfiguration: () => Configuration;
     getState: () => State;
     hide: () => void;
-    reset: (newState: State) => void;
+    reset: (newState?: State, err?: string | null) => void;
     setState: (newState: State, err?: string | null) => void;
     show: () => void;
     updateUI: () => void;

package/dist/types/index.d.ts

@@ -46,11 +46,6 @@ export interface Configuration {
      * Enables verbose logging in the browser console for debugging.
      */
     debug: boolean;
-    /**
-     * The minimum verification time in milliseconds (adds an artificial delay if the PoW is faster).
-     * @default 500
-     */
-    minDuration: number;
     /**
      * Prevents the code-challenge modal from stealing focus when opened.
      */
@@ -89,10 +84,19 @@ export interface Configuration {
      * Hides the ALTCHA logo icon.
      */
     hideLogo: boolean;
+    /**
+     * Enables the collection of pointer and scroll events for ALTCHA HIS mechanism (defaults to true).
+     */
+    humanInteractionSignature: boolean;
     /**
      * The ISO alpha-2 language code for localization (requires corresponding i18n file).
      */
     language: string;
+    /**
+     * The minimum verification time in milliseconds (adds an artificial delay if the PoW is faster).
+     * @default 500
+     */
+    minDuration: number;
     /**
      * Forces the widget into a failed state with a mock error for UI testing.
      */
@@ -106,6 +110,10 @@ export interface Configuration {
      * CSS selector for an element to be mirrored inside the overlay modal.
      */
     overlayContent: string | null;
+    /**
+     * Configures the placement (top / bottom) for popovers. Defaults to 'auto'.
+     */
+    popoverPlacement: 'auto' | 'bottom' | 'top';
     /**
      * Automatically attempts to restart verification with fewer workers if the browser runs out of memory (Argon2 and Scrypt only).
      */
@@ -126,6 +134,10 @@ export interface Configuration {
      * Mocks a successful verification. Useful for testing environments without network access.
      */
     test: boolean;
+    /**
+     * PoW verification timeout in milliseconds. Defaults to 90_000 ms.
+     */
+    timeout: number;
     /**
      * The visual style of the interaction element.
      */
@@ -384,7 +396,7 @@ export interface WidgetMethods {
     getConfiguration: () => Configuration;
     getState: () => State;
     hide: () => void;
-    reset: (newState: State) => void;
+    reset: (newState?: State, err?: string | null) => void;
     setState: (newState: State, err?: string | null) => void;
     show: () => void;
     updateUI: () => void;

package/dist/workers/argon2id.js

@@ -112,7 +112,7 @@
     const { deriveKey: deriveKey2 } = options;
     let controller = void 0;
     self.onmessage = async (message) => {
-      const { challenge, counterMode, counterStart, counterStep, type } = message.data;
+      const { challenge, counterMode, counterStart, counterStep, timeout, type } = message.data;
       if (type === "abort") {
         controller?.abort();
       } else if (type === "work") {
@@ -125,7 +125,8 @@
             counterStart,
             counterStep,
             deriveKey: deriveKey2,
-            counterMode
+            counterMode,
+            timeout
           });
         } catch (err) {
           return self.postMessage({ error: err });

package/dist/workers/pbkdf2.js

@@ -112,7 +112,7 @@
     const { deriveKey: deriveKey2 } = options;
     let controller = void 0;
     self.onmessage = async (message) => {
-      const { challenge, counterMode, counterStart, counterStep, type } = message.data;
+      const { challenge, counterMode, counterStart, counterStep, timeout, type } = message.data;
       if (type === "abort") {
         controller?.abort();
       } else if (type === "work") {
@@ -125,7 +125,8 @@
             counterStart,
             counterStep,
             deriveKey: deriveKey2,
-            counterMode
+            counterMode,
+            timeout
           });
         } catch (err) {
           return self.postMessage({ error: err });

package/dist/workers/scrypt.js

@@ -112,7 +112,7 @@
     const { deriveKey: deriveKey2 } = options;
     let controller = void 0;
     self.onmessage = async (message) => {
-      const { challenge, counterMode, counterStart, counterStep, type } = message.data;
+      const { challenge, counterMode, counterStart, counterStep, timeout, type } = message.data;
       if (type === "abort") {
         controller?.abort();
       } else if (type === "work") {
@@ -125,7 +125,8 @@
             counterStart,
             counterStep,
             deriveKey: deriveKey2,
-            counterMode
+            counterMode,
+            timeout
           });
         } catch (err) {
           return self.postMessage({ error: err });

package/dist/workers/sha.js

@@ -112,7 +112,7 @@
     const { deriveKey: deriveKey2 } = options;
     let controller = void 0;
     self.onmessage = async (message) => {
-      const { challenge, counterMode, counterStart, counterStep, type } = message.data;
+      const { challenge, counterMode, counterStart, counterStep, timeout, type } = message.data;
       if (type === "abort") {
         controller?.abort();
       } else if (type === "work") {
@@ -125,7 +125,8 @@
             counterStart,
             counterStep,
             deriveKey: deriveKey2,
-            counterMode
+            counterMode,
+            timeout
           });
         } catch (err) {
           return self.postMessage({ error: err });

package/package.json

@@ -1,7 +1,7 @@
 {
 	"name": "altcha",
 	"description": "Privacy-first CAPTCHA widget, compliant with global regulations (GDPR/HIPAA/CCPA/LGDP/DPDPA/PIPL) and WCAG accessible. No tracking, self-verifying.",
-	"version": "3.0.0-beta.2",
+	"version": "3.0.0-beta.3",
 	"license": "MIT",
 	"author": {
 		"name": "Daniel Regeci",
@@ -50,7 +50,7 @@
 			"require": "./dist/external/altcha.css"
 		},
 		"./external": {
-			"types": "./dist/external/index.d.ts",
+			"types": "./dist/types/generic.d.ts",
 			"import": "./dist/external/altcha.js",
 			"require": "./dist/external/altcha.umd.cjs"
 		},

package/dist/external/index.d.ts

@@ -1 +0,0 @@
-declare module 'altcha/external'; export {};