altcha 3.0.0-beta.2 → 3.0.0-beta.4

package/dist/plugins/obfuscation.plugin.umd.cjs

@@ -2,6 +2,114 @@
   typeof define === "function" && define.amd ? define(factory) : factory();
 })((function() {
   "use strict";
+  const noop = () => {
+  };
+  function safe_not_equal(a, b) {
+    return a != a ? b == b : a !== b || a !== null && typeof a === "object" || typeof a === "function";
+  }
+  function subscribe_to_store(store2, run, invalidate) {
+    if (store2 == null) {
+      run(void 0);
+      return noop;
+    }
+    const unsub = untrack(
+      () => store2.subscribe(
+        run,
+        // @ts-expect-error
+        invalidate
+      )
+    );
+    return unsub.unsubscribe ? () => unsub.unsubscribe() : unsub;
+  }
+  const subscriber_queue = [];
+  function writable(value, start = noop) {
+    let stop = null;
+    const subscribers = /* @__PURE__ */ new Set();
+    function set(new_value) {
+      if (safe_not_equal(value, new_value)) {
+        value = new_value;
+        if (stop) {
+          const run_queue = !subscriber_queue.length;
+          for (const subscriber of subscribers) {
+            subscriber[1]();
+            subscriber_queue.push(subscriber, value);
+          }
+          if (run_queue) {
+            for (let i = 0; i < subscriber_queue.length; i += 2) {
+              subscriber_queue[i][0](subscriber_queue[i + 1]);
+            }
+            subscriber_queue.length = 0;
+          }
+        }
+      }
+    }
+    function update(fn) {
+      set(fn(
+        /** @type {T} */
+        value
+      ));
+    }
+    function subscribe(run, invalidate = noop) {
+      const subscriber = [run, invalidate];
+      subscribers.add(subscriber);
+      if (subscribers.size === 1) {
+        stop = start(set, update) || noop;
+      }
+      run(
+        /** @type {T} */
+        value
+      );
+      return () => {
+        subscribers.delete(subscriber);
+        if (subscribers.size === 0 && stop) {
+          stop();
+          stop = null;
+        }
+      };
+    }
+    return { set, update, subscribe };
+  }
+  function get(store2) {
+    let value;
+    subscribe_to_store(store2, (_) => value = _)();
+    return value;
+  }
+  let untracking = false;
+  function untrack(fn) {
+    var previous_untracking = untracking;
+    try {
+      untracking = true;
+      return fn();
+    } finally {
+      untracking = previous_untracking;
+    }
+  }
+  function store(defaultValue) {
+    const scope = {
+      get: (name) => {
+        return get(scope.store)[name];
+      },
+      set: (name, value) => {
+        if (typeof name === "string") {
+          Object.assign(get(scope.store), {
+            [name]: value
+          });
+        } else {
+          Object.assign(get(scope.store), name);
+        }
+        scope.store.set(get(scope.store));
+      },
+      store: writable(defaultValue)
+    };
+    return scope;
+  }
+  globalThis.$altcha = globalThis.$altcha || {
+    algorithms: /* @__PURE__ */ new Map(),
+    defaults: store({}),
+    i18n: store({}),
+    instances: /* @__PURE__ */ new Set(),
+    plugins: /* @__PURE__ */ new Set()
+  };
   class BasePlugin {
     constructor(host) {
       this.host = host;
@@ -18,6 +126,42 @@
     async onVerify(value) {
     }
   }
+  function getDigest(algorithm) {
+    switch (algorithm) {
+      case "PBKDF2/SHA-512":
+        return "SHA-512";
+      case "PBKDF2/SHA-384":
+        return "SHA-384";
+      case "PBKDF2/SHA-256":
+      default:
+        return "SHA-256";
+    }
+  }
+  async function deriveKey(parameters, salt, password) {
+    const { algorithm, cost, keyLength = 32 } = parameters;
+    const passwordKey = await crypto.subtle.importKey(
+      "raw",
+      password,
+      { name: "PBKDF2" },
+      false,
+      ["deriveKey"]
+    );
+    const derivedKey = await crypto.subtle.deriveKey(
+      {
+        name: "PBKDF2",
+        salt,
+        iterations: cost,
+        hash: getDigest(algorithm)
+      },
+      passwordKey,
+      { name: "AES-GCM", length: keyLength * 8 },
+      true,
+      ["encrypt"]
+    );
+    return {
+      derivedKey: new Uint8Array(await crypto.subtle.exportKey("raw", derivedKey))
+    };
+  }
   function bufferStartsWith(buffer, prefix) {
     if (prefix.length > buffer.length) {
       return false;
@@ -54,9 +198,45 @@
   async function delay(ms) {
     await new Promise((resolve) => setTimeout(resolve, ms));
   }
+  async function hmac(algorithm, data, keyStr) {
+    const key = await crypto.subtle.importKey(
+      "raw",
+      new TextEncoder().encode(keyStr),
+      {
+        name: "HMAC",
+        hash: { name: algorithm }
+      },
+      false,
+      ["sign", "verify"]
+    );
+    const signature = await crypto.subtle.sign(
+      "HMAC",
+      key,
+      typeof data === "string" ? new TextEncoder().encode(data) : data
+    );
+    return new Uint8Array(signature);
+  }
+  function sortKeys(obj) {
+    if (typeof obj !== "object" || obj === null || Array.isArray(obj)) {
+      return obj;
+    }
+    return Object.keys(obj).sort().reduce((acc, key) => {
+      const value = obj[key];
+      if (value !== void 0) {
+        acc[key] = sortKeys(value);
+      }
+      return acc;
+    }, {});
+  }
   function timeDuration(start) {
     return Math.floor((performance.now() - start) * 10) / 10;
   }
+  var HmacAlgorithm = /* @__PURE__ */ ((HmacAlgorithm2) => {
+    HmacAlgorithm2["SHA_256"] = "SHA-256";
+    HmacAlgorithm2["SHA_384"] = "SHA-384";
+    HmacAlgorithm2["SHA_512"] = "SHA-512";
+    return HmacAlgorithm2;
+  })(HmacAlgorithm || {});
   var State = /* @__PURE__ */ ((State2) => {
     State2["CODE"] = "code";
     State2["ERROR"] = "error";
@@ -91,6 +271,62 @@
       return this.buffer;
     }
   }
+  async function createChallenge(options) {
+    const {
+      algorithm,
+      counter,
+      counterMode = "uint32",
+      cost,
+      deriveKey: deriveKey2,
+      data,
+      expiresAt,
+      hmacAlgorithm = HmacAlgorithm.SHA_256,
+      hmacKeySignatureSecret,
+      hmacSignatureSecret,
+      keyLength = 32,
+      keyPrefix = "00",
+      keyPrefixLength = keyLength / 2,
+      memoryCost,
+      parallelism
+    } = options;
+    const parameters = {
+      algorithm,
+      nonce: bufferToHex(crypto.getRandomValues(new Uint8Array(16))),
+      salt: bufferToHex(crypto.getRandomValues(new Uint8Array(16))),
+      cost,
+      keyLength,
+      memoryCost,
+      parallelism,
+      keyPrefix,
+      expiresAt: expiresAt instanceof Date ? Math.floor(expiresAt.getTime() / 1e3) : expiresAt,
+      data
+    };
+    let deriveKeyResult = null;
+    if (counter !== void 0) {
+      const nonceBuf = hexToBuffer(parameters.nonce);
+      deriveKeyResult = await deriveKey2(
+        parameters,
+        hexToBuffer(parameters.salt),
+        new PasswordBuffer(nonceBuf, counterMode).setCounter(counter)
+      );
+      if (deriveKeyResult.parameters) {
+        Object.assign(parameters, deriveKeyResult.parameters);
+      }
+      parameters.keyPrefix = bufferToHex(deriveKeyResult.derivedKey.slice(0, keyPrefixLength));
+    }
+    if (!hmacSignatureSecret) {
+      return {
+        parameters: sortKeys(parameters)
+      };
+    }
+    return signChallenge(
+      hmacAlgorithm,
+      parameters,
+      deriveKeyResult?.derivedKey,
+      hmacSignatureSecret,
+      hmacKeySignatureSecret
+    );
+  }
   async function solveChallenge(options) {
     const {
       challenge,
@@ -98,7 +334,7 @@
       counterMode = "uint32",
       counterStart = 0,
       counterStep = 1,
-      deriveKey,
+      deriveKey: deriveKey2,
       timeout = 9e4
     } = options;
     const { nonce, keyPrefix, salt } = challenge.parameters;
@@ -114,7 +350,7 @@
       if (controller?.signal.aborted || timeout && counter % 10 === 0 && performance.now() - start > timeout) {
         return null;
       }
-      const { derivedKey } = await deriveKey(
+      const { derivedKey } = await deriveKey2(
         challenge.parameters,
         saltBuf,
         password.setCounter(counter)
@@ -142,7 +378,8 @@
       controller = new AbortController(),
       createWorker,
       onOutOfMemory = (c) => c > 1 ? Math.floor(c / 2) : 0,
-      counterMode
+      counterMode,
+      timeout = 9e4
     } = options;
     const workersConcurrency = Math.min(16, Math.max(1, concurrency));
     const workersInstances = [];
@@ -183,6 +420,7 @@
               counterMode,
               counterStart: i,
               counterStep: workersConcurrency,
+              timeout,
               type: "work"
             });
           });
@@ -214,8 +452,24 @@
     }
     return solution || null;
   }
+  async function signChallenge(algorithm, parameters, derivedKey, hmacSignatureSecret, hmacKeySignatureSecret) {
+    if (derivedKey && hmacKeySignatureSecret) {
+      parameters.keySignature = bufferToHex(
+        await hmac(algorithm, derivedKey, hmacKeySignatureSecret)
+      );
+    }
+    parameters = sortKeys(parameters);
+    return {
+      parameters,
+      signature: bufferToHex(await hmac(algorithm, JSON.stringify(parameters), hmacSignatureSecret))
+    };
+  }
   async function deobfuscate(obfuscatedData, options = {}) {
-    const { concurrency = navigator.hardwareConcurrency, deriveKey: deriveKey2 } = options;
+    let {
+      concurrency = Math.max(1, Math.min(4, navigator.hardwareConcurrency)),
+      createWorker,
+      deriveKey: deriveKey$1 = deriveKey
+    } = options;
     let challenge = null;
     try {
       challenge = JSON.parse(atob(obfuscatedData));
@@ -227,21 +481,20 @@
     }
     const cipher = challenge.cipher;
     let solution = null;
-    if (deriveKey2) {
-      solution = await solveChallenge({
-        challenge,
-        deriveKey: deriveKey2
-      });
-    } else {
-      const createWorker = globalThis.$altcha.algorithms.get(challenge.parameters.algorithm);
-      if (!createWorker) {
-        throw new Error(`Unsupported algorithm ${challenge.parameters.algorithm}.`);
-      }
+    if (!createWorker && "$altcha" in globalThis) {
+      createWorker = globalThis.$altcha.algorithms.get(challenge.parameters.algorithm);
+    }
+    if (createWorker) {
       solution = await solveChallengeWorkers({
         challenge,
         concurrency,
         createWorker
       });
+    } else {
+      solution = await solveChallenge({
+        challenge,
+        deriveKey: deriveKey$1
+      });
     }
     if (!solution) {
       throw new Error("Unable to find solution.");
@@ -263,7 +516,48 @@
     );
     return new TextDecoder().decode(result);
   }
+  async function obfuscate(str, options = {}) {
+    const { deriveKey: deriveKey$1 = deriveKey } = options;
+    const counterMin = options?.counterMin || 20;
+    const counterMax = options?.counterMax || 200;
+    const { parameters } = await createChallenge({
+      algorithm: "PBKDF2/SHA-256",
+      cost: 5e3,
+      deriveKey: deriveKey$1,
+      counter: Math.floor(Math.random() * (counterMax - counterMin + 1)) + counterMin,
+      keyPrefixLength: 32,
+      ...options
+    });
+    const key = await crypto.subtle.importKey(
+      "raw",
+      hexToBuffer(parameters.keyPrefix),
+      { name: "AES-GCM" },
+      false,
+      ["encrypt"]
+    );
+    const iv = crypto.getRandomValues(new Uint8Array(12));
+    const data = await crypto.subtle.encrypt(
+      { name: "AES-GCM", iv },
+      key,
+      new TextEncoder().encode(str)
+    );
+    return btoa(
+      JSON.stringify({
+        parameters: {
+          ...parameters,
+          // Return only half the derived key
+          keyPrefix: parameters.keyPrefix.slice(0, parameters.keyLength || 32)
+        },
+        cipher: {
+          iv: bufferToHex(iv),
+          data: bufferToHex(data)
+        }
+      })
+    );
+  }
   class ObfuscationPlugin extends BasePlugin {
+    static deobfuscate = deobfuscate;
+    static obfuscate = obfuscate;
     elTrigger = null;
     activate() {
       this.elTrigger = this.host.querySelector("button");

package/dist/plugins/obfuscation.plugin.umd.min.cjs

@@ -1 +1 @@
-!function(e){"function"==typeof define&&define.amd?define(e):e()}(function(){"use strict";class e{constructor(e){this.host=e}static register(e){"$altcha"in globalThis&&!globalThis.$altcha.plugins.has(e)&&globalThis.$altcha.plugins.add(e)}async onFetchChallenge(e){}async onRequestServerVerification(e,t){}async onVerify(e){}}function t(e,t){if(t.length>e.length)return!1;for(let r=0;r<t.length;r++)if(e[r]!==t[r])return!1;return!0}function r(e){return Array.from(new Uint8Array(e)).map(e=>e.toString(16).padStart(2,"0")).join("")}function n(e){if(e.length%2!=0)throw new Error(`Hex string must have an even length. Got: ${e}`);const t=new ArrayBuffer(e.length/2),r=new DataView(t);for(let t=0;t<e.length;t+=2){const n=e.substring(t,t+2),a=parseInt(n,16);r.setUint8(t/2,a)}return new Uint8Array(t)}async function a(e){await new Promise(t=>setTimeout(t,e))}function o(e){return Math.floor(10*(performance.now()-e))/10}var i=(e=>(e.CODE="code",e.ERROR="error",e.VERIFIED="verified",e.VERIFYING="verifying",e.UNVERIFIED="unverified",e.EXPIRED="expired",e))(i||{});class s{constructor(e,t="uint32"){this.nonce=e,this.mode=t,this.buffer=new Uint8Array(this.nonce.length+this.COUNTER_BYTES),this.buffer.set(this.nonce,0),this.dataView=new DataView(this.buffer.buffer)}COUNTER_BYTES=4;buffer;dataView;encoder=new TextEncoder;setCounter(e){return"string"===this.mode?function(e,t){const r=new Uint8Array(e.length+t.length);return r.set(e,0),r.set(t,e.length),r}(this.nonce,this.encoder.encode(e.toString())):(this.dataView.setUint32(this.nonce.length,e,!1),this.buffer)}}async function c(e){const{challenge:t,concurrency:r=navigator.hardwareConcurrency,controller:n=new AbortController,createWorker:a,onOutOfMemory:o=e=>e>1?Math.floor(e/2):0,counterMode:i}=e,s=Math.min(16,Math.max(1,r)),l=[],h=()=>{for(const e of l)e.terminate()};for(let e=0;e<s;e++)l.push(await a(t.parameters.algorithm));let u=null;try{u=await Promise.race(l.map((e,r)=>(n.signal.addEventListener("abort",()=>{e.postMessage({type:"abort"})}),new Promise((n,a)=>{e.addEventListener("error",e=>{a(e)}),e.addEventListener("message",t=>{if(t.data){for(const t of l)t!==e&&t.postMessage({type:"abort"});if(t.data.error)return a(new Error(t.data.error))}n(t.data)}),e.postMessage({challenge:t,counterMode:i,counterStart:r,counterStep:s,type:"work"})}))))}catch(r){if(r instanceof Error&&!!r?.message?.includes("Out of memory")&&o){h();const r=o(s);if(r)return c({...e,challenge:t,controller:n,concurrency:r,createWorker:a})}throw r}finally{h()}return n.signal.aborted?null:u||null}async function l(e,i={}){const{concurrency:l=navigator.hardwareConcurrency,deriveKey:h}=i;let u=null;try{u=JSON.parse(atob(e))}catch{throw new Error("Unable to parse obfuscated data.")}if(!u||"object"!=typeof u||!("parameters"in u)||!("cipher"in u))throw new Error("Invalid obfuscated data format.");const f=u.cipher;let g=null;if(h)g=await async function(e){const{challenge:i,controller:c,counterMode:l="uint32",counterStart:h=0,counterStep:u=1,deriveKey:f,timeout:g=9e4}=e,{nonce:d,keyPrefix:w,salt:m}=i.parameters,y=n(d),p=n(m),E=w.length%2==0?n(w):null,b=new s(y,l),T=performance.now();let v=h,S="",C=T;for(;;){if(c?.signal.aborted||g&&v%10==0&&performance.now()-T>g)return null;const{derivedKey:e}=await f(i.parameters,p,b.setCounter(v));if(v%10==0&&performance.now()-C>200&&(await a(0),C=performance.now()),E?t(e,E):r(e).startsWith(w)){S=r(e);break}v+=u}return{counter:v,derivedKey:S,time:o(T)}}({challenge:u,deriveKey:h});else{const e=globalThis.$altcha.algorithms.get(u.parameters.algorithm);if(!e)throw new Error(`Unsupported algorithm ${u.parameters.algorithm}.`);g=await c({challenge:u,concurrency:l,createWorker:e})}if(!g)throw new Error("Unable to find solution.");const d=await crypto.subtle.importKey("raw",n(g.derivedKey),{name:"AES-GCM"},!1,["decrypt"]),w=await crypto.subtle.decrypt({name:"AES-GCM",iv:n(f.iv)},d,n(f.data));return(new TextDecoder).decode(w)}e.register(class extends e{elTrigger=null;activate(){this.elTrigger=this.host.querySelector("button"),this.elTrigger&&(this.elTrigger.addEventListener("click",this.onTriggerClick.bind(this)),this.host.configure({floatingAnchor:this.elTrigger}))}destroy(){}async onVerify(e){const{minDuration:t=500}=e,r=performance.now(),n=this.host.getAttribute("data-obfuscated");if(n){this.host.reset(i.VERIFYING);try{const e=await l(n);await this.#e(Math.max(0,t-(performance.now()-r))),this.#t(e)}catch(e){this.host.setState(i.ERROR,String(e))}finally{this.host.setState(i.VERIFIED)}return null}}onTriggerClick(e){e.preventDefault(),this.host.show(),this.host.verify().then(()=>{this.host.hide()})}#t(e){let t;if(e.match(/^(mailto|tel|sms|https?):/)){const[r]=e.slice(e.indexOf(":")+1).replace(/^\/\//,"").split("?");t=document.createElement("a"),t.href=e,t.innerText=r}else t=document.createTextNode(e);this.elTrigger&&t&&(this.elTrigger.after(t),this.elTrigger.parentElement?.removeChild(this.elTrigger))}async#e(e){await new Promise(t=>setTimeout(t,e))}})});
+!function(e){"function"==typeof define&&define.amd?define(e):e()}(function(){"use strict";const e=()=>{};function t(t,r,n){if(null==t)return r(void 0),e;const a=function(e){var t=i;try{return i=!0,e()}finally{i=t}}(()=>t.subscribe(r,n));return a.unsubscribe?()=>a.unsubscribe():a}const r=[];function n(t,n=e){let a=null;const i=new Set;function o(e){if(o=e,((n=t)!=n?o==o:n!==o||null!==n&&"object"==typeof n||"function"==typeof n)&&(t=e,a)){const e=!r.length;for(const e of i)e[1](),r.push(e,t);if(e){for(let e=0;e<r.length;e+=2)r[e][0](r[e+1]);r.length=0}}var n,o}function s(e){o(e(t))}return{set:o,update:s,subscribe:function(r,c=e){const l=[r,c];return i.add(l),1===i.size&&(a=n(o,s)||e),r(t),()=>{i.delete(l),0===i.size&&a&&(a(),a=null)}}}}function a(e){let r;return t(e,e=>r=e)(),r}let i=!1;function o(e){const t={get:e=>a(t.store)[e],set:(e,r)=>{"string"==typeof e?Object.assign(a(t.store),{[e]:r}):Object.assign(a(t.store),e),t.store.set(a(t.store))},store:n(e)};return t}globalThis.$altcha=globalThis.$altcha||{algorithms:new Map,defaults:o({}),i18n:o({}),instances:new Set,plugins:new Set};class s{constructor(e){this.host=e}static register(e){"$altcha"in globalThis&&!globalThis.$altcha.plugins.has(e)&&globalThis.$altcha.plugins.add(e)}async onFetchChallenge(e){}async onRequestServerVerification(e,t){}async onVerify(e){}}function c(e){switch(e){case"PBKDF2/SHA-512":return"SHA-512";case"PBKDF2/SHA-384":return"SHA-384";default:return"SHA-256"}}async function l(e,t,r){const{algorithm:n,cost:a,keyLength:i=32}=e,o=await crypto.subtle.importKey("raw",r,{name:"PBKDF2"},!1,["deriveKey"]),s=await crypto.subtle.deriveKey({name:"PBKDF2",salt:t,iterations:a,hash:c(n)},o,{name:"AES-GCM",length:8*i},!0,["encrypt"]);return{derivedKey:new Uint8Array(await crypto.subtle.exportKey("raw",s))}}function u(e,t){if(t.length>e.length)return!1;for(let r=0;r<t.length;r++)if(e[r]!==t[r])return!1;return!0}function h(e){return Array.from(new Uint8Array(e)).map(e=>e.toString(16).padStart(2,"0")).join("")}function f(e){if(e.length%2!=0)throw new Error(`Hex string must have an even length. Got: ${e}`);const t=new ArrayBuffer(e.length/2),r=new DataView(t);for(let t=0;t<e.length;t+=2){const n=e.substring(t,t+2),a=parseInt(n,16);r.setUint8(t/2,a)}return new Uint8Array(t)}async function y(e){await new Promise(t=>setTimeout(t,e))}async function g(e,t,r){const n=await crypto.subtle.importKey("raw",(new TextEncoder).encode(r),{name:"HMAC",hash:{name:e}},!1,["sign","verify"]),a=await crypto.subtle.sign("HMAC",n,"string"==typeof t?(new TextEncoder).encode(t):t);return new Uint8Array(a)}function d(e){return"object"!=typeof e||null===e||Array.isArray(e)?e:Object.keys(e).sort().reduce((t,r)=>{const n=e[r];return void 0!==n&&(t[r]=d(n)),t},{})}function m(e){return Math.floor(10*(performance.now()-e))/10}var w=(e=>(e.SHA_256="SHA-256",e.SHA_384="SHA-384",e.SHA_512="SHA-512",e))(w||{}),p=(e=>(e.CODE="code",e.ERROR="error",e.VERIFIED="verified",e.VERIFYING="verifying",e.UNVERIFIED="unverified",e.EXPIRED="expired",e))(p||{});class b{constructor(e,t="uint32"){this.nonce=e,this.mode=t,this.buffer=new Uint8Array(this.nonce.length+this.COUNTER_BYTES),this.buffer.set(this.nonce,0),this.dataView=new DataView(this.buffer.buffer)}COUNTER_BYTES=4;buffer;dataView;encoder=new TextEncoder;setCounter(e){return"string"===this.mode?function(e,t){const r=new Uint8Array(e.length+t.length);return r.set(e,0),r.set(t,e.length),r}(this.nonce,this.encoder.encode(e.toString())):(this.dataView.setUint32(this.nonce.length,e,!1),this.buffer)}}async function S(e){const{algorithm:t,counter:r,counterMode:n="uint32",cost:a,deriveKey:i,data:o,expiresAt:s,hmacAlgorithm:c=w.SHA_256,hmacKeySignatureSecret:l,hmacSignatureSecret:u,keyLength:y=32,keyPrefix:m="00",keyPrefixLength:p=y/2,memoryCost:S,parallelism:v}=e,A={algorithm:t,nonce:h(crypto.getRandomValues(new Uint8Array(16))),salt:h(crypto.getRandomValues(new Uint8Array(16))),cost:a,keyLength:y,memoryCost:S,parallelism:v,keyPrefix:m,expiresAt:s instanceof Date?Math.floor(s.getTime()/1e3):s,data:o};let E=null;if(void 0!==r){const e=f(A.nonce);E=await i(A,f(A.salt),new b(e,n).setCounter(r)),E.parameters&&Object.assign(A,E.parameters),A.keyPrefix=h(E.derivedKey.slice(0,p))}return u?async function(e,t,r,n,a){r&&a&&(t.keySignature=h(await g(e,r,a)));return t=d(t),{parameters:t,signature:h(await g(e,JSON.stringify(t),n))}}(c,A,E?.derivedKey,u,l):{parameters:d(A)}}async function v(e){const{challenge:t,concurrency:r=navigator.hardwareConcurrency,controller:n=new AbortController,createWorker:a,onOutOfMemory:i=e=>e>1?Math.floor(e/2):0,counterMode:o,timeout:s=9e4}=e,c=Math.min(16,Math.max(1,r)),l=[],u=()=>{for(const e of l)e.terminate()};for(let e=0;e<c;e++)l.push(await a(t.parameters.algorithm));let h=null;try{h=await Promise.race(l.map((e,r)=>(n.signal.addEventListener("abort",()=>{e.postMessage({type:"abort"})}),new Promise((n,a)=>{e.addEventListener("error",e=>{a(e)}),e.addEventListener("message",t=>{if(t.data){for(const t of l)t!==e&&t.postMessage({type:"abort"});if(t.data.error)return a(new Error(t.data.error))}n(t.data)}),e.postMessage({challenge:t,counterMode:o,counterStart:r,counterStep:c,timeout:s,type:"work"})}))))}catch(r){if(r instanceof Error&&!!r?.message?.includes("Out of memory")&&i){u();const r=i(c);if(r)return v({...e,challenge:t,controller:n,concurrency:r,createWorker:a})}throw r}finally{u()}return n.signal.aborted?null:h||null}async function A(e,t={}){let{concurrency:r=Math.max(1,Math.min(4,navigator.hardwareConcurrency)),createWorker:n,deriveKey:a=l}=t,i=null;try{i=JSON.parse(atob(e))}catch{throw new Error("Unable to parse obfuscated data.")}if(!i||"object"!=typeof i||!("parameters"in i)||!("cipher"in i))throw new Error("Invalid obfuscated data format.");const o=i.cipher;let s=null;if(!n&&"$altcha"in globalThis&&(n=globalThis.$altcha.algorithms.get(i.parameters.algorithm)),s=n?await v({challenge:i,concurrency:r,createWorker:n}):await async function(e){const{challenge:t,controller:r,counterMode:n="uint32",counterStart:a=0,counterStep:i=1,deriveKey:o,timeout:s=9e4}=e,{nonce:c,keyPrefix:l,salt:g}=t.parameters,d=f(c),w=f(g),p=l.length%2==0?f(l):null,S=new b(d,n),v=performance.now();let A=a,E="",T=v;for(;;){if(r?.signal.aborted||s&&A%10==0&&performance.now()-v>s)return null;const{derivedKey:e}=await o(t.parameters,w,S.setCounter(A));if(A%10==0&&performance.now()-T>200&&(await y(0),T=performance.now()),p?u(e,p):h(e).startsWith(l)){E=h(e);break}A+=i}return{counter:A,derivedKey:E,time:m(v)}}({challenge:i,deriveKey:a}),!s)throw new Error("Unable to find solution.");const c=await crypto.subtle.importKey("raw",f(s.derivedKey),{name:"AES-GCM"},!1,["decrypt"]),g=await crypto.subtle.decrypt({name:"AES-GCM",iv:f(o.iv)},c,f(o.data));return(new TextDecoder).decode(g)}async function E(e,t={}){const{deriveKey:r=l}=t,n=t?.counterMin||20,a=t?.counterMax||200,{parameters:i}=await S({algorithm:"PBKDF2/SHA-256",cost:5e3,deriveKey:r,counter:Math.floor(Math.random()*(a-n+1))+n,keyPrefixLength:32,...t}),o=await crypto.subtle.importKey("raw",f(i.keyPrefix),{name:"AES-GCM"},!1,["encrypt"]),s=crypto.getRandomValues(new Uint8Array(12)),c=await crypto.subtle.encrypt({name:"AES-GCM",iv:s},o,(new TextEncoder).encode(e));return btoa(JSON.stringify({parameters:{...i,keyPrefix:i.keyPrefix.slice(0,i.keyLength||32)},cipher:{iv:h(s),data:h(c)}}))}s.register(class extends s{static deobfuscate=A;static obfuscate=E;elTrigger=null;activate(){this.elTrigger=this.host.querySelector("button"),this.elTrigger&&(this.elTrigger.addEventListener("click",this.onTriggerClick.bind(this)),this.host.configure({floatingAnchor:this.elTrigger}))}destroy(){}async onVerify(e){const{minDuration:t=500}=e,r=performance.now(),n=this.host.getAttribute("data-obfuscated");if(n){this.host.reset(p.VERIFYING);try{const e=await A(n);await this.#e(Math.max(0,t-(performance.now()-r))),this.#t(e)}catch(e){this.host.setState(p.ERROR,String(e))}finally{this.host.setState(p.VERIFIED)}return null}}onTriggerClick(e){e.preventDefault(),this.host.show(),this.host.verify().then(()=>{this.host.hide()})}#t(e){let t;if(e.match(/^(mailto|tel|sms|https?):/)){const[r]=e.slice(e.indexOf(":")+1).replace(/^\/\//,"").split("?");t=document.createElement("a"),t.href=e,t.innerText=r}else t=document.createTextNode(e);this.elTrigger&&t&&(this.elTrigger.after(t),this.elTrigger.parentElement?.removeChild(this.elTrigger))}async#e(e){await new Promise(t=>setTimeout(t,e))}})});

package/dist/types/generic.d.ts

@@ -4,15 +4,18 @@ export {};
 export declare class AltchaWidgetElement extends HTMLElement {
     auto?: Configuration['auto'];
     challenge?: string;
+    configuration?: string;
     display?: Configuration['display'];
     language?: string;
     name?: string;
+    theme?: string;
     type?: Configuration['type'];
+    workers?: number;
     configure: (config: Partial<Configuration>) => Promise<void>;
     getConfiguration: () => Configuration;
     getState: () => State;
     hide: () => void;
-    reset: (newState: State) => void;
+    reset: (newState?: State, err?: string | null) => void;
     setState: (newState: State, err?: string | null) => void;
     show: () => void;
     updateUI: () => void;

package/dist/types/index.d.ts

@@ -46,11 +46,6 @@ export interface Configuration {
      * Enables verbose logging in the browser console for debugging.
      */
     debug: boolean;
-    /**
-     * The minimum verification time in milliseconds (adds an artificial delay if the PoW is faster).
-     * @default 500
-     */
-    minDuration: number;
     /**
      * Prevents the code-challenge modal from stealing focus when opened.
      */
@@ -89,10 +84,19 @@ export interface Configuration {
      * Hides the ALTCHA logo icon.
      */
     hideLogo: boolean;
+    /**
+     * Enables the collection of pointer and scroll events for ALTCHA HIS mechanism (defaults to true).
+     */
+    humanInteractionSignature: boolean;
     /**
      * The ISO alpha-2 language code for localization (requires corresponding i18n file).
      */
     language: string;
+    /**
+     * The minimum verification time in milliseconds (adds an artificial delay if the PoW is faster).
+     * @default 500
+     */
+    minDuration: number;
     /**
      * Forces the widget into a failed state with a mock error for UI testing.
      */
@@ -106,6 +110,10 @@ export interface Configuration {
      * CSS selector for an element to be mirrored inside the overlay modal.
      */
     overlayContent: string | null;
+    /**
+     * Configures the placement (top / bottom) for popovers. Defaults to 'auto'.
+     */
+    popoverPlacement: 'auto' | 'bottom' | 'top';
     /**
      * Automatically attempts to restart verification with fewer workers if the browser runs out of memory (Argon2 and Scrypt only).
      */
@@ -126,6 +134,10 @@ export interface Configuration {
      * Mocks a successful verification. Useful for testing environments without network access.
      */
     test: boolean;
+    /**
+     * PoW verification timeout in milliseconds. Defaults to 90_000 ms.
+     */
+    timeout: number;
     /**
      * The visual style of the interaction element.
      */
@@ -384,7 +396,7 @@ export interface WidgetMethods {
     getConfiguration: () => Configuration;
     getState: () => State;
     hide: () => void;
-    reset: (newState: State) => void;
+    reset: (newState?: State, err?: string | null) => void;
     setState: (newState: State, err?: string | null) => void;
     show: () => void;
     updateUI: () => void;

package/dist/workers/argon2id.js

@@ -112,7 +112,7 @@
     const { deriveKey: deriveKey2 } = options;
     let controller = void 0;
     self.onmessage = async (message) => {
-      const { challenge, counterMode, counterStart, counterStep, type } = message.data;
+      const { challenge, counterMode, counterStart, counterStep, timeout, type } = message.data;
       if (type === "abort") {
         controller?.abort();
       } else if (type === "work") {
@@ -125,7 +125,8 @@
             counterStart,
             counterStep,
             deriveKey: deriveKey2,
-            counterMode
+            counterMode,
+            timeout
           });
         } catch (err) {
           return self.postMessage({ error: err });

package/dist/workers/pbkdf2.js

@@ -112,7 +112,7 @@
     const { deriveKey: deriveKey2 } = options;
     let controller = void 0;
     self.onmessage = async (message) => {
-      const { challenge, counterMode, counterStart, counterStep, type } = message.data;
+      const { challenge, counterMode, counterStart, counterStep, timeout, type } = message.data;
       if (type === "abort") {
         controller?.abort();
       } else if (type === "work") {
@@ -125,7 +125,8 @@
             counterStart,
             counterStep,
             deriveKey: deriveKey2,
-            counterMode
+            counterMode,
+            timeout
           });
         } catch (err) {
           return self.postMessage({ error: err });

package/dist/workers/scrypt.js

@@ -112,7 +112,7 @@
     const { deriveKey: deriveKey2 } = options;
     let controller = void 0;
     self.onmessage = async (message) => {
-      const { challenge, counterMode, counterStart, counterStep, type } = message.data;
+      const { challenge, counterMode, counterStart, counterStep, timeout, type } = message.data;
       if (type === "abort") {
         controller?.abort();
       } else if (type === "work") {
@@ -125,7 +125,8 @@
             counterStart,
             counterStep,
             deriveKey: deriveKey2,
-            counterMode
+            counterMode,
+            timeout
           });
         } catch (err) {
           return self.postMessage({ error: err });

package/dist/workers/sha.js

@@ -112,7 +112,7 @@
     const { deriveKey: deriveKey2 } = options;
     let controller = void 0;
     self.onmessage = async (message) => {
-      const { challenge, counterMode, counterStart, counterStep, type } = message.data;
+      const { challenge, counterMode, counterStart, counterStep, timeout, type } = message.data;
       if (type === "abort") {
         controller?.abort();
       } else if (type === "work") {
@@ -125,7 +125,8 @@
             counterStart,
             counterStep,
             deriveKey: deriveKey2,
-            counterMode
+            counterMode,
+            timeout
           });
         } catch (err) {
           return self.postMessage({ error: err });

package/package.json

@@ -1,7 +1,7 @@
 {
 	"name": "altcha",
 	"description": "Privacy-first CAPTCHA widget, compliant with global regulations (GDPR/HIPAA/CCPA/LGDP/DPDPA/PIPL) and WCAG accessible. No tracking, self-verifying.",
-	"version": "3.0.0-beta.2",
+	"version": "3.0.0-beta.4",
 	"license": "MIT",
 	"author": {
 		"name": "Daniel Regeci",
@@ -50,7 +50,7 @@
 			"require": "./dist/external/altcha.css"
 		},
 		"./external": {
-			"types": "./dist/external/index.d.ts",
+			"types": "./dist/types/generic.d.ts",
 			"import": "./dist/external/altcha.js",
 			"require": "./dist/external/altcha.umd.cjs"
 		},

package/dist/external/index.d.ts

@@ -1 +0,0 @@
-declare module 'altcha/external'; export {};