Ixnas.AltchaNet
0.2.1
See the version list below for details.
dotnet add package Ixnas.AltchaNet --version 0.2.1
NuGet\Install-Package Ixnas.AltchaNet -Version 0.2.1
<PackageReference Include="Ixnas.AltchaNet" Version="0.2.1" />
paket add Ixnas.AltchaNet --version 0.2.1
#r "nuget: Ixnas.AltchaNet, 0.2.1"
// Install Ixnas.AltchaNet as a Cake Addin #addin nuget:?package=Ixnas.AltchaNet&version=0.2.1 // Install Ixnas.AltchaNet as a Cake Tool #tool nuget:?package=Ixnas.AltchaNet&version=0.2.1
Altcha.NET
Server-side implementation of the ALTCHA challenge in C#.
Features
- Compatible with the ALTCHA client-side widget
- Independent from ASP.NET (Core)
- Supports self-hosted challenges
- Supports ALTCHA's public API and their spam filter
- Replay attack prevention by denying previously verified challenges
- Expiring challenges
Contents
Installation
This library is available on NuGet, so you can add it to your project as follows:
dotnet add package Ixnas.AltchaNet
Using self-hosted challenges
Set up
First make sure you've set up the front-end widget to use your challenge endpoint.
The entrypoint of this library contains a service builder for self-hosted configurations. This builder configures the service that is used to create ALTCHA challenges and validate their responses. The most basic configuration looks like this:
var altchaService = Altcha.CreateServiceBuilder()
.UseSha256(key)
.UseStore(store)
.Build();
Here is a description of the different configuration options.
Method | Description |
---|---|
UseStore(IAltchaChallengeStore store) |
(Required) Configures a store to use for previously verified ALTCHA responses. Used to prevent replay attacks. |
UseSha256(byte[] key) |
(Required) Configures the SHA-256 algorithm for hashing and signing. Must be 64 bytes long. Currently the only supported algorithm. |
SetComplexity(int min, int max) |
(Optional) Overrides the default complexity to tweak the amount of computational effort a client has to put in. See ALTCHA's documentation for more information (default 50000, 100000). |
SetExpiryInSeconds(int expiryInSeconds) |
(Optional) Overrides the default time it takes for a challenge to expire (default 120 seconds). |
UseInMemoryStore() |
Configures a simple in-memory store for previously verified ALTCHA responses. Should only be used for testing purposes. |
Build() |
Returns a new configured service instance. |
Key
The library requires a key to sign and verify ALTCHA challenges. You can use a random number generator from .NET to create one for you:
var key = new byte[64];
using (var rng = RandomNumberGenerator.Create())
{
rng.GetBytes(key);
}
Store
The library requires a store implementation to store previously verified challenge responses.
You can use anything persistent, like a database or a file.
As long as it implements the IAltchaChallengeStore
interface, it will work.
You can use expiryUtc
to periodically remove expired challenges from your store.
For example, the bundled in-memory store looks similar to this:
public class InMemoryStore : IAltchaChallengeStore
{
private class StoredChallenge
{
public string Challenge { get; set; }
public DateTimeOffset ExpiryUtc { get; set; }
}
private readonly List<StoredChallenge> _stored = new List<StoredChallenge>();
public Task Store(string challenge, DateTimeOffset expiryUtc)
{
var challengeToStore = new StoredChallenge
{
Challenge = challenge,
ExpiryUtc = expiryUtc
};
_stored.Add(challengeToStore);
return Task.CompletedTask;
}
public Task<bool> Exists(string challenge)
{
_stored.RemoveAll(storedChallenge => storedChallenge.ExpiryUtc <= DateTimeOffset.UtcNow);
var exists = _stored.Exists(storedChallenge => storedChallenge.Challenge == challenge);
return Task.FromResult(exists);
}
}
Usage
Generating a challenge
To generate a challenge:
var challenge = altchaService.Generate();
The challenge
object can be serialized to JSON for the client to use.
Read ALTCHA's documentation on how to use such a
JSON object.
Validating a response
To validate a response:
var validationResult = await altchaService.Validate(altchaBase64);
if (!validationResult.IsValid)
/* ... */
The altchaBase64
parameter represents the raw value from the altcha
field in a submitted form, so you don't need to
convert anything.
Verifying challenges from ALTCHA's API
Set up
First make sure you've set up the front-end widget to use the API.
The entrypoint of this library contains a different service builder for integrating with ALTCHA's API. The most basic configuration looks like this:
var altchaApiService = Altcha.CreateApiServiceBuilder()
.UseApiSecret(secret)
.UseStore(store)
.Build();
Here is a description of the different configuration options.
Method | Description |
---|---|
UseStore(IAltchaChallengeStore store) |
(Required) Configures a store to use for previously verified ALTCHA responses. Used to prevent replay attacks. |
UseApiSecret(string secret) |
(Required) Configures the API secret used to validate challenges from ALTCHA's API. Starts with either "sec_" or "_csec". |
SetMaxSpamFilterScore(double score) |
(Optional) Overrides the default maximum score that a spam filtered form may have before it's rejected (default 2). |
UseInMemoryStore() |
Configures a simple in-memory store for previously verified ALTCHA responses. Should only be used for testing purposes. |
Build() |
Returns a new configured service instance. |
The store uses the same interface as it does for the self-hosted service. You can even use the same instance if you like.
Usage
Validating a regular response
To validate a regular response:
var validationResult = await altchaApiService.Validate(altchaBase64);
if (!validationResult.IsValid)
/* ... */
This works the same way as self-hosted validation. Challenges generated by the self-hosted service can not be validated by the API service, or vice versa.
Validating a spam filtered form
To validate a spam filtered form, you need an object that represents the form fields as public string properties.
By default, the library looks for a public string property named Altcha
that should contain the raw value from
the altcha
field in a submitted form.
A form class could look like this:
public class ExampleForm
{
public string Altcha { get; set; }
public string Email { get; set; }
public string Text { get; set; }
}
To validate the form:
var validationResult = await altchaApiService.ValidateSpamFilteredForm(form);
if (!validationResult.IsValid)
/* ... */
if (!validationResult.PassedSpamFilter)
/* ... */
If you prefer to use a different property for the ALTCHA payload, you can use a member expression to select it:
var validationResult = await altchaApiService.ValidateSpamFilteredForm(form, x => x.AnotherProperty);
The result's IsValid
property tells you whether the form data, verification data and the signature are valid.
You should probably reject the form submission if this is not the case.
The result's PassedSpamFilter
property tells you whether the form data successfully passed through the spam filter.
You might want to keep the form submission and mark it as spam in your application for manual approval.
Example
You can examine the AspNetCoreExample
project as a minimal example.
License
See LICENSE.txt
See LICENSE-ALTCHA.txt for ALTCHA's original license.
Product | Versions Compatible and additional computed target framework versions. |
---|---|
.NET | net5.0 was computed. net5.0-windows was computed. net6.0 was computed. net6.0-android was computed. net6.0-ios was computed. net6.0-maccatalyst was computed. net6.0-macos was computed. net6.0-tvos was computed. net6.0-windows was computed. net7.0 was computed. net7.0-android was computed. net7.0-ios was computed. net7.0-maccatalyst was computed. net7.0-macos was computed. net7.0-tvos was computed. net7.0-windows was computed. net8.0 was computed. net8.0-android was computed. net8.0-browser was computed. net8.0-ios was computed. net8.0-maccatalyst was computed. net8.0-macos was computed. net8.0-tvos was computed. net8.0-windows was computed. |
.NET Core | netcoreapp2.0 was computed. netcoreapp2.1 was computed. netcoreapp2.2 was computed. netcoreapp3.0 was computed. netcoreapp3.1 was computed. |
.NET Standard | netstandard2.0 is compatible. netstandard2.1 was computed. |
.NET Framework | net461 was computed. net462 was computed. net463 was computed. net47 was computed. net471 was computed. net472 was computed. net48 was computed. net481 was computed. |
MonoAndroid | monoandroid was computed. |
MonoMac | monomac was computed. |
MonoTouch | monotouch was computed. |
Tizen | tizen40 was computed. tizen60 was computed. |
Xamarin.iOS | xamarinios was computed. |
Xamarin.Mac | xamarinmac was computed. |
Xamarin.TVOS | xamarintvos was computed. |
Xamarin.WatchOS | xamarinwatchos was computed. |
-
.NETStandard 2.0
- System.Text.Json (>= 4.6.0)
NuGet packages
This package is not used by any NuGet packages.
GitHub repositories
This package is not used by any popular GitHub repositories.