Install the package and import the three exported functions:

```sh
npm install pow_captcha
```

```js
const { makeTest, takeTest, takeTestAsync } = require('pow_captcha');
```
Usually, when one thinks of a "CAPTCHA", what comes to mind is weird-looking images with instructions about which one(s) to select to prove you're human. These ensure that only human traffic reaches certain operations on a website.

However, they do little to stop spam aimed at the server itself. The only way the server can verify a token is to spend its own resources sending a request to the CAPTCHA service's API (for at least reCAPTCHA and hCAPTCHA). On top of that, if an attacker spams enough, you will have sent enough requests to that API to get your API credentials disabled for a period of time, leading to denial of service for valid requests.

This proof-of-work CAPTCHA instead uses cryptography to build a "puzzle" that takes a real amount of processor time to complete, adding a deliberate delay to an attacker's spamming capability.
- The puzzle consists of the hash of a correct buffer, an incorrect buffer that is handed out, and the definitions of various ranges within which the computer may edit that buffer.
- The computer has to edit the incorrect buffer within those ranges and only stops when the hash of its edited buffer equals the hash of the correct buffer.
- The buffer length has its part to play: it must be large enough that an attacker cannot pre-hash every single possibility. To do that, an attacker would need to hash `(a2-a1)^B` buffers of length `B`.
- For instance, the default values have `a1` at 0, `a2` at 256 and `B` at 1024 (check the argument descriptions of the `makeTest` function below). This means an attacker would have to pre-hash 256^1024 buffers of length 1024 (a ridiculous amount, check it out yourself), and therefore has to spend the processor time to complete this puzzle :D
There are 3 functions exported for use:

- `makeTest([tries[, B[, a1[, a2]]]])`
  - Description: Generates a cryptographic quiz based on the arguments given. The arguments' constraints are listed below.
  - Returns: `[quiz, solution]`, where `quiz` is a string that looks like garbage but is the cryptographic quiz (the hash of the correct buffer, the incorrect buffer, and the ranges to modify when guessing), and `solution` is a string that looks like garbage but is the SOLUTION of that quiz (the correct buffer).
  - Arguments:
    - `tries` (number, default is 2^20 or 1048576): the maximum number of combinations of the buffer that might be guessed before arriving at the solution. In the cryptographic quiz this is expressed as one or more ranges whose sizes multiply up to this number.
    - `B` (number OR Buffer, default is 64): the length of the buffer, OR a chosen buffer. This does not affect `tries`, because specific ranges across the buffer are chosen, but it prevents an attacker from pre-hashing all combinations of the buffer.
    - `a1` (number, default is 0): the lowest value a byte can be. For example, if `a1` is 65 there will be no byte less than 'A' in the buffer.
    - `a2` (number, default is 256): the highest value a byte can be, plus one. For example, if `a2` is 91 there will be no byte greater than 'Z' in the buffer.
- `takeTest(input)`
  - Description: Solves a cryptographic quiz based on the string input given.
  - Returns: a string that looks like garbage but is the SOLUTION of the given cryptographic quiz (the correct buffer).
  - Arguments:
    - `input` (string): a cryptographic quiz.
- `takeTestAsync(input)`
  - Description: To avoid hanging the process that called it, this runs the `takeTest` function in a worker thread.
  - Returns: a string that looks like garbage but is the SOLUTION of the given cryptographic quiz (the correct buffer).
  - Arguments:
    - `input` (string): a cryptographic quiz.