feat: CAPTCHA session ID

2025-06-16 20:21:22 +08:00 · 2025-02-19 22:24:45 -05:00
parent 51df50a72e
commit 12c7473e36
7 changed files with 82 additions and 14 deletions
--- a/config/error_page/CAPTCHA.html
+++ b/config/error_page/CAPTCHA.html
@ -65,6 +65,10 @@
              alert("Bad CAPTCHA, please refresh the page and try again.\n"
                      + "您未能通过人机验证，请刷新页面后重试。");
              break;
+            case "timeout":
+              alert("Verification timeout, please refresh the page and try again.\n"
+                      + "验证超时，请刷新页面后重试。");
+              break;
            default:
              alert("Unexpected error occurred, please refresh the page and try again.\n"
                      + "发生了意料之外的错误，请刷新页面后重试。");
@ -72,12 +76,24 @@
        }
      }
    }
+
+    function checkCaptchaRender() {
+      const captchaDiv = document.querySelector(".h-captcha");
+
+      if (captchaDiv && captchaDiv.children.length > 0) {
+      } else {
+        document.getElementById("verifyBox").innerHTML = "Loading CAPTCHA failed, please check your internet connection and try again.<br>"
+                + "加载人机验证失败，请检查尝试更换网络环境后重试。";
+      }
+    }
+    setTimeout(checkCaptchaRender, 5000); // 5秒后检查
  </script>
 </head>
 <body>
 <div class="container">
  <div class="message">Checking that you are not a robot</div>
-  <div class="verifyBox"><div class="h-captcha" data-sitekey="" data-callback="onSubmit"></div></div>
+  <div class="message">请完成人机验证</div>
+  <div class="verifyBox" id="verifyBox"><div class="h-captcha" data-sitekey="" data-callback="onSubmit"></div></div>
  <div class="footer">
    DDoS Protection Powered by <a href="https://github.com/Rayzggz/server_torii">⛩️Server Torii</a>
  </div>
--- a/config/rules/CAPTCHA.example.yml
+++ b/config/rules/CAPTCHA.example.yml
@ -1,3 +1,4 @@
 secret_key: "0378b0f84c4310279918d71a5647ba5d"
-captcha_validate_time: 60
+captcha_validate_time: 600
+captcha_challenge_timeout: 120
 hcaptcha_secret: ""
--- a/config/torii.example.yml
+++ b/config/torii.example.yml
@ -1,8 +1,8 @@
 port: "25555"
 web_path: "/torii"
-rule_path: "/www/dev/server_torii/config/rules"
-error_page: "/www/dev/server_torii/config/error_page"
-log_path: "/www/dev/server_torii/log/access.log"
+rule_path: "/www/server_torii/config/rules"
+error_page: "/www/server_torii/config/error_page"
+log_path: "/www/server_torii/log/access.log"
 node_name: "Server Torii"
 connecting_host_headers:
  - "Torii-Real-Host"
--- a/internal/check/Captcha.go
+++ b/internal/check/Captcha.go
@ -31,7 +31,7 @@ func Captcha(reqData dataType.UserRequest, ruleSet *config.RuleSet, decision *ac
 	}

 	if !verifyClearanceCookie(reqData, *ruleSet) {
-		decision.SetCode(action.Done, []byte("CAPTCHA"))
+		decision.SetResponse(action.Done, []byte("CAPTCHA"), genSessionID(reqData, *ruleSet))
 		return
 	}

@ -51,6 +51,11 @@ func CheckCaptcha(r *http.Request, reqData dataType.UserRequest, ruleSet *config
 		return
 	}

+	if !verifySessionCookie(reqData, *ruleSet) {
+		decision.SetResponse(action.Done, []byte("200"), []byte("timeout"))
+		return
+	}
+
 	data := url.Values{}
 	data.Set("secret", ruleSet.CAPTCHARule.HCaptchaSecret)
 	data.Set("response", hCaptchaResponse)
@ -84,7 +89,7 @@ func CheckCaptcha(r *http.Request, reqData dataType.UserRequest, ruleSet *config
 	}

 	if !hCaptchaResp.Success {
-		decision.SetResponse(action.Done, []byte("200"), []byte("bad4"))
+		decision.SetResponse(action.Done, []byte("200"), []byte("bad"))
 		return
 	}

@ -93,10 +98,46 @@ func CheckCaptcha(r *http.Request, reqData dataType.UserRequest, ruleSet *config

 }

+func genSessionID(reqData dataType.UserRequest, ruleSet config.RuleSet) []byte {
+	timeNow := time.Now().Unix()
+	mac := hmac.New(sha512.New, []byte(ruleSet.CAPTCHARule.SecretKey))
+	mac.Write([]byte(fmt.Sprintf("%d%s%sCAPTCHA-SESSION-ID", timeNow, reqData.Host, reqData.UserAgent)))
+	return []byte(fmt.Sprintf("%s:%s", fmt.Sprintf("%d", time.Now().Unix()), fmt.Sprintf("%x", mac.Sum(nil))))
+}
+
+func verifySessionCookie(reqData dataType.UserRequest, ruleSet config.RuleSet) bool {
+	if reqData.ToriiSessionID == "" {
+		return false
+	}
+	parts := strings.Split(reqData.ToriiSessionID, ":")
+	if len(parts) != 2 {
+		return false
+	}
+	timestamp := parts[0]
+	expectedHash := parts[1]
+
+	timeNow := time.Now().Unix()
+	parsedTimestamp, err := strconv.ParseInt(timestamp, 10, 64)
+	if err != nil {
+		log.Printf("Error parsing timestamp: %v", err)
+		return false
+	}
+
+	if timeNow-parsedTimestamp > ruleSet.CAPTCHARule.CaptchaChallengeTimeout {
+		return false
+	}
+
+	mac := hmac.New(sha512.New, []byte(ruleSet.CAPTCHARule.SecretKey))
+	mac.Write([]byte(fmt.Sprintf("%d%s%sCAPTCHA-SESSION-ID", parsedTimestamp, reqData.Host, reqData.UserAgent)))
+	computedHash := fmt.Sprintf("%x", mac.Sum(nil))
+
+	return hmac.Equal([]byte(computedHash), []byte(expectedHash))
+}
+
 func GenClearance(reqData dataType.UserRequest, ruleSet config.RuleSet) []byte {
 	timeNow := time.Now().Unix()
 	mac := hmac.New(sha512.New, []byte(ruleSet.CAPTCHARule.SecretKey))
-	mac.Write([]byte(fmt.Sprintf("%d%s%s", timeNow, reqData.Host, reqData.UserAgent)))
+	mac.Write([]byte(fmt.Sprintf("%d%s%sCAPTCHA-CLEARANCE", timeNow, reqData.Host, reqData.UserAgent)))
 	return []byte(fmt.Sprintf("%s:%s", fmt.Sprintf("%d", time.Now().Unix()), fmt.Sprintf("%x", mac.Sum(nil))))
 }

@ -123,7 +164,7 @@ func verifyClearanceCookie(reqData dataType.UserRequest, ruleSet config.RuleSet)
 	}

 	mac := hmac.New(sha512.New, []byte(ruleSet.CAPTCHARule.SecretKey))
-	mac.Write([]byte(fmt.Sprintf("%d%s%s", parsedTimestamp, reqData.Host, reqData.UserAgent)))
+	mac.Write([]byte(fmt.Sprintf("%d%s%sCAPTCHA-CLEARANCE", parsedTimestamp, reqData.Host, reqData.UserAgent)))
 	computedHash := fmt.Sprintf("%x", mac.Sum(nil))

 	return hmac.Equal([]byte(computedHash), []byte(expectedHash))
--- a/internal/dataType/type.go
+++ b/internal/dataType/type.go
@ -13,5 +13,6 @@ type UserRequest struct {
 type CaptchaRule struct {
 	SecretKey               string `yaml:"secret_key"`
 	CaptchaValidateTime     int64  `yaml:"captcha_validate_time"`
+	CaptchaChallengeTimeout int64  `yaml:"captcha_challenge_timeout"`
 	HCaptchaSecret          string `yaml:"hcaptcha_secret"`
 }
--- a/internal/server/checker.go
+++ b/internal/server/checker.go
@ -70,8 +70,9 @@ func CheckMain(w http.ResponseWriter, userRequestData dataType.UserRequest, rule
 			http.Error(w, "500 - Internal Server Error", http.StatusInternalServerError)
 			return
 		}
-		w.WriteHeader(http.StatusServiceUnavailable)
+		w.Header().Set("Set-Cookie", "__torii_session_id="+string(decision.ResponseData)+"; Path=/; Max-Age=86400; Priority=High; HttpOnly;")
 		w.Header().Set("Content-Type", "text/html; charset=utf-8")
+		w.WriteHeader(http.StatusServiceUnavailable)
 		if err = tpl.Execute(w, nil); err != nil {
 			log.Printf("Error template: %v", err)
 			http.Error(w, "500 - Internal Server Error", http.StatusInternalServerError)
--- a/internal/server/torii.go
+++ b/internal/server/torii.go
@ -29,13 +29,21 @@ func CheckTorii(w http.ResponseWriter, r *http.Request, reqData dataType.UserReq
 			}
 			return
 		} else if bytes.Compare(decision.ResponseData, []byte("good")) == 0 {
-			w.Header().Set("Set-Cookie", "__torii_clearance="+string(check.GenClearance(reqData, *ruleSet))+"; Path=/; HttpOnly")
+			w.Header().Set("Set-Cookie", "__torii_clearance="+string(check.GenClearance(reqData, *ruleSet))+"; Path=/; Max-Age=86400; Priority=High; HttpOnly;")
 			w.WriteHeader(http.StatusOK)
 			_, err := w.Write(decision.ResponseData)
 			if err != nil {
 				log.Printf("Error writing response: %v", err)
 				return
 			}
+		} else if bytes.Compare(decision.ResponseData, []byte("timeout")) == 0 {
+			w.WriteHeader(http.StatusOK)
+			_, err := w.Write([]byte("timeout"))
+			if err != nil {
+				log.Printf("Error writing response: %v", err)
+				return
+			}
+			return
 		} else {
 			//should not be here
 			w.WriteHeader(http.StatusInternalServerError)