README

This is a Laravel implementation for the server-side of Altcha, a proof-of-work captcha that does not require any third-party service.

Installation

You can install the package via composer:

composer require grantholle/laravel-altcha

Optionally, publish the config file with:

php artisan vendor:publish --tag="altcha-config"

Usage

In .env (or published config file), set the following variables:

# Required, sort of like a password
ALTCHA_HMAC_KEY=
# Optional, defaults to SHA-256. Can be SHA-384 or SHA-512
# ALTCHA_ALGORITHM="SHA-256"

Out of the box, the package registers a /altcha-challenge endpoint to use you on your frontend.

Frontend

Following the frontend integration, use the following snippet to get a challenge:

<altcha-widget challengeurl="/altcha-challenge"></altcha-widget>

Implementation will be different given your frontend, but here's an example Vue component to use:

<template>
  <altcha-widget challengeurl="/altcha-challenge" @statechange="stateChanged"></altcha-widget>
</template>

<script setup>
import 'altcha'

const emit = defineEmits(['update:modelValue'])
const stateChanged = ev => {
  if (ev.detail.state === 'verified') {
    emit('update:modelValue', ev.detail.payload)
  }
}
</script>

In an Inertja.js form, you could use this component like so:

<template>
  <form @submit.prevent="form.post('/login')">
    <label for="email">Email</label>
    <input type="email" name="email" v-model="form.email">
    
    <label for="password">Password</label>
    <input type="password" name="password" v-model="form.password">
    
    <Altcha v-model="form.token" />
    
    <button type="submit">Submit</button>
  </form>
</template>

<script setup>
import { useForm } from '@inertiajs/inertia-vue3'
// This is the component we made above
import Altcha from '@/components/forms/Altcha.vue'

const form = useForm({
  email: null,
  password: null,
  token: null,
})
</script>

Backend validation

To validate the frontend-generated token/payload, there's a ValidAltcha rule you can use, assuming the token is passed as token in the request:

use GrantHolle\Altcha\Rules\ValidAltcha;

$request->validate([
    'email' => ['required', 'email'],
    'password' => ['required'],
    'altcha' => ['required', new ValidAltcha()],
]);

Testing

composer test

Changelog

Please see CHANGELOG for more information on what has changed recently.

Contributing

Please see CONTRIBUTING for details.

Security Vulnerabilities

Please review our security policy on how to report security vulnerabilities.

Credits

• Grant Holle
• All Contributors

License

The MIT License (MIT). Please see License File for more information.