feat: refactor captcha to stateless JWT-based design (#146)

* feat: refactor captcha to stateless JWT-based design

Replaces session-based captcha with stateless JWT tokens.

Changes:
- Stateless JWT cookies with HMAC-SHA256 signing
- Removed internal/session package (no server-side storage)
- Removed internal/cookie package (consolidated into captcha)
- Added 20 comprehensive JWT tests (signing, expiration, tampering)
- Fixed RFC-compliant Content-Type matching (case-insensitive + charset)

Breaking changes:
- signing_key now required (min 32 bytes)
- Cookie format changed from custom to JWT

Stats: +961 / -1,072 lines (net -111)

* fix: resolve golangci-lint issues

- Use assert.Len/require.Len for length checks (testifylint)
- Use require.Error for critical error assertions (testifylint)
- Remove unused removeHost/patchHost methods

All tests pass. 0 linting issues.

* fix: address Copilot review feedback

High Priority:
- Fix nil pointer dereference after cookie generation failure
  Update token status even if cookie generation fails to prevent
  users from being stuck after successful captcha validation

Medium Priority:
- Add error logging for UUID generation failures
- Remove redundant nil check (tok guaranteed non-nil at this point)

Code Quality:
- Fix misleading comment (JWT tokens, not base64-encoded)
- Skip unnecessary encoding for empty cookie values
- Simplify duplicate error message

All tests pass. 0 linting issues.

* fix: work on @blotus comments

* fix: refactoring

* refactor: happy path spoa captcha

* fix: linter

* Refactor captcha: split JWT and cookie logic into separate packages

- Move JWT token handling from internal/remediation/captcha to internal/captcha/jwt
- Extract cookie generation to internal/captcha/cookie
- Move captcha package from internal/remediation/captcha to pkg/captcha
- Rename CaptchaToken to Token, SignCaptchaToken to Sign, etc.
- Update imports in pkg/host and pkg/spoa to use new package structure

Author: LaurenceJJones

cmd/root.go

@@ -20,7 +20,6 @@ import (
 	"golang.org/x/sync/errgroup"
 
 	"github.com/crowdsecurity/crowdsec-spoa/internal/appsec"
-	"github.com/crowdsecurity/crowdsec-spoa/internal/session"
 	"github.com/crowdsecurity/crowdsec-spoa/pkg/cfg"
 	"github.com/crowdsecurity/crowdsec-spoa/pkg/dataset"
 	"github.com/crowdsecurity/crowdsec-spoa/pkg/host"
@@ -246,15 +245,6 @@ func Execute() error {
 		}
 	}
 
-	// Create and initialize global session manager (single GC goroutine for all hosts)
-	globalSessions := &session.Sessions{
-		SessionIdleTimeout:    "1h", // Default values
-		SessionMaxTime:        "12h",
-		SessionGarbageSeconds: 60,
-	}
-	sessionLogger := log.WithField("component", "global_sessions")
-	globalSessions.Init(sessionLogger, ctx)
-
 	// Add hosts from config
 	for _, h := range config.Hosts {
 		HostManager.AddHost(h)
@@ -271,14 +261,13 @@ func Execute() error {
 
 	// Create single SPOA directly with minimal configuration
 	spoaConfig := &spoa.SpoaConfig{
-		TcpAddr:        config.ListenTCP,
-		UnixAddr:       config.ListenUnix,
-		Dataset:        dataSet,
-		HostManager:    HostManager,
-		GeoDatabase:    &config.Geo,
-		GlobalSessions: globalSessions,
-		GlobalAppSec:   globalAppSec,
-		Logger:         spoaLogger,
+		TcpAddr:      config.ListenTCP,
+		UnixAddr:     config.ListenUnix,
+		Dataset:      dataSet,
+		HostManager:  HostManager,
+		GeoDatabase:  &config.Geo,
+		GlobalAppSec: globalAppSec,
+		Logger:       spoaLogger,
 	}
 
 	singleSpoa, err := spoa.New(spoaConfig)

config/haproxy-upstreamproxy.cfg

@@ -67,8 +67,8 @@ frontend test
     ## Set a custom header on the request for upstream services to use
     http-request set-header X-Crowdsec-IsoCode %[var(txn.crowdsec.isocode)] if { var(txn.crowdsec.isocode) -m found }
 
-    ## Handle 302 redirect for successful captcha validation (native HAProxy redirect)
-    http-request redirect code 302 location %[var(txn.crowdsec.redirect)] if { var(txn.crowdsec.remediation) -m str "allow" } { var(txn.crowdsec.redirect) -m found }
+    ## Handle 302 redirect for successful captcha validation (redirect to current request URL)
+    http-request redirect code 302 location %[url] if { var(txn.crowdsec.remediation) -m str "allow" } { var(txn.crowdsec.redirect) -m found }
 
     ## Call lua script only for ban and captcha remediations (performance optimization)
     http-request lua.crowdsec_handle if { var(txn.crowdsec.remediation) -m str "captcha" }

config/haproxy.cfg

@@ -51,8 +51,8 @@ frontend test
     ## Set a custom header on the request for upstream services to use
     http-request set-header X-Crowdsec-IsoCode %[var(txn.crowdsec.isocode)] if { var(txn.crowdsec.isocode) -m found }
 
-    ## Handle 302 redirect for successful captcha validation (native HAProxy redirect)
-    http-request redirect code 302 location %[var(txn.crowdsec.redirect)] if { var(txn.crowdsec.remediation) -m str "allow" } { var(txn.crowdsec.redirect) -m found }
+    ## Handle 302 redirect for successful captcha validation (redirect to current request URL)
+    http-request redirect code 302 location %[url] if { var(txn.crowdsec.remediation) -m str "allow" } { var(txn.crowdsec.redirect) -m found }
 
     ## Call lua script only for ban and captcha remediations (performance optimization)
     http-request lua.crowdsec_handle if { var(txn.crowdsec.remediation) -m str "captcha" }

go.mod

@@ -8,6 +8,7 @@ require (
 	github.com/crowdsecurity/go-cs-lib v0.0.23
 	github.com/dropmorepackets/haproxy-go v0.0.7
 	github.com/gaissmai/bart v0.25.0
+	github.com/golang-jwt/jwt/v5 v5.3.0
 	github.com/google/uuid v1.6.0
 	github.com/oschwald/geoip2-golang/v2 v2.0.0
 	github.com/prometheus/client_golang v1.23.2

go.sum

@@ -53,6 +53,8 @@ github.com/goccy/go-yaml v1.18.0/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7Lk
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/golang-jwt/jwt/v4 v4.5.2 h1:YtQM7lnr8iZ+j5q71MGKkNw9Mn7AjHM68uc9g5fXeUI=
 github.com/golang-jwt/jwt/v4 v4.5.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
+github.com/golang-jwt/jwt/v5 v5.3.0 h1:pv4AsKCKKZuqlgs5sUmn4x8UlGa0kEVt/puTpKx9vvo=
+github.com/golang-jwt/jwt/v5 v5.3.0/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
 github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=

internal/captcha/cookie/cookie.go

@@ -0,0 +1,82 @@
+package cookie
+
+import (
+	"fmt"
+	"net/http"
+
+	"github.com/crowdsecurity/go-cs-lib/ptr"
+	log "github.com/sirupsen/logrus"
+)
+
+// Generator handles cookie configuration and generation for captcha
+// Note: This struct handles HTTP cookie attributes only (Secure, HttpOnly, etc.)
+// JWT signing is handled at the Captcha level using signing_key
+type Generator struct {
+	Secure   string     `yaml:"secure"`    // Secure sets the secure flag on the cookie, valid arguments are "auto", "always", "never". "auto" relies on the `ssl_fc` flag from HAProxy
+	HTTPOnly *bool      `yaml:"http_only"` // HttpOnly sets the HttpOnly flag on the cookie
+	Name     string     `yaml:"-"`         // Name of the cookie, usually set by the remediation. EG "crowdsec_captcha"
+	logger   *log.Entry `yaml:"-"`         // logger passed from the remediation
+}
+
+func (g *Generator) Init(logger *log.Entry, name string) {
+	g.logger = logger.WithField("type", "cookie")
+	g.Name = name
+	g.SetDefaults()
+}
+
+func (g *Generator) SetDefaults() {
+	if g.Secure == "" {
+		g.Secure = "auto"
+	}
+	if g.HTTPOnly == nil {
+		g.HTTPOnly = ptr.Of(true)
+	}
+}
+
+// resolveSecure determines the secure flag value based on configuration and SSL state
+func (g *Generator) resolveSecure(ssl *bool) bool {
+	switch g.Secure {
+	case "always":
+		return true
+	case "auto":
+		if ssl != nil {
+			return *ssl
+		}
+		return false
+	default: // "never" or any other value
+		return false
+	}
+}
+
+// GenerateUnset creates a cookie deletion header
+func (g *Generator) GenerateUnset(ssl *bool) *http.Cookie {
+	return &http.Cookie{
+		Name:     g.Name,
+		Value:    "",
+		MaxAge:   -1,
+		HttpOnly: *g.HTTPOnly,
+		Secure:   g.resolveSecure(ssl),
+		SameSite: http.SameSiteStrictMode,
+		Path:     "/",
+	}
+}
+
+// Generate generates an HTTP cookie with the provided signed token value
+// This is called by Captcha.GenerateCookie() which handles the JWT signing
+func (g *Generator) Generate(signedToken string, ssl *bool) (*http.Cookie, error) {
+	cookie := &http.Cookie{
+		Name:     g.Name,
+		Value:    signedToken,
+		MaxAge:   0, // Session cookie
+		HttpOnly: *g.HTTPOnly,
+		Secure:   g.resolveSecure(ssl),
+		SameSite: http.SameSiteStrictMode,
+		Path:     "/",
+	}
+
+	if len(cookie.String()) > 4096 {
+		return nil, fmt.Errorf("cookie value too long")
+	}
+
+	return cookie, nil
+}

internal/captcha/jwt/jwt.go

@@ -0,0 +1,127 @@
+package jwt
+
+import (
+	"fmt"
+	"time"
+
+	jwtlib "github.com/golang-jwt/jwt/v5"
+)
+
+const (
+	// Status constants for captcha tokens
+	Pending = "pending"
+	Valid   = "valid"
+
+	// DefaultPendingTTL is the default TTL for pending captcha tokens (30 minutes)
+	DefaultPendingTTL = 30 * time.Minute
+	// DefaultPassedTTL is the default TTL for passed captcha tokens (24 hours)
+	DefaultPassedTTL = 24 * time.Hour
+)
+
+// Token represents the payload stored in a signed captcha cookie
+type Token struct {
+	UUID string `json:"uuid"` // UUID for traceability and debugging
+	St   string `json:"st"`   // status: "pending", "passed", "failed", etc.
+	Iat  int64  `json:"iat"`  // issued at (unix seconds)
+	Exp  int64  `json:"exp"`  // expires at (unix seconds)
+}
+
+// Sign signs a Token using JWT (JWS) and returns a signed JWT string
+// Uses HMAC-SHA256 for signing. The token can be encrypted (JWE) in the future if needed.
+func Sign(tok Token, secret []byte) (string, error) {
+	// Create JWT claims from Token
+	claims := jwtlib.MapClaims{
+		"uuid": tok.UUID,
+		"st":   tok.St,
+		"iat":  tok.Iat,
+		"exp":  tok.Exp,
+	}
+
+	// Create token with HMAC-SHA256 signing method
+	token := jwtlib.NewWithClaims(jwtlib.SigningMethodHS256, claims)
+
+	// Sign and get the complete encoded token as a string
+	tokenString, err := token.SignedString(secret)
+	if err != nil {
+		return "", fmt.Errorf("failed to sign token: %w", err)
+	}
+
+	return tokenString, nil
+}
+
+// ParseAndVerify parses and verifies a JWT token string
+// Returns the token if valid, or an error if invalid, expired, or tampered with
+// JWT library automatically handles expiration checking via the "exp" claim
+func ParseAndVerify(raw string, secret []byte) (*Token, error) {
+	if raw == "" {
+		return nil, fmt.Errorf("empty token")
+	}
+
+	// Parse and verify the JWT token
+	token, err := jwtlib.Parse(raw, func(token *jwtlib.Token) (any, error) {
+		// Validate signing method
+		if _, ok := token.Method.(*jwtlib.SigningMethodHMAC); !ok {
+			return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
+		}
+		return secret, nil
+	})
+
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse/verify token: %w", err)
+	}
+
+	// Verify token is valid (signature, expiration, etc.)
+	if !token.Valid {
+		return nil, fmt.Errorf("invalid token")
+	}
+
+	// Extract claims
+	claims, ok := token.Claims.(jwtlib.MapClaims)
+	if !ok {
+		return nil, fmt.Errorf("invalid token claims")
+	}
+
+	// Convert JWT claims back to Token
+	tok := &Token{
+		UUID: getStringClaim(claims, "uuid"),
+		St:   getStringClaim(claims, "st"),
+		Iat:  getInt64Claim(claims, "iat"),
+		Exp:  getInt64Claim(claims, "exp"),
+	}
+
+	return tok, nil
+}
+
+// Helper functions to safely extract claims from JWT
+func getStringClaim(claims jwtlib.MapClaims, key string) string {
+	if val, ok := claims[key]; ok {
+		if str, ok := val.(string); ok {
+			return str
+		}
+	}
+	return ""
+}
+
+func getInt64Claim(claims jwtlib.MapClaims, key string) int64 {
+	if val, ok := claims[key]; ok {
+		switch v := val.(type) {
+		case int64:
+			return v
+		case float64:
+			return int64(v)
+		case int:
+			return int64(v)
+		}
+	}
+	return 0
+}
+
+// IsPassed checks if the token indicates the captcha was passed (not expired and status is valid)
+func (t *Token) IsPassed() bool {
+	return time.Now().Unix() <= t.Exp && t.St == Valid
+}
+
+// IsPending checks if the token indicates the captcha is pending (not expired and status is pending)
+func (t *Token) IsPending() bool {
+	return time.Now().Unix() <= t.Exp && t.St == Pending
+}