added max-verifies-per-payload configuration property

Author: tobiasholler

captchaservice-backend/src/main/java/de/muenchen/captchaservice/configuration/captcha/CaptchaSite.java

@@ -1,13 +1,15 @@
 package de.muenchen.captchaservice.configuration.captcha;
 
+import jakarta.validation.constraints.Min;
 import jakarta.validation.constraints.NotNull;
 
 import java.util.List;
 
-public record CaptchaSite(String siteKey, String secret, @NotNull List<DifficultyItem> difficultyMap) {
-    public CaptchaSite(final String siteKey, final String secret, final List<DifficultyItem> difficultyMap) {
+public record CaptchaSite(String siteKey, String secret, @Min(1) Integer maxVerifiesPerPayload, @NotNull List<DifficultyItem> difficultyMap) {
+    public CaptchaSite(final String siteKey, final String secret, final Integer maxVerifiesPerPayload, final List<DifficultyItem> difficultyMap) {
         this.siteKey = siteKey;
         this.secret = secret;
+        this.maxVerifiesPerPayload = maxVerifiesPerPayload != null ? maxVerifiesPerPayload : 1;
         this.difficultyMap = List.copyOf(difficultyMap);
     }
 }

captchaservice-backend/src/main/java/de/muenchen/captchaservice/controller/captcha/CaptchaController.java

@@ -40,7 +40,7 @@ public PostVerifyResponse postVerify(@Valid @RequestBody final PostVerifyRequest
             throw new UnauthorizedException("Wrong credentials.");
         }
 
-        final boolean isValid = captchaService.verify(request.getPayload());
+        final boolean isValid = captchaService.verify(request.getSiteKey(), request.getPayload());
         return new PostVerifyResponse(isValid);
     }
 }

captchaservice-backend/src/main/java/de/muenchen/captchaservice/service/captcha/CaptchaService.java

@@ -4,13 +4,15 @@
 import com.hazelcast.map.IMap;
 import de.muenchen.captchaservice.common.HazelcastConstants;
 import de.muenchen.captchaservice.configuration.captcha.CaptchaProperties;
+import de.muenchen.captchaservice.configuration.captcha.CaptchaSite;
 import de.muenchen.captchaservice.data.SourceAddress;
 import de.muenchen.captchaservice.service.difficulty.DifficultyService;
 import lombok.extern.slf4j.Slf4j;
 import org.altcha.altcha.Altcha;
 import org.apache.commons.codec.digest.DigestUtils;
 import org.springframework.stereotype.Service;
 
+import java.util.UUID;
 import java.util.concurrent.TimeUnit;
 
 @Service
@@ -43,8 +45,8 @@ public Altcha.Challenge createChallenge(final String siteKey, final SourceAddres
         return null;
     }
 
-    public boolean verify(final Altcha.Payload payload) {
-        if (isPayloadInvalidated(payload)) {
+    public boolean verify(final String siteKey, final Altcha.Payload payload) {
+        if (isPayloadInvalidated(siteKey, payload)) {
             return false;
         }
         try {
@@ -61,12 +63,16 @@ public boolean verify(final Altcha.Payload payload) {
 
     public void invalidatePayload(final Altcha.Payload payload) {
         final String payloadHash = getPayloadHash(payload);
-        invalidatedPayloads.set(payloadHash, "", captchaProperties.captchaTimeoutSeconds(), TimeUnit.SECONDS);
+        invalidatedPayloads.set(String.format("%s_%s_%s", payloadHash, System.currentTimeMillis(), UUID.randomUUID()), "",
+                captchaProperties.captchaTimeoutSeconds(), TimeUnit.SECONDS);
         log.debug("Invalidated payloadHash: {}", payloadHash);
     }
 
-    public boolean isPayloadInvalidated(final Altcha.Payload payload) {
-        return invalidatedPayloads.containsKey(getPayloadHash(payload));
+    public boolean isPayloadInvalidated(final String siteKey, final Altcha.Payload payload) {
+        CaptchaSite site = captchaProperties.sites().get(siteKey);
+        String payloadHash = getPayloadHash(payload);
+        final long payloadHashCount = invalidatedPayloads.keySet().stream().filter(s -> s.startsWith(String.format("%s_", payloadHash))).count();
+        return payloadHashCount >= site.maxVerifiesPerPayload();
     }
 
     private static String getPayloadHash(final Altcha.Payload payload) {