Use base payload for challenge verification

Fabinatix97 · Fabinatix97 · commit d44b3ae47583 · 2025-09-13T11:30:55.000+02:00
diff --git a/captchaservice-backend/src/main/java/de/muenchen/captchaservice/controller/captcha/request/PostVerifyRequest.java b/captchaservice-backend/src/main/java/de/muenchen/captchaservice/controller/captcha/request/PostVerifyRequest.java
@@ -1,14 +1,13 @@
 package de.muenchen.captchaservice.controller.captcha.request;
 
+import de.muenchen.captchaservice.data.ExtendedPayload;
 import de.muenchen.captchaservice.validation.ValidSourceAddress;
 import jakarta.validation.constraints.NotBlank;
 import jakarta.validation.constraints.NotNull;
 import lombok.AllArgsConstructor;
 import lombok.Data;
 import lombok.NoArgsConstructor;
 
-import de.muenchen.captchaservice.data.ExtendedPayload;
-
 @Data
 @NoArgsConstructor
 @AllArgsConstructor
diff --git a/captchaservice-backend/src/main/java/de/muenchen/captchaservice/data/ExtendedPayload.java b/captchaservice-backend/src/main/java/de/muenchen/captchaservice/data/ExtendedPayload.java
@@ -14,4 +14,14 @@ public class ExtendedPayload extends Altcha.Payload {
      */
     private Long took;
 
+    public Altcha.Payload toBasePayload() {
+        Altcha.Payload base = new Altcha.Payload();
+        base.algorithm = this.algorithm;
+        base.challenge = this.challenge;
+        base.number = this.number;
+        base.salt = this.salt;
+        base.signature = this.signature;
+        return base;
+    }
+
 }
diff --git a/captchaservice-backend/src/main/java/de/muenchen/captchaservice/service/captcha/CaptchaService.java b/captchaservice-backend/src/main/java/de/muenchen/captchaservice/service/captcha/CaptchaService.java
@@ -57,7 +57,8 @@ public boolean verify(final String siteKey, final ExtendedPayload payload, final
             return false;
         }
         try {
-            final boolean isValid = Altcha.verifySolution(payload, captchaProperties.hmacKey(), false);
+            Altcha.Payload base = payload.toBasePayload();
+            final boolean isValid = Altcha.verifySolution(base, captchaProperties.hmacKey(), true);
             log.info("Altcha.verifySolution() returned {} for payloadHash={}", isValid, getPayloadHash(payload));
             if (isValid) {
                 log.info("Sucessfully verified. Recording success for metrics...");
diff --git a/captchaservice-backend/src/test/java/de/muenchen/captchaservice/controller/captcha/CaptchaControllerTest.java b/captchaservice-backend/src/test/java/de/muenchen/captchaservice/controller/captcha/CaptchaControllerTest.java
@@ -183,7 +183,7 @@ void postVerify_success() {
         final String requestBody = objectMapper.writeValueAsString(request);
         try (MockedStatic<Altcha> mock = Mockito.mockStatic(Altcha.class)) {
             mock
-                    .when(() -> Altcha.verifySolution(ArgumentMatchers.<Altcha.Payload>argThat(p -> p.algorithm.isEmpty()), eq(TEST_HMAC_KEY), eq(false)))
+                    .when(() -> Altcha.verifySolution(ArgumentMatchers.<Altcha.Payload>argThat(p -> p.algorithm.isEmpty()), eq(TEST_HMAC_KEY), eq(true)))
                     .thenReturn(true);
             // --
             mockMvc.perform(
@@ -194,7 +194,7 @@ void postVerify_success() {
                     .andExpect(content().contentType(MediaType.APPLICATION_JSON))
                     .andExpect(jsonPath("$.valid", is(true)));
             // --
-            mock.verify(() -> Altcha.verifySolution(ArgumentMatchers.<Altcha.Payload>argThat(p -> p.algorithm.isEmpty()), eq(TEST_HMAC_KEY), eq(false)));
+            mock.verify(() -> Altcha.verifySolution(ArgumentMatchers.<Altcha.Payload>argThat(p -> p.algorithm.isEmpty()), eq(TEST_HMAC_KEY), eq(true)));
         } catch (Exception e) {
             fail(e.getMessage());
         }
@@ -222,7 +222,7 @@ void postVerify_expired() {
         try (MockedStatic<Altcha> mock = Mockito.mockStatic(Altcha.class)) {
             // Successful request
             mock
-                    .when(() -> Altcha.verifySolution(ArgumentMatchers.<Altcha.Payload>argThat(p -> p.algorithm.isEmpty()), eq(TEST_HMAC_KEY), eq(false)))
+                    .when(() -> Altcha.verifySolution(ArgumentMatchers.<Altcha.Payload>argThat(p -> p.algorithm.isEmpty()), eq(TEST_HMAC_KEY), eq(true)))
                     .thenReturn(true);
             mockMvc.perform(
                     post("/api/v1/captcha/verify")
@@ -231,11 +231,11 @@ void postVerify_expired() {
                     .andExpect(status().isOk())
                     .andExpect(content().contentType(MediaType.APPLICATION_JSON))
                     .andExpect(jsonPath("$.valid", is(true)));
-            mock.verify(() -> Altcha.verifySolution(ArgumentMatchers.<Altcha.Payload>argThat(p -> p.algorithm.isEmpty()), eq(TEST_HMAC_KEY), eq(false)));
+            mock.verify(() -> Altcha.verifySolution(ArgumentMatchers.<Altcha.Payload>argThat(p -> p.algorithm.isEmpty()), eq(TEST_HMAC_KEY), eq(true)));
 
             // Expired request
             mock
-                    .when(() -> Altcha.verifySolution(ArgumentMatchers.<Altcha.Payload>argThat(p -> p.algorithm.isEmpty()), eq(TEST_HMAC_KEY), eq(false)))
+                    .when(() -> Altcha.verifySolution(ArgumentMatchers.<Altcha.Payload>argThat(p -> p.algorithm.isEmpty()), eq(TEST_HMAC_KEY), eq(true)))
                     .thenReturn(true);
             mockMvc.perform(
                     post("/api/v1/captcha/verify")
@@ -244,7 +244,7 @@ void postVerify_expired() {
                     .andExpect(status().isOk())
                     .andExpect(content().contentType(MediaType.APPLICATION_JSON))
                     .andExpect(jsonPath("$.valid", is(false)));
-            mock.verify(() -> Altcha.verifySolution(ArgumentMatchers.<Altcha.Payload>argThat(p -> p.algorithm.isEmpty()), eq(TEST_HMAC_KEY), eq(false)));
+            mock.verify(() -> Altcha.verifySolution(ArgumentMatchers.<Altcha.Payload>argThat(p -> p.algorithm.isEmpty()), eq(TEST_HMAC_KEY), eq(true)));
         } catch (Exception e) {
             fail(e.getMessage());
         }
@@ -286,7 +286,7 @@ void testVerifyMetricsIncrement() {
             mock.when(() -> Altcha.verifySolution(
                     ArgumentMatchers.<Altcha.Payload>argThat(p -> p.algorithm.isEmpty()),
                     eq(TEST_HMAC_KEY),
-                    eq(false)))
+                    eq(true)))
                     .thenReturn(true);
 
             for (int i = 1; i <= calls; i++) {
@@ -328,7 +328,7 @@ void testInvalidatedPayloadsGauge() {
             mock.when(() -> Altcha.verifySolution(
                     ArgumentMatchers.<Altcha.Payload>argThat(p -> p.algorithm.isEmpty()),
                     eq(TEST_HMAC_KEY),
-                    eq(false)))
+                    eq(true)))
                     .thenReturn(true);
 
             mockMvc.perform(post("/api/v1/captcha/verify")
