Merge pull request #243 from qgustavor/next

Release - v1.3.7

Author: qgustavor

lib/api.mjs

@@ -2,6 +2,7 @@ import { EventEmitter } from 'events'
 import { Agent as HttpAgent } from 'http'
 import { Agent as HttpsAgent } from 'https'
 import { createPromise } from './util.mjs'
+import { generateHashcashToken } from './crypto/index.mjs'
 
 const MAX_RETRIES = 4
 const ERRORS = {
@@ -89,7 +90,16 @@ class API extends EventEmitter {
     if (this.closed && !isLogout) throw Error('API is closed')
     const [cb, promise] = createPromise(originalCb)
 
-    const qs = { id: (this.counterId++).toString() }
+    // Don't increment counterId when re-requesting with a hashcash
+    // Thanks @angelvega93
+    if (typeof json._hashcash !== 'string') {
+      this.counterId++
+    }
+
+    const qs = {
+      id: this.counterId.toString()
+    }
+
     if (this.sid) {
       qs.sid = this.sid
     }
@@ -99,11 +109,25 @@ class API extends EventEmitter {
       delete json._querystring
     }
 
+    const headers = { 'Content-Type': 'application/json' }
+    if (typeof json._hashcash === 'string') {
+      headers['X-Hashcash'] = json._hashcash
+      delete json._hashcash
+    }
+
     this.fetch(`${this.gateway}cs?${new URLSearchParams(qs)}`, {
       method: 'POST',
-      headers: { 'Content-Type': 'application/json' },
+      headers,
       body: JSON.stringify([json])
-    }).then(handleApiResponse).then(resp => {
+    }).then(async resp => {
+      const hashcashChallenge = resp.headers.get('X-Hashcash')
+      if (hashcashChallenge) {
+        json._hashcash = await generateHashcashToken(hashcashChallenge)
+        // Simulate an EAGAIN response
+        return -3
+      }
+      return handleApiResponse(resp)
+    }).then(resp => {
       if (this.closed && !isLogout) return
       if (!resp) return cb(Error('Empty response'))
 
@@ -203,15 +227,13 @@ class API extends EventEmitter {
   }
 
   static getShouldAvoidUA () {
-    // Checks defined using
-    // - https://codepen.io/qgustavor/pen/JjqqBPp
-    // - https://www.browserstack.com/screenshots/149d6d45a4a10de06e05f743190a4c12a9faa6ef
-
     // It's not possible to detect when a browser fails CORS requests by defining an user-agent
     // using feature detection, so the alternatives were using user-agent detection
     // (which is not ideal because might not catch Firefox forks) or hacks.
 
-    // This library uses hacks:
+    // This library uses hacks.
+    // Those were found using BrowserStack and the following tests: https://codepen.io/qgustavor/pen/JjqqBPp
+
     let headersErr
     try {
       globalThis.Headers()

lib/crypto/index.mjs

@@ -167,3 +167,33 @@ function constantTimeCompare (bufferA, bufferB) {
 }
 
 export { constantTimeCompare }
+
+export async function generateHashcashToken (challenge) {
+  const [versionStr, easinessStr,, tokenStr] = challenge.split(':')
+  const version = Number(versionStr)
+  if (version !== 1) throw Error('hashcash challenge is not version 1')
+
+  const easiness = Number(easinessStr)
+  const base = ((easiness & 63) << 1) + 1
+  const shifts = (easiness >> 6) * 7 + 3
+  const threshold = base << shifts
+  const token = d64(tokenStr)
+
+  const buffer = Buffer.alloc(4 + 262144 * 48)
+  for (let i = 0; i < 262144; i++) {
+    buffer.set(token, 4 + i * 48)
+  }
+
+  while (true) {
+    const view = new DataView(await globalThis.crypto.subtle.digest('SHA-256', buffer))
+    if (view.getUint32(0) <= threshold) {
+      return `1:${tokenStr}:${e64(buffer.slice(0, 4))}`
+    }
+
+    let j = 0
+    while (true) {
+      buffer[j]++
+      if (buffer[j++]) break
+    }
+  }
+}