vufind-org · crhallberg · Jul 21, 2025 · Jul 22, 2025 · Jul 22, 2025 · Jul 22, 2025
diff --git a/module/VuFind/src/VuFind/Captcha/PluginManager.php b/module/VuFind/src/VuFind/Captcha/PluginManager.php
@@ -52,6 +52,7 @@ class PluginManager extends \VuFind\ServiceManager\AbstractPluginManager
         'dumb' => Dumb::class,
         'image' => Image::class,
         'interval' => Interval::class,
+        'pow' => PoW::class,
         'recaptcha' => ReCaptcha::class,
     ];
 
@@ -65,6 +66,7 @@ class PluginManager extends \VuFind\ServiceManager\AbstractPluginManager
         Dumb::class => DumbFactory::class,
         Image::class => ImageFactory::class,
         Interval::class => IntervalFactory::class,
+        PoW::class => PoWFactory::class,
         ReCaptcha::class => ReCaptchaFactory::class,
     ];
 

diff --git a/module/VuFind/src/VuFind/Captcha/PoW.php b/module/VuFind/src/VuFind/Captcha/PoW.php
@@ -0,0 +1,103 @@
+<?php
+
+/**
+ * ReCaptcha CAPTCHA.
+ *
+ * PHP version 8
+ *
+ * Copyright (C) Villanova University 2020.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2,
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+ *
+ * @category VuFind
+ * @package  CAPTCHA
+ * @author   Mario Trojan <mario.trojan@uni-tuebingen.de>
+ * @license  http://opensource.org/licenses/gpl-2.0.php GNU General Public License
+ * @link     https://vufind.org Main Page
+ */
+
+namespace VuFind\Captcha;
+
+use Laminas\Mvc\Controller\Plugin\Params;
+
+/**
+ * ReCaptcha CAPTCHA.
+ *
+ * @category VuFind
+ * @package  CAPTCHA
+ * @author   Mario Trojan <mario.trojan@uni-tuebingen.de>
+ * @license  http://opensource.org/licenses/gpl-2.0.php GNU General Public License
+ * @link     https://vufind.org/wiki/development Wiki
+ */
+class PoW extends AbstractBase
+{
+    /**
+     * Constructor
+     *
+     * @param string $hashAlgo hash algorithm (default sha256)
+     * @param int $difficulty number of zeroes needed for proof (default 5)
+     */
+    public function __construct(
+        string $hashAlgo,
+        int $difficulty,
+    ) {
+        $this->hashAlgo = $hashAlgo;
+        $this->difficulty = $difficulty;
+    }
+
+    /**
+     * Get list of URLs with JS dependencies to load for the active CAPTCHA type.
+     *
+     * @return array
+     */
+    public function getJsIncludes(): array
+    {
+        return ['captcha-pow.js'];
+    }
+
+    /**
+     * Pull the captcha field from controller params and check them for accuracy
+     *
+     * @param Params $params Controller params
+     *
+     * @return bool
+     */
+    public function verify(Params $params): bool
+    {
+        error_log($params->fromPost('pow-captcha-challenge'));
+        error_log($params->fromPost('pow-captcha-nonce'));
+
+        // @TODO: compare to Session challenge
+
+        return false;
+    }
+
+    public function getChallenge() {
+        // @TODO: random challenge
+        // @TODO: story in session for verify
+        return $this->challenge ?? "WOW VERY CHALLENGE MUCH FIND";
+    }
+
+    public function getDifficulty() {
+        return $this->difficulty;
+    }
+
+    public function getHashAlgo() {
+        return $this->hashAlgo;
+    }
+
+    public function getStart() {
+        return random_int(0, 1000);
+    }
+}
diff --git a/module/VuFind/src/VuFind/Captcha/PoWFactory.php b/module/VuFind/src/VuFind/Captcha/PoWFactory.php
@@ -0,0 +1,87 @@
+<?php
+
+/**
+ * Factory for Image CAPTCHA module.
+ *
+ * PHP version 8
+ *
+ * Copyright (C) Villanova University 2020.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2,
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+ *
+ * @category VuFind
+ * @package  CAPTCHA
+ * @author   Mario Trojan <mario.trojan@uni-tuebingen.de>
+ * @license  http://opensource.org/licenses/gpl-2.0.php GNU General Public License
+ * @link     https://vufind.org/wiki/development Wiki
+ */
+
+namespace VuFind\Captcha;
+
+use Laminas\ServiceManager\Exception\ServiceNotCreatedException;
+use Laminas\ServiceManager\Exception\ServiceNotFoundException;
+use Laminas\ServiceManager\Factory\FactoryInterface;
+use Psr\Container\ContainerExceptionInterface as ContainerException;
+use Psr\Container\ContainerInterface;
+
+use function is_callable;
+
+/**
+ * Image CAPTCHA factory.
+ *
+ * @category VuFind
+ * @package  CAPTCHA
+ * @author   Mario Trojan <mario.trojan@uni-tuebingen.de>
+ * @license  http://opensource.org/licenses/gpl-2.0.php GNU General Public License
+ * @link     https://vufind.org/wiki/development Wiki
+ */
+class PoWFactory implements FactoryInterface
+{
+    /**
+     * Create an object
+     *
+     * @param ContainerInterface $container     Service manager
+     * @param string             $requestedName Service being created
+     * @param null|array         $options       Extra options (optional)
+     *
+     * @return object
+     *
+     * @throws ServiceNotFoundException if unable to resolve the service.
+     * @throws ServiceNotCreatedException if an exception is raised when
+     * creating a service.
+     * @throws ContainerException&\Throwable if any other error occurs
+     */
+    public function __invoke(
+        ContainerInterface $container,
+        $requestedName,
+        ?array $options = null
+    ) {
+        if (!empty($options)) {
+            throw new \Exception('Unexpected options passed to factory.');
+        }
+
+        $config = $container
+            ->get(\VuFind\Config\PluginManager::class)
+            ->get('config');
+
+        $hashAlgo = $config->Captcha->hashAlgo ?? 'sha256';
+        if (!in_array($hashAlgo, hash_algos())) {
+            throw new \Exception('Invalid hash algorithm: ' . $hashAlgo . '.');
+        }
+
+        $difficulty = intval($config->Captcha->pow_difficulty ?? 5);
+
+        return new $requestedName($hashAlgo, $difficulty);
+    }
+}
diff --git a/themes/root/js/captcha-pow-worker.js b/themes/root/js/captcha-pow-worker.js
@@ -0,0 +1,49 @@
+function hashChallenge(hashAlgo, challenge, nonce) {
+  return new Promise((resolve, reject) => {
+    let buffer = new TextEncoder().encode(`${challenge}:${nonce}`);
+    crypto.subtle.digest(phpAlgoToJS(hashAlgo), buffer.buffer).then((result) => {
+      // convert buffer to byte array
+      const bytes = Array.from(new Uint8Array(result));
+
+      // convert bytes to hex string
+      const hex = bytes
+          .map((byte) => byte.toString(16).padStart(2, "0"))
+          .join("")
+
+      resolve(hex);
+    }, reject);
+  });
+}
+
+function phpAlgoToJS(algo) {
+  return {
+    "sha1": "SHA-1",
+    "sha256": "SHA-256",
+    "sha384": "SHA-384",
+    "sha512": "SHA-512",
+  }[algo] ?? algo;
+}
+
+
+self.addEventListener("message", async (event) => {
+  const { challenge, difficulty, hashAlgo, start } = event.data;
+  const algo = phpAlgoToJS(hashAlgo);
+
+  let nonce = start;
+  const target = "0".repeat(difficulty);
+  console.log(target);
+  let attempt = await hashChallenge(algo, challenge, nonce);
+  while (!attempt.startsWith(target)) {
+    nonce += 1;
+    attempt = await hashChallenge(algo, challenge, nonce);
+
+    if (attempt.startsWith("0000")) {
+      console.log(attempt);
+    }
+  }
+
+  self.postMessage({
+    nonce,
+    iters: nonce - start,
+  });
+});
diff --git a/themes/root/js/captcha-pow.js b/themes/root/js/captcha-pow.js
@@ -0,0 +1,87 @@
+/* global VuFind */
+
+VuFind.register('pow-captcha', function PoWCaptchas() {
+  const READY_CLASS = "js-pow-captcha-ready";
+  const CHALLENGE_SELECTOR = '[name="pow-captcha-challenge"]';
+
+  function powCaptchaInit(form) {
+    if (form.classList.contains(READY_CLASS)) {
+      return;
+    }
+
+    form.classList.add(READY_CLASS);
+
+    // Wait for user interaction to start work
+
+    form.addEventListener("input", () => { powPerformWork(form) }, { once: true });
+
+    const statusEl = form.querySelector(".pow-captcha-status");
+    statusEl.textContent = "PoW Captcha waiting for interaction.";
+  }
+
+  function powPerformWork(form) {
+    const challenge = form.querySelector('[name="pow-captcha-challenge"]').value;
+    const difficulty = Number(form.querySelector('[name="pow-captcha-difficulty"]').value);
+    const hashAlgo = form.querySelector('[name="pow-captcha-hash-algo"]').value;
+    const start = Number(form.querySelector('[name="pow-captcha-start"]')?.value ?? 0);
+
+    const statusEl = form.querySelector(".pow-captcha-status");
+    statusEl.textContent = `PoW Captcha doing work (${hashAlgo} x${difficulty}).`;
+
+    // Do the number crunching in a Web Worker for speed and responsiveness
+    const worker = new Worker(`${VuFind.path}/themes/root/js/captcha-pow-worker.js`);
+
+    worker.onmessage = (event) => {
+      worker.terminate();
+      powResolveWork(form, event.data);
+    };
+
+    worker.onerror = (event) => {
+      worker.terminate();
+      powRejectWork(form, event);
+    };
+
+    worker.postMessage({ challenge, difficulty, hashAlgo, start });
+  }
+
+  function powResolveWork(form, { nonce, iters }) {
+    const nonceInput = form.querySelector('[name="pow-captcha-nonce"]');
+    nonceInput.value = nonce;
+
+    const statusEl = form.querySelector(".pow-captcha-status");
+    statusEl.textContent = `PoW Captcha: nonce (${nonce}) found after ${iters} iterations.`;
+  }
+
+  function powRejectWork(form, event) {
+      console.error(event);
+  }
+
+  function init() {
+    // Find PoW challenges
+    for (const pow of document.querySelectorAll(CHALLENGE_SELECTOR)) {
+      powCaptchaInit(pow.closest("form"));
+    }
+
+    // Listen for future forms
+    const observer = new MutationObserver(lookForNewPoWCaptchas);
+    observer.observe(document, { childList: true, subtree: true });
+
+    function lookForNewPoWCaptchas(records, observer) {
+      for (const record of records) {
+        for (const addedNode of record.addedNodes) {
+          if (addedNode instanceof Text) {
+            continue;
+          }
+          if (addedNode.matches(CHALLENGE_SELECTOR)) {
+            powCaptchaInit(addedNode.closest("form"));
+          }
+          for (const pow of document.querySelectorAll(CHALLENGE_SELECTOR)) {
+            powCaptchaInit(pow.closest("form"));
+          }
+        }
+      }
+    }
+  }
+
+  return { init };
+});
diff --git a/themes/root/templates/Captcha/pow.phtml b/themes/root/templates/Captcha/pow.phtml
@@ -0,0 +1,7 @@
+<?php ?>
+<input type="hidden" name="pow-captcha-challenge" value="<?=$this->captcha->getChallenge() ?>">
+<input type="hidden" name="pow-captcha-difficulty" value="<?=$this->captcha->getDifficulty() ?>">
+<input type="hidden" name="pow-captcha-hash-algo" value="<?=$this->captcha->getHashAlgo() ?>">
+<input type="hidden" name="pow-captcha-start" value="<?=$this->captcha->getStart() ?>">
+<input type="hidden" name="pow-captcha-nonce" value="">
+<p class="pow-captcha-status">PoW Captcha not initiated.</p>