vufind-org · crhallberg · Jul 21, 2025 · Jul 22, 2025 · Jul 22, 2025 · Jul 22, 2025
diff --git a/config/vufind/config.ini b/config/vufind/config.ini
@@ -2512,6 +2512,7 @@ validateHierarchySequences = true
 ; - image (generate a local image for the user to interpret)
 ; - interval (allow an action after a specified time has elapsed from session start
 ;   or previous action)
+; - pow (proof of work bot deterent)
 ; - recaptcha (use Google's ReCaptcha service)
 ; If multiple values are given, the user will be able to pick their favorite.
 ; See below for additional type-specific settings.
@@ -2542,6 +2543,12 @@ validateHierarchySequences = true
 ; action_interval):
 ;time_from_session_start = 0
 
+; Proof of Work options
+; PHP and JS both natively support sha1, sha256, sha384, sha512.
+;pow_hash = sha256
+; number of leading zeroes required; default: 5
+;pow_difficulty = 5
+
 ; See http://www.google.com/recaptcha for more information on reCAPTCHA and to
 ; create keys for your domain. Make sure that SSL settings are correct in the
 ; [Http] section, or your Captcha may not work.

diff --git a/config/vufind/contentsecuritypolicy.ini b/config/vufind/contentsecuritypolicy.ini
@@ -44,8 +44,11 @@ script-src[] = "https:"
 connect-src[] = "'self'"
 ; If you are using Google Analytics, uncomment the line below
 ;connect-src[] = "https://*.google-analytics.com"
-; worker-src required for jsTree with browsers that don't support 'strict-dynamic' (e.g. Safari):
+; worker-src (permission to load web worker JS files)
+; (blob) required for jsTree with browsers that don't support 'strict-dynamic' (e.g. Safari):
 worker-src[] = "blob:"
+; (self) required for proof of work (PoW) Captcha web wworker
+worker-src[] = "'self'"
 style-src[] = "'self'"
 style-src[] = "'unsafe-inline'"
 img-src[] = "'self'"

diff --git a/module/VuFind/src/VuFind/Captcha/PluginManager.php b/module/VuFind/src/VuFind/Captcha/PluginManager.php
@@ -52,6 +52,7 @@ class PluginManager extends \VuFind\ServiceManager\AbstractPluginManager
         'dumb' => Dumb::class,
         'image' => Image::class,
         'interval' => Interval::class,
+        'pow' => PoW::class,
         'recaptcha' => ReCaptcha::class,
     ];
 
@@ -65,6 +66,7 @@ class PluginManager extends \VuFind\ServiceManager\AbstractPluginManager
         Dumb::class => DumbFactory::class,
         Image::class => ImageFactory::class,
         Interval::class => IntervalFactory::class,
+        PoW::class => PoWFactory::class,
         ReCaptcha::class => ReCaptchaFactory::class,
     ];
 

diff --git a/module/VuFind/src/VuFind/Captcha/PoW.php b/module/VuFind/src/VuFind/Captcha/PoW.php
@@ -0,0 +1,148 @@
+<?php
+
+/**
+ * Proof of Work CAPTCHA.
+ *
+ * PHP version 8
+ *
+ * Copyright (C) Villanova University 2025.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2,
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+ *
+ * @category VuFind
+ * @package  CAPTCHA
+ * @author   Chris Hallberg <challber@villanova.edu>
+ * @license  http://opensource.org/licenses/gpl-2.0.php GNU General Public License
+ * @link     https://vufind.org Main Page
+ */
+
+namespace VuFind\Captcha;
+
+use Laminas\Mvc\Controller\Plugin\Params;
+use Laminas\Session\ManagerInterface;
+
+use function intval;
+
+/**
+ * Proof of Work CAPTCHA.
+ *
+ * @category VuFind
+ * @package  CAPTCHA
+ * @author   Chris Hallberg <challber@villanova.edu>
+ * @license  http://opensource.org/licenses/gpl-2.0.php GNU General Public License
+ * @link     https://vufind.org/wiki/development Wiki
+ */
+class PoW extends AbstractBase
+{
+    /**
+     * Constructor
+     *
+     * @param string           $hashAlgo   Hash algorithm (default sha256)
+     * @param int              $difficulty Number of leading zeroes needed for proof (default 5)
+     * @param ManagerInterface $session    Session manager
+     */
+    public function __construct(
+        protected string $hashAlgo,
+        protected int $difficulty,
+        protected ManagerInterface $session,
+    ) {
+    }
+
+    /**
+     * Get list of URLs with JS dependencies to load for the active CAPTCHA type.
+     *
+     * @return array
+     */
+    public function getJsIncludes(): array
+    {
+        return ['captcha-pow.js'];
+    }
+
+    /**
+     * Pull the captcha field from controller params and check them for accuracy
+     * We pull from the form in case config changed since challenge was sent
+     *
+     * @param Params $params Controller params
+     *
+     * @return bool
+     */
+    public function verify(Params $params): bool
+    {
+        $nonce = intval($params->fromPost('pow-captcha-nonce'));
+        $start = intval($params->fromPost('pow-captcha-start', 0));
+
+        // Verify nonce search began with start
+        if ($nonce < $start) {
+            error_log(
+                'PoW: nonce (' . $nonce . ') not incremental from start (' . $start . ')'
+            );
+            return false;
+        }
+
+        // Verify work
+        $challenge = $this->getChallenge($start);
+        $hashAlgo = $params->fromPost('pow-captcha-hash-algo');
+        $hash = hash($hashAlgo, $challenge . $nonce);
+        if (substr($hash, 0, $this->difficulty) !== str_repeat('0', $this->difficulty)) {
+            error_log(
+                'PoW: nonce (' . $nonce . ') produces invalid hash (' . $hash . ')'
+            );
+            return false;
+        }
+
+        return true;
+    }
+
+    /**
+     * Generate challenge string from session id
+     *
+     * @param int $salt Number to add to session id (we use start number)
+     *
+     * @return string
+     */
+    public function getChallenge($salt)
+    {
+        return hash('sha256', $this->session->getId() . $salt);
+    }
+
+    /**
+     * Get difficulty from config
+     *
+     * @return int
+     */
+    public function getDifficulty()
+    {
+        return $this->difficulty;
+    }
+
+    /**
+     * Get difficulty from config
+     *
+     * @return string
+     */
+    public function getHashAlgo()
+    {
+        return $this->hashAlgo;
+    }
+
+    /**
+     * Get random starting point to prevent repeatable work
+     *
+     * @return int
+     */
+    public function getStart()
+    {
+        return random_int(1000, 9999);
+    }
+}
diff --git a/module/VuFind/src/VuFind/Captcha/PoWFactory.php b/module/VuFind/src/VuFind/Captcha/PoWFactory.php
@@ -0,0 +1,90 @@
+<?php
+
+/**
+ * Factory for Proof of Work CAPTCHA module.
+ *
+ * PHP version 8
+ *
+ * Copyright (C) Villanova University 2025.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2,
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+ *
+ * @category VuFind
+ * @package  CAPTCHA
+ * @author   Chris Hallberg <challber@villanova.edu>
+ * @license  http://opensource.org/licenses/gpl-2.0.php GNU General Public License
+ * @link     https://vufind.org/wiki/development Wiki
+ */
+
+namespace VuFind\Captcha;
+
+use Laminas\ServiceManager\Exception\ServiceNotCreatedException;
+use Laminas\ServiceManager\Exception\ServiceNotFoundException;
+use Laminas\ServiceManager\Factory\FactoryInterface;
+use Psr\Container\ContainerExceptionInterface as ContainerException;
+use Psr\Container\ContainerInterface;
+
+use function in_array;
+use function intval;
+
+/**
+ * Proof of Work CAPTCHA factory.
+ *
+ * @category VuFind
+ * @package  CAPTCHA
+ * @author   Chris Hallberg <challber@villanova.edu>
+ * @license  http://opensource.org/licenses/gpl-2.0.php GNU General Public License
+ * @link     https://vufind.org/wiki/development Wiki
+ */
+class PoWFactory implements FactoryInterface
+{
+    /**
+     * Create an object
+     *
+     * @param ContainerInterface $container     Service manager
+     * @param string             $requestedName Service being created
+     * @param null|array         $options       Extra options (optional)
+     *
+     * @return object
+     *
+     * @throws ServiceNotFoundException if unable to resolve the service.
+     * @throws ServiceNotCreatedException if an exception is raised when
+     * creating a service.
+     * @throws ContainerException&\Throwable if any other error occurs
+     */
+    public function __invoke(
+        ContainerInterface $container,
+        $requestedName,
+        ?array $options = null
+    ) {
+        if (!empty($options)) {
+            throw new \Exception('Unexpected options passed to factory.');
+        }
+
+        $config = $container
+            ->get(\VuFind\Config\PluginManager::class)
+            ->get('config');
+
+        $hashAlgo = $config->Captcha->hashAlgo ?? 'sha256';
+        if (!in_array($hashAlgo, hash_algos())) {
+            throw new \Exception('Invalid hash algorithm: ' . $hashAlgo . '.');
+        }
+
+        return new $requestedName(
+            $hashAlgo,
+            intval($config->Captcha->pow_difficulty ?? 5),
+            $container->get(\Laminas\Session\SessionManager::class),
+        );
+    }
+}
diff --git a/module/VuFind/src/VuFind/Controller/Plugin/Captcha.php b/module/VuFind/src/VuFind/Controller/Plugin/Captcha.php
@@ -138,6 +138,7 @@ public function verify(): bool
                     $errorMessage = $captcha->getErrorMessage();
                 }
             } catch (\Exception $e) {
+                error_log($e);
                 $captchaPassed = false;
                 $errorMessage = $this->translate('captcha_technical_difficulties');
             }

diff --git a/themes/bootstrap5/templates/Helpers/captcha.phtml b/themes/bootstrap5/templates/Helpers/captcha.phtml
@@ -5,7 +5,7 @@
 <?php if (count($this->captchas) == 1):?>
   <?php if ($captchaHtml = $this->captcha()->getHtmlForCaptcha($this->captchas[0])): ?>
     <label class="form-label"><?=$this->transEsc('captcha_label_single')?></label>
-    <p><?=$captchaHtml?></p>
+    <div><?=$captchaHtml?></div>
   <?php endif; ?>
 <?php else:?>
   <label class="form-label"><?=$this->transEsc('captcha_label_multiple')?></label>

diff --git a/themes/bootstrap5/templates/RecordTab/usercomments.phtml b/themes/bootstrap5/templates/RecordTab/usercomments.phtml
@@ -20,10 +20,10 @@
           <?=$this->component('star-rating', ['ratingData' => $ratingData, 'allowClear' => 0 === $ratingData['count'] || $this->accountCapabilities()->isRatingRemovalAllowed()]);?>
         </div>
       <?php endif; ?>
+      <div class="clearfix"></div>
       <?php if ($this->tab->isCaptchaActive()): ?>
         <?=$this->captcha()->html(true, false) ?>
       <?php endif; ?>
-      <div class="clearfix"></div>
       <input class="btn btn-primary" type="submit" value="<?=$this->transEscAttr('Add your comment')?>">
       <div class="loading-spinner js-loading-spinner hidden"><?=$this->icon('spinner') ?> <?=$this->translate('loading_ellipsis')?></div>
     </div>

diff --git a/themes/root/js/captcha-pow-worker.js b/themes/root/js/captcha-pow-worker.js
@@ -0,0 +1,72 @@
+/**
+ * @param {string} algo PHP hash algorithm key
+ * @returns {string} JS Crypto algorithm key
+ */
+function phpAlgoToJS(algo) {
+  const map = {
+    "sha1": "SHA-1",
+    "sha256": "SHA-256",
+    "sha384": "SHA-384",
+    "sha512": "SHA-512",
+  };
+  return algo in map ? map[algo] : algo;
+}
+
+/**
+ * @param {string} hashAlgo SHA family algorithm (for now)
+ * @param {string} challenge Hash from server
+ * @param {number} nonce Incrementing number for concat
+ * @returns {Promise<string>} Hash of challenge + nonce
+ */
+function hashChallenge(hashAlgo, challenge, nonce) {
+  return new Promise((resolve, reject) => {
+    let buffer = new TextEncoder().encode(`${challenge}${nonce}`);
+    crypto.subtle.digest(phpAlgoToJS(hashAlgo), buffer.buffer).then((result) => {
+      // convert buffer to byte array
+      const bytes = Array.from(new Uint8Array(result));
+
+      // convert bytes to hex string
+      const hex = bytes
+        .map((byte) => byte.toString(16).padStart(2, "0"))
+        .join("");
+
+      resolve(hex);
+    }, reject);
+  });
+}
+
+/**
+ * @param  {MessageEvent} event Contains hash work parameters
+ * @returns {void} Returns via postMessage
+ */
+function powWorkerMessage(event) {
+  const { challenge, difficulty, hashAlgo, start } = event.data;
+  const algo = phpAlgoToJS(hashAlgo);
+
+  const startTime = Date.now();
+  const target = "0".repeat(difficulty);
+
+  /**
+   * Recursive on Promise resolution
+   * @param {number} nonce Incrementing number for hash concatenation
+   * @returns {void}
+   */
+  function attemptHash(nonce) {
+    hashChallenge(algo, challenge, nonce).then((result) => {
+      if (result.startsWith(target)) {
+        // Return to main thread
+        self.postMessage({
+          nonce,
+          iters: nonce - start,
+          ms: Date.now() - startTime,
+        });
+      } else {
+        attemptHash(nonce + 1);
+      }
+    });
+  }
+
+  attemptHash(start);
+}
+
+self.addEventListener("message", powWorkerMessage);