gotosocial/web/source/nollamasworker/index.js

/*
	GoToSocial
	Copyright (C) GoToSocial Authors admin@gotosocial.org
	SPDX-License-Identifier: AGPL-3.0-or-later

	This program is free software: you can redistribute it and/or modify
	it under the terms of the GNU Affero General Public License as published by
	the Free Software Foundation, either version 3 of the License, or
	(at your option) any later version.

	This program is distributed in the hope that it will be useful,
	but WITHOUT ANY WARRANTY; without even the implied warranty of
	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
	GNU Affero General Public License for more details.

	You should have received a copy of the GNU Affero General Public License
	along with this program.  If not, see <http://www.gnu.org/licenses/>.
*/

import sha256 from "./sha256";

let compute = async function(challengeStr, diffStr) {
	const textEncoder = new TextEncoder();

	// Get difficulty1 as number and generate
	// expected zero ASCII prefix to check for.
	const diff1 = parseInt(diffStr, 10);
	const zeros = "0".repeat(diff1);

	// Calculate hex encoded prefix required to check solution, where we
	// need diff1 no. chars in hex, and hex encoding doubles input length.
	const prefixLen = diff1 / 2 + (diff1 % 2 != 0 ? 2 : 0);

	let nonce = 0;
	while (true) { // eslint-disable-line no-constant-condition

		// Create possible solution string from challenge string + nonce.
		const solution = textEncoder.encode(challengeStr + nonce.toString());

		// Generate SHA256 hashsum of solution string, and hex encode the
		// necessary prefix length we need to check for a valid solution.
		const prefixArray = Array.from(sha256(solution).slice(0, prefixLen));
		const prefixHex = prefixArray.map(b => b.toString(16).padStart(2, "0")).join("");

		// Check if the hex encoded hash has
		// difficulty defined zeroes prefix.
		if (prefixHex.startsWith(zeros)) {
			return nonce;
		}

		// Iter.
		nonce++;
	}
};

onmessage = async function(e) {
	console.log('worker started'); // eslint-disable-line no-console

	const challenge = e.data.challenge;
	const difficulty = e.data.difficulty;

	// Compute the nonce that produces solution with args.
	let nonce = await compute(challenge, difficulty);

	// Post the solution nonce back to caller.
	postMessage({ nonce: nonce, done: true });
};
[feature] proof of work scraper deterrence (#4043) This adds a proof-of-work based scraper deterrence to GoToSocial's middleware stack on profile and status web pages. Heavily inspired by https://github.com/TecharoHQ/anubis, but massively stripped back for our own usecase. Todo: - ~~add configuration option so this is disabled by default~~ - ~~fix whatever weirdness is preventing this working with CSP (even in debug)~~ - ~~use our standard templating mechanism going through apiutil helper func~~ - ~~probably some absurdly small performance improvements to be made in pooling re-used hex encode / hash encode buffers~~ the web endpoints aren't as hot a path as API / ActivityPub, will leave as-is for now as it is already very minimal and well optimized - ~~verify the cryptographic assumptions re: using a portion of token as challenge data~~ this isn't a serious application of cryptography, if it turns out to be a problem we'll fix it, but it definitely should not be easily possible to guess a SHA256 hash from the first 1/4 of it even if mathematically it might make it a bit easier - ~~theme / make look nice??~~ - ~~add a spinner~~ - ~~add entry in example configuration~~ - ~~add documentation~~ Verification page originally based on https://github.com/LucienV1/powtect Co-authored-by: tobi <tobi.smethurst@protonmail.com> Reviewed-on: https://codeberg.org/superseriousbusiness/gotosocial/pulls/4043 Reviewed-by: tobi <tsmethurst@noreply.codeberg.org> Co-authored-by: kim <grufwub@gmail.com> Co-committed-by: kim <grufwub@gmail.com> 2025-04-28 20:12:27 +00:00			`/*`
			`GoToSocial`
			`Copyright (C) GoToSocial Authors admin@gotosocial.org`
			`SPDX-License-Identifier: AGPL-3.0-or-later`

			`This program is free software: you can redistribute it and/or modify`
			`it under the terms of the GNU Affero General Public License as published by`
			`the Free Software Foundation, either version 3 of the License, or`
			`(at your option) any later version.`

			`This program is distributed in the hope that it will be useful,`
			`but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`GNU Affero General Public License for more details.`

			`You should have received a copy of the GNU Affero General Public License`
			`along with this program. If not, see <http://www.gnu.org/licenses/>.`
			`*/`

[chore] more NoLLaMas proof-of-work tweaking (#4096) - replaces the sha256 calculation with an alternative implementation that seems to use more uniform time-taken across different platforms - goes back to the simpler difficulty calculation without a "partial" difficulty level Reviewed-on: https://codeberg.org/superseriousbusiness/gotosocial/pulls/4096 Co-authored-by: kim <grufwub@gmail.com> Co-committed-by: kim <grufwub@gmail.com> 2025-05-03 16:45:25 +00:00			`import sha256 from "./sha256";`
[feature] proof of work scraper deterrence (#4043) This adds a proof-of-work based scraper deterrence to GoToSocial's middleware stack on profile and status web pages. Heavily inspired by https://github.com/TecharoHQ/anubis, but massively stripped back for our own usecase. Todo: - ~~add configuration option so this is disabled by default~~ - ~~fix whatever weirdness is preventing this working with CSP (even in debug)~~ - ~~use our standard templating mechanism going through apiutil helper func~~ - ~~probably some absurdly small performance improvements to be made in pooling re-used hex encode / hash encode buffers~~ the web endpoints aren't as hot a path as API / ActivityPub, will leave as-is for now as it is already very minimal and well optimized - ~~verify the cryptographic assumptions re: using a portion of token as challenge data~~ this isn't a serious application of cryptography, if it turns out to be a problem we'll fix it, but it definitely should not be easily possible to guess a SHA256 hash from the first 1/4 of it even if mathematically it might make it a bit easier - ~~theme / make look nice??~~ - ~~add a spinner~~ - ~~add entry in example configuration~~ - ~~add documentation~~ Verification page originally based on https://github.com/LucienV1/powtect Co-authored-by: tobi <tobi.smethurst@protonmail.com> Reviewed-on: https://codeberg.org/superseriousbusiness/gotosocial/pulls/4043 Reviewed-by: tobi <tsmethurst@noreply.codeberg.org> Co-authored-by: kim <grufwub@gmail.com> Co-committed-by: kim <grufwub@gmail.com> 2025-04-28 20:12:27 +00:00
[chore] more NoLLaMas proof-of-work tweaking (#4096) - replaces the sha256 calculation with an alternative implementation that seems to use more uniform time-taken across different platforms - goes back to the simpler difficulty calculation without a "partial" difficulty level Reviewed-on: https://codeberg.org/superseriousbusiness/gotosocial/pulls/4096 Co-authored-by: kim <grufwub@gmail.com> Co-committed-by: kim <grufwub@gmail.com> 2025-05-03 16:45:25 +00:00			`let compute = async function(challengeStr, diffStr) {`
[feature] proof of work scraper deterrence (#4043) This adds a proof-of-work based scraper deterrence to GoToSocial's middleware stack on profile and status web pages. Heavily inspired by https://github.com/TecharoHQ/anubis, but massively stripped back for our own usecase. Todo: - ~~add configuration option so this is disabled by default~~ - ~~fix whatever weirdness is preventing this working with CSP (even in debug)~~ - ~~use our standard templating mechanism going through apiutil helper func~~ - ~~probably some absurdly small performance improvements to be made in pooling re-used hex encode / hash encode buffers~~ the web endpoints aren't as hot a path as API / ActivityPub, will leave as-is for now as it is already very minimal and well optimized - ~~verify the cryptographic assumptions re: using a portion of token as challenge data~~ this isn't a serious application of cryptography, if it turns out to be a problem we'll fix it, but it definitely should not be easily possible to guess a SHA256 hash from the first 1/4 of it even if mathematically it might make it a bit easier - ~~theme / make look nice??~~ - ~~add a spinner~~ - ~~add entry in example configuration~~ - ~~add documentation~~ Verification page originally based on https://github.com/LucienV1/powtect Co-authored-by: tobi <tobi.smethurst@protonmail.com> Reviewed-on: https://codeberg.org/superseriousbusiness/gotosocial/pulls/4043 Reviewed-by: tobi <tsmethurst@noreply.codeberg.org> Co-authored-by: kim <grufwub@gmail.com> Co-committed-by: kim <grufwub@gmail.com> 2025-04-28 20:12:27 +00:00			`const textEncoder = new TextEncoder();`

[chore] more NoLLaMas proof-of-work tweaking (#4096) - replaces the sha256 calculation with an alternative implementation that seems to use more uniform time-taken across different platforms - goes back to the simpler difficulty calculation without a "partial" difficulty level Reviewed-on: https://codeberg.org/superseriousbusiness/gotosocial/pulls/4096 Co-authored-by: kim <grufwub@gmail.com> Co-committed-by: kim <grufwub@gmail.com> 2025-05-03 16:45:25 +00:00			`// Get difficulty1 as number and generate`
			`// expected zero ASCII prefix to check for.`
			`const diff1 = parseInt(diffStr, 10);`
			`const zeros = "0".repeat(diff1);`

			`// Calculate hex encoded prefix required to check solution, where we`
			`// need diff1 no. chars in hex, and hex encoding doubles input length.`
			`const prefixLen = diff1 / 2 + (diff1 % 2 != 0 ? 2 : 0);`
[feature] proof of work scraper deterrence (#4043) This adds a proof-of-work based scraper deterrence to GoToSocial's middleware stack on profile and status web pages. Heavily inspired by https://github.com/TecharoHQ/anubis, but massively stripped back for our own usecase. Todo: - ~~add configuration option so this is disabled by default~~ - ~~fix whatever weirdness is preventing this working with CSP (even in debug)~~ - ~~use our standard templating mechanism going through apiutil helper func~~ - ~~probably some absurdly small performance improvements to be made in pooling re-used hex encode / hash encode buffers~~ the web endpoints aren't as hot a path as API / ActivityPub, will leave as-is for now as it is already very minimal and well optimized - ~~verify the cryptographic assumptions re: using a portion of token as challenge data~~ this isn't a serious application of cryptography, if it turns out to be a problem we'll fix it, but it definitely should not be easily possible to guess a SHA256 hash from the first 1/4 of it even if mathematically it might make it a bit easier - ~~theme / make look nice??~~ - ~~add a spinner~~ - ~~add entry in example configuration~~ - ~~add documentation~~ Verification page originally based on https://github.com/LucienV1/powtect Co-authored-by: tobi <tobi.smethurst@protonmail.com> Reviewed-on: https://codeberg.org/superseriousbusiness/gotosocial/pulls/4043 Reviewed-by: tobi <tsmethurst@noreply.codeberg.org> Co-authored-by: kim <grufwub@gmail.com> Co-committed-by: kim <grufwub@gmail.com> 2025-04-28 20:12:27 +00:00
			`let nonce = 0;`
			`while (true) { // eslint-disable-line no-constant-condition`

[chore] more NoLLaMas proof-of-work tweaking (#4096) - replaces the sha256 calculation with an alternative implementation that seems to use more uniform time-taken across different platforms - goes back to the simpler difficulty calculation without a "partial" difficulty level Reviewed-on: https://codeberg.org/superseriousbusiness/gotosocial/pulls/4096 Co-authored-by: kim <grufwub@gmail.com> Co-committed-by: kim <grufwub@gmail.com> 2025-05-03 16:45:25 +00:00			`// Create possible solution string from challenge string + nonce.`
			`const solution = textEncoder.encode(challengeStr + nonce.toString());`
[feature] proof of work scraper deterrence (#4043) This adds a proof-of-work based scraper deterrence to GoToSocial's middleware stack on profile and status web pages. Heavily inspired by https://github.com/TecharoHQ/anubis, but massively stripped back for our own usecase. Todo: - ~~add configuration option so this is disabled by default~~ - ~~fix whatever weirdness is preventing this working with CSP (even in debug)~~ - ~~use our standard templating mechanism going through apiutil helper func~~ - ~~probably some absurdly small performance improvements to be made in pooling re-used hex encode / hash encode buffers~~ the web endpoints aren't as hot a path as API / ActivityPub, will leave as-is for now as it is already very minimal and well optimized - ~~verify the cryptographic assumptions re: using a portion of token as challenge data~~ this isn't a serious application of cryptography, if it turns out to be a problem we'll fix it, but it definitely should not be easily possible to guess a SHA256 hash from the first 1/4 of it even if mathematically it might make it a bit easier - ~~theme / make look nice??~~ - ~~add a spinner~~ - ~~add entry in example configuration~~ - ~~add documentation~~ Verification page originally based on https://github.com/LucienV1/powtect Co-authored-by: tobi <tobi.smethurst@protonmail.com> Reviewed-on: https://codeberg.org/superseriousbusiness/gotosocial/pulls/4043 Reviewed-by: tobi <tsmethurst@noreply.codeberg.org> Co-authored-by: kim <grufwub@gmail.com> Co-committed-by: kim <grufwub@gmail.com> 2025-04-28 20:12:27 +00:00
[chore] more NoLLaMas proof-of-work tweaking (#4096) - replaces the sha256 calculation with an alternative implementation that seems to use more uniform time-taken across different platforms - goes back to the simpler difficulty calculation without a "partial" difficulty level Reviewed-on: https://codeberg.org/superseriousbusiness/gotosocial/pulls/4096 Co-authored-by: kim <grufwub@gmail.com> Co-committed-by: kim <grufwub@gmail.com> 2025-05-03 16:45:25 +00:00			`// Generate SHA256 hashsum of solution string, and hex encode the`
			`// necessary prefix length we need to check for a valid solution.`
			`const prefixArray = Array.from(sha256(solution).slice(0, prefixLen));`
			`const prefixHex = prefixArray.map(b => b.toString(16).padStart(2, "0")).join("");`
[feature] proof of work scraper deterrence (#4043) This adds a proof-of-work based scraper deterrence to GoToSocial's middleware stack on profile and status web pages. Heavily inspired by https://github.com/TecharoHQ/anubis, but massively stripped back for our own usecase. Todo: - ~~add configuration option so this is disabled by default~~ - ~~fix whatever weirdness is preventing this working with CSP (even in debug)~~ - ~~use our standard templating mechanism going through apiutil helper func~~ - ~~probably some absurdly small performance improvements to be made in pooling re-used hex encode / hash encode buffers~~ the web endpoints aren't as hot a path as API / ActivityPub, will leave as-is for now as it is already very minimal and well optimized - ~~verify the cryptographic assumptions re: using a portion of token as challenge data~~ this isn't a serious application of cryptography, if it turns out to be a problem we'll fix it, but it definitely should not be easily possible to guess a SHA256 hash from the first 1/4 of it even if mathematically it might make it a bit easier - ~~theme / make look nice??~~ - ~~add a spinner~~ - ~~add entry in example configuration~~ - ~~add documentation~~ Verification page originally based on https://github.com/LucienV1/powtect Co-authored-by: tobi <tobi.smethurst@protonmail.com> Reviewed-on: https://codeberg.org/superseriousbusiness/gotosocial/pulls/4043 Reviewed-by: tobi <tsmethurst@noreply.codeberg.org> Co-authored-by: kim <grufwub@gmail.com> Co-committed-by: kim <grufwub@gmail.com> 2025-04-28 20:12:27 +00:00
			`// Check if the hex encoded hash has`
			`// difficulty defined zeroes prefix.`
[chore] more NoLLaMas proof-of-work tweaking (#4096) - replaces the sha256 calculation with an alternative implementation that seems to use more uniform time-taken across different platforms - goes back to the simpler difficulty calculation without a "partial" difficulty level Reviewed-on: https://codeberg.org/superseriousbusiness/gotosocial/pulls/4096 Co-authored-by: kim <grufwub@gmail.com> Co-committed-by: kim <grufwub@gmail.com> 2025-05-03 16:45:25 +00:00			`if (prefixHex.startsWith(zeros)) {`
			`return nonce;`
[feature] proof of work scraper deterrence (#4043) This adds a proof-of-work based scraper deterrence to GoToSocial's middleware stack on profile and status web pages. Heavily inspired by https://github.com/TecharoHQ/anubis, but massively stripped back for our own usecase. Todo: - ~~add configuration option so this is disabled by default~~ - ~~fix whatever weirdness is preventing this working with CSP (even in debug)~~ - ~~use our standard templating mechanism going through apiutil helper func~~ - ~~probably some absurdly small performance improvements to be made in pooling re-used hex encode / hash encode buffers~~ the web endpoints aren't as hot a path as API / ActivityPub, will leave as-is for now as it is already very minimal and well optimized - ~~verify the cryptographic assumptions re: using a portion of token as challenge data~~ this isn't a serious application of cryptography, if it turns out to be a problem we'll fix it, but it definitely should not be easily possible to guess a SHA256 hash from the first 1/4 of it even if mathematically it might make it a bit easier - ~~theme / make look nice??~~ - ~~add a spinner~~ - ~~add entry in example configuration~~ - ~~add documentation~~ Verification page originally based on https://github.com/LucienV1/powtect Co-authored-by: tobi <tobi.smethurst@protonmail.com> Reviewed-on: https://codeberg.org/superseriousbusiness/gotosocial/pulls/4043 Reviewed-by: tobi <tsmethurst@noreply.codeberg.org> Co-authored-by: kim <grufwub@gmail.com> Co-committed-by: kim <grufwub@gmail.com> 2025-04-28 20:12:27 +00:00			`}`

			`// Iter.`
			`nonce++;`
			`}`
			`};`
[chore] more NoLLaMas proof-of-work tweaking (#4096) - replaces the sha256 calculation with an alternative implementation that seems to use more uniform time-taken across different platforms - goes back to the simpler difficulty calculation without a "partial" difficulty level Reviewed-on: https://codeberg.org/superseriousbusiness/gotosocial/pulls/4096 Co-authored-by: kim <grufwub@gmail.com> Co-committed-by: kim <grufwub@gmail.com> 2025-05-03 16:45:25 +00:00
			`onmessage = async function(e) {`
			`console.log('worker started'); // eslint-disable-line no-console`

			`const challenge = e.data.challenge;`
			`const difficulty = e.data.difficulty;`

			`// Compute the nonce that produces solution with args.`
			`let nonce = await compute(challenge, difficulty);`

			`// Post the solution nonce back to caller.`
			`postMessage({ nonce: nonce, done: true });`
			`};`