altcha-org / altcha

GDPR compliant, self-hosted CAPTCHA alternative with PoW mechanism and advanced anti-spam filter.
https://altcha.org
MIT License

Verification expired. Try again. #25

Closed stanbekker closed 2 months ago

stanbekker commented 2 months ago

Hello,

I am integrating the Altcha Widget in my contact form. I have written a PHP class that serves /api/altcha with the JSON for the widget, and I have a function to verify the submitted form. When I put the widget in TEST mode, all is well, I receive the Altcha in my $_POST['altcha'] variable, life is good.

But when I get the challenge json from my API, the widget keeps giving the error: "Verification expired. Try again."

In DEBUG mode the widget reports this in the browser console:

And after clicking the widget verify check:

What bothers me is that it first notifies me that the expire time is right, just what I set it to. But when I fetch the challenge from /api/altcha, it changes the expire time. The JSON on the /api/altcha looks like this:

{ "algorithm": "SHA-256", "challenge": "64c1f13b14b262535d8a41f731150d51220ce8fa571661f2b46524c795590b68", "salt": "y9QZZr83JO", "signature": "7da4b3fbf197a69977847b74f156841e1ec09e5e1b2eb566f9a7b3b5eda550bc" }

I never change the expire time in the /api/altcha data. Any tips on how to get rid of the "Verification expired. Try again." message and to start using Altcha?

Thanks and good luck with Altcha, it looks great so far!

ovx commented 2 months ago

Hi, the widget automatically detects the Expires HTTP header from the API response, but it seems like it fails to process it right. Can you post here what the header Expires looks like in the response?

stanbekker commented 2 months ago

Ah thanks a lot, you pointed me in the right direction! I needed to include the "Expires" header in the JSON that I serve from my PHP server. When I looked at the current header it wasn't set. It now starts verifying!

It doesn't complete verification unfortunately, it returns a null solution in the console with the messages:

ovx commented 2 months ago

This happens when maxnumber is lower than the actual random number. The default maxnumber is 1,000,000. If you're generating numbers higher than this, you have to set the maxnumber on the widget. Although that's too big for most devices; the recommended value is below 100,000.
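
Added example (not from the thread or the ALTCHA code base) of the maxnumber mismatch described above, in Node.js: the server hides a number behind a hash, and the client's search is bounded by its own maxnumber. It assumes the challenge is the SHA-256 hex digest of the salt followed by the number and the signature is an HMAC-SHA256 of the challenge; `HMAC_KEY`, the function names and the 300-second lifetime are illustrative.

```javascript
const { createHash, createHmac, randomBytes, randomInt, timingSafeEqual } = require('node:crypto');

const HMAC_KEY = 'constructed-demo-key'; // constructed value; keep the real key server-side only

const sha256Hex = (s) => createHash('sha256').update(s).digest('hex');
const hmacHex = (s) => createHmac('sha256', HMAC_KEY).update(s).digest('hex');

// Server: hide a number in [0, maxnumber] behind a hash and sign the challenge.
// `number` can be passed explicitly so the demo is reproducible.
function createChallenge(maxnumber, number = randomInt(0, maxnumber + 1)) {
  const salt = randomBytes(12).toString('hex');
  const challenge = sha256Hex(salt + number);
  return {
    body: { algorithm: 'SHA-256', challenge, salt, signature: hmacHex(challenge) },
    // Per the thread, the widget reads the Expires HTTP header of this response.
    headers: { Expires: new Date(Date.now() + 300 * 1000).toUTCString() },
  };
}

// Client: brute-force search, bounded by the widget's own maxnumber.
function solve({ challenge, salt }, maxnumber) {
  for (let n = 0; n <= maxnumber; n++) {
    if (sha256Hex(salt + n) === challenge) return n;
  }
  return null; // the hidden number lies above the client's search bound
}

// Server: recompute the signature and the challenge from the submitted number.
function verify({ challenge, salt, signature }, number) {
  const expected = Buffer.from(hmacHex(challenge));
  const given = Buffer.from(String(signature));
  const sigOk = given.length === expected.length && timingSafeEqual(given, expected);
  return sigOk && sha256Hex(salt + number) === challenge;
}

// Server generated up to 50,000, but the client only searches up to 10,000.
const demo = createChallenge(50000, 42000);
console.log(solve(demo.body, 10000)); // null solution, as in the issue
console.log(solve(demo.body, 50000)); // found once the bounds agree
```

Keeping one shared constant for the server's upper bound and the widget's maxnumber setting avoids the mismatch.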

stanbekker commented 2 months ago

Wow you have been super helpful! It's fixed. Thanks a lot, really, much appreciated!