altcha-org / altcha

GDPR compliant, self-hosted CAPTCHA alternative with PoW mechanism and advanced anti-spam filter.
https://altcha.org
MIT License

Verifying `verificationData` and `fieldHash` #29

Closed ixnas closed 6 months ago

ixnas commented 6 months ago

Hi there!

I'm trying to implement the verification for the `verificationData` field in the payload when using the spam filter API.

I feel like simply verifying the API signature on the server isn't enough, because someone could send different form data to the API than to the server.

So I'm trying to also verify the `fieldHash` property (I assume it's there for this purpose), but I can't figure out how the API combines the field values before it hashes them. Could you shed some light on this?

Thanks!

ovx commented 6 months ago

Hi, yes, you're right about that. The API docs are still a work in progress.

The API simply concatenates the field values with `\n` and computes a SHA hash (the same algorithm as the signature, with the values in the order listed in `fields`):

For `fields = field1,field2,field3`:

```
fieldsHash = sha2_hex(field1_value + '\n' + field2_value + '\n' + field3_value)
```

This will be added to the docs.

ixnas commented 6 months ago

Thanks for the quick reply, got it working!