ovx
commented
3 days ago Hi, ALTCHA can be implemented in several ways, depending on your use case. A common way to integrate is by creating a GET /challenge endpoint which returns a JSON-encoded challenge. The ALTCHA payload is then submitted with your form data, where you verify the solution before processing the form data.
Documentation: https://altcha.org/docs/server-integration/
An working example with Deno+Hono: https://github.com/altcha-org/altcha/blob/main/server/server-deno.ts
I'm struggling to find out how to use this. For example, I have a fastify app with a basic JSON API. I'd like to use altcha to not let a route run until the captcha is sent to the server and proven valid. This seems like by far the most rebust, actively supported open source captcha out there and using a PoW system is really simple for the end user.
According to the docs, this is the example they give for using it with NodeJS.
I don't really know what this is doing or how to integrate it into an API. The first part appears to generate a challenge and send it to the client. Ok, fair enough, but what is the 2nd part? How is it gonna verify the solution when the route just sends a challenge token, that would in theory block the verifySolution code from running at all.
My guess is that it expects a form tag and have it submit to this same route, but that causes a page refresh which is bad practice in a single page app, and requires an x-www-urlencoded field, which won't work on a basic JSON API.
Is there any better info on how to use this? For example just have a "GenerateCaptcha" route, have the widget get a captcha from GenerateCaptcha route, send it to whatever route I want and just use some middleware to verify whether the captcha is legit or not.