From 6645632846022ea3256f3c2745bbf06ff00da9ec Mon Sep 17 00:00:00 2001 From: bunkerity Date: Wed, 19 May 2021 17:36:29 +0200 Subject: [PATCH] antibot - basic pow with javascript --- antibot/javascript.data | 12 ++++++++++-- confs/site/main-lua.conf | 8 ++++---- lua/javascript.lua | 7 +++++-- 3 files changed, 19 insertions(+), 8 deletions(-) diff --git a/antibot/javascript.data b/antibot/javascript.data index 03962a9..1511c0c 100644 --- a/antibot/javascript.data +++ b/antibot/javascript.data @@ -7,7 +7,15 @@ return hashHex; } (async () => { - const digestHex = await digestMessage('%s'); + const nonce = '%s'; + var i = 0; + while (true) { + var digestHex = await digestMessage(nonce + i.toString()); + if (digestHex.startsWith("0000")) { + break; + } + i++; + } xhr = new XMLHttpRequest(); xhr.open('POST', '%s'); xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded'); @@ -16,6 +24,6 @@ window.location.replace('%s'); } }; - xhr.send(encodeURI('challenge=' + digestHex)); + xhr.send(encodeURI('challenge=' + i.toString())); })(); diff --git a/confs/site/main-lua.conf b/confs/site/main-lua.conf index 7d0607c..58b6a57 100644 --- a/confs/site/main-lua.conf +++ b/confs/site/main-lua.conf @@ -242,7 +242,7 @@ if use_crowdsec then end -- cookie check -if use_antibot_cookie then +if use_antibot_cookie and ngx.var.uri ~= "/favicon.ico" then if not cookie.is_set("uri") then if ngx.var.request_uri ~= antibot_uri then cookie.set({uri = ngx.var.request_uri}) @@ -258,7 +258,7 @@ if use_antibot_cookie then end -- javascript check -if use_antibot_javascript then +if use_antibot_javascript and ngx.var.uri ~= "/favicon.ico" then if not cookie.is_set("javascript") then if ngx.var.request_uri ~= antibot_uri then cookie.set({uri = ngx.var.request_uri, challenge = javascript.get_challenge()}) 
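Review bot: The difficulty prefix in `digestHex.startsWith("0000")` is a bare literal that has to match the `find("^0000")` test added to `M.check` in lua/javascript.lua, and neither file says so. Four hex zeros is 16 bits of work, about 65,000 SHA-256 calls on average, which costs a scripted client very little, so the value will probably need tuning. A named constant makes that a one-place change on this side: `const difficulty = '0000'; // must match the prefix tested by M.check in lua/javascript.lua`. The loop also declares `i` and `digestHex` with `var`; `let i = 0;` before the loop and `const digestHex` inside it would scope them more tightly. The enclosing script starts and ends outside the hunk.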
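Review bot: The new `ngx.var.uri ~= "/favicon.ico"` exemption in the cookie check is repeated verbatim in the javascript, captcha and recaptcha checks (hunks at 258, 268 and 278), with no comment saying why that path skips every antibot challenge. Computing it once keeps the four conditions in step: `local antibot_exempt = ngx.var.uri == "/favicon.ico" -- TODO: state why this path is not challenged`, then `if use_antibot_cookie and not antibot_exempt then`. The condition tests `ngx.var.uri` while the body compares `ngx.var.request_uri`; the two can differ when a query string or an internal rewrite is involved, so the comment should say which one is intended. The surrounding code starts and ends outside the hunks.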
@@ -268,7 +268,7 @@ if use_antibot_javascript then end -- captcha check -if use_antibot_captcha then +if use_antibot_captcha and ngx.var.uri ~= "/favicon.ico" then if not cookie.is_set("captcha") then if ngx.var.request_uri ~= antibot_uri then cookie.set({uri = ngx.var.request_uri}) @@ -278,7 +278,7 @@ if use_antibot_captcha then end -- recaptcha check -if use_antibot_recaptcha then +if use_antibot_recaptcha and ngx.var.uri ~= "/favicon.ico" then if not cookie.is_set("recaptcha") then if ngx.var.request_uri ~= antibot_uri then cookie.set({uri = ngx.var.request_uri}) diff --git a/lua/javascript.lua b/lua/javascript.lua index 5dde85c..26a6b4c 100644 --- a/lua/javascript.lua +++ b/lua/javascript.lua @@ -32,12 +32,15 @@ function M.get_code (challenge, antibot_uri, original_uri) end function M.check (challenge, user) + ngx.log(ngx.ERR, "debug challenge = " .. challenge) + ngx.log(ngx.ERR, "debug user = " .. user) local resty_sha256 = require "resty.sha256" local str = require "resty.string" local sha256 = resty_sha256:new() - sha256:update(challenge) + sha256:update(challenge .. user) local digest = sha256:final() - return str.to_hex(digest) == user + ngx.log(ngx.ERR, "debug digest = " .. str.to_hex(digest)) + return str.to_hex(digest):find("^0000") ~= nil end return M
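Review bot: The three `ngx.log(ngx.ERR, "debug ...")` calls in `M.check` write the client-supplied `user` value to the error log at error level on every attempt, and the `..` concatenation raises if `user` is not a string. The call site is outside this diff, but if it passes a POST argument through unchecked, a missing or repeated `challenge` field would arrive as nil or a table and turn a failed check into a runtime error. Drop the debug lines, or log at `ngx.DEBUG`, and open the function with `if type(challenge) ~= "string" or type(user) ~= "string" then return false end`. Since the client now submits a counter, `if not user:find("^%d+$") then return false end` would also keep arbitrary bytes out of the hash input and the log.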