Add ALTCHA proof-of-work challenge to registration form

smgdkngt · claude · smgdkngt · commit 29c74d6b0f51 · 2026-03-19T12:53:45.000+01:00
Blocks automated signups with a privacy-friendly, self-hosted challenge.
Uses altcha gem for server-side verification and CDN-hosted widget.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/Gemfile b/Gemfile
@@ -96,3 +96,6 @@ gem "noticed", "~> 3.0"
 # TOTP two-factor authentication
 gem "rotp", "~> 6.3"
 gem "rqrcode", "~> 3.0"
+
+# ALTCHA proof-of-work spam protection
+gem "altcha"
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -77,6 +77,7 @@ GEM
       uri (>= 0.13.1)
     addressable (2.8.8)
       public_suffix (>= 2.0.2, < 8.0)
+    altcha (1.0.0)
     ast (2.4.3)
     base64 (0.3.0)
     bcrypt (3.1.21)
@@ -483,6 +484,7 @@ PLATFORMS
   x86_64-linux-musl
 
 DEPENDENCIES
+  altcha
   bcrypt (~> 3.1.7)
   bootsnap
   brakeman
@@ -534,6 +536,7 @@ CHECKSUMS
   activestorage (8.1.2) sha256=8a63a48c3999caeee26a59441f813f94681fc35cc41aba7ce1f836add04fba76
   activesupport (8.1.2) sha256=88842578ccd0d40f658289b0e8c842acfe9af751afee2e0744a7873f50b6fdae
   addressable (2.8.8) sha256=7c13b8f9536cf6364c03b9d417c19986019e28f7c00ac8132da4eb0fe393b057
+  altcha (1.0.0) sha256=6f85e1e1b6cc81fd9110c05b5f72e07e1635b75ec62bb4c851a5bdc1b0739f04
   ast (2.4.3) sha256=954615157c1d6a382bc27d690d973195e79db7f55e9765ac7c481c60bdb4d383
   base64 (0.3.0) sha256=27337aeabad6ffae05c265c450490628ef3ebd4b67be58257393227588f5a97b
   bcrypt (3.1.21) sha256=5964613d750a42c7ee5dc61f7b9336fb6caca429ba4ac9f2011609946e4a2dcf
diff --git a/app/controllers/altcha_controller.rb b/app/controllers/altcha_controller.rb
@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+class AltchaController < ApplicationController
+  allow_unauthenticated_access
+
+  def challenge
+    options = Altcha::ChallengeOptions.new(
+      hmac_key: altcha_hmac_key,
+      max_number: 50_000,
+      expires: Time.now + 5.minutes
+    )
+    render json: Altcha.create_challenge(options)
+  end
+
+  private
+
+  def altcha_hmac_key
+    Rails.application.secret_key_base.first(32)
+  end
+end
diff --git a/app/controllers/registrations_controller.rb b/app/controllers/registrations_controller.rb
@@ -10,6 +10,12 @@ def new
   end
 
   def create
+    unless verify_altcha
+      @user = User.new(user_params)
+      flash.now[:alert] = "Please complete the verification."
+      return render :new, status: :unprocessable_entity
+    end
+
     @user = User.new(user_params)
 
     if @user.save
@@ -27,6 +33,20 @@ def create
 
   private
 
+  def verify_altcha
+    payload = params[:altcha]
+    return false if payload.blank?
+
+    parsed = JSON.parse(Base64.decode64(payload), symbolize_names: true)
+    Altcha.verify_solution(parsed, altcha_hmac_key)
+  rescue JSON::ParserError, ArgumentError
+    false
+  end
+
+  def altcha_hmac_key
+    Rails.application.secret_key_base.first(32)
+  end
+
   def user_params
     params.require(:user).permit(:first_name, :last_name, :email_address, :password, :password_confirmation)
   end
diff --git a/app/views/layouts/application.html.erb b/app/views/layouts/application.html.erb
@@ -44,6 +44,7 @@
     <link rel="apple-touch-startup-image" href="/apple-splash-750-1334.png" media="(device-width: 375px) and (device-height: 667px) and (-webkit-device-pixel-ratio: 2) and (orientation: portrait)">
     <link rel="apple-touch-startup-image" href="/apple-splash-640-1136.png" media="(device-width: 320px) and (device-height: 568px) and (-webkit-device-pixel-ratio: 2) and (orientation: portrait)">
 
+    <script async defer src="https://eu.altcha.org/js/latest/altcha.min.js" type="module"></script>
     <%= stylesheet_link_tag "rhino-editor", "data-turbo-track": "reload" %>
     <%= stylesheet_link_tag "tailwind", "data-turbo-track": "reload" %>
     <%= javascript_importmap_tags %>
diff --git a/app/views/registrations/new.html.erb b/app/views/registrations/new.html.erb
@@ -65,6 +65,8 @@
           %>
         </div>
 
+        <altcha-widget challengeurl="/altcha/challenge" name="altcha"></altcha-widget>
+
         <%= render "components/button", text: "Create Account", full_width: true %>
       <% end %>
     </div>
diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb
@@ -10,7 +10,7 @@
     policy.font_src    :self, :data
     policy.img_src     :self, :data, :https
     policy.object_src  :none
-    policy.script_src  :self, "https://ga.jspm.io", "https://cdn.jsdelivr.net"
+    policy.script_src  :self, "https://ga.jspm.io", "https://cdn.jsdelivr.net", "https://eu.altcha.org"
     policy.style_src   :self, "'unsafe-inline'"
     policy.frame_src   :self
     policy.connect_src :self, *[ ENV["LIVEKIT_URL"]&.sub(%r{^https?://}, "wss://") ].compact
diff --git a/config/routes.rb b/config/routes.rb
@@ -15,6 +15,7 @@
   delete "logout", to: "sessions#destroy"
   get "signup", to: "registrations#new"
   post "signup", to: "registrations#create"
+  get "altcha/challenge", to: "altcha#challenge"
 
   scope "login" do
     resource :two_factor_challenge, only: %i[new create], path: "verify"
