Skip to content

Altered-Wiki/AltchaCaptcha

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
includes
includes
 
 
CONTRIBUTORS.md
CONTRIBUTORS.md
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
extension.json
extension.json
 
 

Repository files navigation

AltchaCaptcha

A ConfirmEdit backend for MediaWiki that uses Altcha proof-of-work challenges. No external service, no cookies, no tracking.

How it works

When a CAPTCHA trigger fires (account creation, bad login, URL addition), the server generates a SHA-256 proof-of-work challenge signed with an HMAC key. The browser widget solves it client-side (typically < 2 seconds) and submits the solution. The server re-derives the expected hash and verifies the HMAC. No stored state required.

The Altcha widget JS is never loaded from a CDN by the browser. Instead, Special:AltchaJS fetches it server-side on first use, caches it in $wgUploadDirectory/altcha-cache/, and serves it locally. The cache refreshes automatically after the configured TTL. If the upstream is unreachable, the stale cache is served as a fallback.

Requirements

Tested against MediaWiki 1.44 with the refactored ConfirmEdit AuthManager API.

Installation

  1. Clone or copy this directory into your wiki's extensions/AltchaCaptcha/.

  2. Add to LocalSettings.php:

    wfLoadExtension( 'ConfirmEdit' );
wfLoadExtension( 'AltchaCaptcha' );

$wgCaptchaClass    = 'AltchaCaptcha';
$wgAltchaHmacKey   = 'your-secret-key-here'; // openssl rand -hex 32

# Optional complexity tuning (default shown):
$wgAltchaComplexityMin = 40000;
$wgAltchaComplexityMax = 200000;

# Trigger CAPTCHA on account creation and bad login:
$wgCaptchaTriggers['createaccount'] = true;
$wgCaptchaTriggers['badlogin']      = true;
$wgCaptchaTriggers['addurl']        = true;

  3. Generate your HMAC key:

    openssl rand -hex 32

The widget JS is fetched and cached automatically on first page load — no manual download required.

Configuration

Variable Default Description
$wgAltchaHmacKey '' Required. HMAC-SHA256 key for signing challenges.
$wgAltchaComplexityMin 40000 Minimum PoW iterations (lower = faster solve).
$wgAltchaComplexityMax 200000 Maximum PoW iterations.
$wgAltchaJSUrl https://cdn.jsdelivr.net/npm/altcha/dist/altcha.min.js Upstream URL the server fetches the widget JS from.
$wgAltchaJSTTL 86400 Seconds before the cached JS is re-fetched from upstream.

License

MIT

About

A ConfirmEdit CAPTCHA backend using Altcha proof-of-work

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages