Hello, I have some questions for you. (Disclaimer: I didn't review all of your code.)
I checked this repository's code and noticed that the token data is generated on the client side, not the server side.
Generally, in a captcha system like this, the "correct answer" is generated on the server side. The server delivers "question data" to the client that is not directly related to the "correct answer" - it is unpredictable from the "question". It is just for display in the frontend; then the "human" inputs the answer, and the server verifies that the human's input is the "correct answer".
But this captcha system generates the token data on the client side. This means a malicious actor is able to know the client's token generation algorithm at any time. Then the malicious actor sends the server a request with a malicious token that the server treats as the "correct answer". So I wonder how this can be achieved without security problems.
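
The server-side pattern described in the post above, as an added sketch that is not code from this repository. The class name, the in-memory store and the 120-second lifetime are assumptions made for illustration.

```python
import hmac
import secrets
import time

CHALLENGE_TTL = 120  # seconds; constructed value for this sketch
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # no I/O/0/1 look-alikes


class CaptchaServer:
    """Hypothetical server-side captcha state: the answer never leaves it."""

    def __init__(self, clock=time.monotonic):
        self._pending = {}  # challenge_id -> (answer, expires_at)
        self._clock = clock

    def issue(self):
        """Create a challenge and return only what the client may see."""
        answer = "".join(secrets.choice(ALPHABET) for _ in range(6))
        challenge_id = secrets.token_urlsafe(16)
        self._pending[challenge_id] = (answer, self._clock() + CHALLENGE_TTL)
        # A real service would render `answer` into a distorted image here.
        # The id is independent random data, so it reveals nothing about
        # the answer even to someone who has read all of the client code.
        return challenge_id

    def verify(self, challenge_id, submitted):
        """Check a submission; a challenge is consumed on its first attempt."""
        entry = self._pending.pop(challenge_id, None)  # single use, no replay
        if entry is None:
            return False  # unknown, already used, or client-invented id
        answer, expires_at = entry
        if self._clock() > expires_at:
            return False  # answered too late
        # Constant-time comparison of the server's answer and the input.
        return hmac.compare_digest(answer.encode(), submitted.upper().encode())


if __name__ == "__main__":
    server = CaptchaServer()
    cid = server.issue()
    print("client receives only:", cid)
    print("made-up token accepted?", server.verify("client-made-token", "ABCDEF"))
```
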