fix: Improve handling for solutions to ALTCHA challenges
- Dec 02, 2024
stephen authored
The ALTCHA proof-of-work mechanism employed on the Stripe side of the donation form requires two open URL endpoints; one for the user to ping and receive the challenge, and the other for the user to submit a solution to that challenge.

Regardless of how the rest of this mechanism operates, the endpoint which receives the challenge appears to be a little naive in its expectations; as #148 notes, it is receiving traffic which `donate-neo` is having trouble handling. Indeed, simply hitting `/verifychallenge/` with a GET request in a browser causes the application to throw an exception.

This MR intends to resolve this issue by giving that endpoint some healthy skepticism in what it's expecting. `tordonate.views.verify_challenge()` has been extended with two new early exits, which both return HTTP 500. The first checks to see if the request contains a body at all, exiting early if not. The second takes the line which formerly assumed a JSON-formatted payload, and wraps it in a `try/except` block that handles `JSONDecodeError`s gracefully. (And, again, we exit early if the payload isn't legible JSON.)

Code comments within this method have been expanded and tidied up commensurate with these changes.
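The two early exits described in the commit message, as an added example that is not the code of `donate-neo` or of this commit: a framework-free WSGI stand-in for a solution-receiving endpoint, driven with constructed requests. The names `verify_challenge_app` and `request`, the response bodies and the sample payload fields are assumptions, and the third check (valid JSON that is not an object) goes beyond what the commit message describes.

```python
import io
import json

# Status the commit message says both early exits return.
REJECT = "500 Internal Server Error"


def verify_challenge_app(environ, start_response):
    """Hypothetical WSGI stand-in for a /verifychallenge/ style endpoint."""
    def reply(status, payload):
        data = json.dumps(payload).encode()
        start_response(status, [("Content-Type", "application/json"),
                                ("Content-Length", str(len(data)))])
        return [data]

    # Early exit 1: no body at all (for example a bare GET from a browser).
    try:
        length = int(environ.get("CONTENT_LENGTH") or 0)
    except ValueError:
        length = 0
    body = environ["wsgi.input"].read(length) if length > 0 else b""
    if not body:
        return reply(REJECT, {"error": "empty request body"})

    # Early exit 2: a body is present but is not legible JSON.
    try:
        solution = json.loads(body)
    except (json.JSONDecodeError, UnicodeDecodeError):
        return reply(REJECT, {"error": "body is not valid JSON"})

    # Added here, not in the commit message: valid JSON that is not an object.
    if not isinstance(solution, dict):
        return reply(REJECT, {"error": "JSON payload is not an object"})

    # Only now would the payload reach the proof-of-work check (omitted).
    return reply("200 OK", {"received": sorted(solution)})


def request(method, body=b""):
    """Drive the app with a constructed WSGI environ; return (status, json)."""
    seen = {}
    environ = {"REQUEST_METHOD": method, "PATH_INFO": "/verifychallenge/",
               "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body)}
    chunks = verify_challenge_app(environ, lambda s, h: seen.update(status=s))
    return seen["status"], json.loads(b"".join(chunks))
```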