A no-nonsense CAPTCHA system with seamless UX | Backend component

mCaptcha

Proof of work based, privacy respecting CAPTCHA system with a kickass UX.

STATUS: ACTIVE DEVELOPMENT

mCaptcha is a privacy respecting, free CAPTCHA system with a kickass UX. Your users no longer have to interact with ridiculous image-based CAPTCHA systems, wasting precious mental bandwidth. Instead, your computer will do the work for you. See for yourself!

How does it work?

mCaptcha uses SHA256 based proof-of-work (PoW) to rate limit users.

When a user wants to do something on an mCaptcha-protected website,

  1. they will have to generate proof-of-work (a bunch of math that takes time to compute) and submit it to mCaptcha.

  2. We'll validate the proof:

    • if validation is unsuccessful, they will be prevented from accessing their target website
    • if validation is successful, read on,
  3. They will be issued a token that they should submit along with their request/form submission to the target website.

  4. The target website should validate the user-submitted token with mCaptcha before processing the user's request.

The whole process is automated from the user's POV. All they have to do is click on a button to initiate the process.

mCaptcha makes interacting with websites (computationally) expensive for the user. A well-behaving user will experience a slight delay (from no delay when under moderate load to 2s when under attack; PoW difficulty is variable), but if someone wants to hammer your site, they will have to do more work to send requests than your server will have to do to respond to their request.

Why use mCaptcha?

  • Free software, privacy focused
  • Seamless UX - No more annoying CAPTCHAs!
  • No tracking: Our CAPTCHA routes are cookie free!
  • IP address independent: your users are behind a NAT? We got you covered!
  • Resistant to replay attacks: proof-of-work configurations have short lifetimes (30s) and can be used only once. If a user submits a PoW to an already used configuration or an expired one, their proof will be rejected.
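
The four steps under "How does it work?" and the replay-resistance point above, as an added Python sketch that is not mCaptcha's own code. Only SHA-256, the 30s lifetime and the one-time use of a PoW configuration come from this README; the hash input encoding, the 128-bit threshold rule, the `CaptchaServer` class, the token lifetime and single-use tokens are assumptions made for illustration.

```python
import hashlib
import secrets
import time

U128_MAX = (1 << 128) - 1
CHALLENGE_TTL = 30  # seconds; lifetime the README states for a PoW configuration
TOKEN_TTL = 60      # seconds; assumed, the README gives no token lifetime


def pow_value(salt: str, challenge: str, nonce: int) -> int:
    """First 128 bits of SHA-256(salt + challenge + nonce) as an integer (assumed encoding)."""
    digest = hashlib.sha256(f"{salt}{challenge}{nonce}".encode()).digest()
    return int.from_bytes(digest[:16], "big")


def threshold(difficulty_factor: int) -> int:
    """A proof is valid when pow_value >= threshold; about 1 in difficulty_factor hashes qualify."""
    return U128_MAX - U128_MAX // difficulty_factor


def solve(salt: str, challenge: str, difficulty_factor: int) -> int:
    """Step 1, client side: try nonces until one clears the threshold."""
    target = threshold(difficulty_factor)
    nonce = 0
    while pow_value(salt, challenge, nonce) < target:
        nonce += 1
    return nonce


class CaptchaServer:
    """Hypothetical in-memory server for steps 2 to 4 (a real one would also evict stale entries)."""

    def __init__(self, salt, difficulty_factor, clock=time.time):
        self.salt = salt
        self.difficulty_factor = difficulty_factor
        self._clock = clock
        self._challenges = {}  # challenge string -> expiry timestamp
        self._tokens = {}      # token -> expiry timestamp

    def issue_config(self) -> dict:
        """Hand the client a fresh PoW configuration that expires after CHALLENGE_TTL."""
        challenge = secrets.token_hex(16)
        self._challenges[challenge] = self._clock() + CHALLENGE_TTL
        return {"salt": self.salt, "challenge": challenge,
                "difficulty_factor": self.difficulty_factor}

    def verify_pow(self, challenge: str, nonce: int):
        """Steps 2 and 3: return a token for a valid proof, otherwise None."""
        # pop() makes the configuration single use: any second submission,
        # valid or not, finds nothing and is rejected (replay resistance).
        expiry = self._challenges.pop(challenge, None)
        if expiry is None or self._clock() > expiry:
            return None
        if pow_value(self.salt, challenge, nonce) < threshold(self.difficulty_factor):
            return None
        token = secrets.token_urlsafe(32)
        self._tokens[token] = self._clock() + TOKEN_TTL
        return token

    def validate_token(self, token: str) -> bool:
        """Step 4, called by the target website; tokens are single use here (assumption)."""
        expiry = self._tokens.pop(token, None)
        return expiry is not None and self._clock() <= expiry


def demo() -> dict:
    """Run the flow once against a controllable clock and report each outcome."""
    now = [1_000.0]  # constructed start time
    server = CaptchaServer("constructed-salt", 2_000, clock=lambda: now[0])

    cfg = server.issue_config()
    nonce = solve(cfg["salt"], cfg["challenge"], cfg["difficulty_factor"])
    token = server.verify_pow(cfg["challenge"], nonce)
    replayed = server.verify_pow(cfg["challenge"], nonce)  # same proof again
    accepted = server.validate_token(token)
    reused = server.validate_token(token)                  # same token again

    late_cfg = server.issue_config()
    late_nonce = solve(late_cfg["salt"], late_cfg["challenge"],
                       late_cfg["difficulty_factor"])
    now[0] += CHALLENGE_TTL + 1                            # let the configuration expire
    late = server.verify_pow(late_cfg["challenge"], late_nonce)

    return {"token_issued": token is not None,
            "replay_rejected": replayed is None,
            "token_accepted": accepted,
            "token_reuse_rejected": not reused,
            "expired_rejected": late is None}


if __name__ == "__main__":
    print(demo())
```

In this sketch a failed submission also consumes the configuration, so a client cannot retry nonces against the server; it has to fetch a new configuration first.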

Demo

Client-side widget:

mCaptcha's UX is super silent; solving CAPTCHAs has never been easier. One click and you are on your way. To observe mCaptcha in action, open dev tools and monitor console and network activity.

  1. Link to widget

  2. Video:

Demo servers are available at:

Core functionality is working but it's still very much work-in-progress. Since we don't have a stable release yet, hosted demo servers might be a few versions behind master. Please check footer for build commit.

Feel free to provide bogus information while signing up (project under development, database frequently wiped).

Self-hosted:

Clone the repo and run the following from the root of the repo:

$ docker-compose up -d

It takes a while to build the image so please be patient :)

See DEPLOYMENT.md for detailed alternate deployment methods.

Development:

See HACKING.md

Deployment:

See DEPLOYMENT.md

Configuration:

See CONFIGURATION.md

Comments
  • [SECURITY ISSUE] this is not a captcha

    Hi, I'm trying to estimate the reliability of this mechanism as an actual captcha (and not just as an overcomplicated rate limiter).

    So I was wondering, what would prevent a bot from automatically fetching the PoW configuration (since sitekey is accessible), solving the challenge (maybe reusing the same Rust code for simplicity and efficiency), submitting the PoW, getting the token and either using it for every following request or repeating the process (for bruteforcing as an example)?

    I get that the difficulty can be tuned, but still, I assume a bot implemented in Rust would be faster than its js/wasm counterpart, so it's safe to say a bot would take less than a browser anyway, thus kind of bypassing the rate limiting factor.

    What am I missing?

    Edit: adding PoC code https://github.com/evilsocket/mcaptcha_bypass

    opened by evilsocket 42
  • Troubles with ports using docker

    Hi, I'm trying to run mCaptcha with docker compose, on a server that already has some redis and postgres containers mapped on 6379 and 5432.

    I tried to map postgres and redis on other ports, but the main app doesn't recognise them.

    Here is my conf file:

    version: '3.9'
    
    services:
      mcaptcha:
        image: mcaptcha/mcaptcha:latest
        ports:
          - 7000:7000
        environment:
          DATABASE_URL: postgres://postgres:password@postgres:5433/postgres # set password at placeholder
          MCAPTCHA_REDIS_URL: redis://mcaptcha-redis:6380/
          RUST_LOG: debug
          RUST_BACKTRACE: 1
          PORT: 7000
        depends_on:
          - postgres
          - mcaptcha-redis
    
      postgres:
        image: postgres:13.2
        ports:
          - "5433:5432"
        volumes:
          - mcaptcha-data:/var/lib/postgresql/
        environment:
          POSTGRES_PASSWORD: password # change password
          PGDATA: /var/lib/postgresql/data/mcaptcha/
    
      mcaptcha-redis:
        image: mcaptcha/cache:latest
        ports:
          - "6380:6379"
    
    volumes:
      mcaptcha-data:
    
    opened by CartierPierre 6
  • failed to load source for dependency `actix-web-codegen`

    I get this error running the docker-compose up -d command

     => [rust  2/15] WORKDIR /src                                                                                                                                                                 1.9s 
    #0 47.95     Updating git repository `https://github.com/realaravinth/cache-buster`
    #0 48.72     Updating git repository `https://github.com/mCaptcha/libmcaptcha`
    #0 49.47     Updating git repository `https://github.com/realaravinth/actix-web`
    #0 51.92 error: failed to get `actix-web-codegen` as a dependency of package `mcaptcha v0.1.0 (/src)`
    #0 51.92
    #0 51.92 Caused by:
    #0 51.92   failed to load source for dependency `actix-web-codegen`
    #0 51.92
    #0 51.92 Caused by:
    #0 51.92   Unable to update https://github.com/realaravinth/actix-web#950d1265
    #0 51.92
    #0 51.92 Caused by:
    #0 51.92   object not found - no match for id (950d1265ee32f34efe6acb6663c56881ba1b489a); class=Odb (9); code=NotFound (-3)
    ------
    failed to solve: executor failed running [/bin/sh -c cargo build --release]: exit code: 101
    

    steps followed:

    1. git clone https://github.com/mCaptcha/mCaptcha
    2. cd mCaptcha
    3. docker-compose up -d
    opened by lucahttp 5
  • Can't login using docker compose installation

    Hi, it's me again, I'm using the docker-compose installation. I tried to log in using the default credentials or to create a new one, but it's not working. It redirects me to the login page. I see the INSERT in the log when creating an account, and the SELECT, but it says from conversin: Account not found

    opened by CartierPierre 4
  • ERROR [frontend 16/16] RUN make frontend -> make: ./scripts/librejs.sh: Command not found

    sorry again, I get this error running the docker-compose up -d command

     => ERROR [frontend 16/16] RUN make frontend                                                                                                                                                                                   33.9s 
    ------
     > [frontend 16/16] RUN make frontend:
    #0 1.033 yarn install
    #0 1.321 yarn install v1.22.5
    #0 1.605 [1/4] Resolving packages...
    #0 2.405 success Already up-to-date.
    #0 2.424 Done in 1.11s.
    #0 2.473 cd docs/openapi && yarn install
    #0 2.756 yarn install v1.22.5
    #0 2.834 warning package.json: License should be a valid SPDX license expression
    #0 2.985 warning [email protected]: License should be a valid SPDX license expression
    #0 2.990 [1/4] Resolving packages...
    #0 3.535 success Already up-to-date.
    #0 3.551 Done in 0.81s.
    #0 3.605 cd docs/openapi && yarn build
    #0 3.968 yarn run v1.22.5
    #0 4.157 warning package.json: License should be a valid SPDX license expression
    #0 4.226 $ swagger-cli bundle openapi.yaml --outfile dist/openapi.yaml --type yaml
    #0 4.923 Created dist/openapi.yaml from openapi.yaml
    #0 4.941 Done in 0.99s.
    #0 4.963 yarn install
    #0 5.341 yarn install v1.22.5
    #0 5.640 [1/4] Resolving packages...
    #0 6.494 success Already up-to-date.
    #0 6.514 Done in 1.19s.
    #0 6.584 yarn build
    #0 6.977 yarn run v1.22.5
    #0 7.110 $ webpack --mode production
    #0 24.77 Browserslist: caniuse-lite is outdated. Please run:
    #0 24.77   npx browserslist@latest --update-db
    #0 24.77   Why you should do it regularly: https://github.com/browserslist/browserslist#browsers-data-updating
    #0 25.57 assets by path *.js 25.7 KiB
    #0 25.57   asset bundle.js 17.6 KiB [emitted] [minimized] (name: bundle)
    #0 25.57   asset bench.js 5.83 KiB [emitted] [minimized] (name: bench)
    #0 25.57   asset verificationWidget.js 2.28 KiB [emitted] [minimized] (name: verificationWidget)
    #0 25.57 asset d31bd4308c685c96d507.module.wasm 72 KiB [emitted] [immutable] (auxiliary name: bench)
    #0 25.57 asset verificationWidget.css 1.55 KiB [emitted] [minimized] (name: verificationWidget)
    #0 25.57 Entrypoint bundle 17.6 KiB = bundle.js
    #0 25.57 Entrypoint verificationWidget 3.83 KiB = verificationWidget.css 1.55 KiB verificationWidget.js 2.28 KiB
    #0 25.57 Entrypoint bench 5.83 KiB (72 KiB) = bench.js 1 auxiliary asset
    #0 25.57 orphan modules 55.8 KiB (javascript) 937 bytes (runtime) [orphan] 59 modules
    #0 25.57 runtime modules 4.72 KiB 8 modules
    #0 25.57 cacheable modules 63.2 KiB (javascript) 1.59 KiB (css/mini-extract) 72 KiB (webassembly)
    #0 25.57   javascript modules 63.2 KiB
    #0 25.57     modules by path ./templates/ 57.9 KiB
    #0 25.57       modules by path ./templates/widget/ 7.46 KiB 3 modules
    #0 25.57       ./templates/index.ts + 47 modules 49.9 KiB [built] [code generated]
    #0 25.57       ./templates/logger.ts 529 bytes [built] [code generated]
    #0 25.57     modules by path ./node_modules/@mcaptcha/ 5.31 KiB
    #0 25.57       ./node_modules/@mcaptcha/pow_sha256-polyfill/dist/index.js 1.15 KiB [built] [code generated]
    #0 25.57       ./node_modules/@mcaptcha/pow-wasm/pow_wasm_bg.js 4.16 KiB [built] [code generated]
    #0 25.57   css ./node_modules/css-loader/dist/cjs.js!./node_modules/sass-loader/dist/cjs.js??ruleSet[1].rules[1].use[2]!./templates/widget/main.scss 1.59 KiB [built] [code generated]
    #0 25.57   ./node_modules/@mcaptcha/pow-wasm/pow_wasm_bg.wasm 50 bytes (javascript) 72 KiB (webassembly) [built] [code generated]
    #0 25.57 webpack 5.58.1 compiled successfully in 15557 ms
    #0 25.66 Done in 18.69s.
    #0 26.08 yarn run v1.22.5
    #0 26.17 $ /src/node_modules/.bin/sass -s compressed templates/main.scss ./static/cache/bundle/css/main.css
    #0 27.48 Done in 1.42s.
    #0 27.84 yarn run v1.22.5
    #0 27.97 $ /src/node_modules/.bin/sass -s compressed templates/mobile.scss ./static/cache/bundle/css/mobile.css
    #0 28.88 Done in 1.05s.
    #0 29.24 yarn run v1.22.5
    #0 29.39 $ /src/node_modules/.bin/sass -s compressed templates/widget/main.scss ./static/cache/bundle/css/widget.css
    #0 30.27 Done in 1.04s.
    #0 30.28 make: ./scripts/librejs.sh: Command not found
    #0 30.28 make: *** [Makefile:49: frontend] Error 127
    ------
    failed to solve: executor failed running [/bin/sh -c make frontend]: exit code: 2
    
    opened by lucahttp 2
  • Bump nanoid from 3.1.29 to 3.2.0

    Bumps nanoid from 3.1.29 to 3.2.0.

    Changelog

    Sourced from nanoid's changelog.

    Change Log

    This project adheres to Semantic Versioning.

    3.2

    • Added --size and --alphabet arguments to binary (by Vitaly Baev).

    3.1.32

    • Reduced async exports size (by Artyom Arutyunyan).
    • Moved from Jest to uvu (by Vitaly Baev).

    3.1.31

    • Fixed collision vulnerability on object in size (by Artyom Arutyunyan).

    3.1.30

    • Reduced size for project with brotli compression (by Anton Khlynovskiy).
    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
    • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
    • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
    • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

    You can disable automated security fix PRs for this repo from the Security Alerts page.

    dependencies 
    opened by dependabot[bot] 2
  • Bump follow-redirects from 1.14.4 to 1.14.7

    Bumps follow-redirects from 1.14.4 to 1.14.7.

    Commits
    • 2ede36d Release version 1.14.7 of the npm package.
    • 8b347cb Drop Cookie header across domains.
    • 6f5029a Release version 1.14.6 of the npm package.
    • af706be Ignore null headers.
    • d01ab7a Release version 1.14.5 of the npm package.
    • 40052ea Make compatible with Node 17.
    • 86f7572 Fix: clear internal timer on request abort to avoid leakage
    • 2e1eaf0 Keep Authorization header on subdomain redirects.
    • 2ad9e82 Carry over Host header on relative redirects (#172)
    • See full diff in compare view


    dependencies 
    opened by dependabot[bot] 2
  • Bump nth-check from 2.0.0 to 2.0.1

    Bumps nth-check from 2.0.0 to 2.0.1.

    Release notes

    Sourced from nth-check's releases.

    v2.0.1

    Fixes:

    • Replace regex with hand-rolled parser for nth-expressions (#9) 9894c1d
      • Ensures parsing will always have linear time complexity.

    Internal:

    • chore(ci): Use GitHub Actions, Dependabot (#10) e02b4dd
    • Bump dependencies

    https://github.com/fb55/nth-check/compare/v2.0.0...v2.0.1

    Commits
    • 65e40b0 2.0.1
    • ff63f1d Bump eslint-config-prettier from 6.15.0 to 8.3.0 (#11)
    • ff24c93 Bump jest from 26.6.3 to 27.2.0 (#17)
    • da9d78a Bump @typescript-eslint/parser from 4.9.0 to 4.31.1 (#18)
    • fa35caf Bump @types/node from 14.14.10 to 16.9.1 (#16)
    • 5f39402 Bump @typescript-eslint/eslint-plugin from 4.9.0 to 4.31.1 (#19)
    • a11c0c1 Bump prettier from 2.2.1 to 2.4.0 (#20)
    • 3ddd820 Bump @types/jest from 26.0.15 to 27.0.1 (#13)
    • 732ab0a Bump ts-jest from 26.4.4 to 26.5.6 (#15)
    • 7efd9da Bump eslint from 7.14.0 to 7.32.0 (#14)
    • Additional commits viewable in compare view


    dependencies 
    opened by dependabot[bot] 2
  • Question: Experiencing relatively low security

    Actually, when this project solves the problem of user experience, we have raised another problem:

    The previous websites using CAPTCHA are in fact making their websites more expensive computationally as well to defend against attacks (e.g. the need to run deep learning stuff to identify the characters in the CAPTCHA). As human brains are better at doing those jobs than machines, humans take a shorter time than machines doing those, which means that, to achieve a relatively acceptable delay for a user visiting the website, the traditional plans can bring more calculation work to robots. Yet now this project definitely costs the same when a usual user or a robot visits the website. So when high levels of security are required, this plan could work poorly.

    This is just a personal question, and it may not be true.

    opened by xtlsoft 2
  •  rm token name unique

    Token name is to assist users; having unique constraints makes token names less user friendly.

    So token name unique constraint must be removed and when performing token name lookups, they'll have to be scoped to the domain name.

    enhancement 
    opened by realaravinth 2
  • feat: open links from widget in new pages target=_blank

    If the widget is added as an iframe in a website, these links should not open in the iframe. They should open in a new tab instead. Would be nice if you consider a pull and add it to your project.

    opened by DarianAnjuhal 1
  • chore(deps): bump express from 4.17.1 to 4.18.2

    Bumps express from 4.17.1 to 4.18.2.

    Release notes

    Sourced from express's releases.

    4.18.2

    4.18.1

    • Fix hanging on large stack of sync routes

    4.18.0

    ... (truncated)

    Changelog

    Sourced from express's changelog.

    4.18.2 / 2022-10-08

    4.18.1 / 2022-04-29

    • Fix hanging on large stack of sync routes

    4.18.0 / 2022-04-25

    ... (truncated)

    Commits


    dependencies javascript 
    opened by dependabot[bot] 0
  • Verification not working anymore, restart container helped

    Hi,

    After a couple of months without issues, the verification step did not work anymore. The widget looked correct.

    Unfortunately I do not have the errors from the client console (I'll try to get more info). But in the mcaptcha service I have the following log (Broken pipe (os error 32)):

    Defense { levels: [Level { visitor_threshold: 2000, difficulty_factor: 50000 }, Level { visitor_threshold: 10000, difficulty_factor: 3000000 }, Level { visitor_threshold: 20000, difficulty_factor: 5000000 }], current_visitor_threshold: 0 }
     ERROR mcaptcha::errors              > Broken pipe (os error 32)
     INFO  actix_web::middleware::logger > 10.42.0.226 "POST /api/v1/pow/config HTTP/1.1" 400 37 "https://*********/widget/?sitekey=*****" "Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0" 0.081178
     INFO  sqlx::query                   > /* SQLx ping */; rows affected: 0, rows returned: 0, elapsed: 339.746µs  
    

    Is it possible to monitor the verification endpoint in some way? Next time I prefer to get a mail from our monitoring and not a customer's call. :-)

    Are there additional logs I can have a look at? Please let me know if I can help to solve this issue. If I fix something by myself, of course I will generate a pull request (as always).

    Bye and have a nice day Darian

    opened by DarianAnjuhal 2
  • chore(deps): bump minimist from 1.2.5 to 1.2.7 in /docs/openapi

    Bumps minimist from 1.2.5 to 1.2.7.

    Changelog

    Sourced from minimist's changelog.

    v1.2.7 - 2022-10-10

    Commits

    • [meta] add auto-changelog 0ebf4eb
    • [actions] add reusable workflows e115b63
    • [eslint] add eslint; rules to enable later are warnings f58745b
    • [Dev Deps] switch from covert to nyc ab03356
    • [readme] rename and add badges 236f4a0
    • [meta] create FUNDING.yml; add funding in package.json 783a49b
    • [meta] use npmignore to autogenerate an npmignore file f81ece6
    • Only apps should have lockfiles 56cad44
    • [Dev Deps] update covert, tape; remove unnecessary tap 49c5f9f
    • [Tests] add aud in posttest 228ae93
    • [meta] add safe-publish-latest 01fc23f
    • [meta] update repo URLs 6b164c7

    v1.2.6 - 2022-03-21

    Commits

    • test from prototype pollution PR bc8ecee
    • isConstructorOrProto adapted from PR c2b9819
    • security notice for additional prototype pollution issue ef88b93
    Commits
    • c590d75 v1.2.7
    • 0ebf4eb [meta] add auto-changelog
    • e115b63 [actions] add reusable workflows
    • 01fc23f [meta] add safe-publish-latest
    • f58745b [eslint] add eslint; rules to enable later are warnings
    • 228ae93 [Tests] add aud in posttest
    • 236f4a0 [readme] rename and add badges
    • ab03356 [Dev Deps] switch from covert to nyc
    • 49c5f9f [Dev Deps] update covert, tape; remove unnecessary tap
    • 783a49b [meta] create FUNDING.yml; add funding in package.json
    • Additional commits viewable in compare view
    Maintainer changes

    This version was pushed to npm by ljharb, a new releaser for minimist since your current version.



    dependencies javascript 
    opened by dependabot[bot] 0
  • chore(deps): bump minimist from 1.2.5 to 1.2.7

    Bumps minimist from 1.2.5 to 1.2.7.

    Changelog

    Sourced from minimist's changelog.

    v1.2.7 - 2022-10-10

    Commits

    • [meta] add auto-changelog 0ebf4eb
    • [actions] add reusable workflows e115b63
    • [eslint] add eslint; rules to enable later are warnings f58745b
    • [Dev Deps] switch from covert to nyc ab03356
    • [readme] rename and add badges 236f4a0
    • [meta] create FUNDING.yml; add funding in package.json 783a49b
    • [meta] use npmignore to autogenerate an npmignore file f81ece6
    • Only apps should have lockfiles 56cad44
    • [Dev Deps] update covert, tape; remove unnecessary tap 49c5f9f
    • [Tests] add aud in posttest 228ae93
    • [meta] add safe-publish-latest 01fc23f
    • [meta] update repo URLs 6b164c7

    v1.2.6 - 2022-03-21

    Commits

    • test from prototype pollution PR bc8ecee
    • isConstructorOrProto adapted from PR c2b9819
    • security notice for additional prototype pollution issue ef88b93
    Commits
    • c590d75 v1.2.7
    • 0ebf4eb [meta] add auto-changelog
    • e115b63 [actions] add reusable workflows
    • 01fc23f [meta] add safe-publish-latest
    • f58745b [eslint] add eslint; rules to enable later are warnings
    • 228ae93 [Tests] add aud in posttest
    • 236f4a0 [readme] rename and add badges
    • ab03356 [Dev Deps] switch from covert to nyc
    • 49c5f9f [Dev Deps] update covert, tape; remove unnecessary tap
    • 783a49b [meta] create FUNDING.yml; add funding in package.json
    • Additional commits viewable in compare view
    Maintainer changes

    This version was pushed to npm by ljharb, a new releaser for minimist since your current version.



    dependencies javascript 
    opened by dependabot[bot] 0
  • chore(deps): bump vm2 from 3.9.5 to 3.9.11 in /docs/openapi


    Bumps vm2 from 3.9.5 to 3.9.11.

    Release notes

    Sourced from vm2's releases.

    3.9.11

    New Features

    https://github.com/patriksimek/vm2/commit/58478a58c6f4af3c54faf4117ed5ab72d2cc8cd5: Add option require.strict to allow to load required modules in non strict mode.

    Fixes

    https://github.com/patriksimek/vm2/commit/d9a7f3cc995d3d861e1380eafb886cb3c5e2b873: Security fix.

    3.9.10

    New Features

    61d240f69cc02974be27c7582fee2defd0e6c7a8: Add uptime to process.

    Fixes

    e3e573fdc99a98a9c7db026e4c40474eb78cab4a: Security fix.

    245da82dcdfa67031e065fd7c7a7348b5e21f2b8: Fix inspect showProxy.

    3.9.9

    Fixes

    5c2e13bbf0c0518e1958a4307982a999aa181049: Bump ECMA version to 2022.

    3.9.8

    Fixes

    777ffb0e021ef89444f215a69365a689d7051896: Fix access to some restricted function properties on non functions and fix findBestExtensionHandler not finding the best handler.

    925e3e665acfa37dd3db0ea8e7f02b57277677e8: Try to return nicer parser errors.

    3.9.7

    Fixes

    b7f794dfb3034d2173b9da957f48425adc4081c3: Custom Resolver is allowed to return undefined

    568934f58cf72339a3dd2a2c578cc28550c19d27: Fixed some bugs introduced in v3.9.6

    b6581b4a9cf9a4706b2967fceb5930a3de4d2ac7: Fixed root path checking

    3.9.6

    Fixes

    532120d5cdec7da8225fc6242e154ebabc63fe4d: Internal restructuring and security improvements

    Changelog

    Sourced from vm2's changelog.

    v3.9.11 (2022-08-28)

    [new] Add option require.strict to allow to load required modules in non strict mode.
    [fix] Security fix.

    v3.9.10 (2022-07-05)

    [new] Add uptime to process.
    [fix] Security fix.
    [fix] Fix inspection with showProxy.

    v3.9.9 (2022-02-24)

    [fix] Bump parser ECMA version to 2022.

    v3.9.8 (2022-02-16)

    [fix] Add function type check for arguments, caller, and callee property check (GeoffRen)
    [fix] Fix find best extension handler

    v3.9.7 (2022-02-10)

    [fix] Allow relative require from base script
    [fix] Fix issue with modules with exports clause in package JSON
    [fix] Added missing whitelist check before custom require
    [fix] Revert plain object toString behavior
    [fix] Root path check improved

    v3.9.6 (2022-02-08)

    [fix] Security fixes (XmiliaH)

    Commits


    dependencies javascript 
    opened by dependabot[bot] 0
  • docker compose file - can't log into application


    Hi,

    maybe someone can help me. I've got the docker image running, using the docker-compose.yml file provided. I have the service running behind an nginx server.

    When I try to log in with wrong user credentials I get the red error message, but if I use the ones given (aaronsw, password), I get forwarded to: https://mydomain/login?redirect_to=%2F (302 instead of the 200)

    here is an excerpt of the log files:

    mcaptcha_1           |  INFO  actix_web::middleware::logger > 192.168.160.1 "POST /api/v1/signin HTTP/1.0" 200 0 "https://my-domain/login?redirect_to=%2F" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0" 0.037804
    mcaptcha_1           |  INFO  sqlx::query                   > /* SQLx ping */; rows affected: 0, rows returned: 0, elapsed: 534.716µs
    mcaptcha_1           |  INFO  actix_web::middleware::logger > 192.168.160.1 "GET / HTTP/1.0" 302 0 "https://my-domain/login?redirect_to=%2F" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0" 0.000330
    mcaptcha_1           |  INFO  actix_web::middleware::logger > 192.168.160.1 "GET /login?redirect_to=%2F HTTP/1.0" 200 5775 "https://my-domain/login?redirect_to=%2F" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0" 0.001699
    
    

    nginx config:

    server {
        server_name my-domain;
    
        # security - prevent information disclosure about server version
        server_tokens off;
    
        access_log /var/log/nginx/captcha.access.log;
        error_log  /var/log/nginx/captcha.error.log;
    
        location / {
            proxy_pass http://localhost:7000;
            proxy_redirect     off;
            proxy_set_header   Host             $host;
            proxy_set_header   X-Real-IP        $remote_addr;
            proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
            proxy_pass_request_headers on;
    
            client_max_body_size       10m;
            client_body_buffer_size    128k;
    
            proxy_connect_timeout      300;
            proxy_send_timeout         300;
            proxy_read_timeout         300;
    
            proxy_buffer_size          4k;
            proxy_buffers              4 32k;
            proxy_busy_buffers_size    64k;
            proxy_temp_file_write_size 64k;
    
            gzip on;
            gzip_types text/plain text/xml text/css image/svg+xml application/javascript application/x-javascript application/json application/xml;
            gzip_proxied any;
        }
    
    
        listen 443 ssl; # managed by Certbot
        ssl_certificate /etc/letsencrypt/live/my-domain/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/my-domain/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    
    }
    server {
        if ($host = my-domain) {
            return 301 https://$host$request_uri;
        } # managed by Certbot
    
        server_name my-domain;
        listen 80;
        return 404; # managed by Certbot
    }
    
    opened by UBA-NE 2
Owner
mCaptcha
A no-nonsense CAPTCHA system with seamless UX
mCaptcha