altcha-lib
Advanced tools
A library for creating and verifying ALTCHA challenges for Node.js, Bun and Deno.
ALTCHA JS Library is a lightweight, zero-dependency library designed for creating and verifying ALTCHA challenges.
This library utilizes Web Crypto.
import { createChallenge, verifySolution } from 'altcha-lib';
const hmacKey = 'secret hmac key';
// Create a new challenge and send it to the client:
const challenge = await createChallenge({
hmacKey,
maxNumber: 100000, // the maximum random number
});
// When submitted, verify the payload:
const ok = await verifySolution(payload, hmacKey);
In Node.js version 16, there is no global reference to crypto by default. To use this library, you need to add the following code to your codebase:
globalThis.crypto = require('node:crypto').webcrypto;
Or with import syntax:
import { webcrypto } from 'node:crypto';
globalThis.crypto = webcrypto;
createChallenge(options)Creates a new challenge for ALTCHA.
Parameters:
options: ChallengeOptions:
algorithm?: string: Algorithm to use (SHA-1, SHA-256, SHA-512, default: SHA-256).expires?: Date: Optional expires time (as Date set into the future date).hmacKey: string (required): Signature HMAC key.maxnumber?: number: Optional maximum number for the random number generator (defaults to 1,000,000).number?: number: Optional number to use. If not provided, a random number will be generated.params?: Record<string, string>: Optional parameters to be added to the salt as URL-encoded query string. Use extractParams() to read them.salt?: string: Optional salt string. If not provided, a random salt will be generated.saltLength?: number: Optional maximum lenght of the random salt (in bytes, defaults to 12).Returns: Promise<Challenge>
extractParams(payload)Extracts optional parameters from the challenge or payload.
Parameters:
payload: string | Payload | ChallengeReturns: Record<string, string>
verifySolution(payload, hmacKey, checkExpires = true)Verifies an ALTCHA solution. The payload can be a Base64-encoded JSON payload (as submitted by the widget) or an object.
Parameters:
payload: string | PayloadhmacKey: stringcheckExpires: boolean = true: Whether to perform a check on the optional expires parameter. Will return false if challenge expired.Returns: Promise<boolean>
verifyServerSignature(payload, hmacKey)Verifies the server signature returned by the API. The payload can be a Base64-encoded JSON payload or an object.
Parameters:
payload: string | ServerSignaturePayloadhmacKey: stringReturns: Promise<{ verificationData: ServerSignatureVerificationData | null, verified: boolean }>
verifyFieldsHash(formData, fields, fieldsHash, algorithm?)Verifies the hash of form fields returned by the Spam Filter.
Parameters:
formData: FormData | Record<string, unknown>fields: string[]fieldsHash: stringalgorithm: Algorithm = 'SHA-256'Returns: Promise<boolean>
solveChallenge(challenge, salt, algorithm?, max?, start?)Finds a solution to the given challenge.
Parameters:
challenge: string (required): The challenge hash.salt: string (required): The challenge salt.algorithm?: string: Optional algorithm (default: SHA-256).maxnumber?: string: Optional maxnumber to iterate to (default: 1e6).start?: string: Optional starting number (default: 0).Returns: { controller: AbortController, promise: Promise<Solution | null> }
solveChallengeWorkers(workerScript, concurrency, challenge, salt, algorithm?, max?, start?)Finds a solution to the given challenge with Web Workers running concurrently.
Parameters:
workerScript: string (required): The path or URL of the worker script.concurrency: number (required): The concurrency (number of workers).challenge: string (required): The challenge hash.salt: string (required): The challenge salt.algorithm?: string: Optional algorithm (default: SHA-256).maxnumber?: string: Optional maxnumber to iterate to (default: 1e6).start?: string: Optional starting number (default: 0).Returns: Promise<Solution | null>
Usage with altcha-lib/worker:
import { solveChallengeWorkers } from 'altcha-lib';
const solution = await solveChallengeWorkers(
'altcha-lib/worker', // Worker script URL or path
8, // Spawn 8 workers
challenge,
salt,
);
> solveChallenge()
- n = 1,000............................... 312 ops/s ±2.90%
- n = 10,000.............................. 31 ops/s ±1.50%
- n = 50,000.............................. 6 ops/s ±0.82%
- n = 100,000............................. 3 ops/s ±0.37%
- n = 500,000............................. 0 ops/s ±0.31%
> solveChallengeWorkers() (8 workers)
- n = 1,000............................... 62 ops/s ±3.99%
- n = 10,000.............................. 31 ops/s ±6.83%
- n = 50,000.............................. 11 ops/s ±4.00%
- n = 100,000............................. 7 ops/s ±2.32%
- n = 500,000............................. 1 ops/s ±1.89%
Run with Bun on MacBook Pro M3-Pro. See /benchmark folder for more details.
MIT
FAQs
A library for creating and verifying ALTCHA challenges for Node.js, Bun and Deno.
The npm package altcha-lib receives a total of 6,747 weekly downloads. As such, altcha-lib popularity was classified as popular.
We found that altcha-lib demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Malicious PyPI package semantic-types steals Solana private keys via transitive dependency installs using monkey patching and blockchain exfiltration.
Security News
New CNA status enables OpenJS Foundation to assign CVEs for security vulnerabilities in projects like ESLint, Fastify, Electron, and others, while leaving disclosure responsibility with individual maintainers.
Product
Socket MCP brings real-time security checks to AI-generated code, helping developers catch risky dependencies before they enter the codebase.