Ixnas.AltchaNet 1.1.0

.NET 8.0 This package targets .NET 8.0. The package is compatible with this framework or higher. .NET Standard 2.0 This package targets .NET Standard 2.0. The package is compatible with this framework or higher. 
dotnet add package Ixnas.AltchaNet --version 1.1.0
                    


                    

                
NuGet\Install-Package Ixnas.AltchaNet -Version 1.1.0
This command is intended to be used within the Package Manager Console in Visual Studio, as it uses the NuGet module's version of Install-Package. 
<PackageReference Include="Ixnas.AltchaNet" Version="1.1.0" />
For projects that support PackageReference, copy this XML node into the project file to reference the package. 
<PackageVersion Include="Ixnas.AltchaNet" Version="1.1.0" />
                    


                            Directory.Packages.props
                        

                    

                
<PackageReference Include="Ixnas.AltchaNet" />
                    


                            Project file
For projects that support Central Package Management (CPM), copy this XML node into the solution Directory.Packages.props file to version the package. 
paket add Ixnas.AltchaNet --version 1.1.0
                    


                    

                
#r "nuget: Ixnas.AltchaNet, 1.1.0"
#r directive can be used in F# Interactive and Polyglot Notebooks. Copy this into the interactive tool or source code of the script to reference the package. 
#addin nuget:?package=Ixnas.AltchaNet&version=1.1.0
                    


                            Install Ixnas.AltchaNet as a Cake Addin
                        

                    

                
#tool nuget:?package=Ixnas.AltchaNet&version=1.1.0
                    


                            Install Ixnas.AltchaNet as a Cake Tool

Altcha.NET

Build status Nuget version

C# implementation of the ALTCHA challenge.

Features

Contents

Installation

This library is available on NuGet, so you can add it to your project as follows:

dotnet add package Ixnas.AltchaNet

Using self-hosted challenges

Set up

First make sure you've set up the front-end widget to use your challenge endpoint.

The entrypoint of this library contains a service builder for self-hosted configurations. This builder configures the service that is used to create ALTCHA challenges and validate their responses. The most basic configuration looks like this:

var altchaService = Altcha.CreateServiceBuilder()
                          .UseSha256(key)
                          .UseStore(storeFactory)
                          .Build();

Here is a description of the different configuration options.

Method Description
UseStore(Func<IAltchaChallengeStore> storeFactory)<br>UseStore(Func<IAltchaCancellableChallengeStore> storeFactory) (Required) Configures a store factory to use for previously verified ALTCHA responses. Used to prevent replay attacks.
UseStore(IAltchaChallengeStore store)<br>UseStore(IAltchaCancellableChallengeStore store) (Required) Configures a store instance to use for previously verified ALTCHA responses. Used to prevent replay attacks.
UseSha256(byte[] key) (Required) Configures the SHA-256 algorithm for hashing and signing. Must be 64 bytes long. Currently the only supported algorithm.
SetComplexity(AltchaComplexity complexity)<br>SetComplexity(int min, int max) (Optional) Overrides the default complexity to tweak the amount of computational effort a client has to put in. See ALTCHA's documentation for more information (default 50,000 - 100,000).
SetExpiry(AltchaExpiry expiry)<br>SetExpiryInSeconds(int expiryInSeconds) (Optional) Overrides the default time it takes for a challenge to expire (default 120 seconds).
UseInMemoryStore() Configures a simple in-memory store for previously verified ALTCHA responses. Should only be used for testing purposes.
Build() Returns a new configured service instance.
Key

The library requires a key to sign and verify ALTCHA challenges. You can use a random number generator from .NET to create one for you:

var key = new byte[64];
using (var rng = RandomNumberGenerator.Create())
{
    rng.GetBytes(key);
}
Store

The library requires a store implementation to store previously verified challenge responses. You can use anything persistent, like a database or a file. As long as it implements the IAltchaChallengeStore or the IAltchaCancellableStore interface, it will work.

For persistent (I/O-bound) storage implementations, you should probably implement IAltchaCancellableStore which supports CancellationTokens.

You can use expiryUtc to periodically remove expired challenges from your store.

As an example, the bundled in-memory store looks similar to this:

public class InMemoryStore : IAltchaChallengeStore
{
    private class StoredChallenge
    {
        public string Challenge { get; set; }
        public DateTimeOffset ExpiryUtc { get; set; }
    }

    private readonly List<StoredChallenge> _stored = new List<StoredChallenge>();

    public Task Store(string challenge, DateTimeOffset expiryUtc)
    {
        var challengeToStore = new StoredChallenge
        {
            Challenge = challenge,
            ExpiryUtc = expiryUtc
        };
        _stored.Add(challengeToStore);
        return Task.CompletedTask;
    }

    public Task<bool> Exists(string challenge)
    {
        _stored.RemoveAll(storedChallenge => storedChallenge.ExpiryUtc <= DateTimeOffset.UtcNow);
        var exists = _stored.Exists(storedChallenge => storedChallenge.Challenge == challenge);
        return Task.FromResult(exists);
    }
}

If you're using a short-lived object to access your database (like a request-scoped Entity Framework DbContext), it is recommended to provide a factory function for the store instead of an instance.

Usage

Generating a challenge

To generate a challenge:

var challenge = altchaService.Generate();

The challenge object can be serialized to JSON for the client to use. Read ALTCHA's documentation on how to use such a JSON object.

It's possible to override configuration options by passing an AltchaGenerateChallengeOverrides object. This can be useful when implementing a dynamic complexity strategy, for example.

var overrides = new AltchaGenerateChallengeOverrides
{
    Complexity = new AltchaComplexity(200000, 300000),
    Expiry = new AltchaExpiry(300),
};
var challenge = altchaService.Generate(overrides);

Only the properties that are set will affect the generation, and only for this single call.

Validating a response

To validate a response:

var validationResult = await altchaService.Validate(altcha, cancellationToken);
if (!validationResult.IsValid)
{
    _logger.LogInformation(validationResult.ValidationError.Message);
    /* ... */
}

The altcha parameter can either be a base64-encoded JSON string (like the raw value of the altcha field in a submitted form), or an already decoded and deserialized AltchaResponse object.

The cancellationToken parameter can be passed if the service was set up with a IAltchaCancellableChallengeStore. The cancellation token can cancel queries and updates to the store implementation.

Verifying challenges from ALTCHA's API

Set up

First make sure you've set up the front-end widget to use the API.

The entrypoint of this library contains a different service builder for integrating with ALTCHA's API. The most basic configuration looks like this:

var altchaApiService = Altcha.CreateApiServiceBuilder()
                             .UseApiSecret(secret)
                             .UseStore(storeFactory)
                             .Build();

Here is a description of the different configuration options.

Method Description
UseStore(Func<IAltchaChallengeStore> storeFactory)<br>UseStore(Func<IAltchaCancellableChallengeStore> storeFactory) (Required) Configures a store factory to use for previously verified ALTCHA responses. Used to prevent replay attacks.
UseStore(IAltchaChallengeStore store)<br>UseStore(IAltchaCancellableChallengeStore store) (Required) Configures a store instance to use for previously verified ALTCHA responses. Used to prevent replay attacks.
UseApiSecret(string secret) (Required) Configures the API secret used to validate challenges from ALTCHA's API. Starts with either "sec_" or "_csec".
SetMaxSpamFilterScore(double score) (Optional) Overrides the default maximum score that a spam filtered form may have before it's rejected (default 2).
UseInMemoryStore() Configures a simple in-memory store for previously verified ALTCHA responses. Should only be used for testing purposes.
Build() Returns a new configured service instance.

The store uses the same interface as it does for the self-hosted service. You can even use the same instance if you like.

Usage

Validating a regular response

To validate a regular response:

var validationResult = await altchaApiService.Validate(altcha, cancellationToken);
if (!validationResult.IsValid)
{
    _logger.LogInformation(validationResult.ValidationError.Message);
    /* ... */
}

This works the same way as self-hosted validation. Challenges generated by the self-hosted service can not be validated by the API service, or vice versa.

Validating a spam filtered form

To validate a spam filtered form, you need an object that represents the form fields as public string properties. By default, the library looks for a public string property named Altcha that should contain the raw value from the altcha field in a submitted form. A form class could look like this:

public class ExampleForm
{
    public string Altcha { get; set; }
    public string Email { get; set; }
    public string Text { get; set; }
}

To validate the form:

var validationResult = await altchaApiService.ValidateSpamFilteredForm(form, cancellationToken);
if (!validationResult.IsValid)
{
    _logger.LogInformation(validationResult.ValidationError.Message);
    /* ... */
}

if (!validationResult.PassedSpamFilter)
    /* ... */

If you prefer to use a different property for the ALTCHA payload, you can use a member expression to select it:

var validationResult = await altchaApiService.ValidateSpamFilteredForm(form, cancellationToken, x => x.AnotherProperty);

The result's IsValid property tells you whether the form data, verification data and the signature are valid. You should probably reject the form submission if this is not the case. The ValidationError property contains more details on why the validation failed.

The result's PassedSpamFilter property tells you whether the form data successfully passed through the spam filter. You might want to keep the form submission and mark it as spam in your application for manual approval.

Solving challenges

Set up

The entrypoint of this library contains a builder for creating solver instances. The most basic configuration looks like this:

var altchaSolver = Altcha.CreateSolverBuilder()
                         .Build();

Here is a description of the different configuration options.

Method Description
IgnoreExpiry() (Optional) Disables checking for expiry before attempting to solve a challenge.
Build() Returns a new configured solver instance.

Usage

To solve a challenge, first make sure you have a deserialized AltchaChallange object to solve. Then you can solve the challenge as follows:

var solverResult = altchaSolver.Solve(challenge);

if (!solverResult.Success)
{
    _logger.LogInformation(solverResult.Error.Message);
    /* ... */
}

var formWithAltcha = new
{
    SomeFormField = "some text",
    Altcha = solverResult.Altcha
};

This example attaches the solution from solverResult.Altcha to a form object as the "altcha" field.

Example

The AspNetCoreExample project contains a few examples for generating, solving and validating challenges.

Contributing

Bug reports, fixes, ideas and suggestions are always welcome! Feel free to reach out by creating new issues, and I'll try to respond as soon as I can.

License

See LICENSE.txt

See LICENSE-ALTCHA.txt for ALTCHA's original license.

Product Compatible and additional computed target framework versions.
.NET net5.0 was computed.  net5.0-windows was computed.  net6.0 was computed.  net6.0-android was computed.  net6.0-ios was computed.  net6.0-maccatalyst was computed.  net6.0-macos was computed.  net6.0-tvos was computed.  net6.0-windows was computed.  net7.0 was computed.  net7.0-android was computed.  net7.0-ios was computed.  net7.0-maccatalyst was computed.  net7.0-macos was computed.  net7.0-tvos was computed.  net7.0-windows was computed.  net8.0 is compatible.  net8.0-android was computed.  net8.0-browser was computed.  net8.0-ios was computed.  net8.0-maccatalyst was computed.  net8.0-macos was computed.  net8.0-tvos was computed.  net8.0-windows was computed.  net9.0 is compatible.  net9.0-android was computed.  net9.0-browser was computed.  net9.0-ios was computed.  net9.0-maccatalyst was computed.  net9.0-macos was computed.  net9.0-tvos was computed.  net9.0-windows was computed. 
.NET Core netcoreapp2.0 was computed.  netcoreapp2.1 was computed.  netcoreapp2.2 was computed.  netcoreapp3.0 was computed.  netcoreapp3.1 was computed. 
.NET Standard netstandard2.0 is compatible.  netstandard2.1 was computed. 
.NET Framework net461 was computed.  net462 was computed.  net463 was computed.  net47 was computed.  net471 was computed.  net472 was computed.  net48 was computed.  net481 was computed. 
MonoAndroid monoandroid was computed. 
MonoMac monomac was computed. 
MonoTouch monotouch was computed. 
Tizen tizen40 was computed.  tizen60 was computed. 
Xamarin.iOS xamarinios was computed. 
Xamarin.Mac xamarinmac was computed. 
Xamarin.TVOS xamarintvos was computed. 
Xamarin.WatchOS xamarinwatchos was computed. 
Compatible target framework(s)
Included target framework(s) (in package)
Learn more about Target Frameworks and .NET Standard.

  • .NETStandard 2.0

  • net8.0

    • No dependencies.

  • net9.0

    • No dependencies.

NuGet packages

This package is not used by any NuGet packages.

GitHub repositories

This package is not used by any popular GitHub repositories.

Version Downloads Last updated
1.1.0 648 3/22/2025
1.0.0 166 3/18/2025
0.4.1 15,957 11/4/2024
0.4.0 118 11/3/2024
0.3.0 8,361 5/21/2024
0.2.1 107 5/13/2024
0.2.0 107 5/11/2024
0.1.3 143 5/6/2024
0.1.2 146 5/5/2024
0.1.1 118 4/26/2024
0.1.0 127 4/26/2024