Class: Altcha::Submission

Inherits:

Object

• Object
• Altcha::Submission

Defined in:

lib/altcha-rails.rb

Instance Attribute Summary

• #algorithm ⇒ Object readonly

  Returns the value of attribute algorithm.

• #challenge ⇒ Object readonly

  Returns the value of attribute challenge.

• #number ⇒ Object readonly

  Returns the value of attribute number.

• #salt ⇒ Object readonly

  Returns the value of attribute salt.

• #signature ⇒ Object readonly

  Returns the value of attribute signature.

Class Method Summary

• .verify(base64_string) ⇒ Object

Instance Method Summary

• #initialize(payload = {}) ⇒ Submission constructor

  A new instance of Submission.

• #valid? ⇒ Boolean

Constructor Details

#initialize(payload = {}) ⇒ Submission

Returns a new instance of Submission.

# File 'lib/altcha-rails.rb', line 102

def initialize(payload = {})
  @algorithm = payload["algorithm"].to_s
  @challenge = payload["challenge"].to_s
  @signature = payload["signature"].to_s
  @salt      = payload["salt"].to_s
  @number    = payload["number"]
end

Instance Attribute Details

#algorithm ⇒ Object (readonly)

Returns the value of attribute algorithm.

# File 'lib/altcha-rails.rb', line 87

def algorithm
  @algorithm
end

#challenge ⇒ Object (readonly)

Returns the value of attribute challenge.

# File 'lib/altcha-rails.rb', line 87

def challenge
  @challenge
end

#number ⇒ Object (readonly)

Returns the value of attribute number.

# File 'lib/altcha-rails.rb', line 87

def number
  @number
end

#salt ⇒ Object (readonly)

Returns the value of attribute salt.

# File 'lib/altcha-rails.rb', line 87

def salt
  @salt
end

#signature ⇒ Object (readonly)

Returns the value of attribute signature.

# File 'lib/altcha-rails.rb', line 87

def signature
  @signature
end

Class Method Details

.verify(base64_string) ⇒ Object

# File 'lib/altcha-rails.rb', line 89

def self.verify(base64_string)
  raw = begin
    Base64.decode64(base64_string.to_s)
  rescue ArgumentError
    return nil
  end
  payload = JSON.parse(raw) rescue nil
  return nil unless payload.is_a?(Hash)

  submission = new(payload)
  submission.valid? ? submission : nil
end

Instance Method Details

#valid? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/altcha-rails.rb', line 110

def valid?
  return false unless @algorithm == Altcha.algorithm
  return false unless @number.is_a?(Integer)
  return false if Altcha.hmac_key.nil? || Altcha.hmac_key.empty?

  expires = extract_expires(@salt)
  return false if expires.nil?
  return false unless Time.at(expires) > Time.now

  # Normalize to canonical trailing-'&' form before recomputing the hash;
  # a spliced salt no longer round-trips to the same digest. Mitigates
  # CVE-2025-68113.
  canonical_salt = @salt.end_with?("&") ? @salt : "#{@salt}&"
  check = Digest::SHA256.hexdigest(canonical_salt + @number.to_s)

  return false unless @challenge == check

  expected_sig = OpenSSL::HMAC.hexdigest(
    OpenSSL::Digest.new(@algorithm), Altcha.hmac_key, check
  )
  secure_compare(@signature, expected_sig)
end