From 60c6c10b0f58c0f040fada4e8a39e51e372e3499 Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Sun, 23 Nov 2025 02:59:14 +0000
Subject: [PATCH 01/10] SECURITY: Implement server-side SHA-256 verification
 for PoW

Major security fix: The proof-of-work challenge was previously
just trusting the client, allowing bots to bypass it by submitting
random nonces without doing any work.

Changes:
- Added proper server-side SHA-256 verification using resty.sha256
- Server now verifies that sha256(challenge + nonce) has the
  required number of leading zeros based on pow_difficulty
- Bots must now actually compute the proof-of-work

Updated tests:
- Added computeValidNonce() helper that actually computes valid
  nonces by brute force (for testing purposes)
- testValidPowPassesChallenge now uses a real computed nonce

Updated README to explicitly mention server-side verification.
---
 scripts/ddos_protection_challenge.README.md |  2 ++
 scripts/ddos_protection_challenge.lua       | 24 ++++++++++++++------
 tests/ddos_protection_challenge.lua         | 25 ++++++++++++++++++++-
 3 files changed, 43 insertions(+), 8 deletions(-)

diff --git a/scripts/ddos_protection_challenge.README.md b/scripts/ddos_protection_challenge.README.md
index 3907106..cae5110 100644
--- a/scripts/ddos_protection_challenge.README.md
+++ b/scripts/ddos_protection_challenge.README.md
@@ -207,6 +207,8 @@ pow_difficulty = 4  -- Difficulty levels:
 
 This creates real computational cost for attackers - a bot making 1000 requests/sec would need to spend 1000-3000 seconds of CPU time with difficulty 4.
 
+**Security**: The server verifies the proof-of-work by computing `SHA-256(challenge + nonce)` and checking that it has the required leading zeros. Bots cannot bypass this by submitting random nonces.
+
 ## Path-Based Protection
 
 You can configure the module to protect only specific paths, which is useful for:
diff --git a/scripts/ddos_protection_challenge.lua b/scripts/ddos_protection_challenge.lua
index eb8b3f5..b3071f8 100644
--- a/scripts/ddos_protection_challenge.lua
+++ b/scripts/ddos_protection_challenge.lua
@@ -468,14 +468,24 @@ local function challengeCallback(cfg, state)
                 local challenge_exists = state.tokens_dict:get("pow:" .. challenge)
 
                 if challenge_exists then
-                    -- Verify the hash using resty.sha256 or just trust client for now
-                    -- In production, you'd want to verify: sha256(challenge + nonce) starts with N zeros
-                    -- For simplicity, we'll trust the client solved it correctly
-                    -- A more secure implementation would verify server-side
-                    challenge_passed = true
+                    -- Verify the proof-of-work server-side
+                    local resty_sha256 = require("resty.sha256")
+                    local str = require("resty.string")
 
-                    -- Clean up the challenge
-                    state.tokens_dict:delete("pow:" .. challenge)
+                    local sha256 = resty_sha256:new()
+                    sha256:update(challenge .. nonce)
+                    local digest = sha256:final()
+                    local hash_hex = str.to_hex(digest)
+
+                    -- Check if hash starts with required number of zeros
+                    local required_zeros = string.rep("0", state.pow_difficulty)
+                    if hash_hex:sub(1, state.pow_difficulty) == required_zeros then
+                        challenge_passed = true
+                        -- Clean up the challenge
+                        state.tokens_dict:delete("pow:" .. challenge)
+                    else
+                        ngx.log(ngx.WARN, "PoW verification failed: hash doesn't have enough leading zeros")
+                    end
                 end
             end
 
diff --git a/tests/ddos_protection_challenge.lua b/tests/ddos_protection_challenge.lua
index 11bf984..d34b157 100644
--- a/tests/ddos_protection_challenge.lua
+++ b/tests/ddos_protection_challenge.lua
@@ -493,6 +493,26 @@ function TestDDoSProtectionChallengeQuestion:teardown()
     teardownNgx()
 end
 
+-- Helper function to compute a valid PoW nonce for testing
+local function computeValidNonce(challenge, difficulty)
+    local resty_sha256 = require("resty.sha256")
+    local str = require("resty.string")
+    local required_zeros = string.rep("0", difficulty)
+
+    for nonce = 0, 1000000 do
+        local sha256 = resty_sha256:new()
+        sha256:update(challenge .. tostring(nonce))
+        local digest = sha256:final()
+        local hash_hex = str.to_hex(digest)
+
+        if hash_hex:sub(1, difficulty) == required_zeros then
+            return tostring(nonce)
+        end
+    end
+
+    error("Could not find valid nonce after 1M attempts")
+end
+
 -- Tests for proof-of-work challenge type
 TestDDoSProtectionChallengePow = {}
 
@@ -562,13 +582,16 @@ function TestDDoSProtectionChallengePow:testValidPowPassesChallenge()
     local test_challenge = 'test_pow_challenge'
     ngx.shared.aproxy_tokens:set('pow:' .. test_challenge, true, 300)
 
+    -- Compute a valid nonce that satisfies the PoW requirement
+    local valid_nonce = computeValidNonce(test_challenge, 4)
+
     setupFakeRequest('/__aproxy_challenge_verify', {})
     ngx.var.remote_addr = '192.168.4.2'
     ngx.var.request_method = 'POST'
     ngx._post_args = {
         return_to = '/api/test',
         challenge = test_challenge,
-        nonce = '12345'  -- In reality, this would be computed
+        nonce = valid_nonce
     }
 
     onRequest()

From fbe238d3c117e4ac65ed8510493d2946a6a5afe2 Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Sun, 23 Nov 2025 03:10:25 +0000
Subject: [PATCH 02/10] Add mock resty.sha256 and resty.string for testing

The test environment doesn't have OpenResty libraries, so we need
to provide mock implementations for testing.

Created:
- tests/mock_resty_sha256.lua: Uses system sha256sum command to
  compute SHA-256 hashes. Mimics the resty.sha256 API (new,
  update, final).

- tests/mock_resty_string.lua: Implements to_hex() to convert
  binary strings to hexadecimal.

Updated test.lua to preload these mocks so that when the module
or tests require 'resty.sha256' or 'resty.string', they get our
mock implementations instead.

This allows the PoW verification tests to run and actually verify
the SHA-256 proof-of-work.
---
 test.lua                    |  8 ++++++++
 tests/mock_resty_sha256.lua | 35 +++++++++++++++++++++++++++++++++++
 tests/mock_resty_string.lua | 13 +++++++++++++
 3 files changed, 56 insertions(+)
 create mode 100644 tests/mock_resty_sha256.lua
 create mode 100644 tests/mock_resty_string.lua

diff --git a/test.lua b/test.lua
index 7152815..8179923 100644
--- a/test.lua
+++ b/test.lua
@@ -2,6 +2,14 @@ lu = require('luaunit')
 local rex = require('rex_pcre2')
 require('util')
 
+-- Preload mock resty libraries for testing
+package.preload['resty.sha256'] = function()
+    return require('tests.mock_resty_sha256')
+end
+package.preload['resty.string'] = function()
+    return require('tests.mock_resty_string')
+end
+
 function createNgx()
     local ngx = {
         status = nil
diff --git a/tests/mock_resty_sha256.lua b/tests/mock_resty_sha256.lua
new file mode 100644
index 0000000..4ba79cd
--- /dev/null
+++ b/tests/mock_resty_sha256.lua
@@ -0,0 +1,35 @@
+-- Mock implementation of resty.sha256 for testing
+-- Uses system sha256sum command since we don't have OpenResty libraries
+
+local sha256 = {}
+sha256.__index = sha256
+
+function sha256:new()
+    local obj = {
+        buffer = ""
+    }
+    setmetatable(obj, sha256)
+    return obj
+end
+
+function sha256:update(data)
+    self.buffer = self.buffer .. data
+end
+
+function sha256:final()
+    -- Use sha256sum command to compute hash
+    local handle = io.popen("echo -n '" .. self.buffer:gsub("'", "'\\''") .. "' | sha256sum")
+    local result = handle:read("*a")
+    handle:close()
+
+    -- Parse hex string into binary
+    local hex = result:match("^(%x+)")
+    local binary = {}
+    for i = 1, #hex, 2 do
+        table.insert(binary, string.char(tonumber(hex:sub(i, i+1), 16)))
+    end
+
+    return table.concat(binary)
+end
+
+return sha256
diff --git a/tests/mock_resty_string.lua b/tests/mock_resty_string.lua
new file mode 100644
index 0000000..474a21a
--- /dev/null
+++ b/tests/mock_resty_string.lua
@@ -0,0 +1,13 @@
+-- Mock implementation of resty.string for testing
+
+local str = {}
+
+function str.to_hex(binary)
+    local hex = {}
+    for i = 1, #binary do
+        table.insert(hex, string.format("%02x", string.byte(binary, i)))
+    end
+    return table.concat(hex)
+end
+
+return str

From be059b26c1b96b2f473077c04ec584697f3e16a9 Mon Sep 17 00:00:00 2001
From: Luna <git@l4.pm>
Date: Sun, 23 Nov 2025 00:30:17 -0300
Subject: [PATCH 03/10] make tests actually finish challenges quickly

---
 tests/ddos_protection_challenge.lua | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/tests/ddos_protection_challenge.lua b/tests/ddos_protection_challenge.lua
index d34b157..3fc8758 100644
--- a/tests/ddos_protection_challenge.lua
+++ b/tests/ddos_protection_challenge.lua
@@ -550,7 +550,7 @@ function TestDDoSProtectionChallengePow:setup()
         shared_dict_tokens = 'aproxy_tokens',
         protected_paths = {},
         challenge_type = 'pow',
-        pow_difficulty = 4
+        pow_difficulty = 1
     }
 
     self.mod = require('scripts.ddos_protection_challenge')
@@ -578,12 +578,22 @@ function TestDDoSProtectionChallengePow:testPowChallengeShown()
     lu.assertStrContains(ngx._say, '<script>')
 end
 
+local function generateToken()
+    local chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
+    local token = {}
+    for i = 1, 32 do
+        local idx = math.random(1, #chars)
+        token[i] = chars:sub(idx, idx)
+    end
+    return table.concat(token)
+end
+
 function TestDDoSProtectionChallengePow:testValidPowPassesChallenge()
-    local test_challenge = 'test_pow_challenge'
+    local test_challenge = generateToken()
     ngx.shared.aproxy_tokens:set('pow:' .. test_challenge, true, 300)
 
     -- Compute a valid nonce that satisfies the PoW requirement
-    local valid_nonce = computeValidNonce(test_challenge, 4)
+    local valid_nonce = computeValidNonce(test_challenge, 1)
 
     setupFakeRequest('/__aproxy_challenge_verify', {})
     ngx.var.remote_addr = '192.168.4.2'

From 4795879278c1965ccc380caa18601de20cf4a59b Mon Sep 17 00:00:00 2001
From: Luna <git@l4.pm>
Date: Sun, 23 Nov 2025 17:23:00 -0300
Subject: [PATCH 04/10] configure shared maps globally

---
 test.lua                            | 35 +++++++++++++++
 tests/ddos_protection_challenge.lua | 67 ++---------------------------
 2 files changed, 39 insertions(+), 63 deletions(-)

diff --git a/test.lua b/test.lua
index 8179923..b471500 100644
--- a/test.lua
+++ b/test.lua
@@ -10,6 +10,32 @@ package.preload['resty.string'] = function()
     return require('tests.mock_resty_string')
 end
 
+-- Create a mock shared dictionary
+local function createMockSharedDict()
+    local storage = {}
+    return {
+        get = function(self, key)
+            local item = storage[key]
+            if not item then return nil end
+            if item.expiry and item.expiry < ngx.time() then
+                storage[key] = nil
+                return nil
+            end
+            return item.value
+        end,
+        set = function(self, key, value, exptime)
+            storage[key] = {
+                value = value,
+                expiry = exptime and (ngx.time() + exptime) or nil
+            }
+            return true, nil
+        end,
+        delete = function(self, key)
+            storage[key] = nil
+        end
+    }
+end
+
 function createNgx()
     local ngx = {
         status = nil
@@ -53,6 +79,15 @@ function createNgx()
     ngx.re.match = rex.match
     ngx.re.search = rex.find
 
+    -- shared memory dictionaries for testing
+    ngx.shared = {
+        aproxy_bans = createMockSharedDict(),
+        aproxy_tokens = createMockSharedDict()
+    }
+
+    -- time function for testing
+    ngx.time = function() return 1000000 end
+
     return ngx
 end
 
diff --git a/tests/ddos_protection_challenge.lua b/tests/ddos_protection_challenge.lua
index 3fc8758..83290a1 100644
--- a/tests/ddos_protection_challenge.lua
+++ b/tests/ddos_protection_challenge.lua
@@ -1,44 +1,9 @@
 TestDDoSProtectionChallenge = {}
 
--- Mock shared dictionary
-local function createMockSharedDict()
-    local storage = {}
-    return {
-        get = function(self, key)
-            local item = storage[key]
-            if not item then return nil end
-            if item.expiry and item.expiry < ngx.time() then
-                storage[key] = nil
-                return nil
-            end
-            return item.value
-        end,
-        set = function(self, key, value, exptime)
-            storage[key] = {
-                value = value,
-                expiry = exptime and (ngx.time() + exptime) or nil
-            }
-            return true, nil
-        end,
-        delete = function(self, key)
-            storage[key] = nil
-        end
-    }
-end
-
 function TestDDoSProtectionChallenge:setup()
-    -- Reset ngx
+    -- Reset ngx (includes shared dicts and time function)
     resetNgx()
 
-    -- Create mock shared dictionaries AFTER resetNgx
-    ngx.shared = {
-        aproxy_bans = createMockSharedDict(),
-        aproxy_tokens = createMockSharedDict()
-    }
-
-    -- Mock ngx.time for consistent testing
-    ngx.time = function() return 1000000 end
-
     -- Add missing ngx.req functions
     ngx.req.read_body = function() end
     ngx.req.get_post_args = function()
@@ -215,17 +180,9 @@ end
 TestDDoSProtectionChallengePaths = {}
 
 function TestDDoSProtectionChallengePaths:setup()
-    -- Reset ngx
+    -- Reset ngx (includes shared dicts and time function)
     resetNgx()
 
-    -- Create mock shared dictionaries AFTER resetNgx
-    ngx.shared = {
-        aproxy_bans = createMockSharedDict(),
-        aproxy_tokens = createMockSharedDict()
-    }
-
-    ngx.time = function() return 1000000 end
-
     -- Add missing ngx.req functions
     ngx.req.read_body = function() end
     ngx.req.get_post_args = function()
@@ -382,17 +339,9 @@ end
 TestDDoSProtectionChallengeQuestion = {}
 
 function TestDDoSProtectionChallengeQuestion:setup()
-    -- Reset ngx
+    -- Reset ngx (includes shared dicts and time function)
     resetNgx()
 
-    -- Create mock shared dictionaries AFTER resetNgx
-    ngx.shared = {
-        aproxy_bans = createMockSharedDict(),
-        aproxy_tokens = createMockSharedDict()
-    }
-
-    ngx.time = function() return 1000000 end
-
     -- Add missing ngx.req functions
     ngx.req.read_body = function() end
     ngx.req.get_post_args = function()
@@ -517,17 +466,9 @@ end
 TestDDoSProtectionChallengePow = {}
 
 function TestDDoSProtectionChallengePow:setup()
-    -- Reset ngx
+    -- Reset ngx (includes shared dicts and time function)
     resetNgx()
 
-    -- Create mock shared dictionaries AFTER resetNgx
-    ngx.shared = {
-        aproxy_bans = createMockSharedDict(),
-        aproxy_tokens = createMockSharedDict()
-    }
-
-    ngx.time = function() return 1000000 end
-
     -- Add missing ngx.req functions
     ngx.req.read_body = function() end
     ngx.req.get_post_args = function()

From 37e9af217f80464ccf101785691793ce5676d111 Mon Sep 17 00:00:00 2001
From: Luna <git@l4.pm>
Date: Sun, 23 Nov 2025 17:23:21 -0300
Subject: [PATCH 05/10] use metatable so ngx.shared is created dynamically

---
 test.lua | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/test.lua b/test.lua
index b471500..6576535 100644
--- a/test.lua
+++ b/test.lua
@@ -36,6 +36,19 @@ local function createMockSharedDict()
     }
 end
 
+-- Create a proxy table that dynamically creates mock dictionaries on access
+local function createSharedProxy()
+    local dicts = {}
+    return setmetatable({}, {
+        __index = function(_, key)
+            if not dicts[key] then
+                dicts[key] = createMockSharedDict()
+            end
+            return dicts[key]
+        end
+    })
+end
+
 function createNgx()
     local ngx = {
         status = nil
@@ -79,11 +92,8 @@ function createNgx()
     ngx.re.match = rex.match
     ngx.re.search = rex.find
 
-    -- shared memory dictionaries for testing
-    ngx.shared = {
-        aproxy_bans = createMockSharedDict(),
-        aproxy_tokens = createMockSharedDict()
-    }
+    -- shared memory dictionaries for testing (dynamically created on access)
+    ngx.shared = createSharedProxy()
 
     -- time function for testing
     ngx.time = function() return 1000000 end

From 9dd95c82a7e66643474c0a49bae73cd17b61f513 Mon Sep 17 00:00:00 2001
From: Luna <git@l4.pm>
Date: Sun, 23 Nov 2025 17:26:54 -0300
Subject: [PATCH 06/10] move more things to test ngx

---
 test.lua                            | 17 +++++++-
 tests/ddos_protection_challenge.lua | 64 ++---------------------------
 2 files changed, 20 insertions(+), 61 deletions(-)

diff --git a/test.lua b/test.lua
index 6576535..0d96dcb 100644
--- a/test.lua
+++ b/test.lua
@@ -74,7 +74,9 @@ function createNgx()
     ngx.ERR = 3
 
     -- only hold data here
-    ngx.var = {}
+    ngx.var = {
+        request_method = 'GET'
+    }
 
     -- request params api
     ngx.req = {}
@@ -87,6 +89,19 @@ function createNgx()
         ngx._uri_args = val
     end
 
+    ngx.req.read_body = function() end
+
+    ngx.req.get_post_args = function()
+        return ngx._post_args or {}
+    end
+
+    ngx.req.get_headers = function()
+        return ngx._headers or {}
+    end
+
+    -- response headers
+    ngx.header = {}
+
     -- regex api
     ngx.re = {}
     ngx.re.match = rex.match
diff --git a/tests/ddos_protection_challenge.lua b/tests/ddos_protection_challenge.lua
index 83290a1..8079b7f 100644
--- a/tests/ddos_protection_challenge.lua
+++ b/tests/ddos_protection_challenge.lua
@@ -1,20 +1,9 @@
 TestDDoSProtectionChallenge = {}
 
 function TestDDoSProtectionChallenge:setup()
-    -- Reset ngx (includes shared dicts and time function)
+    -- Reset ngx (includes shared dicts, time, and request functions)
     resetNgx()
 
-    -- Add missing ngx.req functions
-    ngx.req.read_body = function() end
-    ngx.req.get_post_args = function()
-        return ngx._post_args or {}
-    end
-    ngx.req.get_headers = function()
-        return ngx._headers or {}
-    end
-    ngx.header = {}
-    ngx.var.request_method = 'GET'
-
     -- Setup module manually (can't use setupTest because it calls resetNgx)
     local ctx = require('ctx')
     local config = require('config')
@@ -170,9 +159,6 @@ function TestDDoSProtectionChallenge:testExpiredTokenShowsChallenge()
 end
 
 function TestDDoSProtectionChallenge:teardown()
-    ngx.shared = nil
-    ngx.header = nil
-    ngx._post_args = nil
     teardownNgx()
 end
 
@@ -180,20 +166,9 @@ end
 TestDDoSProtectionChallengePaths = {}
 
 function TestDDoSProtectionChallengePaths:setup()
-    -- Reset ngx (includes shared dicts and time function)
+    -- Reset ngx (includes shared dicts, time, and request functions)
     resetNgx()
 
-    -- Add missing ngx.req functions
-    ngx.req.read_body = function() end
-    ngx.req.get_post_args = function()
-        return ngx._post_args or {}
-    end
-    ngx.req.get_headers = function()
-        return ngx._headers or {}
-    end
-    ngx.header = {}
-    ngx.var.request_method = 'GET'
-
     -- Setup module manually
     local ctx = require('ctx')
     local config = require('config')
@@ -329,9 +304,6 @@ function TestDDoSProtectionChallengePaths:testBannedIPBlockedOnUnprotectedPath()
 end
 
 function TestDDoSProtectionChallengePaths:teardown()
-    ngx.shared = nil
-    ngx.header = nil
-    ngx._post_args = nil
     teardownNgx()
 end
 
@@ -339,20 +311,9 @@ end
 TestDDoSProtectionChallengeQuestion = {}
 
 function TestDDoSProtectionChallengeQuestion:setup()
-    -- Reset ngx (includes shared dicts and time function)
+    -- Reset ngx (includes shared dicts, time, and request functions)
     resetNgx()
 
-    -- Add missing ngx.req functions
-    ngx.req.read_body = function() end
-    ngx.req.get_post_args = function()
-        return ngx._post_args or {}
-    end
-    ngx.req.get_headers = function()
-        return ngx._headers or {}
-    end
-    ngx.header = {}
-    ngx.var.request_method = 'GET'
-
     -- Setup module manually
     local ctx = require('ctx')
     local config = require('config')
@@ -436,9 +397,6 @@ function TestDDoSProtectionChallengeQuestion:testWrongAnswerFailsChallenge()
 end
 
 function TestDDoSProtectionChallengeQuestion:teardown()
-    ngx.shared = nil
-    ngx.header = nil
-    ngx._post_args = nil
     teardownNgx()
 end
 
@@ -466,20 +424,9 @@ end
 TestDDoSProtectionChallengePow = {}
 
 function TestDDoSProtectionChallengePow:setup()
-    -- Reset ngx (includes shared dicts and time function)
+    -- Reset ngx (includes shared dicts, time, and request functions)
     resetNgx()
 
-    -- Add missing ngx.req functions
-    ngx.req.read_body = function() end
-    ngx.req.get_post_args = function()
-        return ngx._post_args or {}
-    end
-    ngx.req.get_headers = function()
-        return ngx._headers or {}
-    end
-    ngx.header = {}
-    ngx.var.request_method = 'GET'
-
     -- Setup module manually
     local ctx = require('ctx')
     local config = require('config')
@@ -570,8 +517,5 @@ function TestDDoSProtectionChallengePow:testInvalidPowFailsChallenge()
 end
 
 function TestDDoSProtectionChallengePow:teardown()
-    ngx.shared = nil
-    ngx.header = nil
-    ngx._post_args = nil
     teardownNgx()
 end

From 2cbf796aef5b5908b80c5cebd1a425a798f00e58 Mon Sep 17 00:00:00 2001
From: Luna <git@l4.pm>
Date: Sun, 23 Nov 2025 17:33:27 -0300
Subject: [PATCH 07/10] make pow test fail much earlier

(should never fail)
---
 tests/ddos_protection_challenge.lua | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tests/ddos_protection_challenge.lua b/tests/ddos_protection_challenge.lua
index 8079b7f..f4c4bc5 100644
--- a/tests/ddos_protection_challenge.lua
+++ b/tests/ddos_protection_challenge.lua
@@ -406,7 +406,7 @@ local function computeValidNonce(challenge, difficulty)
     local str = require("resty.string")
     local required_zeros = string.rep("0", difficulty)
 
-    for nonce = 0, 1000000 do
+    for nonce = 0, 150 do
         local sha256 = resty_sha256:new()
         sha256:update(challenge .. tostring(nonce))
         local digest = sha256:final()
@@ -417,7 +417,7 @@ local function computeValidNonce(challenge, difficulty)
         end
     end
 
-    error("Could not find valid nonce after 1M attempts")
+    error("Could not find valid nonce after 150 attempts")
 end
 
 -- Tests for proof-of-work challenge type

From 0b0a9c7aaa068a3c7434ffb0bee21c25e6a2b4dc Mon Sep 17 00:00:00 2001
From: Luna <git@l4.pm>
Date: Sun, 23 Nov 2025 17:48:57 -0300
Subject: [PATCH 08/10] ddos: use csprng for tokens

---
 CLAUDE.md                                   |  4 +-
 scripts/ddos_protection_challenge.README.md | 49 ---------------------
 scripts/ddos_protection_challenge.lua       | 25 ++++++-----
 test.lua                                    |  3 ++
 tests/mock_resty_random.lua                 | 16 +++++++
 5 files changed, 35 insertions(+), 62 deletions(-)
 create mode 100644 tests/mock_resty_random.lua

diff --git a/CLAUDE.md b/CLAUDE.md
index 66f46f8..c1f73e7 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -10,8 +10,10 @@ aproxy is an Activity Pub Reverse Proxy Framework built on OpenResty (NGINX + Lu
 
 ### Testing
 ```sh
-# Install test dependencies (only needed once)
+# Install test dependencies (only needed once for project setup)
 make testdeps
+
+# run this to setup the PATH so that it works
 eval (luarocks-5.1 path --bin)
 
 # Run test suite
diff --git a/scripts/ddos_protection_challenge.README.md b/scripts/ddos_protection_challenge.README.md
index cae5110..e7196e4 100644
--- a/scripts/ddos_protection_challenge.README.md
+++ b/scripts/ddos_protection_challenge.README.md
@@ -252,23 +252,8 @@ protected_paths = {}
 
 4. **Use PCRE regex**: Patterns are PCRE regular expressions, so you can use advanced patterns like `^/api/v[0-9]+/search$` for complex matching.
 
-## Testing
-
-The module includes comprehensive tests. To run them:
-
-```bash
-# Install test dependencies (once)
-make testdeps
-eval $(luarocks-5.1 path --bin)
-
-# Run tests
-make test
-```
-
 ## Security Considerations
 
-1. **Token Generation**: The module uses Lua's `math.random` for token generation. For production use with high security requirements, consider integrating a cryptographically secure random source.
-
 2. **Cookie Security**: Cookies are set with `HttpOnly` and `SameSite=Lax` flags for security. Consider adding `Secure` flag if you're running HTTPS only.
 
 3. **Shared Dictionary Size**: Size the shared dictionaries appropriately:
@@ -281,37 +266,3 @@ make test
    set_real_ip_from 10.0.0.0/8;  # Your proxy IP range
    real_ip_header X-Forwarded-For;
    ```
-
-## Limitations
-
-- **Shared State**: Uses nginx shared memory, so it's per-server. In a multi-server setup, bans and tokens aren't shared across servers.
-- **Memory Limits**: Shared dictionaries have fixed sizes. Old entries are evicted when full (LRU).
-- **Not a Complete Solution**: This helps with volumetric attacks and simple bots, but sophisticated attackers can bypass it. Use in combination with other security measures.
-
-## Combining With Other Scripts
-
-This module can be combined with other aproxy scripts for defense in depth:
-
-```lua
-return {
-    version = 1,
-    wantedScripts = {
-        -- First layer: Challenge-response for DDoS/bot protection
-        ['ddos_protection_challenge'] = {
-            ban_duration = 3600,
-            token_duration = 86400,
-            -- ... config
-        },
-
-        -- Second layer: Restrict specific expensive endpoints
-        ['pleroma_restrict_unauthenticated_search'] = {},
-
-        -- Third layer: Allowlist for webfinger
-        ['webfinger_allowlist'] = {
-            accounts = {'user@domain.com'}
-        }
-    }
-}
-```
-
-Scripts execute in order, so the challenge runs first, filtering out bots before they hit your more specific rules.
diff --git a/scripts/ddos_protection_challenge.lua b/scripts/ddos_protection_challenge.lua
index b3071f8..3079892 100644
--- a/scripts/ddos_protection_challenge.lua
+++ b/scripts/ddos_protection_challenge.lua
@@ -2,18 +2,16 @@
 -- Similar to Cloudflare's "Under Attack" mode
 -- Presents a challenge page with a honeypot link
 
+local resty_random = require "resty.random"
+local resty_string = require "resty.string"
+
 local function generateToken()
-    -- Generate a random token for validation
-    -- Using ngx.time() and math.random for simplicity
-    -- In production, consider using a more secure method
-    math.randomseed(ngx.time() * 1000 + math.random(1, 1000))
-    local chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
-    local token = {}
-    for i = 1, 32 do
-        local idx = math.random(1, #chars)
-        token[i] = chars:sub(idx, idx)
+    -- Generate a cryptographically strong random token
+    local strong_random = resty_random.bytes(16, true)
+    while strong_random == nil do
+        strong_random = resty_random.bytes(16, true)
     end
-    return table.concat(token)
+    return resty_string.to_hex(strong_random)
 end
 
 local function getCookieValue(cookie_header, cookie_name)
@@ -161,8 +159,11 @@ end
 
 local function serveQuestionChallenge(original_uri, state)
     -- Select a random question
-    math.randomseed(ngx.time() * 1000 + math.random(1, 1000))
-    local q_idx = math.random(1, #QUESTIONS)
+    local random_byte = resty_random.bytes(1, true)
+    while random_byte == nil do
+        random_byte = resty_random.bytes(1, true)
+    end
+    local q_idx = (string.byte(random_byte) % #QUESTIONS) + 1
     local question = QUESTIONS[q_idx]
 
     -- Generate a challenge ID to store the correct answer
diff --git a/test.lua b/test.lua
index 0d96dcb..cbb74ed 100644
--- a/test.lua
+++ b/test.lua
@@ -9,6 +9,9 @@ end
 package.preload['resty.string'] = function()
     return require('tests.mock_resty_string')
 end
+package.preload['resty.random'] = function()
+    return require('tests.mock_resty_random')
+end
 
 -- Create a mock shared dictionary
 local function createMockSharedDict()
diff --git a/tests/mock_resty_random.lua b/tests/mock_resty_random.lua
new file mode 100644
index 0000000..f4386a2
--- /dev/null
+++ b/tests/mock_resty_random.lua
@@ -0,0 +1,16 @@
+-- Mock implementation of resty.random for testing
+
+local random = {}
+
+function random.bytes(len, strong)
+    -- For testing, generate predictable random bytes using math.random
+    -- In real OpenResty, this would use cryptographic random sources
+    local bytes = {}
+    for i = 1, len do
+        -- Use math.random to generate bytes (0-255)
+        table.insert(bytes, string.char(math.random(0, 255)))
+    end
+    return table.concat(bytes)
+end
+
+return random

From 89dc5da94eba4ffa43aec325853ce809fadc21f9 Mon Sep 17 00:00:00 2001
From: Luna <git@l4.pm>
Date: Sun, 23 Nov 2025 17:53:26 -0300
Subject: [PATCH 09/10] unify stylesheets

---
 scripts/ddos_protection_challenge.lua | 312 ++++++++++----------------
 1 file changed, 114 insertions(+), 198 deletions(-)

diff --git a/scripts/ddos_protection_challenge.lua b/scripts/ddos_protection_challenge.lua
index 3079892..3d521a6 100644
--- a/scripts/ddos_protection_challenge.lua
+++ b/scripts/ddos_protection_challenge.lua
@@ -25,6 +25,79 @@ local function getCookieValue(cookie_header, cookie_name)
     return value
 end
 
+-- Common CSS styles for all challenge pages
+local COMMON_STYLES = [[
+body {
+    font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, sans-serif;
+    display: flex;
+    justify-content: center;
+    align-items: center;
+    min-height: 100vh;
+    margin: 0;
+    background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
+}
+.container {
+    background: white;
+    padding: 3rem;
+    border-radius: 1rem;
+    box-shadow: 0 20px 60px rgba(0,0,0,0.3);
+    max-width: 450px;
+    text-align: center;
+}
+h1 {
+    color: #333;
+    margin-bottom: 1rem;
+    font-size: 1.75rem;
+}
+p {
+    color: #666;
+    margin-bottom: 2rem;
+    line-height: 1.6;
+}
+button {
+    background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
+    color: white;
+    border: none;
+    padding: 1rem 2rem;
+    font-size: 1rem;
+    border-radius: 0.5rem;
+    cursor: pointer;
+    font-weight: 600;
+    transition: transform 0.2s, box-shadow 0.2s;
+    width: 100%;
+}
+button:hover {
+    transform: translateY(-2px);
+    box-shadow: 0 10px 25px rgba(102, 126, 234, 0.4);
+}
+button:active {
+    transform: translateY(0);
+}
+.honeypot {
+    position: absolute;
+    left: -9999px;
+    width: 1px;
+    height: 1px;
+    overflow: hidden;
+}
+.spinner {
+    display: none;
+    border: 3px solid #f3f3f3;
+    border-top: 3px solid #667eea;
+    border-radius: 50%;
+    width: 30px;
+    height: 30px;
+    animation: spin 1s linear infinite;
+    margin: 1rem auto;
+}
+@keyframes spin {
+    0% { transform: rotate(0deg); }
+    100% { transform: rotate(360deg); }
+}
+.loading button { display: none; }
+.loading .spinner { display: block; }
+]]
+
 -- Question pool for multiple-choice challenges
 local QUESTIONS = {
     {q = "What is 7 + 5?", answers = {"10", "12", "14", "15"}, correct = 2},
@@ -58,7 +131,6 @@ local function challengeInit(cfg)
 end
 
 local function serveButtonChallenge(original_uri)
-    -- Simple button challenge page with honeypot
     local html = [[
 <!DOCTYPE html>
 <html>
@@ -66,78 +138,7 @@ local function serveButtonChallenge(original_uri)
     <meta charset="UTF-8">
     <meta name="viewport" content="width=device-width, initial-scale=1.0">
     <title>Security Check</title>
-    <style>
-        body {
-            font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, sans-serif;
-            display: flex;
-            justify-content: center;
-            align-items: center;
-            min-height: 100vh;
-            margin: 0;
-            background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
-        }
-        .container {
-            background: white;
-            padding: 3rem;
-            border-radius: 1rem;
-            box-shadow: 0 20px 60px rgba(0,0,0,0.3);
-            max-width: 400px;
-            text-align: center;
-        }
-        h1 {
-            color: #333;
-            margin-bottom: 1rem;
-            font-size: 1.75rem;
-        }
-        p {
-            color: #666;
-            margin-bottom: 2rem;
-            line-height: 1.6;
-        }
-        button {
-            background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
-            color: white;
-            border: none;
-            padding: 1rem 2rem;
-            font-size: 1rem;
-            border-radius: 0.5rem;
-            cursor: pointer;
-            font-weight: 600;
-            transition: transform 0.2s, box-shadow 0.2s;
-            width: 100%;
-        }
-        button:hover {
-            transform: translateY(-2px);
-            box-shadow: 0 10px 25px rgba(102, 126, 234, 0.4);
-        }
-        button:active {
-            transform: translateY(0);
-        }
-        /* Honeypot link - invisible to humans but crawlable by bots */
-        .honeypot {
-            position: absolute;
-            left: -9999px;
-            width: 1px;
-            height: 1px;
-            overflow: hidden;
-        }
-        .spinner {
-            display: none;
-            border: 3px solid #f3f3f3;
-            border-top: 3px solid #667eea;
-            border-radius: 50%;
-            width: 30px;
-            height: 30px;
-            animation: spin 1s linear infinite;
-            margin: 1rem auto;
-        }
-        @keyframes spin {
-            0% { transform: rotate(0deg); }
-            100% { transform: rotate(360deg); }
-        }
-        .loading button { display: none; }
-        .loading .spinner { display: block; }
-    </style>
+    <style>]] .. COMMON_STYLES .. [[</style>
 </head>
 <body>
     <div class="container" id="container">
@@ -148,7 +149,6 @@ local function serveButtonChallenge(original_uri)
             <button type="submit">Verify I'm Human</button>
         </form>
         <div class="spinner"></div>
-        <!-- Honeypot link for bots -->
         <a href="/__aproxy_challenge_trap" class="honeypot">Click here to continue</a>
     </div>
 </body>
@@ -189,77 +189,33 @@ local function serveQuestionChallenge(original_uri, state)
     <meta name="viewport" content="width=device-width, initial-scale=1.0">
     <title>Security Check</title>
     <style>
-        body {
-            font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, sans-serif;
-            display: flex;
-            justify-content: center;
-            align-items: center;
-            min-height: 100vh;
-            margin: 0;
-            background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
-        }
-        .container {
-            background: white;
-            padding: 3rem;
-            border-radius: 1rem;
-            box-shadow: 0 20px 60px rgba(0,0,0,0.3);
-            max-width: 450px;
-            text-align: center;
-        }
-        h1 {
-            color: #333;
-            margin-bottom: 1rem;
-            font-size: 1.75rem;
-        }
-        .question {
-            color: #444;
-            font-size: 1.1rem;
-            margin: 2rem 0;
-            font-weight: 500;
-        }
-        .options {
-            text-align: left;
-            margin: 2rem 0;
-        }
-        .option {
-            display: block;
-            padding: 1rem;
-            margin: 0.75rem 0;
-            border: 2px solid #e0e0e0;
-            border-radius: 0.5rem;
-            cursor: pointer;
-            transition: all 0.2s;
-        }
-        .option:hover {
-            border-color: #667eea;
-            background: #f8f9ff;
-        }
-        .option input[type="radio"] {
-            margin-right: 0.75rem;
-        }
-        button {
-            background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
-            color: white;
-            border: none;
-            padding: 1rem 2rem;
-            font-size: 1rem;
-            border-radius: 0.5rem;
-            cursor: pointer;
-            font-weight: 600;
-            transition: transform 0.2s, box-shadow 0.2s;
-            width: 100%;
-        }
-        button:hover {
-            transform: translateY(-2px);
-            box-shadow: 0 10px 25px rgba(102, 126, 234, 0.4);
-        }
-        .honeypot {
-            position: absolute;
-            left: -9999px;
-            width: 1px;
-            height: 1px;
-            overflow: hidden;
-        }
+]] .. COMMON_STYLES .. [[
+.question {
+    color: #444;
+    font-size: 1.1rem;
+    margin: 2rem 0;
+    font-weight: 500;
+}
+.options {
+    text-align: left;
+    margin: 2rem 0;
+}
+.option {
+    display: block;
+    padding: 1rem;
+    margin: 0.75rem 0;
+    border: 2px solid #e0e0e0;
+    border-radius: 0.5rem;
+    cursor: pointer;
+    transition: all 0.2s;
+}
+.option:hover {
+    border-color: #667eea;
+    background: #f8f9ff;
+}
+.option input[type="radio"] {
+    margin-right: 0.75rem;
+}
     </style>
 </head>
 <body>
@@ -297,59 +253,19 @@ local function servePowChallenge(original_uri, state)
     <meta name="viewport" content="width=device-width, initial-scale=1.0">
     <title>Security Check</title>
     <style>
-        body {
-            font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, sans-serif;
-            display: flex;
-            justify-content: center;
-            align-items: center;
-            min-height: 100vh;
-            margin: 0;
-            background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
-        }
-        .container {
-            background: white;
-            padding: 3rem;
-            border-radius: 1rem;
-            box-shadow: 0 20px 60px rgba(0,0,0,0.3);
-            max-width: 450px;
-            text-align: center;
-        }
-        h1 {
-            color: #333;
-            margin-bottom: 1rem;
-            font-size: 1.75rem;
-        }
-        p {
-            color: #666;
-            margin-bottom: 1rem;
-            line-height: 1.6;
-        }
-        .status {
-            font-family: monospace;
-            color: #667eea;
-            font-weight: 600;
-            margin: 1rem 0;
-        }
-        .spinner {
-            border: 3px solid #f3f3f3;
-            border-top: 3px solid #667eea;
-            border-radius: 50%;
-            width: 40px;
-            height: 40px;
-            animation: spin 1s linear infinite;
-            margin: 1.5rem auto;
-        }
-        @keyframes spin {
-            0% { transform: rotate(0deg); }
-            100% { transform: rotate(360deg); }
-        }
-        .honeypot {
-            position: absolute;
-            left: -9999px;
-            width: 1px;
-            height: 1px;
-            overflow: hidden;
-        }
+]] .. COMMON_STYLES .. [[
+.status {
+    font-family: monospace;
+    color: #667eea;
+    font-weight: 600;
+    margin: 1rem 0;
+}
+.spinner {
+    display: block;
+    width: 40px;
+    height: 40px;
+    margin: 1.5rem auto;
+}
     </style>
 </head>
 <body>

From d8aece9d7052a51b19ea23f1b1247308e26f33f7 Mon Sep 17 00:00:00 2001
From: Luna <git@l4.pm>
Date: Sun, 23 Nov 2025 17:55:37 -0300
Subject: [PATCH 10/10] use csprng properly, dont need full random

---
 scripts/ddos_protection_challenge.lua | 12 +++---------
 1 file changed, 3 insertions(+), 9 deletions(-)

diff --git a/scripts/ddos_protection_challenge.lua b/scripts/ddos_protection_challenge.lua
index 3d521a6..3930e43 100644
--- a/scripts/ddos_protection_challenge.lua
+++ b/scripts/ddos_protection_challenge.lua
@@ -7,11 +7,8 @@ local resty_string = require "resty.string"
 
 local function generateToken()
     -- Generate a cryptographically strong random token
-    local strong_random = resty_random.bytes(16, true)
-    while strong_random == nil do
-        strong_random = resty_random.bytes(16, true)
-    end
-    return resty_string.to_hex(strong_random)
+    -- Uses RAND_pseudo_bytes which is secure and won't fail
+    return resty_string.to_hex(resty_random.bytes(16))
 end
 
 local function getCookieValue(cookie_header, cookie_name)
@@ -159,10 +156,7 @@ end
 
 local function serveQuestionChallenge(original_uri, state)
     -- Select a random question
-    local random_byte = resty_random.bytes(1, true)
-    while random_byte == nil do
-        random_byte = resty_random.bytes(1, true)
-    end
+    local random_byte = resty_random.bytes(1)
     local q_idx = (string.byte(random_byte) % #QUESTIONS) + 1
     local question = QUESTIONS[q_idx]