Mesozoa

Why not Anubis? Because it provides no build instructions and only supports Docker.

Why not using Realm completely? Because the hook system is useless and only allows filtering.

Install

Must be used behind a reverse proxy providing X-Forwarded-For.

Challenge protocol

Challenge generation

Sent by the server as a cookie.

secret <- chosen randomly, long term

salt <- chosen randomly, not stored

timestamp <- UNIX time in seconds, 64 bits, big endian

ua <- User-Agent from request header

ip <- X-Forwarded-For from request header (client's IP)

set-cookie: mesozoa-challenge=BASE64(salt || timestamp || SHA3-256(secret || salt || timestamp || ip || "/" || ua))

Where BASE64 is unpadded.

Challenge verification

Request must contain both cookies mesozoa-challenge and mesozoa-proof.

Security

Network handling and HTTP parsing

This implementation uses cheap tricks and regexes, is probably not fully compliant to HTTP specs, etc. You should probably not expose it directly to an open network. Please use it behind a safer reverse proxy like Apache or Nginx.

Length-extension attack

SHA3 (used as a MAC in the challenge cookie) is not vulnerable. Values in the hash are either fixed-length, safe, or delimited.