module ActiveHashcash

Call that method via a before_action when the form is submitted:

before_action :check_hashcash, only: :create

In case of invalid hashcash it calls hashcash_after_failure that you can override. Otherwise, hashcash stamp is stored in database to prevent from double spending.

# File lib/active_hashcash.rb, line 41
def check_hashcash
  attrs = {
    ip_address: hashcash_ip_address,
    request_path: hashcash_request_path,
    context: hashcash_stamp_context
  }
  if hashcash_param && Stamp.spend(hashcash_param, hashcash_resource, hashcash_bits, Date.yesterday, attrs)
    hashcash_after_success
  else
    hashcash_after_failure
  end
end

That method is called when check_hashcash fails. It raises ActionController::InvalidAuthenticityToken so HTTP response will be 422 by default. Override this method to provide a different behaviour.

# File lib/active_hashcash.rb, line 103
def hashcash_after_failure
  raise ActionController::InvalidAuthenticityToken.new("Invalid hashcash #{hashcash_param}")
end

Maybe you want something special when the hashcash is valid. By default nothing happens.

# File lib/active_hashcash.rb, line 108
def hashcash_after_success
  # Override me for your own needs.
end

Returns the complexity, the higher the slower it is. Complexity is increased logarithmicly for each IP during the last 24H to slowdown brute force attacks. The minimun value returned is ActiveHashcash.bits.

# File lib/active_hashcash.rb, line 82
def hashcash_bits
  if (previous_stamp_count = ActiveHashcash::Stamp.where(ip_address: hashcash_ip_address).where(created_at: 1.day.ago..).count) > 0
    (ActiveHashcash.bits + Math.log2(previous_stamp_count)).floor
  else
    ActiveHashcash.bits
  end
end

Call it inside the form that have to be protected and don’t forget to initialize the JavaScript Hascash.setup(). Unless you need something really special, you should not need to override this method.

<% form_for model do |form| %>
  <%= hashcash_hidden_field_tag %>

<% end %>

# File lib/active_hashcash.rb, line 120
def hashcash_hidden_field_tag(name = :hashcash)
  options = {resource: hashcash_resource, bits: hashcash_bits, waiting_message: hashcash_waiting_message}
  view_context.hidden_field_tag(name, "", "data-hashcash" => options.to_json)
end

Returns remote IP address. They are used to automatically increase complexity when the same IP sends many valid hashcash. If you’re app is behind a load balancer, you should probably override it to read the right HTTP header.

# File lib/active_hashcash.rb, line 57
def hashcash_ip_address
  request.remote_ip
end

Override if you want to rename the hashcash param.

# File lib/active_hashcash.rb, line 91
def hashcash_param
  params[:hashcash]
end

Return current request path to be saved to the sucessful ActiveHash::Stamp. If multiple forms are protected via hashcash this is an interesting info.

# File lib/active_hashcash.rb, line 63
def hashcash_request_path
  request.path
end

This is the resource used to build the hashcash stamp. By default the host name is returned. It’ should be good for most cases and prevent from reusing the same stamp between sites.

# File lib/active_hashcash.rb, line 75
def hashcash_resource
  ActiveHashcash.resource || request.host
end

Override this method to store custom data for each stamp. It must returns a hash or nil.

# File lib/active_hashcash.rb, line 69
def hashcash_stamp_context
end

Override to customize message displayed on submit button while computing hashcash.

# File lib/active_hashcash.rb, line 96
def hashcash_waiting_message
  t("active_hashcash.waiting_label")
end