定制 o3-shop/altcha-module 二次开发

按需修改功能、优化性能、对接业务系统,提供一站式技术支持

邮箱:yvsm@zunyunkeji.com | QQ:316430983 | 微信:yvsm316

o3-shop/altcha-module

Composer 安装命令:

composer require o3-shop/altcha-module

包简介

Altcha (self-hosted, proof-of-work) provider for the O3-Shop core CAPTCHA layer

README 文档

README

Self-hosted, privacy-friendly Altcha (proof-of-work) provider for the O3-Shop core CAPTCHA layer. No third-party calls, no tracking, no operator account — GDPR-clean by design.

The module ships no forms, templates or blocks — storefront widget rendering and the admin CAPTCHA screen live in O3-Shop core. This module contributes one CAPTCHA provider (plus a challenge endpoint and the self-hosted widget asset), wired in via the oxid.captcha.provider DI tag.

Requirements

  • PHP 8.1+ (depends on altcha-org/altcha, which requires php >= 8.1).
  • O3-Shop with the core pluggable CAPTCHA layer (CaptchaProviderInterface + oxid.captcha.provider).

Install

composer require o3-shop/altcha-module
./vendor/bin/oe-console oe:module:activate o3altcha

Configure

In Admin → CAPTCHA: select Altcha, optionally adjust Difficulty (max random number; low ≈ 50000, medium ≈ 100000, high ≈ 500000). The per-shop HMAC secret is auto-generated on first use and never sent to the browser.

Because Altcha is proof-of-work and makes no third-party calls, it is consent-exempt: it is never gated by the core cookie-consent modes.

Three modes

Set Mode to select the operating mode (local is the default).

  1. This shop is the Altcha server (local, default). Leave Challenge URL empty. The shop issues challenges at index.php?cl=altcha_challenge, signed with an auto-generated per-shop HMAC secret. No external network calls.

  2. External self-hosted Altcha server (external). Set Mode to external, Challenge URL to your Altcha server's challenge endpoint, and Shared HMAC secret to the HMAC key that server signs with. The widget fetches challenges from your server; the shop still verifies solutions locally with the shared secret (no verify-time API call). The Difficulty setting applies only in mode 1 (in mode 2 the external server controls difficulty).

    Both fields are required for external mode. If you set a Challenge URL but leave the Shared HMAC secret empty, the widget loads against the external server but the shop verifies with its own local secret, so every submission is rejected. The module logs a WARNING in this case — check the shop log if an external-mode form rejects all submissions.

  3. ALTCHA Sentinel (self-hosted bot-detection server). Set Mode to sentinel, Challenge URL to your Sentinel challenge endpoint, and Sentinel API-key secret to the key secret. The widget talks to Sentinel; Sentinel returns a signed verdict which the shop verifies locally with verifyServerSignature (no verify-time API call), so Sentinel's bot/spam detection gates submissions.

    The Sentinel API-key secret is required for sentinel mode. Without it the shop cannot verify Sentinel's signed response and every submission will be rejected. The module logs a WARNING in this case — check the shop log if a sentinel-mode form rejects all submissions.

Adding Altcha to a new form

No module changes are needed. A form is protected automatically once:

  1. its form-id is registered in the core CaptchaFormRegistry, and
  2. its template calls [{$oViewConf->getCaptchaWidget('<formId>')}], and
  3. its controller calls verifyForForm('<formId>', Registry::getRequest()) before processing.

When Altcha is the active provider, that form then renders the <altcha-widget> and verifies the posted altcha solution server-side.

How it works

Class Role
Provider\AltchaProvider consent-exempt provider (altcha); renders <altcha-widget>, verifies the altcha field
Controller\AltchaChallengeController cl=altcha_challenge — JSON challenge endpoint (throttled, no-store)
Challenge\AltchaChallengeService mints/verifies challenges via altcha-org/altcha
Secret\HmacSecretProvider per-shop HMAC secret (auto-generate / rotate)
Throttle\FixedWindowChallengeThrottle per-IP challenge-issuance throttle

License

GPL-3.0

统计信息

  • 总下载量: 0
  • 月度下载量: 0
  • 日度下载量: 0
  • 收藏数: 0
  • 点击次数: 2
  • 依赖项目数: 0
  • 推荐数: 0

GitHub 信息

  • Stars: 0
  • Watchers: 0
  • Forks: 0
  • 开发语言: PHP

其他信息

  • 授权协议: GPL-3.0
  • 更新时间: 2026-07-01

承接程序开发

PHP开发

VUE

Vue开发

前端开发

小程序开发

公众号开发

系统定制

数据库设计

云部署

网站建设

安全加固