README

A local Proof-of-Work CAPTCHA extension for Flarum that protects login, registration and password-reset forms without relying on any external service (no Cloudflare, no Google reCAPTCHA, no cookies).

How it works

1. When an auth modal opens, the browser silently fetches a one-time challenge from the Flarum API.
2. The browser solves a SHA-256 hash puzzle (finds a nonce N such that SHA-256(challenge:N) starts with D hex zeros, where D is the configured difficulty).
3. The solution token challenge:nonce is appended to the form submission.
4. The server verifies the solution and rejects the request if the check fails.

Bots must solve the same puzzle for every request; legitimate users complete it invisibly in the background (< 100 ms at the default difficulty).

Features

• 🔒 No external services – fully self-hosted
• ⚡ Invisible to users – solved automatically while they fill the form
• ⚙️ Configurable difficulty – 5 levels (< 1 ms → ~10 s)
• 🌓 Dark / light mode – widget adapts to Flarum's current theme
• 🌍 Italian & English – auto-detected; add more locales in locale/
• 🔁 Replay-proof – each challenge is single-use (stored in Flarum's cache)
• ✅ Flarum 1.x and 2.x compatible

Requirements

Screenshot

Installation

composer require peopleinside/fla-powcaptcha

Update

composer update peopleinside/fla-powcaptcha

How to remove

composer remove peopleinside/fla-powcaptcha

Then enable the extension in the Flarum admin panel.

Configuration

Go to Admin → Extensions → PoW CAPTCHA and choose:

Development (for contributors only)

The extension is distributed with pre-compiled frontend assets (js/dist/*), so no JS build step is required to install or use it.

Security Notes

• Each challenge is valid for 5 minutes and is single-use (deleted after successful verification).
• The challenge is a 128-bit cryptographically random value; it cannot be guessed or forged.
• The server independently re-computes the SHA-256 hash to verify the solution.

License

Apache-2.0