From 601ff61182b4f62fa8822c98dba36fd3985a6b0d Mon Sep 17 00:00:00 2001
From: Xe Iaso
Date: Fri, 25 Apr 2025 14:48:21 -0400
Subject: fix(lib): make Anubis less paranoid

Previously Anubis would aggressively make sure that the client cookie matched exactly what it should. This has turned out to be too paranoid in practice and has caused problems with Happy Eyeballs et. al. This is a potential fix to #303 and #289.
---
 lib/anubis.go | 43 +------------------------------------------
 lib/random.go | 9 ---------
 2 files changed, 1 insertion(+), 51 deletions(-)
 delete mode 100644 lib/random.go

(limited to 'lib')

diff --git a/lib/anubis.go b/lib/anubis.go
index 70eb37e..026783e 100644
--- a/lib/anubis.go
+++ b/lib/anubis.go
@@ -353,48 +353,7 @@ func (s *Server) maybeReverseProxy(w http.ResponseWriter, r *http.Request, httpS
 return
 }
- if randomJitter() {
- r.Header.Add("X-Anubis-Status", "PASS-BRIEF")
- lg.Debug("cookie is not enrolled into secondary screening")
- s.ServeHTTPNext(w, r)
- return
- }
-
- claims, ok := token.Claims.(jwt.MapClaims)
- if !ok {
- lg.Debug("invalid token claims type", "path", r.URL.Path)
- s.ClearCookie(w)
- s.RenderIndex(w, r, rule, httpStatusOnly)
- return
- }
- challenge := s.challengeFor(r, rule.Challenge.Difficulty)
-
- if claims["challenge"] != challenge {
- lg.Debug("invalid challenge", "path", r.URL.Path)
- s.ClearCookie(w)
- s.RenderIndex(w, r, rule, httpStatusOnly)
- return
- }
-
- var nonce int
-
- if v, ok := claims["nonce"].(float64); ok {
- nonce = int(v)
- }
-
- calcString := fmt.Sprintf("%s%d", challenge, nonce)
- calculated := internal.SHA256sum(calcString)
-
- if subtle.ConstantTimeCompare([]byte(claims["response"].(string)), []byte(calculated)) != 1 {
- lg.Debug("invalid response", "path", r.URL.Path)
- failedValidations.Inc()
- s.ClearCookie(w)
- s.RenderIndex(w, r, rule, httpStatusOnly)
- return
- }
-
- slog.Debug("all checks passed")
- r.Header.Add("X-Anubis-Status", "PASS-FULL")
+ r.Header.Add("X-Anubis-Status", "PASS")
 s.ServeHTTPNext(w, r)
 }
diff --git a/lib/random.go b/lib/random.go
deleted file mode 100644
index 79cded4..0000000
--- a/lib/random.go
+++ /dev/null
@@ -1,9 +0,0 @@
-package lib
- import (
- "math/rand"
- )
- func randomJitter() bool {
- return rand.Intn(100) > 10
- }
-- cgit v1.2.3
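Review bot: A signed cookie is now accepted from any client until it expires, because the removed `claims["challenge"] != challenge` and `response` checks were the only code in this hunk that tied the token to the requesting client, and the only validation left is whatever token parsing happens above the hunk (signature and, presumably, expiry). If, as the Happy Eyeballs reference suggests, `challengeFor` folds the client address into the challenge, a narrower fix is to keep the comparison but build the challenge without the address component (or accept either address family) rather than dropping the binding altogether; at minimum the trade-off should be stated next to the `PASS` line, e.g. `// Only the token's signature and expiry are checked here; the cookie is not bound to the client's address or User-Agent, so a leaked cookie is usable from anywhere until it expires.` Dropping `failedValidations.Inc()` also means this path no longer feeds that metric, so if this was its only call site, dashboards or alerts built on it will go quiet silently rather than reflect the relaxed policy. The start of maybeReverseProxy, including the token parsing that is now the sole check, lies outside the hunk.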