cmd/anubis: forbid bypassing auth by faking the challenge difficulty

This fixes a trivial auth bypass where a user requests a challenge,
formulates any nonce they want (such as 42069), and then passes the
challenge with difficulty zero.

This was fixed by not using the difficulity the client specified and
instead using the fixed difficulty at the server level. The difficulty
has also been encoded into the challenge in 7bd7b209f4f1.

Thanks to Coral Pink for finding this and reporting it over email.

Signed-off-by: Xe Iaso <me@xeiaso.net>

7 files changed, 6 insertions, 22 deletions

diff --git a/cmd/anubis/js/main.mjs b/cmd/anubis/js/main.mjs
index 1418549..3f2c652 100644
--- a/cmd/anubis/js/main.mjs
+++ b/cmd/anubis/js/main.mjs
@@ -66,6 +66,6 @@ const imageURL = (mood) => {
 
   setTimeout(() => {
     const redir = window.location.href;
-    window.location.href = u("/.within.website/x/cmd/anubis/api/pass-challenge", { response: hash, nonce, redir, elapsedTime: t1 - t0, difficulty });
+    window.location.href = u("/.within.website/x/cmd/anubis/api/pass-challenge", { response: hash, nonce, redir, elapsedTime: t1 - t0 });
   }, 2000);
 })();
\ No newline at end of file
diff --git a/cmd/anubis/main.go b/cmd/anubis/main.go
index 53714cf..a15dba8 100644
--- a/cmd/anubis/main.go
+++ b/cmd/anubis/main.go
@@ -373,22 +373,6 @@ func (s *Server) passChallenge(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	difficultyStr := r.FormValue("difficulty")
-	if difficultyStr == "" {
-		clearCookie(w)
-		lg.Debug("no difficulty")
-		templ.Handler(base("Oh noes!", errorPage("missing difficulty")), templ.WithStatus(http.StatusInternalServerError)).ServeHTTP(w, r)
-		return
-	}
-
-	difficulty, err := strconv.Atoi(difficultyStr)
-	if err != nil {
-		clearCookie(w)
-		lg.Debug("difficulty doesn't parse", "err", err)
-		templ.Handler(base("Oh noes!", errorPage("invalid difficulty")), templ.WithStatus(http.StatusInternalServerError)).ServeHTTP(w, r)
-		return
-	}
-
 	lg.Info("challenge took", "elapsedTime", elapsedTime)
 	timeTaken.Observe(elapsedTime)
 
@@ -423,9 +407,9 @@ func (s *Server) passChallenge(w http.ResponseWriter, r *http.Request) {
 	}
 
 	// compare the leading zeroes
-	if !strings.HasPrefix(response, strings.Repeat("0", difficulty)) {
+	if !strings.HasPrefix(response, strings.Repeat("0", *challengeDifficulty)) {
 		clearCookie(w)
-		lg.Debug("difficulty check failed", "response", response, "difficulty", difficulty)
+		lg.Debug("difficulty check failed", "response", response, "difficulty", *challengeDifficulty)
 		templ.Handler(base("Oh noes!", errorPage("invalid response")), templ.WithStatus(http.StatusForbidden)).ServeHTTP(w, r)
 		failedValidations.Inc()
 		return
diff --git a/cmd/anubis/static/js/main.mjs b/cmd/anubis/static/js/main.mjs
index ddad470..043f617 100644
--- a/cmd/anubis/static/js/main.mjs
+++ b/cmd/anubis/static/js/main.mjs
@@ -1,2 +1,2 @@
-(()=>{function l(n,s=5){return new Promise((i,t)=>{let o=URL.createObjectURL(new Blob(["(",w(),")()"],{type:"application/javascript"})),e=new Worker(o);e.onmessage=r=>{e.terminate(),i(r.data)},e.onerror=r=>{e.terminate(),t()},e.postMessage({data:n,difficulty:s}),URL.revokeObjectURL(o)})}function w(){return function(){let n=s=>{let i=new TextEncoder().encode(s);return crypto.subtle.digest("SHA-256",i.buffer).then(t=>Array.from(new Uint8Array(t)).map(o=>o.toString(16).padStart(2,"0")).join(""))};addEventListener("message",async s=>{let i=s.data.data,t=s.data.difficulty,o,e=0;do o=await n(i+e++);while(o.substring(0,t)!==Array(t+1).join("0"));e-=1,postMessage({hash:o,data:i,difficulty:t,nonce:e})})}.toString()}var h=(n="",s={})=>{let i=new URL(n,window.location.href);return Object.entries(s).forEach(t=>{let[o,e]=t;i.searchParams.set(o,e)}),i.toString()},m=n=>`/.within.website/x/cmd/anubis/static/img/${n}.webp`;(async()=>{let n=document.getElementById("status"),s=document.getElementById("image"),i=document.getElementById("title"),t=document.getElementById("spinner");n.innerHTML="Calculating...";let{challenge:o,difficulty:e}=await fetch("/.within.website/x/cmd/anubis/api/make-challenge",{method:"POST"}).then(a=>{if(!a.ok)throw new Error("Failed to fetch config");return a.json()}).catch(a=>{throw i.innerHTML="Oh no!",n.innerHTML=`Failed to fetch config: ${a.message}`,s.src=m("sad"),t.innerHTML="",t.style.display="none",a});n.innerHTML=`Calculating...<br/>Difficulty: ${e}`;let r=Date.now(),{hash:u,nonce:c}=await l(o,e),d=Date.now();i.innerHTML="Success!",n.innerHTML=`Done! Took ${d-r}ms, ${c} iterations`,s.src=m("happy"),t.innerHTML="",t.style.display="none",setTimeout(()=>{let a=window.location.href;window.location.href=h("/.within.website/x/cmd/anubis/api/pass-challenge",{response:u,nonce:c,redir:a,elapsedTime:d-r,difficulty:e})},2e3)})();})();
+(()=>{function l(n,s=5){return new Promise((i,e)=>{let o=URL.createObjectURL(new Blob(["(",w(),")()"],{type:"application/javascript"})),t=new Worker(o);t.onmessage=r=>{t.terminate(),i(r.data)},t.onerror=r=>{t.terminate(),e()},t.postMessage({data:n,difficulty:s}),URL.revokeObjectURL(o)})}function w(){return function(){let n=s=>{let i=new TextEncoder().encode(s);return crypto.subtle.digest("SHA-256",i.buffer).then(e=>Array.from(new Uint8Array(e)).map(o=>o.toString(16).padStart(2,"0")).join(""))};addEventListener("message",async s=>{let i=s.data.data,e=s.data.difficulty,o,t=0;do o=await n(i+t++);while(o.substring(0,e)!==Array(e+1).join("0"));t-=1,postMessage({hash:o,data:i,difficulty:e,nonce:t})})}.toString()}var h=(n="",s={})=>{let i=new URL(n,window.location.href);return Object.entries(s).forEach(e=>{let[o,t]=e;i.searchParams.set(o,t)}),i.toString()},m=n=>`/.within.website/x/cmd/anubis/static/img/${n}.webp`;(async()=>{let n=document.getElementById("status"),s=document.getElementById("image"),i=document.getElementById("title"),e=document.getElementById("spinner");n.innerHTML="Calculating...";let{challenge:o,difficulty:t}=await fetch("/.within.website/x/cmd/anubis/api/make-challenge",{method:"POST"}).then(a=>{if(!a.ok)throw new Error("Failed to fetch config");return a.json()}).catch(a=>{throw i.innerHTML="Oh no!",n.innerHTML=`Failed to fetch config: ${a.message}`,s.src=m("sad"),e.innerHTML="",e.style.display="none",a});n.innerHTML=`Calculating...<br/>Difficulty: ${t}`;let r=Date.now(),{hash:u,nonce:c}=await l(o,t),d=Date.now();i.innerHTML="Success!",n.innerHTML=`Done! Took ${d-r}ms, ${c} iterations`,s.src=m("happy"),e.innerHTML="",e.style.display="none",setTimeout(()=>{let a=window.location.href;window.location.href=h("/.within.website/x/cmd/anubis/api/pass-challenge",{response:u,nonce:c,redir:a,elapsedTime:d-r})},2e3)})();})();
 //# sourceMappingURL=main.mjs.map
diff --git a/cmd/anubis/static/js/main.mjs.br b/cmd/anubis/static/js/main.mjs.br
index 9676fd1..27625da 100644
--- a/cmd/anubis/static/js/main.mjs.br
+++ b/cmd/anubis/static/js/main.mjs.br
diff --git a/cmd/anubis/static/js/main.mjs.gz b/cmd/anubis/static/js/main.mjs.gz
index 4e2350c..868c622 100644
--- a/cmd/anubis/static/js/main.mjs.gz
+++ b/cmd/anubis/static/js/main.mjs.gz
diff --git a/cmd/anubis/static/js/main.mjs.map b/cmd/anubis/static/js/main.mjs.map
index 55e476d..d5b288f 100644
--- a/cmd/anubis/static/js/main.mjs.map
+++ b/cmd/anubis/static/js/main.mjs.map
@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../js/proof-of-work.mjs", "../../js/main.mjs"],
-  "sourcesContent": ["// https://dev.to/ratmd/simple-proof-of-work-in-javascript-3kgm\n\nexport function process(data, difficulty = 5) {\n  return new Promise((resolve, reject) => {\n    let webWorkerURL = URL.createObjectURL(new Blob([\n      '(', processTask(), ')()'\n    ], { type: 'application/javascript' }));\n\n    let worker = new Worker(webWorkerURL);\n\n    worker.onmessage = (event) => {\n      worker.terminate();\n      resolve(event.data);\n    };\n\n    worker.onerror = (event) => {\n      worker.terminate();\n      reject();\n    };\n\n    worker.postMessage({\n      data,\n      difficulty\n    });\n\n    URL.revokeObjectURL(webWorkerURL);\n  });\n}\n\nfunction processTask() {\n  return function () {\n    const sha256 = (text) => {\n      const encoded = new TextEncoder().encode(text);\n      return crypto.subtle.digest(\"SHA-256\", encoded.buffer).then((result) =>\n        Array.from(new Uint8Array(result))\n          .map((c) => c.toString(16).padStart(2, \"0\"))\n          .join(\"\"),\n      );\n    };\n\n    addEventListener('message', async (event) => {\n      let data = event.data.data;\n      let difficulty = event.data.difficulty;\n\n      let hash;\n      let nonce = 0;\n      do {\n        hash = await sha256(data + nonce++);\n      } while (hash.substring(0, difficulty) !== Array(difficulty + 1).join('0'));\n\n      nonce -= 1; // last nonce was post-incremented\n\n      postMessage({\n        hash,\n        data,\n        difficulty,\n        nonce,\n      });\n    });\n  }.toString();\n}\n\n", "import { process } from './proof-of-work.mjs';\nimport { testVideo } from './video.mjs';\n\n// from Xeact\nconst u = (url = \"\", params = {}) => {\n  let result = new URL(url, window.location.href);\n  Object.entries(params).forEach((kv) => {\n    let [k, v] = kv;\n    result.searchParams.set(k, v);\n  });\n  return result.toString();\n};\n\nconst imageURL = (mood) => {\n  return `/.within.website/x/cmd/anubis/static/img/${mood}.webp`;\n};\n\n(async () => {\n  const status = document.getElementById('status');\n  const image = document.getElementById('image');\n  const title = document.getElementById('title');\n  const spinner = document.getElementById('spinner');\n  // const testarea = document.getElementById('testarea');\n\n  // const videoWorks = await testVideo(testarea);\n  // console.log(`videoWorks: ${videoWorks}`);\n\n  // if (!videoWorks) {\n  //   title.innerHTML = \"Oh no!\";\n  //   status.innerHTML = \"Checks failed. Please check your browser's settings and try again.\";\n  //   image.src = imageURL(\"sad\");\n  //   spinner.innerHTML = \"\";\n  //   spinner.style.display = \"none\";\n  //   return;\n  // }\n\n  status.innerHTML = 'Calculating...';\n\n  const { challenge, difficulty } = await fetch(\"/.within.website/x/cmd/anubis/api/make-challenge\", { method: \"POST\" })\n    .then(r => {\n      if (!r.ok) {\n        throw new Error(\"Failed to fetch config\");\n      }\n      return r.json();\n    })\n    .catch(err => {\n      title.innerHTML = \"Oh no!\";\n      status.innerHTML = `Failed to fetch config: ${err.message}`;\n      image.src = imageURL(\"sad\");\n      spinner.innerHTML = \"\";\n      spinner.style.display = \"none\";\n      throw err;\n    });\n\n  status.innerHTML = `Calculating...<br/>Difficulty: ${difficulty}`;\n\n  const t0 = Date.now();\n  const { hash, nonce } = await process(challenge, difficulty);\n  const t1 = Date.now();\n\n  title.innerHTML = \"Success!\";\n  status.innerHTML = `Done! Took ${t1 - t0}ms, ${nonce} iterations`;\n  image.src = imageURL(\"happy\");\n  spinner.innerHTML = \"\";\n  spinner.style.display = \"none\";\n\n  setTimeout(() => {\n    const redir = window.location.href;\n    window.location.href = u(\"/.within.website/x/cmd/anubis/api/pass-challenge\", { response: hash, nonce, redir, elapsedTime: t1 - t0, difficulty });\n  }, 2000);\n})();"],
-  "mappings": "MAEO,SAASA,EAAQC,EAAMC,EAAa,EAAG,CAC5C,OAAO,IAAI,QAAQ,CAACC,EAASC,IAAW,CACtC,IAAIC,EAAe,IAAI,gBAAgB,IAAI,KAAK,CAC9C,IAAKC,EAAY,EAAG,KACtB,EAAG,CAAE,KAAM,wBAAyB,CAAC,CAAC,EAElCC,EAAS,IAAI,OAAOF,CAAY,EAEpCE,EAAO,UAAaC,GAAU,CAC5BD,EAAO,UAAU,EACjBJ,EAAQK,EAAM,IAAI,CACpB,EAEAD,EAAO,QAAWC,GAAU,CAC1BD,EAAO,UAAU,EACjBH,EAAO,CACT,EAEAG,EAAO,YAAY,CACjB,KAAAN,EACA,WAAAC,CACF,CAAC,EAED,IAAI,gBAAgBG,CAAY,CAClC,CAAC,CACH,CAEA,SAASC,GAAc,CACrB,OAAO,UAAY,CACjB,IAAMG,EAAUC,GAAS,CACvB,IAAMC,EAAU,IAAI,YAAY,EAAE,OAAOD,CAAI,EAC7C,OAAO,OAAO,OAAO,OAAO,UAAWC,EAAQ,MAAM,EAAE,KAAMC,GAC3D,MAAM,KAAK,IAAI,WAAWA,CAAM,CAAC,EAC9B,IAAKC,GAAMA,EAAE,SAAS,EAAE,EAAE,SAAS,EAAG,GAAG,CAAC,EAC1C,KAAK,EAAE,CACZ,CACF,EAEA,iBAAiB,UAAW,MAAOL,GAAU,CAC3C,IAAIP,EAAOO,EAAM,KAAK,KAClBN,EAAaM,EAAM,KAAK,WAExBM,EACAC,EAAQ,EACZ,GACED,EAAO,MAAML,EAAOR,EAAOc,GAAO,QAC3BD,EAAK,UAAU,EAAGZ,CAAU,IAAM,MAAMA,EAAa,CAAC,EAAE,KAAK,GAAG,GAEzEa,GAAS,EAET,YAAY,CACV,KAAAD,EACA,KAAAb,EACA,WAAAC,EACA,MAAAa,CACF,CAAC,CACH,CAAC,CACH,EAAE,SAAS,CACb,CCxDA,IAAMC,EAAI,CAACC,EAAM,GAAIC,EAAS,CAAC,IAAM,CACnC,IAAIC,EAAS,IAAI,IAAIF,EAAK,OAAO,SAAS,IAAI,EAC9C,cAAO,QAAQC,CAAM,EAAE,QAASE,GAAO,CACrC,GAAI,CAACC,EAAGC,CAAC,EAAIF,EACbD,EAAO,aAAa,IAAIE,EAAGC,CAAC,CAC9B,CAAC,EACMH,EAAO,SAAS,CACzB,EAEMI,EAAYC,GACT,4CAA4CA,CAAI,SAGxD,SAAY,CACX,IAAMC,EAAS,SAAS,eAAe,QAAQ,EACzCC,EAAQ,SAAS,eAAe,OAAO,EACvCC,EAAQ,SAAS,eAAe,OAAO,EACvCC,EAAU,SAAS,eAAe,SAAS,EAejDH,EAAO,UAAY,iBAEnB,GAAM,CAAE,UAAAI,EAAW,WAAAC,CAAW,EAAI,MAAM,MAAM,mDAAoD,CAAE,OAAQ,MAAO,CAAC,EACjH,KAAKC,GAAK,CACT,GAAI,CAACA,EAAE,GACL,MAAM,IAAI,MAAM,wBAAwB,EAE1C,OAAOA,EAAE,KAAK,CAChB,CAAC,EACA,MAAMC,GAAO,CACZ,MAAAL,EAAM,UAAY,SAClBF,EAAO,UAAY,2BAA2BO,EAAI,OAAO,GACzDN,EAAM,IAAMH,EAAS,KAAK,EAC1BK,EAAQ,UAAY,GACpBA,EAAQ,MAAM,QAAU,OAClBI,CACR,CAAC,EAEHP,EAAO,UAAY,kCAAkCK,CAAU,GAE/D,IAAMG,EAAK,KAAK,IAAI,EACd,CAAE,KAAAC,EAAM,MAAAC,CAAM,EAAI,MAAMC,EAAQP,EAAWC,CAAU,EACrDO,EAAK,KAAK,IAAI,EAEpBV,EAAM,UAAY,WAClBF,EAAO,UAAY,cAAcY,EAAKJ,CAAE,OAAOE,CAAK,cACpDT,EAAM,IAAMH,EAAS,OAAO,EAC5BK,EAAQ,UAAY,GACpBA,EAAQ,MAAM,QAAU,OAExB,WAAW,IAAM,CACf,IAAMU,EAAQ,OAAO,SAAS,KAC9B,OAAO,SAAS,KAAOtB,EAAE,mDAAoD,CAAE,SAAUkB,EAAM,MAAAC,EAAO,MAAAG,EAAO,YAAaD,EAAKJ,EAAI,WAAAH,CAAW,CAAC,CACjJ,EAAG,GAAI,CACT,GAAG",
+  "sourcesContent": ["// https://dev.to/ratmd/simple-proof-of-work-in-javascript-3kgm\n\nexport function process(data, difficulty = 5) {\n  return new Promise((resolve, reject) => {\n    let webWorkerURL = URL.createObjectURL(new Blob([\n      '(', processTask(), ')()'\n    ], { type: 'application/javascript' }));\n\n    let worker = new Worker(webWorkerURL);\n\n    worker.onmessage = (event) => {\n      worker.terminate();\n      resolve(event.data);\n    };\n\n    worker.onerror = (event) => {\n      worker.terminate();\n      reject();\n    };\n\n    worker.postMessage({\n      data,\n      difficulty\n    });\n\n    URL.revokeObjectURL(webWorkerURL);\n  });\n}\n\nfunction processTask() {\n  return function () {\n    const sha256 = (text) => {\n      const encoded = new TextEncoder().encode(text);\n      return crypto.subtle.digest(\"SHA-256\", encoded.buffer).then((result) =>\n        Array.from(new Uint8Array(result))\n          .map((c) => c.toString(16).padStart(2, \"0\"))\n          .join(\"\"),\n      );\n    };\n\n    addEventListener('message', async (event) => {\n      let data = event.data.data;\n      let difficulty = event.data.difficulty;\n\n      let hash;\n      let nonce = 0;\n      do {\n        hash = await sha256(data + nonce++);\n      } while (hash.substring(0, difficulty) !== Array(difficulty + 1).join('0'));\n\n      nonce -= 1; // last nonce was post-incremented\n\n      postMessage({\n        hash,\n        data,\n        difficulty,\n        nonce,\n      });\n    });\n  }.toString();\n}\n\n", "import { process } from './proof-of-work.mjs';\nimport { testVideo } from './video.mjs';\n\n// from Xeact\nconst u = (url = \"\", params = {}) => {\n  let result = new URL(url, window.location.href);\n  Object.entries(params).forEach((kv) => {\n    let [k, v] = kv;\n    result.searchParams.set(k, v);\n  });\n  return result.toString();\n};\n\nconst imageURL = (mood) => {\n  return `/.within.website/x/cmd/anubis/static/img/${mood}.webp`;\n};\n\n(async () => {\n  const status = document.getElementById('status');\n  const image = document.getElementById('image');\n  const title = document.getElementById('title');\n  const spinner = document.getElementById('spinner');\n  // const testarea = document.getElementById('testarea');\n\n  // const videoWorks = await testVideo(testarea);\n  // console.log(`videoWorks: ${videoWorks}`);\n\n  // if (!videoWorks) {\n  //   title.innerHTML = \"Oh no!\";\n  //   status.innerHTML = \"Checks failed. Please check your browser's settings and try again.\";\n  //   image.src = imageURL(\"sad\");\n  //   spinner.innerHTML = \"\";\n  //   spinner.style.display = \"none\";\n  //   return;\n  // }\n\n  status.innerHTML = 'Calculating...';\n\n  const { challenge, difficulty } = await fetch(\"/.within.website/x/cmd/anubis/api/make-challenge\", { method: \"POST\" })\n    .then(r => {\n      if (!r.ok) {\n        throw new Error(\"Failed to fetch config\");\n      }\n      return r.json();\n    })\n    .catch(err => {\n      title.innerHTML = \"Oh no!\";\n      status.innerHTML = `Failed to fetch config: ${err.message}`;\n      image.src = imageURL(\"sad\");\n      spinner.innerHTML = \"\";\n      spinner.style.display = \"none\";\n      throw err;\n    });\n\n  status.innerHTML = `Calculating...<br/>Difficulty: ${difficulty}`;\n\n  const t0 = Date.now();\n  const { hash, nonce } = await process(challenge, difficulty);\n  const t1 = Date.now();\n\n  title.innerHTML = \"Success!\";\n  status.innerHTML = `Done! Took ${t1 - t0}ms, ${nonce} iterations`;\n  image.src = imageURL(\"happy\");\n  spinner.innerHTML = \"\";\n  spinner.style.display = \"none\";\n\n  setTimeout(() => {\n    const redir = window.location.href;\n    window.location.href = u(\"/.within.website/x/cmd/anubis/api/pass-challenge\", { response: hash, nonce, redir, elapsedTime: t1 - t0 });\n  }, 2000);\n})();"],
+  "mappings": "MAEO,SAASA,EAAQC,EAAMC,EAAa,EAAG,CAC5C,OAAO,IAAI,QAAQ,CAACC,EAASC,IAAW,CACtC,IAAIC,EAAe,IAAI,gBAAgB,IAAI,KAAK,CAC9C,IAAKC,EAAY,EAAG,KACtB,EAAG,CAAE,KAAM,wBAAyB,CAAC,CAAC,EAElCC,EAAS,IAAI,OAAOF,CAAY,EAEpCE,EAAO,UAAaC,GAAU,CAC5BD,EAAO,UAAU,EACjBJ,EAAQK,EAAM,IAAI,CACpB,EAEAD,EAAO,QAAWC,GAAU,CAC1BD,EAAO,UAAU,EACjBH,EAAO,CACT,EAEAG,EAAO,YAAY,CACjB,KAAAN,EACA,WAAAC,CACF,CAAC,EAED,IAAI,gBAAgBG,CAAY,CAClC,CAAC,CACH,CAEA,SAASC,GAAc,CACrB,OAAO,UAAY,CACjB,IAAMG,EAAUC,GAAS,CACvB,IAAMC,EAAU,IAAI,YAAY,EAAE,OAAOD,CAAI,EAC7C,OAAO,OAAO,OAAO,OAAO,UAAWC,EAAQ,MAAM,EAAE,KAAMC,GAC3D,MAAM,KAAK,IAAI,WAAWA,CAAM,CAAC,EAC9B,IAAKC,GAAMA,EAAE,SAAS,EAAE,EAAE,SAAS,EAAG,GAAG,CAAC,EAC1C,KAAK,EAAE,CACZ,CACF,EAEA,iBAAiB,UAAW,MAAOL,GAAU,CAC3C,IAAIP,EAAOO,EAAM,KAAK,KAClBN,EAAaM,EAAM,KAAK,WAExBM,EACAC,EAAQ,EACZ,GACED,EAAO,MAAML,EAAOR,EAAOc,GAAO,QAC3BD,EAAK,UAAU,EAAGZ,CAAU,IAAM,MAAMA,EAAa,CAAC,EAAE,KAAK,GAAG,GAEzEa,GAAS,EAET,YAAY,CACV,KAAAD,EACA,KAAAb,EACA,WAAAC,EACA,MAAAa,CACF,CAAC,CACH,CAAC,CACH,EAAE,SAAS,CACb,CCxDA,IAAMC,EAAI,CAACC,EAAM,GAAIC,EAAS,CAAC,IAAM,CACnC,IAAIC,EAAS,IAAI,IAAIF,EAAK,OAAO,SAAS,IAAI,EAC9C,cAAO,QAAQC,CAAM,EAAE,QAASE,GAAO,CACrC,GAAI,CAACC,EAAGC,CAAC,EAAIF,EACbD,EAAO,aAAa,IAAIE,EAAGC,CAAC,CAC9B,CAAC,EACMH,EAAO,SAAS,CACzB,EAEMI,EAAYC,GACT,4CAA4CA,CAAI,SAGxD,SAAY,CACX,IAAMC,EAAS,SAAS,eAAe,QAAQ,EACzCC,EAAQ,SAAS,eAAe,OAAO,EACvCC,EAAQ,SAAS,eAAe,OAAO,EACvCC,EAAU,SAAS,eAAe,SAAS,EAejDH,EAAO,UAAY,iBAEnB,GAAM,CAAE,UAAAI,EAAW,WAAAC,CAAW,EAAI,MAAM,MAAM,mDAAoD,CAAE,OAAQ,MAAO,CAAC,EACjH,KAAKC,GAAK,CACT,GAAI,CAACA,EAAE,GACL,MAAM,IAAI,MAAM,wBAAwB,EAE1C,OAAOA,EAAE,KAAK,CAChB,CAAC,EACA,MAAMC,GAAO,CACZ,MAAAL,EAAM,UAAY,SAClBF,EAAO,UAAY,2BAA2BO,EAAI,OAAO,GACzDN,EAAM,IAAMH,EAAS,KAAK,EAC1BK,EAAQ,UAAY,GACpBA,EAAQ,MAAM,QAAU,OAClBI,CACR,CAAC,EAEHP,EAAO,UAAY,kCAAkCK,CAAU,GAE/D,IAAMG,EAAK,KAAK,IAAI,EACd,CAAE,KAAAC,EAAM,MAAAC,CAAM,EAAI,MAAMC,EAAQP,EAAWC,CAAU,EACrDO,EAAK,KAAK,IAAI,EAEpBV,EAAM,UAAY,WAClBF,EAAO,UAAY,cAAcY,EAAKJ,CAAE,OAAOE,CAAK,cACpDT,EAAM,IAAMH,EAAS,OAAO,EAC5BK,EAAQ,UAAY,GACpBA,EAAQ,MAAM,QAAU,OAExB,WAAW,IAAM,CACf,IAAMU,EAAQ,OAAO,SAAS,KAC9B,OAAO,SAAS,KAAOtB,EAAE,mDAAoD,CAAE,SAAUkB,EAAM,MAAAC,EAAO,MAAAG,EAAO,YAAaD,EAAKJ,CAAG,CAAC,CACrI,EAAG,GAAI,CACT,GAAG",
   "names": ["process", "data", "difficulty", "resolve", "reject", "webWorkerURL", "processTask", "worker", "event", "sha256", "text", "encoded", "result", "c", "hash", "nonce", "u", "url", "params", "result", "kv", "k", "v", "imageURL", "mood", "status", "image", "title", "spinner", "challenge", "difficulty", "r", "err", "t0", "hash", "nonce", "process", "t1", "redir"]
 }
diff --git a/cmd/anubis/static/js/main.mjs.zst b/cmd/anubis/static/js/main.mjs.zst
index 83e5e35..3f27a9e 100644
--- a/cmd/anubis/static/js/main.mjs.zst
+++ b/cmd/anubis/static/js/main.mjs.zst