author: Xe Iaso <me@xeiaso.net> 2025-01-26 16:03:35 -0500
committer: Xe Iaso <me@xeiaso.net> 2025-01-26 16:03:38 -0500
commit: e09d0226a628f04b1d80fd83bee777894a45cd02
tree: f29ff26bc09a5a59b1535e1695a4bde004fcabe5 /llm/codeinterpreter
parent: 7bd7b209f4f1b897de85ec8973458dc8be606a8b
cmd/anubis: forbid bypassing auth by faking the challenge difficulty
This fixes a trivial auth bypass where a user requests a challenge, formulates any nonce they want (such as 42069), and then passes the challenge with difficulty zero.

This was fixed by not using the difficulty the client specified and instead using the fixed difficulty at the server level. The difficulty has also been encoded into the challenge in 7bd7b209f4f1.

Thanks to Coral Pink for finding this and reporting it over email.

Signed-off-by: Xe Iaso <me@xeiaso.net>
Diffstat (limited to 'llm/codeinterpreter')
0 files changed, 0 insertions, 0 deletions
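
The bypass and the fix described in the commit message, as an added Go example that is not the Anubis source. The proof-of-work scheme (SHA-256 over challenge plus nonce, counted in leading zero hex digits), the `Submission` fields, the function names and the difficulty value 4 are assumptions for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// serverDifficulty: required leading zero hex digits, set only on the server (assumed value).
const serverDifficulty = 4

// Submission is a hypothetical client reply; Difficulty is attacker-controlled input.
type Submission struct {
	Nonce      int
	Response   string
	Difficulty int
}

func hashFor(challenge string, nonce int) string {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%s%d", challenge, nonce)))
	return hex.EncodeToString(sum[:])
}
func leadingZeros(h string) int { return len(h) - len(strings.TrimLeft(h, "0")) }

// verifyVulnerable has the flaw from the commit message: the threshold comes from the request.
func verifyVulnerable(challenge string, s Submission) bool {
	want := hashFor(challenge, s.Nonce)
	return s.Response == want && leadingZeros(want) >= s.Difficulty
}

// verifyFixed ignores s.Difficulty and enforces the server-side constant.
func verifyFixed(challenge string, s Submission) bool {
	want := hashFor(challenge, s.Nonce)
	return s.Response == want && leadingZeros(want) >= serverDifficulty
}

// solve does the honest work: search for a nonce that meets the server's difficulty.
func solve(challenge string) Submission {
	for n := 0; ; n++ {
		if h := hashFor(challenge, n); leadingZeros(h) >= serverDifficulty {
			return Submission{Nonce: n, Response: h, Difficulty: serverDifficulty}
		}
	}
}

func main() {
	c := "constructed-challenge"                      // constructed sample value
	forged := Submission{42069, hashFor(c, 42069), 0} // arbitrary nonce, claimed difficulty zero
	fmt.Println(verifyVulnerable(c, forged), verifyFixed(c, forged), verifyFixed(c, solve(c)))
}
```

A regression test for this class of bug should submit a valid hash for an arbitrary nonce with a claimed difficulty of zero and assert that verification fails.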