Browser engine integration?

[alcinnz]

Hi, I'm working on an NLnet-funded browser engine "Haphaestus" & I'd be keen to figure out with you how we can mCaptcha working in my browser engine.

The catch is that for several reasons I will not & cannot support JavaScript, so mCaptcha will need to be integrated directly into my webform engine "Bureaucromancy" as a new type. Thoughts?

[realaravinth]

Hello 👋

Thanks for reaching out, brower integration has been the ultimate goal of mCaptcha since WASM/JS can only be so fast :)

There are three ways three ways to go about this:

1. Haskell bindings to Rust implementation of mCaptcha/pow_sha256
2. C ABI compatible compilation of pow_sha256
3. Porting pow_sha256b to Haskell: I don't speak Haskell, so I can't help here. A JavaScript port of that library exists, should you find JavaScript more readable than Rust :)

I'm open to other ideas as well. Talk soon o/

[alcinnz]

I think it'd be simplest for you to offer me a C ABI (the simpler the better), I'm well practiced at language-binding those!

How about the markup? What new HTML tags should render to an mCaptcha?

[realaravinth]

I think it'd be simplest for you to offer me a C ABI (the simpler the better), I'm well practiced at language-binding those!

Great! I will configure pow_sha256 to compile to C ABI and get back to you. ETA: 2 weeks (school is keeping me busy at the moment 😅).

How about the markup? What new HTML tags should render to an mCaptcha?

I'm sorry, I don't know how to implement mCaptcha without JavaScript. Are you saying that we can get the same behavior with a new markup tag? If yes, that tag should

<Mcaptcha src="https://mcaptcha.example.org" sitekey="somesitekey" />

And should do the following:

1. Fetch PoW configuration. Example:

curl 'https://demo.mcaptcha.org/api/v1/pow/config' \ 
   -X POST  \
   -H 'Content-Type: application/json' \ 
   --data-raw '{"key":"pHy0AktWyOKuxZDzFfoaewncWecCHo23"}'

2. Generate PoW (will be implemented within pow_sha256)

3. Submit work for verification. Example:

curl 'https://demo.mcaptcha.org/api/v1/pow/verify'  \
   -X POST \
   -H 'Content-Type: application/json' \
   --data-raw '{"key":"pHy0AktWyOKuxZDzFfoaewncWecCHo23","string":"OmcyEfHiXJWfgGFX49PRcdrC3jSqayUd","nonce":58110,"result":"340279823978375858028160475878480141189","time":25,"worker_type":"wasm"}'

Response:

{"token":"AW5h4UgJBaqcbXKWGmi4DBFmxVT0gyYn"}

4. Authorization token (token from step 3's response) should be injected into the form that is protected by mCaptcha in a hidden input field:

<input id="mcaptcha__token" name="mcaptcha__token" required="" hidden="" value="AW5h4UgJBaqcbXKWGmi4DBFmxVT0gyYn">

A simple demo is available at https://showcase.mcaptcha.org, which should demonstrate the whole process.

[alcinnz]

Sounds perfect!

[alcinnz]

So that pow_sha256 function: Should I be responsible for parsing the JSON I get back from the config endpoint, or will it do so?

Either way this looks like it'd probably be a trivial language binding to write...

[realaravinth]

I seemed to have overlooked this thread, apologies!

pow_sha256 is low level only exposes a primitive API. The widget has to execute multiple statements to process the configuration and generate PoW. [pow_wasm](https://github.com/mCaptcha/pow_wasm] builds on top of pow_sha256 and exposes a higher-level API

But neither of these libraries parse JSON.