CreaCaptcha

Engine
in package

Wraps the bundled ALTCHA library for the WordPress plugin.

Table of Contents

Constants

PRESETS  = ['pbkdf2' => ['low' => ['cost' => 3000, 'min' => 5, 'max' => 30], 'medium' => ['cost' => 6000, 'min' => 10, 'max' => 60], 'high' => ['cost' => 15000, 'min' => 20, 'max' => 120]], 'argon2id' => ['low' => ['cost' => 1, 'min' => 5, 'max' => 40], 'medium' => ['cost' => 2, 'min' => 10, 'max' => 80], 'high' => ['cost' => 3, 'min' => 20, 'max' => 160]]]
Difficulty presets per algorithm: PoW cost + counter range [min, max].

Methods

create_challenge()  : array<string, mixed>
Builds a fresh challenge as a JSON-serialisable array.
issue_signed_payload()  : string
Issues a fresh, server-solved ALTCHA payload — base64 string that `Engine::verify()` will accept exactly once. Used by the code-challenge verify endpoint (Module 15) to substitute the user's original PoW payload (which carried a data.ccode marker and would be rejected by verify()'s bypass guard) with a clean payload that has no data.ccode.
verify()  : bool
Verifies a base64-encoded ALTCHA payload and enforces single use.
verify_structural()  : bool
Verifies a base64 ALTCHA payload structurally — same checks as `verify()` minus the single-use replay guard. Used by the code-challenge verify endpoint (Module 15), which must not consume the incoming payload because the user may retry on wrong code.
algorithm()  : DeriveKeyInterface
The derive-key algorithm instance for the configured algorithm.
algorithm_for_name()  : DeriveKeyInterface
Maps a challenge algorithm name to a derive-key instance.
algorithm_key()  : string
Effective algorithm key — falls back to pbkdf2 when argon2id is selected but ext-sodium is unavailable.
altcha()  : Altcha
Builds the underlying ALTCHA object with both HMAC secrets.
difficulty_key()  : string
Normalises the configured difficulty.

Constants

PRESETS

Difficulty presets per algorithm: PoW cost + counter range [min, max].

private mixed PRESETS = ['pbkdf2' => ['low' => ['cost' => 3000, 'min' => 5, 'max' => 30], 'medium' => ['cost' => 6000, 'min' => 10, 'max' => 60], 'high' => ['cost' => 15000, 'min' => 20, 'max' => 120]], 'argon2id' => ['low' => ['cost' => 1, 'min' => 5, 'max' => 40], 'medium' => ['cost' => 2, 'min' => 10, 'max' => 80], 'high' => ['cost' => 3, 'min' => 20, 'max' => 160]]]

Initial calibration (Spec §7): if needed, re-tune in this one place after the DDEV solve-time test.

Methods

create_challenge()

Builds a fresh challenge as a JSON-serialisable array.

public create_challenge() : array<string, mixed>
Return values
array<string, mixed>

issue_signed_payload()

Issues a fresh, server-solved ALTCHA payload — base64 string that `Engine::verify()` will accept exactly once. Used by the code-challenge verify endpoint (Module 15) to substitute the user's original PoW payload (which carried a data.ccode marker and would be rejected by verify()'s bypass guard) with a clean payload that has no data.ccode.

public issue_signed_payload() : string

Returns the empty string on internal error (no payload issued).

Return values
string

verify()

Verifies a base64-encoded ALTCHA payload and enforces single use.

public verify(string $payload_b64) : bool
Parameters
$payload_b64 : string

The base64 payload from the altcha form field.

Return values
bool

verify_structural()

Verifies a base64 ALTCHA payload structurally — same checks as `verify()` minus the single-use replay guard. Used by the code-challenge verify endpoint (Module 15), which must not consume the incoming payload because the user may retry on wrong code.

public verify_structural(string $payload_b64) : bool

NOTE: also skips the parameters.data.ccode reject filter — the code-verify handler explicitly EXPECTS that field to be present.

Parameters
$payload_b64 : string

The base64 payload from the widget.

Return values
bool
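
How `verify()`, `verify_structural()` and the clean payload from `issue_signed_payload()` relate, as an added sketch that is not the plugin's or ALTCHA's code. `DemoEngine`, its payload layout and the in-memory replay store are hypothetical, the proof-of-work check is omitted, and PHP 8 is assumed.

```php
<?php
// Added illustration, not the plugin's or ALTCHA's code. DemoEngine and its
// payload layout are hypothetical; the proof-of-work check is left out.
final class DemoEngine
{
    /** @var array<string, true> signatures consumed so far (in-memory for the demo) */
    private array $used = [];

    public function __construct(private string $secret) {}

    public function issue(array $params): string
    {
        $json = json_encode($params, JSON_THROW_ON_ERROR);
        $sig  = hash_hmac('sha256', $json, $this->secret);
        return base64_encode(json_encode(['signed' => $json, 'signature' => $sig], JSON_THROW_ON_ERROR));
    }

    // Signature check only: no replay guard, data.ccode is allowed.
    public function verifyStructural(string $b64): bool
    {
        return $this->open($b64) !== null;
    }

    // Full check: refuses data.ccode and accepts each signature once.
    public function verify(string $b64): bool
    {
        $p = $this->open($b64);
        if ($p === null || isset($p['params']['data']['ccode']) || isset($this->used[$p['sig']])) {
            return false;
        }
        $this->used[$p['sig']] = true; // consume the payload
        return true;
    }

    private function open(string $b64): ?array
    {
        $outer = json_decode((string) base64_decode($b64, true), true);
        [$json, $sig] = [$outer['signed'] ?? null, $outer['signature'] ?? null];
        if (!is_string($json) || !is_string($sig) || !hash_equals(hash_hmac('sha256', $json, $this->secret), $sig)) {
            return null; // malformed payload or bad HMAC
        }
        $params = json_decode($json, true);
        return is_array($params) ? ['params' => $params, 'sig' => $sig] : null;
    }
}
$e = new DemoEngine('constructed-secret');
$marked = $e->issue(['nonce' => 'n1', 'data' => ['ccode' => true]]); // constructed sample
var_dump($e->verifyStructural($marked), $e->verifyStructural($marked), $e->verify($marked));
$clean = $e->issue(['nonce' => 'n2']); // server-issued replacement without data.ccode
var_dump($e->verify($clean), $e->verify($clean));
```

A production replay store has to be shared across PHP workers and expire entries, which the in-memory array here does not do.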

algorithm()

The derive-key algorithm instance for the configured algorithm.

private algorithm() : DeriveKeyInterface
Return values
DeriveKeyInterface

algorithm_for_name()

Maps a challenge algorithm name to a derive-key instance.

private algorithm_for_name(string $name) : DeriveKeyInterface
Parameters
$name : string
Return values
DeriveKeyInterface

algorithm_key()

Effective algorithm key: falls back to pbkdf2 when argon2id is selected but ext-sodium is unavailable.

private algorithm_key() : string
Return values
string

altcha()

Builds the underlying ALTCHA object with both HMAC secrets.

private altcha() : Altcha
Return values
Altcha

difficulty_key()

Normalises the configured difficulty.

private difficulty_key(array<string, mixed> $settings) : string
Parameters
$settings : array<string, mixed>

Plugin settings.

Return values
string

        