peopleinside / fla-powcaptcha
Local Proof-of-Work CAPTCHA for Flarum – protect login, registration and password reset without any external service
Package info
github.com/PeopleInside/fla-powcaptcha
Language: TypeScript
Type: flarum-extension
pkg:composer/peopleinside/fla-powcaptcha
Requires
- php: >=8.1
- flarum/core: ^1.0 || ^2.0
This package is auto-updated.
Last update: 2026-05-16 09:01:09 UTC
README
A local Proof-of-Work CAPTCHA extension for Flarum that protects login, registration and password-reset forms without relying on any external service (no Cloudflare, no Google reCAPTCHA, no cookies).
How it works
- When an auth modal opens, the browser silently fetches a one-time challenge from the Flarum API.
- The browser solves a SHA-256 hash puzzle (finds a nonce N such that `SHA-256(challenge:N)` starts with D hex zeros, where D is the configured difficulty).
- The solution token `challenge:nonce` is appended to the form submission.
- The server verifies the solution and rejects the request if the check fails.
Bots must solve the same puzzle for every request; legitimate users complete it invisibly in the background (< 100 ms at the default difficulty).
Features
- 🔒 No external services – fully self-hosted
- ⚡ Invisible to users – solved automatically while they fill the form
- ⚙️ Configurable difficulty – 5 levels (< 1 ms → ~10 s)
- 🌓 Dark / light mode – widget adapts to Flarum's current theme
- 🌍 Italian & English – auto-detected; add more locales in `locale/`
- 🔁 Replay-proof – each challenge is single-use (stored in Flarum's cache)
- ✅ Flarum 1.x and 2.x compatible
Requirements
| Dependency | Version |
|---|---|
| PHP | ≥ 8.1 |
| Flarum | ^1.0 or ^2.0 |
Disclaimer
This software is provided "AS IS", without any warranty. While it has been tested and reasonable efforts are made to ensure security and reliability, no guarantees are provided. As an open project, anyone may contribute or report issues, but this does not imply endorsement or liability from the maintainers.
You use this software entirely at your own risk. The authors and contributors are not liable for any damages, data loss, or unexpected behavior resulting from its use, modification, or distribution. Always review and test the code independently before deploying it in critical or production environments.
Installation
composer require peopleinside/fla-powcaptcha
Update
composer update peopleinside/fla-powcaptcha
How to remove
composer remove peopleinside/fla-powcaptcha
After installing, enable the extension in the Flarum admin panel.
Configuration
Go to Admin → Extensions → PoW CAPTCHA and choose:
| Setting | Default | Description |
|---|---|---|
| Enable on Login | ✓ | Protect the login form |
| Enable on Registration | ✓ | Protect the sign-up form |
| Enable on Password Reset | ✓ | Protect the forgot-password form |
| Difficulty | 3 – Standard (~100 ms) | SHA-256 leading-zero count (1–5) |
Development (for contributors only)
The extension is distributed with pre-compiled frontend assets (js/dist/*), so no JS build step is required to install or use it.
Security Notes
- Each challenge is valid for 5 minutes and is single-use (deleted after successful verification).
- The challenge is a 128-bit cryptographically random value; it cannot be guessed or forged.
- The server independently re-computes the SHA-256 hash to verify the solution.
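The flow described under "How it works" and "Security Notes", as an added Node.js example that is not the extension's own code. The function names, the in-memory `Map` standing in for Flarum's cache, and the strict token format check are assumptions made for illustration.

```javascript
// Added illustration of the scheme in this README; not the extension's code.
const { createHash, randomBytes } = require("node:crypto");

const TTL_MS = 5 * 60 * 1000;   // README: challenges are valid for 5 minutes
const issued = new Map();       // assumed stand-in for Flarum's cache: challenge -> expiry

const sha256Hex = (s) => createHash("sha256").update(s).digest("hex");
const meets = (hex, d) => hex.startsWith("0".repeat(d));

// Server: issue a 128-bit random challenge and remember it until it expires.
function issueChallenge(now = Date.now()) {
  const challenge = randomBytes(16).toString("hex");
  issued.set(challenge, now + TTL_MS);
  return challenge;
}

// Client: search for a nonce N so SHA-256("challenge:N") starts with d hex zeros.
function solve(challenge, d) {
  for (let n = 0; ; n++) {
    if (meets(sha256Hex(`${challenge}:${n}`), d)) return `${challenge}:${n}`;
  }
}

// Server: verify a "challenge:nonce" token. Returns "ok" or a rejection reason.
function verify(token, d, now = Date.now()) {
  const m = /^([0-9a-f]{32}):(\d{1,16})$/.exec(token);  // reject odd input early
  if (!m) return "malformed";
  const [, challenge] = m;
  const expiry = issued.get(challenge);
  if (expiry === undefined) return "unknown-or-used";   // never issued, or replayed
  if (now > expiry) { issued.delete(challenge); return "expired"; }
  // Re-compute the hash server-side; never trust a client-reported digest.
  if (!meets(sha256Hex(token), d)) return "bad-proof";
  issued.delete(challenge);  // single use: deleted after successful verification
  return "ok";
}
```

Because the challenge is looked up in the server's own store before the hash is checked, a token built on a self-chosen challenge or a replayed token is rejected regardless of how much work went into it.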