Important Security Note
If you have previously set and used a static ALTCHA_HMAC_KEY, you must rotate this key as part of upgrading to this release.
Earlier versions of django-altcha accepted challenges that were generated without an expiration (expires) value, so such challenges never stopped being valid.
As a result, an attacker holding an old challenge (and its solution) could resubmit it to bypass CAPTCHA validation.
A challenge is accepted on the strength of its HMAC signature, so every challenge issued under the old key stays verifiable for as long as that key remains in use.
To fully benefit from the security improvements in this release, you must therefore also invalidate any existing challenges by rotating the HMAC key used to generate and verify them.
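The following is an added illustration, not django-altcha's own code, of why the note above requires a key rotation: an HMAC-signed challenge remains verifiable for as long as the key that signed it is in use, so a server that starts enforcing `expires` still has to discard challenges issued without one. The layout is modelled on the ALTCHA scheme (challenge = SHA-256(salt + number), signature = HMAC-SHA-256 over the challenge under the server key, `expires` carried as a query parameter in the salt); the field names, the `MAX_NUMBER` search space and the keys are assumptions constructed for the example.

```python
"""Added example (not django-altcha's code): challenge issue/solve/verify with
expiry, replay protection and key rotation, modelled on the ALTCHA layout."""
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs

MAX_NUMBER = 100_000  # solver search space; constructed value for the example


def create_challenge(hmac_key: bytes, expires_in: Optional[int] = 60, now: Optional[float] = None) -> dict:
    """Issue a challenge. expires_in=None mimics the old behaviour of issuing
    challenges that carry no expiry at all."""
    now = time.time() if now is None else now
    salt = secrets.token_hex(12)
    if expires_in is not None:
        salt += f"?expires={int(now + expires_in)}"
    number = secrets.randbelow(MAX_NUMBER)
    challenge = hashlib.sha256((salt + str(number)).encode()).hexdigest()
    signature = hmac.new(hmac_key, challenge.encode(), hashlib.sha256).hexdigest()
    return {"algorithm": "SHA-256", "challenge": challenge, "salt": salt, "signature": signature}


def solve(challenge: dict) -> dict:
    """Client side: brute-force the number and return the payload posted back."""
    for number in range(MAX_NUMBER):
        if hashlib.sha256((challenge["salt"] + str(number)).encode()).hexdigest() == challenge["challenge"]:
            return {**challenge, "number": number}
    raise ValueError("no solution in range")


class Verifier:
    """Server side: holds the current HMAC key and the set of consumed challenges
    (an in-memory stand-in for whatever store a real deployment would use)."""

    def __init__(self, hmac_key: bytes):
        self.hmac_key = hmac_key
        self.seen = set()

    def verify(self, payload: dict, now: Optional[float] = None) -> Tuple[bool, str]:
        now = time.time() if now is None else now
        # 1. The signature must have been produced with the *current* key;
        #    after rotation, anything signed under the old key fails here.
        expected_sig = hmac.new(self.hmac_key, payload["challenge"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected_sig, payload["signature"]):
            return False, "bad signature"
        # 2. The submitted number must hash to the signed challenge.
        digest = hashlib.sha256((payload["salt"] + str(payload["number"])).encode()).hexdigest()
        if not hmac.compare_digest(digest, payload["challenge"]):
            return False, "wrong solution"
        # 3. An expiry must be present (a challenge without one is rejected) and in the future.
        _, _, query = payload["salt"].partition("?")
        expires = parse_qs(query).get("expires")
        if not expires:
            return False, "missing expires"
        if now > int(expires[0]):
            return False, "expired"
        # 4. Each challenge may be consumed once (replay protection).
        if payload["challenge"] in self.seen:
            return False, "replayed"
        self.seen.add(payload["challenge"])
        return True, "ok"


def scenario() -> dict:
    """Walk through the cases the security note describes; returns each outcome."""
    old_key, new_key = b"old-static-key", b"rotated-key"  # constructed keys
    t0 = 1_700_000_000
    server = Verifier(old_key)
    no_expiry = solve(create_challenge(old_key, expires_in=None, now=t0))
    fresh = solve(create_challenge(old_key, expires_in=60, now=t0))
    results = {
        "no_expiry_rejected": server.verify(no_expiry, now=t0)[1],
        "fresh_accepted": server.verify(fresh, now=t0)[1],
        "replay_rejected": server.verify(fresh, now=t0 + 1)[1],
        "expired_rejected": server.verify(solve(create_challenge(old_key, 60, now=t0)), now=t0 + 61)[1],
    }
    server.hmac_key = new_key  # the rotation the note asks for
    results["old_key_rejected"] = server.verify(solve(create_challenge(old_key, 60, now=t0)), now=t0)[1]
    return results


if __name__ == "__main__":
    for case, outcome in scenario().items():
        print(f"{case}: {outcome}")
```

The last case is the one the note is about: the challenge was issued with a valid expiry, is unexpired and unsolved before, yet is rejected purely because the key changed; without that rotation, step 1 would pass for every challenge the old key ever signed, including those issued before expiry was enforced.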
What's Changed
- Add support for altcha 0.2.0 by @tdruez in #8
- Add challenge expiration support by @tdruez in #7
- Add an AltchaChallengeView to allow challengeurl setup by @tdruez in #9
- Add protection against replay attacks (#10) by @tdruez in #11
- Bump version for 0.2.0 release by @tdruez in #12
Credits
- Special thanks to Alex Vandiver alexmv@zulip.com for reporting these issues.
Full Changelog: v0.1.3...v0.2.0