challenges: add refresh via JavaScript window.location

examples/forgejo.yml

@@ -147,7 +147,7 @@ rules:
       - name: 0
         action: check
         settings:
-          challenges: [js-pow-sha256, http-cookie-check]
+          challenges: [js-refresh, http-cookie-check]
       - name: 1
         action: check
         settings:
@@ -173,7 +173,7 @@ rules:
       - 'path.matches("^/[^/]+/[^/]+/archive/.*\\.(bundle|zip|tar\\.gz)") && ($is-generic-browser)'
     action: challenge
     settings:
-      challenges: [ js-pow-sha256 ]
+      challenges: [ js-refresh ]
 
   - name: allow-git-operations
     conditions:
@@ -242,11 +242,11 @@ rules:
       - name: 0
         action: check
         settings:
-          challenges: [preload-link, header-refresh, js-pow-sha256, http-cookie-check]
+          challenges: [preload-link, header-refresh, js-refresh, http-cookie-check]
       - name: 1
         action: check
         settings:
-          challenges: [ resource-load, js-pow-sha256, http-cookie-check ]
+          challenges: [ resource-load, js-refresh, http-cookie-check ]
 
   - name: standard-bots
     action: check
@@ -274,7 +274,7 @@ rules:
       # if DNSBL fails, check additional challenges
       fail: check
       fail-settings:
-        challenges: [js-pow-sha256, http-cookie-check]
+        challenges: [js-refresh, http-cookie-check]
 
   # Allow PUT/DELETE/PATCH/POST requests in general
   - name: non-get-request
@@ -321,7 +321,7 @@ rules:
   - name: standard-browser
     action: challenge
     settings:
-      challenges: [http-cookie-check, preload-link, meta-refresh, resource-load, js-pow-sha256]
+      challenges: [http-cookie-check, preload-link, meta-refresh, resource-load, js-refresh, js-pow-sha256]
     conditions:
       - '($is-generic-browser)'
 

examples/generic.yml

@@ -98,7 +98,7 @@ rules:
       - name: 0
         action: check
         settings:
-          challenges: [js-pow-sha256]
+          challenges: [js-refresh]
       - name: 1
         action: check
         settings:
@@ -122,12 +122,12 @@ rules:
       # if DNSBL fails, check additional challenges
       fail: check
       fail-settings:
-        challenges: [js-pow-sha256]
+        challenges: [js-refresh]
 
   - name: suspicious-fetchers
     action: check
     settings:
-      challenges: [js-pow-sha256]
+      challenges: [js-refresh]
     conditions:
       - 'userAgent.contains("facebookexternalhit/") || userAgent.contains("facebookcatalog/")'
 
@@ -170,7 +170,7 @@ rules:
   - name: standard-browser
     action: challenge
     settings:
-      challenges: [preload-link, meta-refresh, resource-load, js-pow-sha256]
+      challenges: [preload-link, meta-refresh, resource-load, js-refresh]
     conditions:
       - '($is-generic-browser)'
 

examples/snippets/challenge-js-refresh.yml

@@ -0,0 +1,6 @@
+challenges:
+  js-refresh:
+    # Challenges with a redirect via window.location (requires HTML parsing and JavaScript logic)
+    runtime: "refresh"
+    parameters:
+      refresh-via: "javascript"

lib/challenge/refresh/refresh.go

@@ -1,9 +1,12 @@
 package refresh
 
 import (
+	"encoding/json"
+	"fmt"
 	"git.gammaspectra.live/git/go-away/lib/challenge"
 	"github.com/goccy/go-yaml"
 	"github.com/goccy/go-yaml/ast"
+	"html/template"
 	"net/http"
 	"time"
 )
@@ -45,7 +48,17 @@ func FillRegistration(state challenge.StateInterface, reg *challenge.Registratio
 			return challenge.VerifyResultFail
 		}
 
-		if params.Mode == "meta" {
+		if params.Mode == "javascript" {
+			data, err := json.Marshal(uri.String())
+			if err != nil {
+				return challenge.VerifyResultFail
+			}
+			state.ChallengePage(w, r, state.Settings().ChallengeResponseCode, reg, map[string]any{
+				"EndTags": []template.HTML{
+					template.HTML(fmt.Sprintf("<script type=\"text/javascript\">window.location = %s;</script>", string(data))),
+				},
+			})
+		} else if params.Mode == "meta" {
 			state.ChallengePage(w, r, state.Settings().ChallengeResponseCode, reg, map[string]any{
 				"MetaTags": []map[string]string{
 					{