bbysaeth/typo3-altcha
=====================

TYPO3 form element for spam protection by utilizing the proof-of-work mechanism Altcha.

v1.0.1 · GPL-2.0-or-later · [Source](https://github.com/bbysaeth/typo3-altcha) · [Packagist](https://packagist.org/packages/bbysaeth/typo3-altcha)

TYPO3 Extension `ALTCHA`
========================

This TYPO3 extension integrates ALTCHA Widget v3 into TYPO3 `ext:form`. It uses ALTCHA's proof-of-work approach to protect forms against spam and abuse without visual puzzles or tracking-based captcha techniques.

Features
--------

- ALTCHA Widget v3 form element for `ext:form`
- Customizable expiration time of challenges
- Local uncached challenge endpoint for cached TYPO3 forms
- Proxy endpoints for self-hosted ALTCHA or Sentinel setups
- Scheduler task for removing obsolete (expired and solved) challenges

Installation
------------

Install this TYPO3 extension using [Composer](https://getcomposer.org):

```
composer require bbysaeth/typo3-altcha
```

Choose one integration method and update the database schema via the install tool:

- **Site Set (recommended, TYPO3 v13.4+)**: include `bbysaeth/typo3-altcha` in your site configuration.
- **Static Template (classic)**: add `Altcha Form Element` in your TypoScript template record.

This TYPO3 extension is licensed under the GNU General Public License Version 2 (GPLv2).

Configuration
-------------

### TypoScript Integration: Site Set or Static Template

This extension supports both TYPO3 integration approaches:

- **Site Set** via `Configuration/Sets/typo3-altcha/`
- **Classic static TypoScript template** via `Configuration/TypoScript/`

Do not load both at the same time. Use one method per site.

### Supported TYPO3 Versions

- `13.4 LTS`
- current `14.x` release line until `14.3 LTS` is available

### Extension Configuration

`HMAC Secret Key (basic.hmac [string])`
HMAC secret key for challenge generation. If not defined, TYPO3's encryption key will be used.

### TypoScript Configuration Settings

The following TypoScript settings are available:

- `plugin.tx_altcha.minimumComplexity` *(integer)* – Minimum number for range of complexity
- `plugin.tx_altcha.maximumComplexity` *(integer)* – Cost used for local `PBKDF2/SHA-256` challenge generation
- `plugin.tx_altcha.expires` *(integer)* – Seconds after which the challenge expires
- `plugin.tx_altcha.widgetType` *(checkbox, switch, native)* – Select the widget control style
- `plugin.tx_altcha.hideAltchaLogo` *(bool)* – Hide the ALTCHA logo in the widget
- `plugin.tx_altcha.hideFooter` *(bool)* – Hide the ALTCHA footer text and link
- `plugin.tx_altcha.auto` *(Choose: disabled, onload, onfocus)* – Enable/Disable auto verify onload or onfocus

### Form Caching and Challenge Generation

**Important:** This extension automatically uses an uncached endpoint (`/?type=1768669000`) for local challenge generation to prevent form caching issues. This avoids reused challenges in cached forms and keeps ALTCHA Widget v3 compatible with TYPO3 page caching.

No additional configuration is required – the extension handles this automatically.

### Self-hosted ALTCHA Server

You can use a self-hosted Altcha server instead of local challenge generation. Configure the following TypoScript settings:

- `plugin.tx_altcha.challengeUrl` *(string)* – Challenge endpoint URL passed to the widget as `challenge`
- `plugin.tx_altcha.verifyUrl` *(string)* – Verification endpoint URL for server-side verification
- `plugin.tx_altcha.apiKey` *(string, optional)* – API key sent via headers (`Authorization: Bearer` and `X-Altcha-API-Key`)

**Using the Proxy Endpoints (Recommended)**

When both `challengeUrl` and `apiKey` are configured, the extension automatically uses built-in proxy endpoints that:

- Forward requests to your self-hosted server
- Attach the API key via HTTP headers (`Authorization: Bearer {apiKey}` and `X-Altcha-API-Key: {apiKey}`)
- Keep the API key secure (not exposed in frontend HTML)

**Direct URL Mode (Optional)**

If you set only `challengeUrl` without `apiKey`, the widget will connect directly to your server. This is suitable for same-origin servers using session cookies or public endpoints.

**Local Mode (Default)**

If neither `challengeUrl` nor `verifyUrl` is set, the extension uses:

- **Challenge generation**: Uncached endpoint (`/?type=1768669000`) that generates local `PBKDF2/SHA-256` challenges
- **Verification**: Server-side validation in PHP via `AltchaValidator` (no separate verification endpoint required)
- **Benefit**: Prevents form caching issues without requiring `USER_INT` configuration
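Why a local challenge needs the HMAC key, an expiry and a record of solved challenges, as an added PHP sketch (not this extension's code and not the ALTCHA wire format). The function names, the `DEMO_*` constants, the challenge fields and the number-search scheme are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added sketch: not the ALTCHA wire format and not this extension's code.
const DEMO_SECRET = 'constructed-demo-key'; // plays the role of basic.hmac
const DEMO_COST = 100;                      // assumed PBKDF2 iteration count

function work(int $n, string $salt): string
{
    return hash_pbkdf2('sha256', (string)$n, $salt, DEMO_COST);
}

function sign(array $c): string
{
    return hash_hmac('sha256', "{$c['salt']}|{$c['target']}|{$c['expiresAt']}", DEMO_SECRET);
}

function createChallenge(int $maxNumber, int $expires, int $now): array
{
    $salt = bin2hex(random_bytes(12));
    $c = ['salt' => $salt, 'target' => work(random_int(0, $maxNumber), $salt),
          'expiresAt' => $now + $expires, 'maxNumber' => $maxNumber];
    return $c + ['signature' => sign($c)];
}

function solve(array $c): ?int // client side: the brute-force search is the "work"
{
    for ($n = 0; $n <= $c['maxNumber']; $n++) {
        if (work($n, $c['salt']) === $c['target']) return $n;
    }
    return null;
}

// Server side: authenticity, freshness and single use before the work is checked.
function verify(array $c, int $n, int $now, array &$solved): string
{
    if (!hash_equals(sign($c), $c['signature'])) return 'bad-signature';
    if ($now > $c['expiresAt']) return 'expired';
    if (isset($solved[$c['signature']])) return 'replayed';
    if (!hash_equals($c['target'], work($n, $c['salt']))) return 'wrong-solution';
    $solved[$c['signature']] = $c['expiresAt']; // purgeable once expired
    return 'ok';
}

$solved = []; $now = 1700000000; // constructed clock value
$c = createChallenge(200, 300, $now);
$n = solve($c);
echo verify($c, $n, $now + 10, $solved), PHP_EOL;  // first submission
echo verify($c, $n, $now + 20, $solved), PHP_EOL;  // same challenge again
echo verify(['expiresAt' => $now + 9999] + $c, $n, $now + 400, $solved), PHP_EOL; // deadline edited
```

The `$solved` map stands in for the stored challenges that the scheduler task removes once they are expired; a challenge baked into a cached form would hit the single-use check on its second submission, which is the problem the uncached endpoint avoids.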

Widget v3 Notes
---------------

- The extension now uses the widget's `challenge` attribute instead of the removed `challengeurl` or `challengejson` attributes.
- Existing self-hosted integrations can continue to use the TypoScript settings `challengeUrl` and `verifyUrl`; the extension maps these settings to the v3 widget API internally.
- The extension exposes `widgetType` directly and passes `hideAltchaLogo` and `hideFooter` through the widget's `configuration` JSON.
- The extension does not currently expose advanced v3 algorithm configuration for local challenges. The initial local integration targets `PBKDF2/SHA-256`.
- Built-in ALTCHA themes are not wired yet, because they require additional theme CSS assets to be shipped and selected cleanly in TYPO3.

---

Customizing ALTCHA Texts
------------------------

### 1. Create Your Own Partial

Create a new file at the following location in your extension or site package:

```
EXT:my_extension/Resources/Private/Frontend/Partials/AltchaTranslations.html
```

Replace `my_extension` with the key of your sitepackage or custom extension.

### 2. Add YAML Configuration to Register Partial Path

To let TYPO3 know about your new partial path, extend the YAML configuration of the Form Framework. In your sitepackage, add the following file:

**`Configuration/Form/Overrides/form_editor.yaml`**

```
TYPO3:
  CMS:
    Form:
      prototypes:
        standard:
          renderingOptions:
            partialRootPaths:
              20: "EXT:my_extension/Resources/Private/Frontend/Partials/"
```

> Your YAML file must be included in TypoScript with a key **higher than the one used by this extension (e.g. > 125)** to ensure it overrides the default path.

In your TypoScript setup:

```
plugin.tx_form.settings.yamlConfigurations {
    125 = EXT:altcha/Configuration/Yaml/FormSetup.yaml
    200 = EXT:my_extension/Configuration/Form/Overrides/form_editor.yaml
}
```

This ensures that your own YAML is loaded **after** the one provided by Altcha.

---

### Available Translation Keys

You can define any of the following keys inside your `AltchaTranslations.html`:

- `ariaLinkLabel`
- `enterCode`
- `enterCodeAria`
- `error`
- `expired`
- `footer`
- `getAudioChallenge`
- `label`
- `loading`
- `reload`
- `verify`
- `verificationRequired`
- `verified`
- `verifying`
- `waitAlert`

---

### Example with Static Texts

**`EXT:my_extension/Resources/Private/Frontend/Partials/AltchaTranslations.html`:**

```

```

---

### Example with TYPO3 Localization

If you want to use TYPO3’s localization, add the relevant labels to your `locallang.xlf`.

**Partial Example:**

```

```

---

License
-------

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.

###  Release Activity

- Cadence: every ~38 days (recently every ~30 days)
- Total: 19
- Last release: 43d ago
- Major versions: v0.6.3 → v1.0.0 (2026-04-17)

### Community

- Maintainers: bbysaeth
- Top contributors: [bbysaeth](https://github.com/bbysaeth) (37 commits), [Danny-HPH](https://github.com/Danny-HPH) (3 commits), [schliesser](https://github.com/schliesser) (3 commits), [offlineBlogger](https://github.com/offlineBlogger) (2 commits), [lleicher-sg](https://github.com/lleicher-sg) (1 commit), [woemar](https://github.com/woemar) (1 commit)
- Tags: recaptcha, spam, captcha, Abuse, bot, typo3, spam protection, proof-of-work, ALTCHA

###  Code Quality

- Static analysis: PHPStan
- Type coverage: yes
