PHPackages                             o3-shop/altcha-module - PHPackages - PHPackages  [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register)

1. [Directory](/)
2. /
3. [Security](/categories/security)
4. /
5. o3-shop/altcha-module

ActiveOxideshop-module[Security](/categories/security)

o3-shop/altcha-module
=====================

Altcha (self-hosted, proof-of-work) provider for the O3-Shop core CAPTCHA layer

00PHP

Since Jul 1Pushed yesterdayCompare

[ Source](https://github.com/o3-shop/altcha-module)[ Packagist](https://packagist.org/packages/o3-shop/altcha-module)[ RSS](/packages/o3-shop-altcha-module/feed)WikiDiscussions main Synced today

READMEChangelogDependenciesVersions (1)Used By (0)

O3-Shop Altcha CAPTCHA Module
=============================

[](#o3-shop-altcha-captcha-module)

Self-hosted, privacy-friendly [Altcha](https://altcha.org/) (proof-of-work) provider for the O3-Shop core CAPTCHA layer. No third-party calls, no tracking, no operator account — GDPR-clean by design.

The module ships **no forms, templates or blocks** — storefront widget rendering and the admin CAPTCHA screen live in O3-Shop core. This module contributes one CAPTCHA *provider* (plus a challenge endpoint and the self-hosted widget asset), wired in via the `oxid.captcha.provider` DI tag.

Requirements
------------

[](#requirements)

- **PHP 8.1+** (depends on [`altcha-org/altcha`](https://github.com/altcha-org/altcha-lib-php), which requires `php >= 8.1`).
- O3-Shop with the core pluggable CAPTCHA layer (`CaptchaProviderInterface` + `oxid.captcha.provider`).

Install
-------

[](#install)

```
composer require o3-shop/altcha-module
./vendor/bin/oe-console oe:module:activate o3altcha
```

Configure
---------

[](#configure)

In **Admin → CAPTCHA**: select **Altcha**, optionally adjust **Difficulty**(max random number; low ≈ 50000, medium ≈ 100000, high ≈ 500000). The per-shop HMAC secret is auto-generated on first use and never sent to the browser.

Because Altcha is proof-of-work and makes no third-party calls, it is **consent-exempt**: it is never gated by the core cookie-consent modes.

### Three modes

[](#three-modes)

Set **Mode** to select the operating mode (`local` is the default).

1. **This shop is the Altcha server (`local`, default).** Leave **Challenge URL** empty. The shop issues challenges at `index.php?cl=altcha_challenge`, signed with an auto-generated per-shop HMAC secret. No external network calls.
2. **External self-hosted Altcha server (`external`).** Set **Mode** to `external`, **Challenge URL**to your Altcha server's challenge endpoint, and **Shared HMAC secret** to the HMAC key that server signs with. The widget fetches challenges from your server; the shop still verifies solutions **locally** with the shared secret (no verify-time API call). The **Difficulty**setting applies only in mode 1 (in mode 2 the external server controls difficulty).

    > **Both fields are required for external mode.** If you set a Challenge URL but leave the Shared HMAC secret empty, the widget loads against the external server but the shop verifies with its own local secret, so every submission is rejected. The module logs a `WARNING` in this case — check the shop log if an external-mode form rejects all submissions.
3. **ALTCHA Sentinel (self-hosted bot-detection server).** Set **Mode** to `sentinel`, **Challenge URL**to your Sentinel challenge endpoint, and **Sentinel API-key secret** to the key secret. The widget talks to Sentinel; Sentinel returns a *signed verdict* which the shop verifies **locally** with `verifyServerSignature` (no verify-time API call), so Sentinel's bot/spam detection gates submissions.

    > **The Sentinel API-key secret is required for sentinel mode.** Without it the shop cannot verify Sentinel's signed response and every submission will be rejected. The module logs a `WARNING` in this case — check the shop log if a sentinel-mode form rejects all submissions.

Adding Altcha to a new form
---------------------------

[](#adding-altcha-to-a-new-form)

No module changes are needed. A form is protected automatically once:

1. its form-id is registered in the core `CaptchaFormRegistry`, and
2. its template calls `[{$oViewConf->getCaptchaWidget('')}]`, and
3. its controller calls `verifyForForm('', Registry::getRequest())` before processing.

When Altcha is the active provider, that form then renders the `` and verifies the posted `altcha` solution server-side.

How it works
------------

[](#how-it-works)

ClassRole`Provider\AltchaProvider`consent-exempt provider (`altcha`); renders ``, verifies the `altcha` field`Controller\AltchaChallengeController``cl=altcha_challenge` — JSON challenge endpoint (throttled, `no-store`)`Challenge\AltchaChallengeService`mints/verifies challenges via `altcha-org/altcha``Secret\HmacSecretProvider`per-shop HMAC secret (auto-generate / rotate)`Throttle\FixedWindowChallengeThrottle`per-IP challenge-issuance throttleLicense
-------

[](#license)

GPL-3.0

###  Health Score

20

↑

LowBetter than 13% of packages

Maintenance65

Regular maintenance activity

Popularity0

Limited adoption so far

Community6

Small or concentrated contributor base

Maturity11

Early-stage or recently created project

 Bus Factor1

Top contributor holds 100% of commits — single point of failure

How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.

**Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.

**Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.

**Maturity (30%)** — Project age, version count, PHP version support, and release stability.

### Community

Maintainers

![](https://www.gravatar.com/avatar/53b105106ade5f151851db1839b344f7be04f17d881c49ca0f4da0867d5b2d82?d=identicon)[o3-shop](/maintainers/o3-shop)

---

Top Contributors

[![nlo-tronet](https://avatars.githubusercontent.com/u/206915827?v=4)](https://github.com/nlo-tronet "nlo-tronet (1 commits)")

### Embed Badge

![Health badge](/badges/o3-shop-altcha-module/health.svg)

```
[![Health](https://phpackages.com/badges/o3-shop-altcha-module/health.svg)](https://phpackages.com/packages/o3-shop-altcha-module)
```

###  Alternatives

[mews/purifier

Laravel 5/6/7/8/9/10 HtmlPurifier Package

2.0k18.7M141](/packages/mews-purifier)[paragonie/ecc

PHP Elliptic Curve Cryptography library

24820.0k36](/packages/paragonie-ecc)

PHPackages © 2026

[Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)
