fix: expires with utc datetime

Author: ovx

altcha/altcha.py

@@ -9,6 +9,7 @@
 import urllib.parse
 from typing import Literal, TypedDict, cast, overload
 import datetime
+from datetime import timezone
 
 # Define algorithms
 SHA1: Literal["SHA-1"] = "SHA-1"
@@ -426,7 +427,16 @@ def create_challenge(
         salt_params = dict(urllib.parse.parse_qsl(salt_query))
 
     if options.expires:
-        salt_params["expires"] = str(int(time.mktime(options.expires.timetuple())))
+        expires = options.expires
+
+        if expires.tzinfo is None:
+            # Backward compatibility: assume naive datetimes are local time
+            timestamp = int(time.mktime(expires.timetuple()))
+        else:
+            # Aware datetimes: use true UTC timestamp
+            timestamp = int(expires.timestamp())
+
+        salt_params["expires"] = str(timestamp)
 
     if options.params:
         salt_params.update(options.params)
@@ -723,3 +733,14 @@ def solve_challenge(
             return Solution(n, took)
 
     return None
+
+def _normalize_expires(expires: datetime.datetime | None) -> datetime.datetime | None:
+    if expires is None:
+        return None
+
+    # Case 1: naive datetime → assume UTC (backward compatibility)
+    if expires.tzinfo is None:
+        return expires.replace(tzinfo=timezone.utc)
+
+    # Case 2: aware datetime (any timezone) → convert to UTC
+    return expires.astimezone(timezone.utc)

tests/test_altcha.py

@@ -129,6 +129,30 @@ def test_verify_solution_max_number(self):
         result, _ = verify_solution(payload_encoded, self.hmac_key, check_expires=False)
         self.assertTrue(result)
 
+    def test_verify_solution_expires_utc(self):
+        options = ChallengeOptions(
+            algorithm="SHA-256",
+            max_number=1000,
+            salt_length=16,
+            hmac_key=self.hmac_key,
+            salt="somesalt",
+            number=123,
+            expires=datetime.datetime.now(datetime.timezone.utc),
+        )
+        challenge = create_challenge(options)
+        payload = Payload(
+            algorithm="SHA-256",
+            challenge=challenge.challenge,
+            number=123,
+            salt=challenge.salt,
+            signature=challenge.signature,
+        )
+        payload_encoded = base64.b64encode(
+            json.dumps(payload.__dict__).encode()
+        ).decode()
+        result, _ = verify_solution(payload_encoded, self.hmac_key, check_expires=True)
+        self.assertFalse(result)
+
     def test_verify_solution_not_expired(self):
         options = ChallengeOptions(
             algorithm="SHA-256",