fix: salt parameter splicing

Author: ovx

lib/altcha.rb

@@ -254,6 +254,7 @@ def self.create_challenge(options)
 
     salt = options.salt || random_bytes(salt_length).unpack1('H*')
     salt += "?#{URI.encode_www_form(params)}" unless params.empty?
+    salt += salt.end_with?('&') ? '' : '&'
 
     number = options.number || random_int(max_number)
 

spec/altcha_spec.rb

@@ -87,6 +87,25 @@
       expect(Altcha.verify_solution(payload, hmac_key, true)).to be true
     end
 
+    it 'fails to verify an incorrect solution with salt splicing' do
+      challenge_options_with_expires = Altcha::ChallengeOptions.new(
+        algorithm: algorithm,
+        expires: Time.now.to_i + 3600,
+        hmac_key: hmac_key,
+        salt: salt,
+        number: 123
+      ) 
+      challenge = Altcha.create_challenge(challenge_options_with_expires)
+      payload = {
+        algorithm: algorithm,
+        challenge: challenge.challenge,
+        number: 23,
+        salt: challenge.salt + '1',
+        signature: challenge.signature
+      }
+      expect(Altcha.verify_solution(payload, hmac_key, true)).to be false
+    end
+
     it 'fails to verify an incorrect solution' do
       payload = { algorithm: algorithm, challenge: 'wrong_challenge', number: number, salt: salt, signature: 'wrong_signature' }
       expect(Altcha.verify_solution(payload, hmac_key, false)).to be false
@@ -131,7 +150,7 @@
   describe '.solve_challenge' do
     it 'solves a challenge correctly' do
       challenge = Altcha.create_challenge(challenge_options)
-      solution = Altcha.solve_challenge(challenge.challenge, salt, algorithm, 10_000, 0)
+      solution = Altcha.solve_challenge(challenge.challenge, challenge.salt, algorithm, 10_000, 0)
       expect(solution).not_to be_nil
       expect(solution.number).to eq(number)
     end