From 4ff58d6fd51463135a5543cacefbb9a406913388 Mon Sep 17 00:00:00 2001
From: Joe Corall
Date: Wed, 4 Jun 2025 11:03:50 -0400
Subject: [PATCH 1/2] code cleanup
---
 main.go | 11 ++---------
 1 file changed, 2 insertions(+), 9 deletions(-)
diff --git a/main.go b/main.go
index f5aeeb6..407cc94 100644
--- a/main.go
+++ b/main.go
@@ -282,19 +282,12 @@ func (bc *CaptchaProtect) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 challengeOnPage := bc.ChallengeOnPage()
 if challengeOnPage && req.Method == http.MethodPost {
 response := req.FormValue(bc.captchaConfig.key + "-response")
- if response == "" {
- if !slices.Contains(bc.config.ProtectHttpMethods, req.Method) {
- bc.next.ServeHTTP(rw, req)
- return
- }
- } else {
+ if response != "" {
 statusCode := bc.verifyChallengePage(rw, req, clientIP)
 log.Info("Captcha challenge", "clientIP", clientIP, "method", req.Method, "path", req.URL.Path, "status", statusCode, "useragent", req.UserAgent())
 return
 }
- }
-
- if req.URL.Path == bc.config.ChallengeURL {
+ } else if req.URL.Path == bc.config.ChallengeURL {
 switch req.Method {
 case http.MethodGet:
 destination := req.URL.Query().Get("destination")
From 1921da6ceb1b70e80e25248adc4c992c9716eacc Mon Sep 17 00:00:00 2001
From: Joe Corall
Date: Wed, 4 Jun 2025 11:14:13 -0400
Subject: [PATCH 2/2] do not read form values
---
 main.go | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/main.go b/main.go
index 407cc94..e8cc7c1 100644
--- a/main.go
+++ b/main.go
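Review bot: In patch 1/2 the `} else if req.URL.Path == bc.config.ChallengeURL {` line changes control flow rather than just layout. With challengeOnPage true, a POST with an empty captcha response now skips the ChallengeURL switch entirely. It also no longer takes the removed `ProtectHttpMethods` pass-through to bc.next, so it falls through to whatever follows this chain. If that is intended, say so on the branch, e.g. `// on-page mode: a POST without a captcha response falls through to the normal checks below`; otherwise keep the ChallengeURL test as its own `if`. ServeHTTP starts and ends outside the hunk, so the fall-through target cannot be confirmed from here.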
@@ -281,8 +281,7 @@ func (bc *CaptchaProtect) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 clientIP, ipRange := bc.getClientIP(req)
 challengeOnPage := bc.ChallengeOnPage()
 if challengeOnPage && req.Method == http.MethodPost {
- response := req.FormValue(bc.captchaConfig.key + "-response")
- if response != "" {
+ if req.URL.Query().Get("challenge") != "" {
 statusCode := bc.verifyChallengePage(rw, req, clientIP)
 log.Info("Captcha challenge", "clientIP", clientIP, "method", req.Method, "path", req.URL.Path, "status", statusCode, "useragent", req.UserAgent())
 return
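Review bot: In patch 2/2 the new condition keys on a bare `challenge` query parameter, which is generic enough to collide with a protected backend's own parameters. While challengeOnPage is true, any POST carrying a non-empty `challenge` value is handed to verifyChallengePage and returns without reaching bc.next. The check it replaces was namespaced with bc.captchaConfig.key, so something like `if req.URL.Query().Get(bc.captchaConfig.key+"-challenge") != "" {` would keep that property, provided the code that builds the form action (not in this hunk) uses the same name. The reason is also worth recording on the line, e.g. `// query string only: FormValue would parse and consume the POST body before the next handler reads it`, which I assume is the motivation behind the commit title. ServeHTTP starts and ends outside the hunk.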