From fb14079ada81af9cfb182ee35bd19b1542535a66 Mon Sep 17 00:00:00 2001
From: mrkubax10 <mrkubax10@onet.pl>
Date: Wed, 29 Apr 2026 23:01:10 +0200
Subject: [PATCH] Send challenge page if client didn't verify yet

---
 mod_webgate.c | 44 +++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 41 insertions(+), 3 deletions(-)

diff --git a/mod_webgate.c b/mod_webgate.c
index 24185ed..eb0a08c 100644
--- a/mod_webgate.c
+++ b/mod_webgate.c
@@ -25,7 +25,7 @@ static bool check_user_agent_exception(request_rec* r) {
 	return apr_table_get(r->headers_in, "Git-Protocol");
 }
 
-static char* generate_token(apr_pool_t* pool) {
+static const char* generate_token(apr_pool_t* pool) {
 	char rnd[32];
 	apr_generate_random_bytes(rnd, sizeof(rnd));
 	char rnd_md5[APR_MD5_DIGESTSIZE];
@@ -39,9 +39,47 @@ static char* generate_token(apr_pool_t* pool) {
 
 // Generates new token and sets HTTP cookie containing it then presents client with challenge
 static void handle_challenge(request_rec* r) {
-	char* generated = generate_token(r->pool);
+	const char* const generated = generate_token(r->pool);
 	ap_cookie_write(r, TOKEN_COOKIE_NAME, generated, NULL, 0, r->headers_out, NULL);
-	ap_rprintf(r, "Token: %s\n", generated);
+
+	// Send challenge page beginning
+	ap_set_content_type(r, "text/html");
+	ap_rvputs(r, "<!DOCTYPE HTML>"
+		"<html lang=\"en\">"
+		"<head>"
+		"<title>mod_webgate</title>"
+		"</head>"
+		"<body>"
+		"<h5>mod_webgate: Please select appropriate option</h5>", NULL);
+
+	static const char* OPTION_STRINGS[] = {
+		"<a href=\"/fail\">I would like to access this server</a><br>",
+		"<a href=\"/success\">I would not like to access this server</a><br>",
+	};
+	unsigned char option_order[] = {
+		1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0
+	};
+
+	// Randomize options order
+	for(size_t i = 0; i<sizeof(option_order); i++) {
+		char swap_index;
+		apr_generate_random_bytes(&swap_index, 1);
+		swap_index%=sizeof(option_order);
+		if(swap_index==0)
+			swap_index = 1;
+		// Temporary value for swap
+		unsigned char temp = option_order[1];
+		option_order[1] = option_order[swap_index];
+		option_order[swap_index] = temp;
+	}
+
+	// Send options
+	for(size_t i = 0; i<sizeof(option_order); i++)
+		ap_rvputs(r, OPTION_STRINGS[option_order[i]], NULL);
+
+	// Finish page
+	ap_rvputs(r, "</body>"
+		"</html>", NULL);
 }
 
 static int request_check_handler(request_rec* r) {