chillu/silverstripe-recaptcha

Update to support reCAPTCHA v3

NightJar opened this issue · 1 comment

I think in context of protecting form submissions (which is the scope of this module), ReCAPTCHA v3 is actually worse than v2. With v2, we've got explicit "I'm not a robot" verification, or the better "Invisible" alternative which uses signals in the request combined with Google smarts, and only sometimes prompts for user verification.

The v3 API just allows you to send "actions" such as "submitting contact form", and you get back a score. If that score indicates a bot, it's up to site devs to make the next step: There is no built-in explicit verification. Since this module doesn't know anything about the site context, e.g. to trigger a login or MFA, or is designed to record other user actions (separate from form submissions).

v3 still needs server-side "site verification", which is bundled into this module - but that's just a simple POST request, so hardly worth supporting an endpoint that's separate from form submissions. If you want custom handling of verification scores (e.g. put a form submission into a moderation queue), I think it's worth building that into your own form submission logic. Adding this flow handling to a simple form field and "spam protector" would bloat the code and actually make it harder to follow than inlining it into your own form submission handling.

Overall, I think it's a bit confusing that Google called this v3; it's an evolved but separate use case that puts more responsibility back on the site dev. In my view, that's incompatible with the goals of this module. So I'm closing this request.

/cc @UndefinedOffset You might be interested in this rationale for https://github.com/UndefinedOffset/silverstripe-nocaptcha - maybe you decide differently :)
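To make the "inline it into your own form submission handling" point concrete, here is an added example (not code from this issue, the silverstripe-recaptcha module, or silverstripe-nocaptcha) of what that v3 flow looks like on the server: the single siteverify POST, followed by the action/hostname checks and a three-way score decision (accept, moderation queue, reject). The transport is injectable so the decision logic runs offline against constructed responses; the threshold values, the `MODERATE` outcome on a siteverify outage, and the `fake_post_factory` helper are assumptions of this example, not anything Google or the module prescribes.

```python
import json
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Callable, Optional

# Google's v3 verification endpoint; the request is a plain form-encoded POST.
SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"

# Outcomes a form handler can act on. Thresholds are assumptions: tune per site
# from real traffic, since v3 gives a 0.0 (bot) .. 1.0 (human) score, not a verdict.
ACCEPT, MODERATE, REJECT = "accept", "moderate", "reject"
ACCEPT_THRESHOLD = 0.7
MODERATE_THRESHOLD = 0.3


@dataclass
class VerifyResult:
    decision: str
    score: Optional[float]
    reason: str


def siteverify_post(secret: str, token: str, remote_ip: Optional[str] = None) -> dict:
    """The real transport: POST secret + token (+ optional remoteip) and parse the JSON."""
    fields = {"secret": secret, "response": token}
    if remote_ip:
        fields["remoteip"] = remote_ip
    body = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(SITEVERIFY_URL, data=body, timeout=5) as resp:
        return json.loads(resp.read().decode())


def verify_v3(
    secret: str,
    token: str,
    expected_action: str,
    expected_hostname: str,
    remote_ip: Optional[str] = None,
    post: Callable[..., dict] = siteverify_post,
) -> VerifyResult:
    """Verify a v3 token for one form submission and map the score to a decision."""
    if not token:
        return VerifyResult(REJECT, None, "missing g-recaptcha-response token")
    try:
        data = post(secret, token, remote_ip)
    except Exception as exc:  # network/HTTP failure
        # Fail to moderation rather than silently accepting or hard-blocking humans.
        return VerifyResult(MODERATE, None, f"siteverify unreachable: {exc}")

    if not data.get("success"):
        codes = ",".join(data.get("error-codes", [])) or "unknown"
        return VerifyResult(REJECT, None, f"siteverify failed: {codes}")
    score = data.get("score")
    # A token minted for another action (or another site) must not pass here,
    # otherwise a high-scoring token from a harmless page can be replayed on this form.
    if data.get("action") != expected_action:
        return VerifyResult(REJECT, score, "action mismatch")
    if data.get("hostname") != expected_hostname:
        return VerifyResult(REJECT, score, "hostname mismatch")

    score = float(score if score is not None else 0.0)
    if score >= ACCEPT_THRESHOLD:
        return VerifyResult(ACCEPT, score, "score above accept threshold")
    if score >= MODERATE_THRESHOLD:
        return VerifyResult(MODERATE, score, "grey-zone score: queue submission for moderation")
    return VerifyResult(REJECT, score, "score below reject threshold")


def fake_post_factory(response: dict) -> Callable[..., dict]:
    """Test helper: a transport that returns a constructed siteverify response."""
    def fake_post(secret: str, token: str, remote_ip: Optional[str] = None) -> dict:
        return response
    return fake_post


# Constructed siteverify responses in the documented shape (not real Google output).
CONSTRUCTED_HUMAN = {"success": True, "score": 0.9, "action": "contact_form",
                     "hostname": "example.com", "challenge_ts": "2020-01-01T00:00:00Z"}
CONSTRUCTED_GREY = dict(CONSTRUCTED_HUMAN, score=0.4)
CONSTRUCTED_BOT = dict(CONSTRUCTED_HUMAN, score=0.1)
CONSTRUCTED_WRONG_ACTION = dict(CONSTRUCTED_HUMAN, action="newsletter_signup")
CONSTRUCTED_BAD_TOKEN = {"success": False, "error-codes": ["invalid-input-response"]}


if __name__ == "__main__":
    for label, resp in [("human", CONSTRUCTED_HUMAN), ("grey", CONSTRUCTED_GREY),
                        ("bot", CONSTRUCTED_BOT), ("replay", CONSTRUCTED_WRONG_ACTION),
                        ("bad token", CONSTRUCTED_BAD_TOKEN)]:
        r = verify_v3("secret", "token", "contact_form", "example.com",
                      post=fake_post_factory(resp))
        print(f"{label:>9}: {r.decision:8} score={r.score} ({r.reason})")
```

The point the issue makes is visible in the shape of the code: everything after the POST (which action was expected, which hostname, where the thresholds sit, and what "moderate" means for this particular form) is site-specific policy, which is why it belongs next to the form handler rather than inside a generic spam-protector field.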