igorkasyanchuk/new_google_recaptcha

Gem will not fully work with reCAPTCHA v3

Closed this issue · 5 comments

Hello.

Thanks for the gem, but after investigation I found it really will not work as expected and only checks that reCAPTCHA works inside a Rails application. Why?

reCAPTCHA v3 returns a score for each request without user friction. The score is based on interactions with your site and enables you to take an appropriate action for your site.

Next, move to "Site Verify Response" inside the doc:

  {
    "success": true|false,      // whether this request was a valid reCAPTCHA token for your site
    "score": number,            // the score for this request (0.0 - 1.0)
    "action": string,           // the action name for this request (important to verify)
    "challenge_ts": timestamp,  // timestamp of the challenge load (ISO format yyyy-MM-dd'T'HH:mm:ssZZ)
    "hostname": string,         // the hostname of the site where the reCAPTCHA was solved
    "error-codes": [...]        // optional
  }

So as we can see, success only means that the token is valid, nothing more. To check bot or human we need to check the score, which is between 0 and 1. The developer needs to adjust the check for this score inside the codebase based on the action (for example valid?(token, scope)).

Also we should check the action, so a hacker will not replace the action on the frontend with some other one with a lower score and pass verification.

Right now https://github.com/igorkasyanchuk/new_google_recaptcha/blob/master/lib/new_google_recaptcha/validator.rb#L9 only checks that the token is valid. The library will pass everyone with a valid token.

Hope this will help to improve the gem.
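The three checks the post above asks for (token validity, action name, score threshold), as an added example that is not the gem's code; the threshold, hostname check and sample siteverify bodies are assumptions constructed for the example:

```ruby
require "json"

# Added example (not new_google_recaptcha's validator): decide human vs. bot from a
# reCAPTCHA v3 siteverify response by checking success, action name and score.
module RecaptchaV3Check
  DEFAULT_MIN_SCORE = 0.5 # assumed threshold; tune it per action in your own app

  # verify_body: raw JSON string returned by the siteverify endpoint
  # expected_action: the action name the server expects for this endpoint
  # Returns [allowed (true/false), reason] so callers can log why a request was rejected.
  def self.verdict(verify_body, expected_action:, min_score: DEFAULT_MIN_SCORE, expected_hostname: nil)
    data = JSON.parse(verify_body)
    return [false, "token invalid: #{Array(data['error-codes']).join(',')}"] unless data["success"] == true
    # In v3 a valid token is not enough: the action must be the one this endpoint
    # expects, otherwise a token issued for another action would be accepted here.
    return [false, "action mismatch: #{data['action'].inspect}"] unless data["action"] == expected_action
    if expected_hostname && data["hostname"] != expected_hostname
      return [false, "hostname mismatch: #{data['hostname'].inspect}"]
    end
    score = data["score"]
    return [false, "missing score"] unless score.is_a?(Numeric)
    return [false, format("score %.2f below %.2f", score, min_score)] if score < min_score
    [true, "ok"]
  end

  def self.allowed?(*args, **kwargs)
    verdict(*args, **kwargs).first
  end
end

# Constructed sample responses (not real siteverify output).
HUMAN   = '{"success":true,"score":0.9,"action":"signup","challenge_ts":"2019-01-10T12:00:00Z","hostname":"example.test"}'
BOT     = '{"success":true,"score":0.1,"action":"signup","challenge_ts":"2019-01-10T12:00:00Z","hostname":"example.test"}'
SWAPPED = '{"success":true,"score":0.9,"action":"homepage","challenge_ts":"2019-01-10T12:00:00Z","hostname":"example.test"}'
BAD     = '{"success":false,"error-codes":["invalid-input-response"]}'

if __FILE__ == $PROGRAM_NAME
  [HUMAN, BOT, SWAPPED, BAD].each { |body| p RecaptchaV3Check.verdict(body, expected_action: "signup") }
end
```

Only the first sample passes; the 0.1-score token is rejected even though "success" is true, which is exactly the case the post describes.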

@le0pard hmm, this is strange, I remember I got "false" when I was submitting the form too fast. And "true" in case I was behaving like a human. Can you check the "dummy" app and see how it works for you?

And actually I was thinking about returning the score (and even have this in the TODO http://prntscr.com/lzhmxf)

@igorkasyanchuk only in reCAPTCHA v2 does success mean human or not. In v3 it only checks that the token is valid, because the developer decides how big the risk is and whether the action needs to be blocked. Here is a video:

https://youtu.be/tbvxFW4UJdU

Maybe submitting too fast just does not give enough time for the script

  grecaptcha.ready(function() {
      grecaptcha.execute('reCAPTCHA_site_key', {action: 'homepage'}).then(function(token) {
         ...
      });
  });

to get a token for reCAPTCHA (maybe in the gem it just sends a request with an empty token, because the hidden input has nothing).

I already checked on my own app: bots are not blocked, because the system needs to block them by score. Even a score of 0.1 still gets a valid token.

@le0pard I see... ok, do you want to make a PR for it? And maybe make the score configurable (with some default value)?

@igorkasyanchuk sorry, but I already made a solution in my own system. And the solution is very specialized to the app; I cannot extract it into the gem (too deep integration with ActiveRecord, ActionMailer, etc).

I made a PR: #6