I am following the instructions on this page to implement the invisible recaptcha. Everything works great, but how do I know it is working? Is there a way to force a false to test it?
Also, the documentation is not clear on the above page, but some places have additional code to verify the user's "response" (it's invisible so I'm not sure what the response is here) - so do I need to add additional back end logic to hit this endpoint with the invisible reCaptcha resulting token and my secret key?
What happens when the user clicks submit on the invisible recaptcha? What is done in the API to return the token? What is the token for? What does the siteverify API then do to determine it's a person? Why isn't additional verification needed when the reCAPTCHA V2 (visible click one) is used?
After some testing it looks like you could just do the front end part. The data callback function is not called until Google is sure you are a person; if Google is not sure then it loads the "select which tiles have a thing in them" reCaptcha to be sure. Once the reCaptcha API is sure that it is a person, the data callback function is fired - at that time you can do further validation to ensure that the token you received during the callback is the one that Google actually sent and not a bot trying to fool you by hitting your callback function - so from there you do server side processing for further validation. Below is an example of a C# ashx handler and the AJAX for the validation:
    function onTestSubmit(token) {
        $.ajax({
            type: "POST",
            url: "testHandler.ashx",
            data: { token: token },
            success: function (response) {
                if (response == "True") {
                    //do stuff to submit form
                }
            }
        });
    }
And the ashx:

    using System;
    using System.Collections.Generic;
    using System.Web;

    public class testHandler : IHttpHandler {
        public void ProcessRequest (HttpContext context) {
            context.Response.ContentType = "text/plain";
            string token = context.Request.Form["token"];
            // Ask Google whether the token posted by the browser is genuine.
            bool isCaptchaValid = ReCaptcha.Validate(token);
            context.Response.Write(isCaptchaValid.ToString());
        }
        public bool IsReusable {
            get {
                return false;
            }
        }
    }

    public class ReCaptcha
    {
        private static string URL =
            "https://www.google.com/recaptcha/api/siteverify?secret={0}&response={1}";
        private static string SECRET = "shhhhhhhhhhhhhhSecretTOken";
        public bool Success { get; set; }
        // Not filled by JavaScriptSerializer: the JSON key is "error-codes".
        public List<string> ErrorCodes { get; set; }

        public static bool Validate(string encodedResponse)
        {
            if (string.IsNullOrEmpty(encodedResponse)) return false;
            // Escape the client-supplied token so it cannot alter the query string.
            string url = string.Format(URL, Uri.EscapeDataString(SECRET),
                Uri.EscapeDataString(encodedResponse));
            using (var client = new System.Net.WebClient())
            {
                var googleReply = client.DownloadString(url);
                var serializer = new System.Web.Script.Serialization.JavaScriptSerializer();
                var reCaptcha = serializer.Deserialize<ReCaptcha>(googleReply);
                return reCaptcha.Success;
            }
        }
    }
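An added example, not part of the original answer: a server-side check that sends the secret and token in the POST body and then judges the whole siteverify reply (`success`, `hostname`, `challenge_ts`, `error-codes`) rather than `success` alone. The class name `CaptchaGate`, the expected hostname, the two-minute age limit and the sample replies are assumptions made for illustration.

```csharp
using System;
using System.Collections;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Globalization;
using System.Linq;
using System.Net;
using System.Text;
using System.Web.Script.Serialization; // System.Web.Extensions, as in the answer

public static class CaptchaGate // hypothetical name
{
    const string VerifyUrl = "https://www.google.com/recaptcha/api/siteverify";
    const string ExpectedHost = "www.example.com";              // assumption: your hostname
    static readonly TimeSpan MaxAge = TimeSpan.FromMinutes(2);  // assumption: local policy
    // A POST body keeps the secret and the token out of URLs and access logs.
    public static string FetchReply(string secret, string token)
    {
        using (var client = new WebClient())
        {
            var form = new NameValueCollection { { "secret", secret }, { "response", token } };
            return Encoding.UTF8.GetString(client.UploadValues(VerifyUrl, "POST", form));
        }
    }

    // Pure decision over the siteverify JSON: null when accepted, else the reason.
    public static string Reject(string replyJson, DateTime nowUtc)
    {
        var r = new JavaScriptSerializer().Deserialize<Dictionary<string, object>>(replyJson);
        object v;
        if (!r.TryGetValue("success", out v) || !true.Equals(v))
            return "failed: " + (r.TryGetValue("error-codes", out v) && v is IEnumerable
                ? string.Join(",", ((IEnumerable)v).Cast<object>()) : "no error code");
        if (!r.TryGetValue("hostname", out v) || !ExpectedHost.Equals(v as string, StringComparison.OrdinalIgnoreCase))
            return "token was solved on another host";
        DateTime ts;
        if (!r.TryGetValue("challenge_ts", out v) || !DateTime.TryParse(v as string, CultureInfo.InvariantCulture,
                DateTimeStyles.AdjustToUniversal, out ts) || nowUtc - ts > MaxAge)
            return "challenge is missing a timestamp or too old";
        return null;
    }
    public static void Main()
    {
        var now = new DateTime(2024, 1, 1, 12, 1, 0, DateTimeKind.Utc); // constructed clock; replies below are constructed too
        Console.WriteLine(Reject("{\"success\":true,\"challenge_ts\":\"2024-01-01T12:00:00Z\",\"hostname\":\"www.example.com\"}", now) ?? "accepted");
        Console.WriteLine(Reject("{\"success\":true,\"challenge_ts\":\"2024-01-01T12:00:00Z\",\"hostname\":\"other.example\"}", now));
        Console.WriteLine(Reject("{\"success\":false,\"error-codes\":[\"timeout-or-duplicate\"]}", now));
    }
}
```

Call `Reject(FetchReply(secret, token), DateTime.UtcNow)` inside the handler that actually processes the form, so the decision does not depend on the browser honouring the `"True"` response.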