Client Side:
// Client: once the reCAPTCHA library is ready, request a token for the 'submit'
// action and post it to the login API together with the rest of the user data.
grecaptcha.ready(function() {
// execute() expects the site key (the public half of the key pair) as its first
// argument; the site key is meant to be visible in client code.
grecaptcha.execute('6Le4oroZABBXXIQCQkAYCXYSekNQnWExTeNUBZ-B', {action: 'submit'}).then(function(token) {
// The token is stored under the key 'repatcha_token' (spelled this way); the
// server handler reads the same key.
$scope.userData['repatcha_token'] = token
$http.post('/api/user/login', {
userData: $scope.userData
}).then(function (res) {
//CODE
});
// NOTE(review): the snippet stops here; the closing of the execute() callback
// and of the ready() callback is not shown.
Server side:
// Server: login handler that sends the client's reCAPTCHA token to Google's
// siteverify endpoint and rejects the request when verification fails.
router.post('/login', (req, res) => {
// NOTE(review): userData is taken straight from the request body; if it is
// missing, the userData.repatcha_token access below throws.
let userData = req.body.userData;
request.post({
url:'https://www.google.com/recaptcha/api/siteverify',
form: {
// NOTE(review): this is the same string the client passes to
// grecaptcha.execute(). siteverify expects the secret key, which is a different
// value from the site key; sending the site key here is consistent with an
// 'invalid-input-secret' response. The secret key belongs in server-side
// configuration (for example an environment variable), not in client code or in
// the source file. If this string is in fact the secret key, it is exposed in
// the client snippet and should be regenerated.
secret:'6Le4oroZABBXXIQCQkAYCXYSekNQnWExTeNUBZ-B',
response:userData.repatcha_token
}},
function(err,httpResponse,body){
// NOTE(review): err is never checked and JSON.parse throws on a non-JSON body;
// both cases should be handled as a failed verification.
let myBody = JSON.parse(body)
// Reject with HTTP 400 when siteverify reports the token as not valid.
if(!myBody.success){
return res.status(400).json({
"message": "Re-captcha failed",
"success": false
});
}
// NOTE(review): only `success` is checked. The client uses the v3-style
// execute() call with an action, and a v3 siteverify response also carries
// `score`, `action` and `hostname`; a login check would normally compare the
// action and apply a score threshold as well.
// NOTE(review): the snippet stops here; the rest of the handler is not shown.
In my login API I am getting:
{ success: false, 'error-codes': [ 'invalid-input-secret' ] }
The token is generated on the client side, but it is not verified on the server side. What secret should be used?
Should the secret key used on the server side be the same as the site key on the client side, or are they different?
When you create reCAPTCHA keys, you get two parts: a site key and a secret key. You should use the site key on the client side and provide the secret key when verifying on the server side. The secret key must stay on the server; it should never appear in client-side code. It looks like you're using the same key in both places, but I can't tell from looking whether it's your site key or your secret key.