recaptcha-v3

Google's Recaptcha V3 - should I track the score, or suffice with the "success" being true?


Background: my website is pretty simple, containing a main page with a list of links (provided by 3rd party service) - each links pops up a file upload input with a submit button. In that popup I embedded the Recaptcha script, and verified the token upon file submission. Because of this multiple popup setup I chose V3 for zero user interactions with the verification mechanism.

Now a question arises - how should I interpret the response from Google?

Google documentation for V3 says:

reCAPTCHA learns by seeing real traffic on your site. For this reason, scores in a staging environment or soon after implementing may differ from production. As reCAPTCHA v3 doesn't ever interrupt the user flow, you can first run reCAPTCHA without taking action and then decide on thresholds by looking at your traffic in the admin console. By default, you can use a threshold of 0.5.

It is pretty clear to me, from this description, that the score is what matters - 0.0 for most likely bot, 1.0 for most likely human. So in my code, I check that success == true and score >= 0.5.

However - none of the V3 examples I find online for server-side validation pay any attention to the score. Here are 3 of them. All three only check for the request being successful:

https://stackoverflow.com/a/54118106/3367818

https://stackoverflow.com/a/52633797/3367818

https://dzone.com/articles/adding-google-recaptcha-v3-to-your-laravel-app

Finally, my question is - is that a misconception of V3's mechanism, or is it me missing something?

Thanks.


Solution

  • To complement the answer of @BrettM...

    It depends on the way the verification is being handled.

    Using reCAPTCHA PHP client library:

    See ReCaptcha::verify(), lines 180-182.

    • When setting the threshold:
      // composer package google/recaptcha
      use ReCaptcha\ReCaptcha;

      $recaptcha = new ReCaptcha($secret);
      $response = $recaptcha
              ->setExpectedHostname($hostname)   // reject tokens minted for another site
              ->setExpectedAction($action)       // reject tokens minted for another form
              ->setScoreThreshold(.5)            // verify() fails when score < 0.5
              ->verify($token, $ip);
      
      $response->isSuccess() will return false when threshold is not met.
      $response->getErrors() will contain E_SCORE_THRESHOLD_NOT_MET
    • Without setting the threshold:
      $response->isSuccess() will return true, unless there are errors.
      $response->getScore() should now be checked.

    Without using reCAPTCHA PHP client library:

    Both $response['success'] and $response['score'] should be checked.
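The "without the client library" path of the answer, as an added Python example that is not from the question, the answer, or Google's library: it applies the same checks (success, score threshold, expected action and hostname) to the JSON that the siteverify endpoint returns. The sample responses are constructed, not captured from Google; the error names other than E_SCORE_THRESHOLD_NOT_MET and Google's own "invalid-input-response" are this example's assumptions.

```python
import json

SCORE_THRESHOLD = 0.5  # Google's suggested default; tune it from admin-console traffic


def evaluate_siteverify(raw_json, expected_action, expected_hostname,
                        threshold=SCORE_THRESHOLD):
    """Decide whether a reCAPTCHA v3 siteverify response should be accepted.

    Returns (accepted, errors). E_SCORE_THRESHOLD_NOT_MET mirrors the PHP
    client library; "action-mismatch", "hostname-mismatch" and
    "token-not-verified" are names assumed by this example.
    """
    r = json.loads(raw_json)
    errors = list(r.get("error-codes", []))

    # 1. The token itself must have verified. This is all most examples check.
    if not r.get("success", False):
        return False, errors or ["token-not-verified"]

    # 2. A valid token minted for a different action or site is still a rejection.
    if r.get("action") != expected_action:
        errors.append("action-mismatch")
    if r.get("hostname") != expected_hostname:
        errors.append("hostname-mismatch")

    # 3. v3 never blocks a user, so the score is the real signal. A missing or
    #    malformed score is treated as the lowest possible score.
    try:
        score = float(r.get("score", 0.0))
    except (TypeError, ValueError):
        score = 0.0
    if score < threshold:
        errors.append("E_SCORE_THRESHOLD_NOT_MET")

    return (not errors), errors


# Constructed sample responses (not captured from Google's API).
HUMAN_LIKE = json.dumps({"success": True, "score": 0.9, "action": "upload",
                         "hostname": "example.com"})
LOW_SCORE = json.dumps({"success": True, "score": 0.1, "action": "upload",
                        "hostname": "example.com"})
WRONG_ACTION = json.dumps({"success": True, "score": 0.9, "action": "login",
                           "hostname": "example.com"})
BAD_TOKEN = json.dumps({"success": False,
                        "error-codes": ["invalid-input-response"]})
```

With the default threshold, LOW_SCORE is rejected even though "success" is true, which is exactly the case the examples linked in the question would let through.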