Closed qyl27 closed 4 years ago
TL;DR: Yes (see below for a long-winded explanation) - Use this package for server-side validation and create your own client-side implementation. If you use a front-end library such as React, check the relevant package manager for reCAPTCHA clients.
Since you need to use the same site key for the client and server component, I would suggest setting up an API endpoint that exposes your site key for your views. DO NOT expose the secret key as this should never be available to users.
When a user submits a request to an endpoint protected by Google reCAPTCHA there are two things that happen. Firstly, the client side reCAPTCHA widget is invoked in one of two ways:
A request is made to the reCAPTCHA API and magic Google algorithms will rate the likelihood that the requestor is a bot. If Google believes the request was initiated by a bot, then a challenge box may appear such as 'Select the boxes with traffic lights'. Once Google is satisfied that the requestor is a user, a code is returned to the reCAPTCHA widget.
This code should then be sent to your controller endpoint along with the rest of the form data. You need to make sure the code is genuine; this is done by sending the code back to Google (from your controller) along with your site key and your secret key. Google will then approve or reject the validation. If the validation passes, the request did not come from a bot and you are good to go.
reCAPTCHA Docs:
Glad to get your answer, thank you.
I want to use this library in a webapi project. It uses JSON to post data in the HTTP request body. But it seems this library cannot be used this way; any suggestions?
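An added example, not part of the thread and not this package's code: the server-side check described in the answer, applied to a web API request whose JSON body carries the token. The field name `recaptchaToken`, the function names and the injectable `transport` are assumptions of this sketch; the `siteverify` call itself takes the secret key and the token.

```python
import json
import urllib.parse
import urllib.request

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"


def post_form(url, fields, timeout=5):
    """Default transport: POST form-encoded fields, return the decoded JSON reply."""
    data = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(url, data=data, timeout=timeout) as resp:
        return json.load(resp)


def verify_json_request(raw_body, secret, expected_hostname, transport=post_form):
    """Return (ok, reason) for a JSON API request that carries a reCAPTCHA token.

    "recaptchaToken" is a field name chosen for this example; the client puts
    the code returned by the widget there, next to the rest of the payload.
    """
    try:
        body = json.loads(raw_body)
    except (ValueError, TypeError):
        return False, "invalid-json"
    token = body.get("recaptchaToken") if isinstance(body, dict) else None
    if not isinstance(token, str) or not token:
        return False, "missing-token"
    try:
        # The secret key is only ever used here, on the server.
        reply = transport(SITEVERIFY_URL, {"secret": secret, "response": token})
    except Exception:
        # Fail closed: an unreachable verifier must not let the request through.
        return False, "verify-unreachable"
    if not isinstance(reply, dict) or reply.get("success") is not True:
        codes = (reply.get("error-codes") or []) if isinstance(reply, dict) else []
        return False, "rejected:" + ",".join(map(str, codes))
    # A token solved on another site is valid but not meant for this endpoint.
    if reply.get("hostname") != expected_hostname:
        return False, "hostname-mismatch"
    return True, "ok"
```

Call `verify_json_request` at the top of the API handler and return an error response unless it yields `(True, "ok")`; each token can be verified only once, so the result should not be re-checked later in the request.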