UndefinedOffset / silverstripe-nocaptcha

A spam protector and form field using Google's reCAPTCHA v2 or optionally a foundation v3 implementation
BSD 3-Clause "New" or "Revised" License
31 stars, 37 forks

reCAPTCHA V3 does not show anything if score is too low #81

Closed sunnysideup closed 11 months ago

sunnysideup commented 1 year ago

reCAPTCHA V3 does not show anything if score is too low - it just goes back to the form. This would be very confusing and infuriating for any false positives (i.e. real submitters identified as spam).

MLindenhofer commented 1 year ago

We have the same problem. Are there any recommendations what we can do in the meanwhile?

elliot-sawyer commented 1 year ago

Have run into the same issue, debugging it now. The response I get back from Google is { "success": false, "error-codes": [ "invalid-input-response" ] }

$recaptchaResponse is an empty string, which may explain some things. The g-recaptcha-response variable is empty in the form submission data.

UndefinedOffset commented 1 year ago

Sorry everyone my bandwidth lately is fairly limited, happy to take a pull request of course if someone is interested in doing one up to address this. In theory it should be showing a message on the form (not the field) based on this line. Even in the case @elliot-sawyer mentions it should be showing a message saying that they need to answer the captcha (not great for v3 but still something).

elliot-sawyer commented 1 year ago

Switching back to v2 worked for me

elliot-sawyer commented 1 year ago

So I originally ran into this issue when a client provided me with a key for v3, when I was expecting v2. I switched the module over to v3, submitted a test form, and all was well - until recently. I'm not 100% sure what the issue is, but I suspect something changed fairly recently with the V3 submission code. Google reCAPTCHA (Enterprise? May not matter) offers me a slightly different JavaScript snippet:

<script>
  function onClick(e) {
    e.preventDefault();
    grecaptcha.enterprise.ready(async () => {
      // First argument is the site key (elided here); 'action' is echoed back in the siteverify response
      const token = await grecaptcha.enterprise.execute('...........', {action: 'LOGIN'});
      // IMPORTANT: The 'token' that results from execute is an encrypted response sent by
      // reCAPTCHA Enterprise to the end user's browser.
      // This token must be validated by creating an assessment.
      // See https://cloud.google.com/recaptcha-enterprise/docs/create-assessment
    });
  }
</script>

(note the "grecaptcha.enterprise.execute" line instead of "grecaptcha.execute"). The form submission that I observed being sent to Recaptcha was encrypted, so possibly the "grecaptcha.execute" version is sending an unencrypted payload when their server is expecting something encrypted? If that's the case, then maybe the "enterprise" version of Recaptcha is another variant that this module does not yet support?

I might dive into this a bit more if I get more billable time, but for now, getting a v2 key instead solves the issue for me

sunnysideup commented 11 months ago

Any updates on this issue?

UndefinedOffset commented 11 months ago

Sorry everyone, I've been a bit busy with other things lately and haven't really had a chance to look too far into this. Theoretically this block should be returning the validation error stating the score is too low. It's strange that it's showing absolutely nothing; are you being redirected back to fill the form again and it's simply not showing a message?
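The thread above touches three distinct outcomes of a v3 check: an empty or invalid g-recaptcha-response (Google answers with "invalid-input-response", as in the response elliot-sawyer pasted), a successful verification whose score falls below the threshold (the case sunnysideup reported), and a genuine pass. The following is an added, hypothetical PHP example, not code from silverstripe-nocaptcha, showing how a server-side check can map each of those outcomes to a message the form renders visibly. The function names, the 0.5 threshold and the sample responses are assumptions constructed for illustration; only the siteverify URL and the error-code names are Google's documented values.

```php
<?php
// Hypothetical helper, not part of silverstripe-nocaptcha.
// Verifies a reCAPTCHA v3 token and turns every failure mode into a
// message the form should display (on the form itself, not a field).

const RECAPTCHA_VERIFY_URL = 'https://www.google.com/recaptcha/api/siteverify';

/**
 * Interpret a decoded siteverify response.
 * Returns null when the submission should be accepted, otherwise a
 * user-visible message explaining why it was rejected.
 */
function interpretRecaptchaResponse(?array $response, float $minScore, string $expectedAction): ?string
{
    if ($response === null || !isset($response['success'])) {
        return 'Captcha verification could not be completed. Please try again.';
    }
    if ($response['success'] !== true) {
        $codes = $response['error-codes'] ?? [];
        // Google reports missing-/invalid-input-response when the
        // g-recaptcha-response value is empty or malformed, i.e. the
        // browser-side execute() never populated the hidden field.
        if (array_intersect($codes, ['missing-input-response', 'invalid-input-response'])) {
            return 'Captcha response was missing or invalid. Please reload the page and try again.';
        }
        if (in_array('timeout-or-duplicate', $codes, true)) {
            return 'Captcha response has expired. Please submit the form again.';
        }
        return 'Captcha verification failed (' . implode(', ', $codes) . ').';
    }
    // v3 responses carry a score (0.0 = likely bot, 1.0 = likely human)
    // and the action string that was passed to execute() in the browser.
    if (isset($response['action']) && $response['action'] !== $expectedAction) {
        return 'Captcha action mismatch. Please submit the form again.';
    }
    $score = (float) ($response['score'] ?? 0);
    if ($score < $minScore) {
        // This is the branch that must be visible to real users who were
        // misclassified; silently redirecting back to the form hides it.
        return sprintf(
            'Your submission looked automated (score %.2f, minimum %.2f). Contact us if this is a mistake.',
            $score,
            $minScore
        );
    }
    return null;
}

/**
 * Post the token to Google and decode the JSON reply.
 * Returns null on transport failure so the caller can report it.
 */
function verifyRecaptchaToken(string $token, string $secret, ?string $remoteIp = null): ?array
{
    if ($token === '') {
        // Skip the round trip; Google would answer with an input-response error anyway.
        return ['success' => false, 'error-codes' => ['missing-input-response']];
    }
    $params = ['secret' => $secret, 'response' => $token];
    if ($remoteIp !== null) {
        $params['remoteip'] = $remoteIp;
    }
    $ch = curl_init(RECAPTCHA_VERIFY_URL);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($params),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    if ($body === false) {
        return null;
    }
    $decoded = json_decode($body, true);
    return is_array($decoded) ? $decoded : null;
}

// Constructed sample responses (not captured from Google) exercising each branch offline.
$samples = [
    'empty token' => ['success' => false, 'error-codes' => ['invalid-input-response']],
    'low score'   => ['success' => true, 'score' => 0.1, 'action' => 'submit', 'hostname' => 'example.com'],
    'good'        => ['success' => true, 'score' => 0.9, 'action' => 'submit', 'hostname' => 'example.com'],
];
foreach ($samples as $label => $response) {
    $msg = interpretRecaptchaResponse($response, 0.5, 'submit');
    printf("%-12s => %s\n", $label, $msg ?? 'accept submission');
}
```

In a live form handler the token read from the g-recaptcha-response field would be passed to verifyRecaptchaToken() and the result through interpretRecaptchaResponse(); whatever message comes back has to reach the rendered template, since a validation error that exists server-side but is hidden by CSS is indistinguishable, from the user's point of view, from no check at all.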

UndefinedOffset commented 11 months ago

Found the issue: CSS was hiding it -_- I'll have a fix up shortly

UndefinedOffset commented 11 months ago

Fix released as 2.4.2, sorry everyone for the long delay :(

sunnysideup commented 11 months ago

Thank you for fixing it.