aliencube / ReCaptcha.NET

This provides a .NET wrapper library for Google reCaptcha
https://www.google.com/recaptcha
MIT License

How to implement secure token functionality? #3

Open xantari opened 9 years ago

xantari commented 9 years ago

Google has this feature with recaptcha:

https://developers.google.com/recaptcha/docs/secure_token

However, I can only find a way to do this with Google's Java code and a PHP example:

PHP: https://github.com/slushie/recaptcha-secure-token/blob/1.0.0/lib/ReCaptchaToken.php

Java: https://github.com/google/recaptcha-java/tree/master/appengine

Unable to get a properly generated secure token using .NET so far...

Thoughts?

justinyoo commented 9 years ago

Hi, @xantari

Thanks for your feedback.

There are many ways to encrypt/decrypt secure tokens. As you can see, both PHP and Java use Base64 encoding and an AES encryption/decryption approach. I don't think this is the only way of encrypting/decrypting tokens. You can implement your own encryption/decryption method.

data-stoken is just an attribute and its value can be any value encrypted by any encryption method. If you want to find a good encryption/decryption library, https://github.com/aliencube/CryptoService can be an option, if you like.

Cheers,

xantari commented 9 years ago

I was able to implement this after several hours of experimentation. Google's recaptcha 2.0 requires very specific encryption requirements and hashing of the secret key for them to verify the secure token. You can take a look at my working implementation here, which is based off of their published Java example:

https://github.com/xantari/RecaptchaV2.NET

justinyoo commented 9 years ago

Thanks, @xantari

So, if I understood your work correctly, Google reCaptcha uses a very specific hashing and encryption method. Is that right? Actually, when I first wrote this code, there was no statement about that. It was probably added later on (or I might have overlooked that bit).

Could you fork, add yours and send me a PR so that I can merge it? If you don't want to do so, then I'll do it anyway.

Cheers,

xantari commented 9 years ago

Hi Justinyoo,

The secure token functionality of the recaptcha API is only for those who want to use one sitekey and secretkey amongst many sites (rather than tied to a single domain).

As far as merging it, I think you might be in a better position to do this. Just look at the call chain for the GetSecureTokenHtml function in the code and you can copy the relevant bits of code from there.

Enjoy!
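
The "specific encryption requirements and hashing of the secret key" mentioned in the thread, as an added C# sketch that is not code from this repository or from RecaptchaV2.NET. The scheme details (SHA-1 of the site secret truncated to 16 bytes as an AES-128 key, ECB mode with PKCS padding, URL-safe Base64 without padding, a JSON payload with `session_id` and `ts_ms`) are assumptions taken from Google's Java sample linked above and are not stated on this page; the class name, method names and site secret are hypothetical.

```csharp
using System;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;

public static class SecureTokenExample
{
    // Assumption (from the Java sample): key = first 16 bytes of SHA-1(site secret).
    static byte[] DeriveKey(string siteSecret)
    {
        using (var sha1 = SHA1.Create())
        {
            var key = new byte[16];
            Array.Copy(sha1.ComputeHash(Encoding.UTF8.GetBytes(siteSecret)), key, 16);
            return key;
        }
    }

    // Assumption: AES-128 in ECB mode with PKCS7 (PKCS5-compatible) padding, no IV.
    static Aes CreateCipher(string siteSecret)
    {
        var aes = Aes.Create();
        aes.Mode = CipherMode.ECB;
        aes.Padding = PaddingMode.PKCS7;
        aes.Key = DeriveKey(siteSecret);
        return aes;
    }

    // sessionId must be JSON-safe (a GUID is); tsMs is Unix time in milliseconds.
    public static string CreateSecureToken(string siteSecret, string sessionId, long tsMs)
    {
        string json = "{\"session_id\":\"" + sessionId + "\",\"ts_ms\":"
                      + tsMs.ToString(CultureInfo.InvariantCulture) + "}";
        using (var aes = CreateCipher(siteSecret))
        using (var enc = aes.CreateEncryptor())
        {
            byte[] plain = Encoding.UTF8.GetBytes(json);
            byte[] cipher = enc.TransformFinalBlock(plain, 0, plain.Length);
            // URL-safe Base64 with the '=' padding stripped.
            return Convert.ToBase64String(cipher).TrimEnd('=').Replace('+', '-').Replace('/', '_');
        }
    }

    public static void Main()
    {
        // Constructed inputs: a fresh session id and a placeholder site secret.
        long now = DateTimeOffset.UtcNow.ToUnixTimeMilliseconds();
        string token = CreateSecureToken("constructed-site-secret", Guid.NewGuid().ToString(), now);
        Console.WriteLine(token); // value for the data-stoken attribute
    }
}
```

The key is derived solely from the site secret, so the token has to be generated server-side and the secret must never reach the browser.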