emailjs-com / emailjs-sdk

EmailJS helps sending emails using client side technologies only. No server is required.
https://www.emailjs.com
BSD 3-Clause "New" or "Revised" License
112 stars 11 forks

Is there a plan to upgrade ReCaptcha support to v3 captcha? #9

Closed GoudekettingRM closed 3 years ago

GoudekettingRM commented 3 years ago

The new Google reCAPTCHA v3 has been available for a while now, and I was wondering if there is a plan to integrate support for it when using emailjs.send in the client.

xr0master commented 3 years ago

Hey. We have thought about this several times, and the problem is not technical.

The fact is that v3 has only a hidden captcha, which is why we do not yet see how the SDK can independently take the key and forward it to the server. That is, it will most likely require manual SDK integration with captcha.

Correspondingly, 2 problems appear. First, the complexity of the integration increases; many of our clients will experience problems with this increased complexity. Second, invisible captchas often give a low score, especially for users in incognito. We will simply be flooded with tickets: "nothing works".

We try to create the service to be very simple and intuitive, starting with simple and open documentation and ending with the dashboard. And invisible captchas don't fit into this concept yet. If you have any ideas, we would love to hear them.

P.S. I think that this year we will add feature flags, which will allow us to add invisible captcha v3 as an activated feature, which will be at the discretion of customers.

GoudekettingRM commented 3 years ago

Hi @xr0master, thanks for responding.

Even for an invisible captcha, the token has to get generated by a client somewhere. Seeing as for the v2 captcha emailjs.send already sends along the g-recaptcha-token, I don't see why this would be an issue. The recaptcha secret is already needed for v2 and can be stored in the GUI on your website. The only thing that has to get added is, like you said, the feature flag so that people can choose to use the v3 one (leave the v2 as default for those that want to use captcha before email sending). Then the only thing that the emailjs server has to do upon receiving a bunch of data for an email service with a v3 captcha set is do a request to the Google API:

URL: https://www.google.com/recaptcha/api/siteverify
METHOD: POST

This takes the recaptcha secret key that is already there and the token that already gets sent.

> Second, invisible captchas often give a low score, especially for users in incognito. We will simply be flooded with tickets: "nothing works".

I don't recognize this problem; the apps I've built with the v3 captcha generally give back 0.9 scores, and my colleague and I have found it difficult to spoof. That being said, you can give the users the option to set their threshold in the GUI. That threshold can then get used to interpret the returned score.

Obviously I'm not familiar with all aspects of your services and there might be things that I am overlooking, but I don't have the feeling that a lot has to change in the installable package, as the settings for which captcha a user would want to use and the corresponding secret key are in the emailjs backend/db. Please correct me if I'm wrong though.
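
The server-side check described in the comment above (POST the stored secret and the client's token to siteverify, then compare the returned score to a customer-set threshold), as an added example. It is not EmailJS code or code from any commenter; the function names, the policy object and the sample responses are assumptions, while the `success`, `score`, `action` and `error-codes` fields are those of Google's siteverify response.

```javascript
// Added example; not EmailJS code. Function names and the policy object are hypothetical.
const SITEVERIFY_URL = 'https://www.google.com/recaptcha/api/siteverify';

// Interpret a siteverify JSON body against a customer-configured policy.
// Every failure path denies, so a missing or malformed field never lets a send through.
function evaluateVerdict(body, { threshold, expectedAction }) {
  if (!body || body.success !== true) {
    return { allow: false, reason: 'verification-failed', errors: (body && body['error-codes']) || [] };
  }
  // v3 responses carry a numeric score (0.0 to 1.0); a response without one is not a pass.
  if (typeof body.score !== 'number') return { allow: false, reason: 'no-score' };
  // Bind the token to the action it was issued for, so a token minted
  // for another form on the same site key is not accepted here.
  if (expectedAction && body.action !== expectedAction) {
    return { allow: false, reason: 'action-mismatch' };
  }
  if (body.score < threshold) return { allow: false, reason: 'low-score', score: body.score };
  return { allow: true, reason: 'ok', score: body.score };
}

// POST the stored secret and the client-supplied token to siteverify.
// fetchImpl is injectable so the function can be exercised offline.
async function verifyRecaptchaV3(token, secret, policy, fetchImpl = globalThis.fetch) {
  if (typeof token !== 'string' || token.length === 0) {
    return { allow: false, reason: 'missing-token' };
  }
  const res = await fetchImpl(SITEVERIFY_URL, {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: new URLSearchParams({ secret, response: token }).toString(),
  });
  if (!res.ok) return { allow: false, reason: 'siteverify-error' }; // fail closed
  return evaluateVerdict(await res.json(), policy);
}

// Constructed sample responses (not real Google output).
const SAMPLE_OK = { success: true, score: 0.9, action: 'send_email', hostname: 'example.com' };
const SAMPLE_LOW = { success: true, score: 0.3, action: 'send_email', hostname: 'example.com' };
const SAMPLE_BAD = { success: false, 'error-codes': ['invalid-input-response'] };
const POLICY = { threshold: 0.5, expectedAction: 'send_email' };
```

Returning the `reason` alongside the decision lets a dashboard tell a customer whether sends are being dropped for low scores or for a misconfigured key.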

markdost commented 2 years ago

Hi there, sorry for jumping in here so late, but I would really like the option to have v3 as well. Or even if it is possible to have the v2 but then have the option to use the invisible one.