googleapis / google-cloud-node

Google Cloud Client Library for Node.js
https://cloud.google.com/nodejs
Apache License 2.0

Score is always 0.8999999761581421, even for automated tests in @google-cloud/recaptcha-enterprise #5398

Closed yossi-chen closed 3 months ago

yossi-chen commented 5 months ago

I've implemented the recaptcha enterprise widget on my site, but the score that returns from the assessment is always the same - 0.8999999761581421 - even for my e2e tests, which are running via playwright.

Environment details

Steps to reproduce

I'm using the code example from their integration example in the gcp console. The token is generated in the frontend.

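const { RecaptchaEnterpriseServiceClient } = require('@google-cloud/recaptcha-enterprise');

class ReCaptchaService {
    // Parameter names are taken from their use in the body below.
    async createAssessment({ projectID, recaptchaKey, token }) {
        const credentials = ... // service-account credentials, elided in the post
        const client = new RecaptchaEnterpriseServiceClient({ credentials });
        const projectPath = client.projectPath(projectID);

        // The token is generated in the frontend and sent to the backend.
        const request = {
            assessment: {
                event: {
                    token,
                    siteKey: recaptchaKey,
                },
            },
            parent: projectPath,
        };

        // response.riskAnalysis.score carries the score discussed in this issue.
        const [response] = await client.createAssessment(request);
    }
}
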
danielbankhead commented 4 months ago

Hmmm, this sounds like this is behaving as intended:

Does this documentation help?

i-am-arunkumar commented 4 months ago

Having the same issue. Risk score is always 0.8999999761581421, even for guaranteed bots which are spamming our forum. So how to make it work?

danielbankhead commented 3 months ago

@i-am-arunkumar hmmm, that's strange and I can see it being frustrating to handle. Did you review the documentation linked above? Outside of that, it may be worth contacting support: https://cloud.google.com/contact/

i-am-arunkumar commented 3 months ago

> @i-am-arunkumar hmmm, that's strange and I can see it being frustrating to handle. Did you review the documentation linked above? Outside of that, it may be worth contacting support: https://cloud.google.com/contact/

Yes, I reviewed the document. What I understood is that it requires real-time traffic to analyse the user interactions with the site. So I assume it may take some more time to identify the bots (it's been 10 days and now assessments are giving a few different scores, e.g. 0.3 and 0.69), so as a backup I am sending both challenge-based v2 and score-based v3 enterprise tokens to the backend, maybe until the score-based model becomes accurate.

yossi-chen commented 3 months ago

After trying many things, including annotating assessments as real or fraud - which didn't help - I've spoken with Google support. ReCaptcha Enterprise works by studying the user's behavior on the site after a prolonged period of time and a couple of user actions. Since the action I was trying to protect (enter email and press send) is the first action - there isn't enough data to make a smart decision... So they told me to use reCaptcha V2 or V3. If the users hang around enough time (no idea what this means though) on the page - then the enterprise version can work. Make sure that your automated tests don't activate the recaptcha because it will influence their learning...
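
The fallback discussed in this thread (verify a challenge alongside the score token until the score starts to vary), as an added example that is not code from the thread or from @google-cloud/recaptcha-enterprise. `ScoreGate`, `normalizeScore`, `sampleAssessment`, the threshold, the window size and the sample responses are assumptions; the field names are those of the Assessment response, whose score is a 32-bit float, which is why 0.9 prints as 0.8999999761581421.

```javascript
// Scores are 32-bit floats: Math.fround(0.9) === 0.8999999761581421.
const normalizeScore = (s) => Math.round(s * 10) / 10;

class ScoreGate {
  constructor({ expectedAction, threshold = 0.5, window = 50 }) {
    this.expectedAction = expectedAction; // action name the frontend used
    this.threshold = threshold;           // assumed cut-off, tune per site
    this.window = window;                 // how many recent scores to keep
    this.recent = [];                     // normalized scores for this site key
  }

  // True once the recent scores contain more than one distinct value.
  scoreIsInformative() {
    return new Set(this.recent).size > 1;
  }

  // challengePassed: outcome of a separately verified challenge, or null if none.
  decide(assessment, challengePassed = null) {
    const props = assessment.tokenProperties || {};
    if (!props.valid) return { verdict: 'deny', why: `invalid token: ${props.invalidReason}` };
    if (props.action !== this.expectedAction) return { verdict: 'deny', why: 'action mismatch' };

    const score = normalizeScore(assessment.riskAnalysis.score);
    this.recent.push(score);
    if (this.recent.length > this.window) this.recent.shift();

    if (!this.scoreIsInformative()) {
      // Constant score carries no signal: fail closed onto the challenge.
      if (challengePassed === null) return { verdict: 'challenge', why: 'score not informative yet' };
      return { verdict: challengePassed ? 'allow' : 'deny', why: 'challenge result' };
    }
    return score >= this.threshold
      ? { verdict: 'allow', why: `score ${score}` }
      : { verdict: 'challenge', why: `score ${score}` };
  }
}

// Constructed sample responses (not real API output).
const sampleAssessment = (score, action = 'send_email', valid = true) => ({
  tokenProperties: { valid, action, invalidReason: valid ? 'INVALID_REASON_UNSPECIFIED' : 'EXPIRED' },
  riskAnalysis: { score, reasons: [] },
});
```

Token validity and the action name are checked before the score is read, so a replayed or mismatched token is rejected regardless of what score it carries.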