Laravel reCaptcha v3: handling the score callback
Original question: http://stackoverflow.com/questions/52334269/
Warning: these are provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): Stack Overflow
reCaptcha v3 handle score callback
Asked by Victordb
I followed the recaptcha v3 example and managed to make it return a callback with a score for a page, similar to their demo.
What I don't understand is how to handle the score that is returned.
I understand that the success is based on the threshold. Using the github package the backend verification is returning json (fail or success) back to the frontend. Am I supposed to handle the fail or success in the front end using javascript? What if the browser has the javascript disabled?
I was thinking to use the recaptcha v3 on all the pages and block the users considered bots for an amount of time.
I am using laravel but I can't figure out how to handle the verification in the middleware, or somewhere else, in order to block the users if they don't have a token (javascript is disabled) or they are considered bots.
Accepted answer by Marian
reCAPTCHA token should be validated server side. First of all, attach generated token into your form:
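    // Request a v3 token for the 'contactform' action and attach it to the form
    // as a hidden field so it is submitted with the other inputs.
    grecaptcha.ready(function() {
        grecaptcha.execute('{{env('RECAPTCHA_V3_PUBLIC_KEY')}}', {action: 'contactform'}).then(function(token) {
            $('<input>').attr({
                type: 'hidden',
                name: 'g-recaptcha-response',
                value: token
            }).prependTo('.contact-form');
        });
    });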
Then when you capture the input in your controller, you can use a custom form request:
    <?php

    namespace App\Http\Requests;

    use App\Rules\RecaptchaV3;
    use Illuminate\Foundation\Http\FormRequest;

    class ContactFormRequest extends FormRequest
    {
        public function rules()
        {
            $rules = [
                'name' => 'required',
                'email' => 'required|email',
                'message' => 'required',
                // The token must be present and must pass the custom rule.
                'g-recaptcha-response' => ['required', new RecaptchaV3],
            ];

            return $rules;
        }
        ...
    }
g-recaptcha-response field is required so if users disable JS they will get an error when form input is validated.
Next for g-recaptcha-response we apply a custom validation rule: RecaptchaV3.
Here's my implementation:
    <?php

    namespace App\Rules;

    use GuzzleHttp\Client;
    use Illuminate\Contracts\Validation\Rule;

    class RecaptchaV3 implements Rule
    {
        public function passes($attribute, $value)
        {
            // Send the submitted token to Google's verification endpoint.
            $client = new Client();
            $response = $client->post('https://www.google.com/recaptcha/api/siteverify', [
                'form_params' => [
                    'secret' => env('RECAPTCHA_V3_PRIVATE_KEY'),
                    'response' => $value,
                    'remoteip' => $_SERVER['REMOTE_ADDR'],
                ]
            ]);

            $decoded = json_decode((string) $response->getBody());

            // Fail closed if the body is not the expected JSON object.
            // Note: only `success` is checked here; the v3 response also carries a `score`.
            return isset($decoded->success) && $decoded->success === true;
        }

        public function message()
        {
            return "You didn't pass reCAPTCHA challenge!";
        }
    }
Next, in your controller use the above form request:
    public function processContactForm(ContactFormRequest $request)
    {
        ...
    }
Hope this helps.
Answer by DA DENG
Unfortunately, recaptcha v3 does not have challenge methods, which means we need to handle the score threshold in our own server side.
The best solution would be to apply both v2 and v3 together, e.g. if v3 fails the threshold, then it pops up a v2 challenge. The official site suggests using 2-way authentication, e.g. SMS. However, I don't think 70% of people would do it.
I have created a composer package for Laravel framework which supports score settings. You can check the source code in github recaptcha:
You can do score comparison for your own score handler.
The basic usage would be like:
    {!! GoogleReCaptchaV3::requireJs() !!}

    <form method="POST" action="/verify">
        @csrf
        {!! GoogleReCaptchaV3::render('contact_us') !!}
        <input type="submit" value="submit">
    </form>
Answer by Darryl E. Clarke
If JavaScript is disabled, reCAPTCHA doesn't work anyway and most form submissions will/should fail if bot protection is critical to you.
As for the score that V3 returns, it is entirely up to you how you handle it.
Generally this is handled on form validations. With V3 you could require the g-response value to be greater than 0.8 or something to your liking. Exact implementation varies greatly by how your app is structured.
From the docs: reCAPTCHA v3 returns a score (1.0 is very likely a good interaction, 0.0 is very likely a bot). Based on the score, you can take variable action in the context of your site.
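
As an added example (not part of any answer above, and not code from the packages mentioned), the server-side score handling the answers describe can be written as a small framework-free PHP function that fails closed on a bad or malformed response, checks that the action matches the form, and maps the score to allow, challenge or reject. The function name, the 0.8 and 0.3 cut-offs and the sample responses are assumptions constructed for illustration; `success`, `score`, `action`, `hostname` and `error-codes` are fields of the siteverify response.

```php
<?php
// Added example: decide what to do with a decoded siteverify response.
// evaluateRecaptchaV3() and both thresholds are hypothetical, chosen for illustration.

function evaluateRecaptchaV3(?array $resp, string $expectedAction,
                             float $allowAt = 0.8, float $challengeAt = 0.3): string
{
    // Fail closed on a missing/garbled body or an unsuccessful verification.
    if (!is_array($resp) || ($resp['success'] ?? false) !== true) {
        return 'reject';
    }
    // A token issued for a different action must not be accepted for this form.
    if (($resp['action'] ?? null) !== $expectedAction) {
        return 'reject';
    }
    // The score must be a real number; anything else is treated as a failure.
    $score = $resp['score'] ?? null;
    if (!is_int($score) && !is_float($score)) {
        return 'reject';
    }
    if ($score >= $allowAt) {
        return 'allow';
    }
    // Middle band: step up (v2 challenge, second factor) instead of blocking outright.
    return $score >= $challengeAt ? 'challenge' : 'reject';
}

// Constructed sample bodies in the shape siteverify returns for v3.
$samples = [
    'human'        => '{"success":true,"score":0.9,"action":"contactform","hostname":"example.test"}',
    'borderline'   => '{"success":true,"score":0.5,"action":"contactform","hostname":"example.test"}',
    'bot'          => '{"success":true,"score":0.1,"action":"contactform","hostname":"example.test"}',
    'wrong action' => '{"success":true,"score":0.9,"action":"login","hostname":"example.test"}',
    'bad token'    => '{"success":false,"error-codes":["invalid-input-response"]}',
    'not json'     => '<html>502</html>',
];

foreach ($samples as $label => $body) {
    $decoded = json_decode($body, true);
    $verdict = evaluateRecaptchaV3(is_array($decoded) ? $decoded : null, 'contactform');
    printf("%-12s => %s\n", $label, $verdict);
}
```

Inside a Laravel validation rule, `passes()` would return true only for the `allow` verdict, while `challenge` can be used to route the user to a v2 challenge or another step-up check.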