2

I'm working with RecaptchaV2, and using it as a first-step validation for authentication to my software. The authentication process typically looks like this:

Enter user ID > Validate recaptcha > Perform further authentication (configurable, e.g. password + 2fa)

Ideally, I would like to be able to detect user failure when performing the recaptcha, and perform a temporary lockout of the IP address or User ID when the user has failed too many times. It seems, however, that Recaptcha does not have a callback for failure cases, and only provides a "data-callback" parameter which is called on success. All validation seems to be entirely encapsulated within the widget, and my code is never informed of the status of the validation until it's successful.

My code is basically just the example from the documentation (https://developers.google.com/recaptcha/docs/display#auto_render), with some additional fanciness to automatically submit the form on the page when the recaptcha is completed. Here's the rough outline:

```html
<div style="text-align: center" id="g-recaptcha-container">
    <div class="g-recaptcha" data-sitekey="secret-site-key" data-callback="recaptcha2_success" style="display: inline-block"></div>
</div>
```

And my JavaScript:

```javascript
function recaptcha2_success(response) {
    var proceed = document.getElementById('g-recaptcha-proceed');
    var form = document.getElementsByName('login-form');

    // display the loading message (getElementById returns null when the element is missing)
    if (proceed !== null) {
        proceed.style.display = 'block';
    }
    // submit the main form
    if (form.length > 0) {
        form[0].submit();
    }
}
```

Does anyone have any suggestions? I can't find anything relevant in the developer documentation.

  • Possible duplicate of [Google ReCAPTCHA how to make required?](http://stackoverflow.com/questions/29612879/google-recaptcha-how-to-make-required) – colecmc Jun 09 '16 at 16:55
  • See my answer here it may help you. http://stackoverflow.com/a/37733209/5190589 – Ryan89 Jun 09 '16 at 18:22
  • Thanks for taking the time to reply, colecmc and Ryan89. The linked submissions are actually the opposite of what I want. The form itself contains **only** the reCaptcha widget. Once the user has interacted with the widget, the form is automatically submitted. The issue is that the reCaptcha widget only calls out to my JavaScript on _successful_ validation, not on _failure_. This prevents me from being able to detect the failure and perform a lockout. – Sean Heintz Jun 09 '16 at 20:51
  • As far as I know, the only way you can detect a failure of the captcha would be to submit your form and then either POST["g-recaptcha-response"] will not be set, meaning it was not completed, or if the response from Google returns a value other than success then you can redirect back to your captcha page to handle that. There is also this post I found where the recaptcha is submitted with AJAX so no new page is loaded, it might be of use. http://stackoverflow.com/questions/30006081/recaptcha-2-0-with-ajax – Ryan89 Jun 10 '16 at 12:22

1 Answer

0

You don't have to do anything with the captcha element in the callback function. The response object is not empty when the captcha is correct:

```javascript
function recaptcha2_success(response) {
    if (response.length > 0) {
        alert("success!");
    }
}
```
FakeJoe
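
The server-side check described in the comments above (a missing `g-recaptcha-response`, or a verification result other than success) combined with the temporary lockout the question asks for, as an added example that is not part of the original thread. The threshold, the lockout window and all function names are assumptions; the verification request goes to Google's documented `siteverify` endpoint and needs Node 18+ for the global `fetch`.

```javascript
// Added example, not from the original thread. MAX_FAILURES, LOCKOUT_MS and
// all function names are assumptions chosen for illustration.
const MAX_FAILURES = 3;
const LOCKOUT_MS = 15 * 60 * 1000;
const attempts = new Map(); // key (IP address or user ID) -> { count, lockedUntil }

function isLocked(key, now = Date.now()) {
  const entry = attempts.get(key);
  return entry !== undefined && now < entry.lockedUntil;
}

// Record one verified outcome for `key`; returns 'ok', 'failed' or 'locked'.
function recordAttempt(key, success, now = Date.now()) {
  if (isLocked(key, now)) return 'locked';
  if (success) { attempts.delete(key); return 'ok'; }
  const entry = attempts.get(key) || { count: 0, lockedUntil: 0 };
  entry.count += 1;
  if (entry.count >= MAX_FAILURES) {
    entry.count = 0;                      // start fresh once the lockout expires
    entry.lockedUntil = now + LOCKOUT_MS;
  }
  attempts.set(key, entry);
  return 'failed';
}

// Ask Google whether the token posted with the form is valid.
async function siteverify(secret, token) {
  const res = await fetch('https://www.google.com/recaptcha/api/siteverify', {
    method: 'POST',
    body: new URLSearchParams({ secret, response: token }),
  });
  return (await res.json()).success === true;
}

// Server-side handler for the posted form; `token` is the g-recaptcha-response field.
async function handleSubmission(key, token, secret) {
  if (isLocked(key)) return 'locked';
  // A missing or empty token means the widget was not completed:
  // count it as a failure without calling Google.
  if (typeof token !== 'string' || token.length === 0) return recordAttempt(key, false);
  let success;
  try { success = await siteverify(secret, token); }
  catch (err) { return 'error'; } // verification unavailable: do not count, do not admit
  return recordAttempt(key, success);
}
```

Only `handleSubmission` touches the network; key it on the client IP address or the submitted user ID, whichever the lockout should apply to.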