
Comments (5)

DethAriel commented on July 27, 2024

Hi, thanks for posting this!

Unfortunately, this is not under the component's control (or yours, that being said). The checkbox only shows that Google reCAPTCHA thinks whoever resolved this is not a robot. Yet, you still have to perform a server-side check of the reCAPTCHA response to verify the captcha integrity.

The reCAPTCHA API does not support modifying this behavior. You can find the original reCAPTCHA docs here.

from ng-recaptcha.

tsanborn19-zz commented on July 27, 2024

So what's the best way to handle having to wait for the server to send back a response? Seems weird that we would have to disable the submit button until we get a response back.


DethAriel commented on July 27, 2024

It's supposed that you submit the captcha response along with the values, e.g. for a login form the payload would be:

{
  "username": "...",
  "password": "...",
  "captcha": "..."
}

Otherwise, if your endpoint /XXX only supports { username, password } input, the captcha is not really doing anything (since one could simply submit to /XXX directly without having to solve the captcha).

Bottom line: the captcha response should be submitted along with the values it is protecting.


tsanborn19-zz commented on July 27, 2024

Ah okay. Thanks for the response. We are only using client-side validation, which is why this is an issue for us. Appreciate the help though.


DethAriel commented on July 27, 2024

This reCAPTCHA usage is concerning at the very least - as the docs state:

"The secret authorizes communication between your application backend and the reCAPTCHA server to verify the user's response. The secret needs to be kept safe for security purposes."

(emphasis added by me). So there are two options here - either you're not using the "secret" key or you store it on the client side. In the first scenario you might as well omit the captcha altogether - your "good" users are only suffering from it, while the bad guys would just bypass it. The second scenario is pretty much the same.

I would strongly encourage you to investigate further into this matter.

from ng-recaptcha.
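
The server-side check discussed in the comments above, as an added example that is not part of the thread or of ng-recaptcha: the login endpoint takes the captcha token in the same payload as the credentials, verifies it against Google's `siteverify` endpoint with a secret that stays on the backend, and fails closed. `handleLogin`, `checkCredentials`, `fetchImpl`, `expectedHostname` and `fakeSiteverify` are hypothetical names chosen for illustration; `fakeSiteverify` is a constructed stand-in so the code runs offline.

```javascript
// Added example, not ng-recaptcha code: verify the token server-side before touching credentials.
const SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify";

// Form-encoded body for siteverify. The secret is read on the backend and never sent to the browser.
function buildVerifyBody(secret, token, remoteIp) {
  const body = new URLSearchParams({ secret, response: token });
  if (remoteIp) body.set("remoteip", remoteIp);
  return body;
}

// Accept only an explicit success, and only for a token solved on our own hostname.
function isCaptchaValid(reply, expectedHostname) {
  if (!reply || reply.success !== true) return false;
  return !expectedHostname || reply.hostname === expectedHostname;
}

// Hypothetical handler: payload is { username, password, captcha } as in the thread.
// deps.checkCredentials and deps.fetchImpl are injected (assumptions of this example).
async function handleLogin(payload, deps) {
  const { secret, expectedHostname, remoteIp, checkCredentials, fetchImpl = fetch } = deps;
  const { username, password, captcha } = payload || {};
  if (typeof captcha !== "string" || captcha === "") {
    return { status: 400, error: "captcha missing" }; // request sent without solving the captcha
  }
  let reply;
  try {
    const res = await fetchImpl(SITEVERIFY_URL, {
      method: "POST",
      body: buildVerifyBody(secret, captcha, remoteIp),
    });
    reply = await res.json();
  } catch (err) {
    return { status: 503, error: "captcha verification unavailable" }; // fail closed
  }
  if (!isCaptchaValid(reply, expectedHostname)) {
    return { status: 403, error: "captcha rejected" };
  }
  const ok = await checkCredentials(username, password);
  return ok ? { status: 200 } : { status: 401, error: "bad credentials" };
}

// Constructed stand-in for the siteverify endpoint: accepts exactly one token value.
const fakeSiteverify = (validToken) => async (_url, init) => ({
  json: async () => init.body.get("response") === validToken
    ? { success: true, hostname: "example.com" }
    : { success: false, "error-codes": ["invalid-input-response"] },
});
```

In production `fetchImpl` is left unset so the global `fetch` is used, and `secret` comes from server-side configuration.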
