0

Following the instructions I get a valid token from my front end (can see in dev tools):

window.grecaptcha
  .execute(captchaPkey, { action: 'contact' })
  .then((token) => {
    // this is what I POST to my API

So in my React front end:

send = (event) => {
  event.preventDefault()
  this.setState({ busy: true })
  window.grecaptcha.ready(() => {
    window.grecaptcha
      .execute(captchaPkey, { action: 'contact' })
      .then((token) => {
        // successfully get token
        const payload = {
          token,
          name: this.state.name,
          to: this.props.to,
          email: this.state.email,
          message: this.state.message,
        }
        // now I'm sending the payload to my API
        // My API 
        update(`${api}/contact/`, {
          method: 'POST',
          body: JSON.stringify(payload)
        }, null)
          .then(data => {
            this.setState({ busy: false, result: 'Email sent' });
          })
          .catch(error => {
            this.setState({ busy: false, error: error.message });
          });
      })
  })
}

my API controller

async function verifyCaptcha(token) {
  return await axios.post('https://www.google.com/recaptcha/api/siteverify', {
    secret: process.env.CAPTCHA_PKEY,
    response: token
  })
}

async function contact({ token, to, name, email, message }) {
  const result = await verifyCaptcha(token)
  if (!result || !result.data || !result.data.success) {
    // always get an error here
    throw new Error('Invalid captcha')
  }
  let targetEmail = 'default@emailaddress'
  if (to !== 'admin') {
    const user = await User.findOne({ username: to }, { email }).exec()
    if (!user) {
      throw new Error('User does not exist')
    }
    targetEmail = user.email
  }

  // rest of send
}

On my API POST endpoint sends to https://www.google.com/recaptcha/api/siteverify with the body of:

{
   secret: process.env.CAPTCHA_PKEY,
   response: token
}

Yet I always get "missing-input-response", "missing-input-secret" error. Is this because v3 is new? Still bugs?

Mark Robson
  • 1,298
  • 3
  • 15
  • 40
  • The token is the g-recaptha-response right? – Juan Sep 02 '18 at 12:55
  • @Juan yeah, I've seen 'g-recaptha-response' mentioned, but is that earlier versions than v3? It is not on the v3 docco. I've updated my question with the front end function – Mark Robson Sep 02 '18 at 13:09
  • The v3 link you provided has a link to https://developers.google.com/recaptcha/docs/verify. There it mentions it. – Juan Sep 02 '18 at 13:14
  • @Juan I might be missing something, but isn't v3 different in that it verifies without having the user do anything? Therefore that link in the docco is irrelevant? – Mark Robson Sep 02 '18 at 13:25
  • I am not sure we are talking about the same thing, but your server still has to validate the recaptha. In fact the link of v3 says 'Make the request to verify the response token as with reCAPTCHA v2 or Invisible reCAPTCHA.' – Juan Sep 02 '18 at 13:31
  • @juan this is exactly what I'm doing. I've edited to include the front end and api controller – Mark Robson Sep 02 '18 at 14:10
  • In const payload = {} aren't you missing the token element name of the json object? Also the last element has a comma I don't remember if this language admits that. – Juan Sep 02 '18 at 14:17

1 Answers1

0

Realised in the documentation it states "post params" not post body haha.

Mark Robson
  • 1,298
  • 3
  • 15
  • 40