0

I am sending a username, password and the h-captcha-response token to express via a login form. The username and password are being sent fine from the form, without single quotes, the h-captcha-response ( which is formulated by hcaptcha and sent back to the web form and is sent also) is being sent with enclosing single quotes and the hcaptcha middleware ( express-hcaptcha ) sees no token. Response from the middleware is ....

Error: bad request - no token provided in body

I am using https://github.com/vastus/express-hcaptcha

When I dump the req I am seeing that the h-captcha-response is enclosed in single quotes. I believe this may have to do with the form input that is being sent to express is not being set to application/json but that’s a guess since I am new to node/express.

The applicable part of the req dump is below and followed by the node/express info. Can someone point me in the correct direction ? Many thanks JW

req dump ( via console.log )

————-
<snip>
….
….
body:
   { username: ‘xxxx’,
     password: ‘xxxx’,
     'h-captcha-response': ‘xxxxxxxxxxxxxx’ },
  _body: true,
  length: undefined,
….
….
<snip>

Appropriate parts of the js file —————

const http = require('http');
const mysql = require('mysql');
const express = require('express');
const session = require('express-session');
const cors = require('cors');
const hcaptcha = require('express-hcaptcha');

//hcaptcha secret key
const SECRET = “xxxxxx”; 

var bodyParser = require('body-parser');

var connection = mysql.createConnection({
…..<snip>
});

const path = require('path');
const app = express();

app.use(cors());
app.use(bodyParser.json());
app.set("view engine","hbs");

app.use(bodyParser.urlencoded({extended : true}));


//create app server
var server = app.listen(3000,  "0.0.0.0", function () {
  var host = server.address().address
  var port = server.address().port
});

app.post('/verify', hcaptcha.middleware.validate(SECRET), (req, res) => {
  res.json({message: 'verified!', hcaptcha: req.hcaptcha});
});
Jane Wilkie
  • 1,703
  • 3
  • 25
  • 49
  • 1
    Have you tried `console.log`ging the `h-captcha-response`? – code Jul 01 '21 at 18:28
  • That's what the req dump is ( voted u up.. thanks! ) .... I'll clarify in the question. Thanks! – Jane Wilkie Jul 01 '21 at 18:30
  • Can you reformat the code? It's hard to read. – code Jul 01 '21 at 18:33
  • 1
    can you rename your 'h-captcha-response' to "token" and see if it works? if you see https://github.com/vastus/express-hcaptcha/blob/master/index.js validate method, it get token from req.body.token. so it should fix your issue. – Ilesh Patel Jul 01 '21 at 18:35
  • Thanks Illesh. Renaming to token doesn't fix the issue. I might just go ahead and install axios to send the call manually. – Jane Wilkie Jul 01 '21 at 19:31
  • 1
    The single quotes is just how node prints a string inside an object. If you `console.log(req.body['hcaptcha-response'])` you won't see them. – leitning Jul 02 '21 at 00:15
  • @leitning, I learned something tremendous from your response. I had been trying to find a way to access the h-captcha-response var when all I knew was req.body.xxx way and not the way to access via the brackets. – Jane Wilkie Jul 02 '21 at 14:24

1 Answers1

1

The key 'h-captcha-response' is enclosed in quotes because that's the only way you can create an object key containing special characters (- in this case) in javascript:

const bad = { a-b: '' }
            // ^ Parsing error: unexpected token, expected ","

const good = { 'a-b': '' } // no error

And while node is not creating an object here but just logging it into the console it still respects common js syntax.

As for the error: Error: bad request - no token provided in body. It's happening because express-hcaptcha middleware expects the field named token. If the field as absent or evaluated to the falsy value you're getting the error you can observe now.

If you're sending data as application/x-www-form-urlencoded then to fix the issue you have to change the name attribute of the captcha field in your html form from h-captcha-response to token.

If you're sending data as json then do the same renaming to the key of the sending json object.

aleksxor
  • 7,535
  • 1
  • 22
  • 27