ReCaptcha V3 - what to do if validation failed?
I have added invisible reCaptcha V3 to an ASP.NET Core 6.0 Angular SPA.

  1. Registration MVC page HTML:
  . . .
  <input type="hidden" name="captcha" id="captchaInput" value="" />
</form>

. . .

@section Scripts {
    <script src="https://www.google.com/recaptcha/api.js?render=@Configuration["Recaptcha:siteKey"]"></script>
    <script>
        grecaptcha.ready(function() {
            grecaptcha.execute('@Configuration["Recaptcha:siteKey"]', { action: 'contact' }).then(function (token) {
                $("#captchaInput").val(token);
            });
        });
    </script>

    <partial name="_ValidationScriptsPartial" />
}

CS

if (ModelState.IsValid)
{
    // "captcha" is the v3 token posted from the hidden input above;
    // the validator forwards it to Google's siteverify endpoint
    if (!await _captchaValidator.IsCaptchaPassedAsync(captcha))
        ModelState.AddModelError("captcha", "Captcha validation failed");
}

There is an OIDC controller with the reCaptcha validator injected.

Everything works until the validation fails (for example, a low score).

The user cannot proceed from this point.

I would expect captcha to become regular visible challenge.

I need a workable solution - how to give a user a second chance to prove they aren't a robot in case reCaptcha v3 validation failed (for whatever reason).

credits to: https://github.com/Jarda29/GoogleReCaptcha.V3

Ginetteginevra answered 9/11, 2021 at 13:24 Comment(3)
Why give the robots a second chance? They are damned dirty robots. If you are insistent on such a suspicious user not being a robot, you could always fall back to captcha v2, or an alternative that does not just give you back a score, but requires some kind of interactivity such as "click all the airplanes" or "click all the parking meters and mailboxes that look like parking meters". If you had a custom idea in mind, I would challenge you to come up with ways that someone might script their way around it before implementing it, because they probably could.Octameter
I know all of it but just to clarify - when I was testing I had hit 0.45 somehow - and I am no robot. I do show an error message but the captcha is on the "register" page. If a person hits this wall - there is no way out. And I would like to capture every legitimate user. I don't care for scripting around that. It's not an online bank or anything. If you know how to mix v3 and v2 - please consider posting an answer. ThanksGinetteginevra
@NickAcosta You may need to provide a redemption path if your software is in certain regulated industries.Eucharist

I think there are a few questions here.

  1. What reCaptcha version (V2, V3) should I use?
  2. How to set up reCaptcha?
  3. What should a back-end return if reCaptcha failed?

So, ...

  1. Choose on your own and for your project. IMHO, core pros and cons are
  • for V2: only humans allowed (non-programming clicks only are working), the check is unavoidable and hard sometimes;

  • for V3: not only humans could pass it, but it also is not annoying. Both of these options are working. Just pick the best one for your project. And configure V3 if it was picked.

  2. Setup. V2 has no settings because due to its nature it is only for humans. V3 has a score for each request that evaluates a user's actions. A too low score gives false in success. That limit value for true or false should be set at https://g.co/recaptcha/admin/. This way doesn't require a code/config update. Otherwise, you can get the entire response object via Task<JObject> GetCaptchaResultDataAsync(string token) and process the object's score value on your own. The limit value should be changed manually in this case (code or config).

NB! During your site work, the value could change! It depends on users' behavior, their I-net speed, software, ...

NB! The initial gReCaptcha V3 score value is 0.5. You can play with it on the console.

  3. If the reCaptcha failed, then it is, mostly, a bot. So no actual action is required. So it could be an ignore action - no response action at all. Let bots endlessly hit the wall. Especially at V2. If V3 is in use, then you can suppose that it COULD be a user. You can return an error message or a 4XX code from the back-end. On the front-end, there could be response handling that fires the user notification - an error text about suspicious behavior.

P. S. For QA there is a point in implementing a pathway to avoid the reCaptcha checks. Different builds/configs (QA manual) or endpoints/additional passwords (QA auto) to override or skip the await _captchaValidator.IsCaptchaPassedAsync(captcha) result.

Rossen answered 23/11, 2021 at 10:47 Comment(6)
Thank you for the long answer. Just to clarify - when I was testing I had hit 0.45 somehow - and I am no robot. I do show an error message but the captcha is on the "register" page. If a person hits this wall - there is no way out. I would like at that point to have a full captcha challenge. Can it be done with v3? If not, shall I use a mix of v3 for score and if it is low - make a v2 call - if that - how?Ginetteginevra
BoppityBop, it is OK; while testing you can get a strange score. You are testing, don't read anything on the page, do direct fast clicks, ... It could look like bot behavior. ;) That's why I wrote the 'NB!'s. The score is single for a site. If your site is fast, has minimal content then all scores will be low and the gReCaptcha V3 score should be lowered also. Or if your login is fast then there is a point to do the custom score processing (#2). In any case, the V3 score is your bot protection. In the same way as user protection. You'll have to find its balanced value.Rossen
Thank you but still I would like an answer to my question: "how can a user prove they aren't a robot in case reCaptcha v3 validation failed (for whatever reason I chose to fail it)" - do I switch to v2? If yes then how. That's all I need to know (see my other comment under the question - I have my reasons). I edited the last line in the questionGinetteginevra
@BoppityBop, V3 has no explicit challenges - that is V2. I think you can register your site on both of these services. I didn't meet a combination of them. IMHO, just pick one and go full ahead. But if you really want V3 + V2, then you'll need V2 registration, implementation on the front-end, its conditional rendering (if the back-end responded with a fail), another endpoint request (it will check the V2 result), ...Rossen
It really would help if you just wrote a few lines of code to demo the idea of switching from v3 to v2. It would also be faster instead of writing a bunch of comments with general ideas. I need code to be added to if (!await _captchaValidator.IsCaptchaPassedAsync(captcha)) as per the question text. JS for V2 would be greatly appreciated too..Ginetteginevra
The code V2 front-end examples are public: checkbox developers.google.com/recaptcha/docs/display, invisible developers.google.com/recaptcha/docs/invisible. The code back-end examples for V2/V3 are public also - developers.google.com/recaptcha/docs/verify.Rossen
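An added example for this thread, not code from the question, the answer or the GoogleReCaptcha.V3 library the question credits. It covers the two things the thread circles around: the back-end decision on the siteverify response when you process the score yourself against a threshold (answer point 2 and 3), and the fallback the question asks for, where a v3 token that scores too low makes the server answer with a machine-readable 4xx so the page can render a visible v2 checkbox and resubmit (the last two comments). It is written in JavaScript so the browser side can be shown; the server functions map one-to-one onto the C# branch `if (!await _captchaValidator.IsCaptchaPassedAsync(captcha))`. Assumptions, not from the page or Google: the 0.5 threshold, the action name `register`, the `422` + `{ captcha: 'v2_required' }` payload, the injected `post`/`siteverify` helpers, the placeholder keys and secrets, and that `api.js` is loaded with `render=explicit` so `grecaptcha.execute` (v3 key) and `grecaptcha.render` (v2 key) coexist on one page. The siteverify field names (`success`, `score`, `action`, `hostname`, `error-codes`) are Google's documented ones.

```javascript
// Added example (not code from the question, the answer or GoogleReCaptcha.V3):
// server-side evaluation of a siteverify response with a score threshold, and the
// client-side fallback from invisible v3 to a visible v2 challenge. Assumed here:
// threshold 0.5, action 'register', the 422 + { captcha: 'v2_required' } payload,
// the injected post/siteverify helpers and the placeholder keys and secrets.

// A v3 token below the threshold is not a hard reject: the server asks the client
// for a v2 challenge. Action and hostname are checked first so a token minted for
// another form or another site is never accepted on the strength of its score.
function evaluateV3(body, { threshold = 0.5, expectedAction, expectedHostname } = {}) {
  if (!body || body.success !== true) {
    return { outcome: 'reject', reason: (body && body['error-codes']) || ['verification-failed'] };
  }
  if (expectedAction && body.action !== expectedAction) {
    return { outcome: 'reject', reason: ['action-mismatch'] };
  }
  if (expectedHostname && body.hostname !== expectedHostname) {
    return { outcome: 'reject', reason: ['hostname-mismatch'] };
  }
  if (typeof body.score !== 'number' || body.score < threshold) {
    return { outcome: 'challenge', reason: ['low-score'], score: body.score };
  }
  return { outcome: 'pass', score: body.score };
}

// v2 has no score: success plus a matching hostname is the whole check.
function evaluateV2(body, { expectedHostname } = {}) {
  if (!body || body.success !== true) {
    return { outcome: 'reject', reason: (body && body['error-codes']) || ['verification-failed'] };
  }
  if (expectedHostname && body.hostname !== expectedHostname) {
    return { outcome: 'reject', reason: ['hostname-mismatch'] };
  }
  return { outcome: 'pass' };
}

// HTTP shape of the registration endpoint's answer. 'challenge' is a 4xx carrying a
// machine-readable flag, so the front end can render v2 instead of a dead end.
function registrationResponse(result) {
  switch (result.outcome) {
    case 'pass': return { status: 200, body: { ok: true } };
    case 'challenge': return { status: 422, body: { ok: false, captcha: 'v2_required' } };
    default: return { status: 400, body: { ok: false, captcha: 'failed', reason: result.reason } };
  }
}

// The client states which widget produced the token; the server picks the matching
// secret and evaluator. siteverify(secret, token) stands for the POST to
// https://www.google.com/recaptcha/api/siteverify and returns its parsed JSON.
async function verifyRegistration(payload, siteverify, opts) {
  if (payload.captchaVersion === 'v2') {
    return registrationResponse(evaluateV2(await siteverify(opts.v2Secret, payload.captcha), opts));
  }
  return registrationResponse(evaluateV3(await siteverify(opts.v3Secret, payload.captcha), opts));
}

// Client: submit with a v3 token first; on 422 / v2_required render the v2 checkbox
// once and resubmit with its token. Assumes api.js loaded with render=explicit so
// grecaptcha.execute (v3 key) and grecaptcha.render (v2 key) coexist on the page.
// Browser pieces are passed in via `deps` so the flow can also run offline.
async function submitWithFallback(formData, deps) {
  const { grecaptcha, v3SiteKey, v2SiteKey, v2Container, post } = deps;
  const v3Token = await grecaptcha.execute(v3SiteKey, { action: 'register' });
  const first = await post({ ...formData, captcha: v3Token, captchaVersion: 'v3' });
  if (first.status !== 422 || first.body.captcha !== 'v2_required') return first;

  const v2Token = await new Promise((resolve) => {
    grecaptcha.render(v2Container, { sitekey: v2SiteKey, callback: resolve });
  });
  return post({ ...formData, captcha: v2Token, captchaVersion: 'v2' });
}

// Offline demo with constructed stand-ins (no network, no real Google calls): the
// fake siteverify scores the v3 token 0.3, below the threshold, and accepts the v2
// token, so the user ends up registered through the visible challenge.
async function demo() {
  const fakeSiteverify = async (_secret, token) => {
    if (token === 'v3-token') return { success: true, score: 0.3, action: 'register', hostname: 'example.test' };
    if (token === 'v2-token') return { success: true, hostname: 'example.test' };
    return { success: false, 'error-codes': ['invalid-input-response'] };
  };
  const opts = { threshold: 0.5, expectedAction: 'register', expectedHostname: 'example.test',
    v3Secret: 'V3_SECRET_PLACEHOLDER', v2Secret: 'V2_SECRET_PLACEHOLDER' };
  let renderedV2 = false;
  const fakeGrecaptcha = {
    execute: async () => 'v3-token',
    render: (_container, params) => { renderedV2 = true; params.callback('v2-token'); },
  };
  const res = await submitWithFallback({ email: 'user@example.test' }, {
    grecaptcha: fakeGrecaptcha, v3SiteKey: 'V3_SITE_KEY', v2SiteKey: 'V2_SITE_KEY',
    v2Container: 'captcha-v2', // id of an empty <div> reserved for the widget
    post: (payload) => verifyRegistration(payload, fakeSiteverify, opts),
  });
  return { status: res.status, renderedV2 };
}

demo().then((r) => console.log(JSON.stringify(r))); // {"status":200,"renderedV2":true}
```

Two points worth keeping when porting this back to the C# action: the action and hostname checks run before the score is even looked at, because a high-scoring token issued for a different form or site is still the wrong token; and the v2 path uses the v2 secret, so a low-score v3 token can never be replayed into the v2 branch. The `v2_required` flag is what turns the question's dead end into a second chance without lowering the v3 threshold for everyone.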
