Method used for Recaptcha V3 no longer recommended #61

Open
matdave opened this issue Aug 30, 2023 · 4 comments

Comments

@matdave
Contributor

matdave commented Aug 30, 2023

https://github.com/sepiariver/recaptchav2/blob/master/core/components/recaptchav2/elements/chunks/recaptchav3_html.chunk.tpl

The method currently used in the recaptchav3 chunk invokes the challenge immediately on page load. However, the recommendation is to invoke it on submit: https://developers.google.com/recaptcha/docs/v3#programmatically_invoke_the_challenge

The main issue is that invoking on page load is causing the token to expire prematurely on longer forms.

@sepiariver
Owner

sepiariver commented Aug 30, 2023

Hi @matdave

Thanks for reporting this and for all your efforts on open-source projects. I'm grateful for you and your work.

This particular issue has been raised and the "Trigger on user-initiated action" section of this blog post is meant to address it: https://sepiariver.com/modx/a-guide-to-recaptcha-v3-for-modx-cms/

TLDR;

The chunk enables customization of the script's behavior. If we override the default chunk we could make the wrong decision for a lot of implementations. Example: what event should we listen to? Does every single website have the same requirements for that?

The default chunk is meant as a guide and the page load event is reliably going to be there, if not reliably the best solution.

Perhaps additional Chunks could be added, which illustrate some options like those in the blog post. That said, including Chunks in packages tends to introduce other issues and I started to regret ever doing that lol

What do you think?

@matdave
Contributor Author

matdave commented Aug 30, 2023

I think a recaptchav3_submit.sample chunk would make sense. It could just be a sample submit button with the logic:

```html
<script src="https://www.google.com/recaptcha/api.js?hl=[[++cultureKey]]"></script>
<script>
  function onSubmit(token) {
    document.getElementById("[[+form_id]]").submit();
  }
</script>
<button class="g-recaptcha"
        data-sitekey="[[+site_key]]"
        data-callback='onSubmit'
        data-action='[[+action_key]]'>Submit</button>
```

Or something like that...
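For comparison, the programmatic variant from the Google documentation linked at the top of the issue, as an added example that is not part of this thread or of the package's chunks. The function name `bindRecaptchaToSubmit` and the hidden field name `recaptcha-token` are assumptions; the `[[+...]]` placeholders are reused from the sample above.

```javascript
// Added example. Load the API with ?render=<site key> for this variant.
// Dependencies are passed in so the handler can be exercised outside a browser.
function bindRecaptchaToSubmit(form, grecaptcha, opts) {
  var pending = false;

  function onSubmit(event) {
    event.preventDefault();            // hold the native submit
    if (pending) { return; }           // ignore repeat clicks while waiting
    pending = true;

    grecaptcha.ready(function () {
      // Token is requested only now, so its two-minute lifetime starts at
      // submit time rather than at page load.
      grecaptcha.execute(opts.siteKey, { action: opts.action }).then(
        function (token) {
          var field = form.elements[opts.tokenField];
          if (!field) {                // create the hidden field on first use
            field = form.ownerDocument.createElement('input');
            field.type = 'hidden';
            field.name = opts.tokenField;
            form.appendChild(field);
          }
          field.value = token;
          pending = false;
          form.submit();               // does not re-fire the submit event
        },
        function () { pending = false; } // allow a retry if execute() fails
      );
    });
  }

  form.addEventListener('submit', onSubmit);
  return onSubmit;
}

// Browser wiring; skipped when no DOM is present.
if (typeof document !== 'undefined' && typeof grecaptcha !== 'undefined') {
  bindRecaptchaToSubmit(document.getElementById('[[+form_id]]'), grecaptcha, {
    siteKey: '[[+site_key]]',
    action: '[[+action_key]]',
    tokenField: 'recaptcha-token'      // assumed name; match your server-side hook
  });
}
```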

@sepiariver
Owner

Yea adding that makes a ton of sense. I'll get it into the next batch of releases. I have a PR of yours to package up for CssSweet as well. I'm so sorry for the delays

@sepiariver
Owner

@matdave just pushed some changes with a new 3.3.0 package. Unfortunately I haven't had a chance to test it out as Recaptcha won't load on my localhost (I suspect some very responsible self-signed SSL rejection on Google's part)

Do you have an implementation somewhere, on which the new Chunk can be tested?
