ezzarghili / recaptcha-go Goto Github PK

Allow for using semantic versioning with releases on gopkg.in to make releases's API more stable for users

There is should be > instead of >= in threshold comparison.

Reference:
https://github.com/google/recaptcha/blob/master/src/ReCaptcha/ReCaptcha.php#L180

add travis build to make sure the code builds and well lint.

V2 Verify does not work anymore, it did yesterday.. Unsure the issue.

2022/05/18 10:19:33 http: panic serving [::1]:59242: runtime error: invalid memory address or nil pointer dereference goroutine 34 [running]: net/http.(*conn).serve.func1() /usr/local/go/src/net/http/server.go:1825 +0xbf panic({0x900820, 0xd04eb0}) /usr/local/go/src/runtime/panic.go:844 +0x258 gopkg.in/ezzarghili/recaptcha-go%2ev4.(*ReCAPTCHA).confirm(0xd15ac0, {{0x0, 0x0}, {0xc000311c01, 0x1e4}, {0x0, 0x0}}, {0x0, {0x0, 0x0}, ...}) /home/alex/go/pkg/mod/gopkg.in/ezzarghili/[email protected]/recaptcha.go:134 +0x399 gopkg.in/ezzarghili/recaptcha-go%2ev4.(*ReCAPTCHA).Verify(...) /home/alex/go/pkg/mod/gopkg.in/ezzarghili/[email protected]/recaptcha.go:101 main.signup({0x7fb16060bdc8, 0xc00041e3c0}, 0xc0002c0a00) /home/**/**/**_backend/routes.go:32 +0x185 net/http.HandlerFunc.ServeHTTP(0xc0001145d0?, {0x7fb16060bdc8?, 0xc00041e3c0?}, 0xc000416b30?) /usr/local/go/src/net/http/server.go:2084 +0x2f github.com/go-chi/chi/v5.(*ChainHandler).ServeHTTP(0x8fcdc0?, {0x7fb16060bdc8?, 0xc00041e3c0?}, 0xc000281c85?) /home/alex/go/pkg/mod/github.com/go-chi/chi/[email protected]/chain.go:31 +0x2c github.com/go-chi/chi/v5.(*Mux).routeHTTP(0xc0001102a0, {0x7fb16060bdc8, 0xc00041e3c0}, 0xc0002c0a00) /home/alex/go/pkg/mod/github.com/go-chi/chi/[email protected]/mux.go:442 +0x216

DefaultTreshold typo appears 4 times, should be DefaultThreshold.

The README file contains some typos to missed parts of the example code

Also make use of the named return parameters in confirm function

I think it should be matching

Add support to reCAPTCHA v3 API with new threshold validation based on score

Should update test matrix for go versions to include v1.10.x and v1.11.x

For our use case we don't want to block users from signing up if recaptcha goes down or the server has trouble connecting to it for whatever reason. By adding another field to recaptcha.Error we could differentiate between the errors.

For example if we got this error we don't want to block the signup.

Err = &Error{msg: fmt.Sprintf("error posting to recaptcha endpoint: '%s'", err)}

Currently we would have to parse the msg to figure out what's wrong, I propose adding:

// Error custom error to pass ErrorCodes to user.
type Error struct {
	msg        string
	ErrorCodes []string
        RequestError bool
}

and setting that to true in these errors:

	response, err := r.client.PostForm(r.ReCAPTCHALink, formValues)
	if err != nil {
		Err = &Error{msg: fmt.Sprintf("error posting to recaptcha endpoint: '%s'", err), RequestError: true}
		return
	}
	defer response.Body.Close()
	resultBody, err := ioutil.ReadAll(response.Body)
	if err != nil {
		Err = &Error{msg: fmt.Sprintf("couldn't read response body: '%s'", err), RequestError: true}
		return
	}
	var result reCHAPTCHAResponse
	err = json.Unmarshal(resultBody, &result)
	if err != nil {
		Err = &Error{msg: fmt.Sprintf("invalid response body json: '%s'", err), RequestError: true}
		return
	}

Hello @ezzarghili,

What do you think about extending this package so the caller can pass in a http.Client instead of instantiating the default one in the New method?

I can create a PR for this feature if you're interested.

We're using recaptcha v2 checkbox and have "Verify the origin of reCAPTCHA solutions" turned on:

We're also checking the hostname in Go:

options := recaptcha.VerifyOption{}
options.Hostname = "example.domain.com"

For most verifications it's working but we do see a fair number of these errors:

invalid response hostname '', while expecting 'example.domain.com'

This is a bit odd to me since it looks like it's happening to normal users on our website. Any idea why this could happen?

Good work, clean and simple API and code base. Be nice to add tests and mocking out the google API.

Hi, thanks for this great repo!
Is there any chance I could use recaptcha.net instead of www.google.com to enable to use reCAPTCHA globally?
Thanks!

Requests are built for the Google API with the following code:

What happens when the user appends his own secret? It seems necessary to investigate the possibility of malicious users messing with this. Why can't we use Golang's url.Encode?

When the reCAPTCHA response contains an error code, the error code returned by (r *ReCAPTCHA) Verify is only accessible through the error message. For example, an error can be:

remote error codes: [missing-input-response]

It would be great to get an easy way to check what the error code is. Currently, one would have to deconstruct the string to know that the error code was missing-input-response.
One solution would be to create a custom error struct and return that instead when we get a remote error code.

type CaptchaError struct {
    msg    string
    errorCodes []string 
}

func (e *CaptchaError) Error() string { return e.msg }

Makes error codes easily readable for consumer.

Cleaning api for first release and use time.Duration where relevant instead of numbers