Reroll latest patch to latest version
Reroll latest patch to latest version of reCAPTCHA module
76 ]; 77 78 $form['general']['enterprise_project_id'] = [ 79 '#type' => 'textfield', 80 '#title' => $this->t('Project ID'), 81 '#default_value' => $config->get('enterprise_project_id'), 82 '#description' => $this->t('The ID of the Google Cloud project for which the reCAPTCHA Enterprise API is enabled.'), 83 '#states' => [ 84 'visible' => [ 85 ':input[name="recaptcha_use_enterprise"]' => [ 86 'checked' => TRUE, 87 ], 88 ], 89 ], 90 ]; 91 I think this needs to expose the option for the admin user to specify the bot likelihood score that's appropriate for their site. Google's documentation says the default is anything >= 0.5 is human.
```php
$form['general']['recaptcha_is_human_score'] = [
  '#type' => 'textfield',
  '#title' => $this->t('ReCAPTCHA v3 Google Human Score Threshold'),
  '#description' => $this->t('ReCAPTCHA v3 returns a score (1.0 is very likely a good interaction, 0.0 is very likely a bot). By default, a threshold of 0.5 or more is human. See https://developers.google.com/recaptcha/docs/v3#interpreting_the_score'),
  '#maxlength' => 255,
  '#size' => 64,
  '#default_value' => $config->get('recaptcha_is_human_score'),
];
```
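Review bot: at lines 83-89 of the form hunk the Project ID field is only shown or hidden by the ':input[name="recaptcha_use_enterprise"]' state, so the form can be saved with Enterprise enabled and an empty project ID. Add a 'required' entry to '#states' keyed on the same checkbox and reject an empty value in validateForm() when the checkbox is set. The element key 'enterprise_project_id' also lacks the 'recaptcha_' prefix that 'recaptcha_use_enterprise' carries; naming it consistently keeps the submit handler easier to read.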
- src/ReCaptcha/Enterprise.php 0 → 100644
79 'event' => [ 80 'token' => $recaptcha_response, 81 'siteKey' => $site_key, 82 'userIpAddress' => $ip_address, 83 ], 84 ]), 85 'http_errors' => FALSE, 86 ]; 87 88 $request = $this->httpClient->post($url, $options); 89 90 if ($request->getStatusCode() == 200) { 91 $api_response = Json::decode($request->getBody()); 92 $hostname = $api_response['tokenProperties']['hostname'] ?? ''; 93 $api_response_valid = $api_response['tokenProperties']['valid'] ?? FALSE; 94 if ($api_response_valid) { In addition to checking if the
`$api_response['tokenProperties']['valid'] == true`, this needs to check the bot score to effectively block bots. Something like this:

```php
if ($api_response_valid && $this->isHumanScore($score)) {
```

```php
/**
 * reCAPTCHA v3 returns a score (1.0 is very likely a good interaction, 0.0 is very likely a bot).
 * Based on the score, you can take variable action in the context of your site.
 * reCAPTCHA learns by seeing real traffic on your site.
 * For this reason, scores in a staging environment or soon after implementing may differ from production.
 * By default, you can use a threshold of 0.5.
 * https://developers.google.com/recaptcha/docs/v3#interpreting_the_score
 */
private function isHumanScore(float $score) : bool {
  $config = \Drupal::config('recaptcha.settings');
  // Parenthesise the fallback: the cast and >= both bind tighter than ??.
  return $score >= (float) ($config->get('recaptcha_is_human_score') ?? 0.5);
}
```
changed this line in version 4 of the diff
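Review bot: 'http_errors' => FALSE at line 85 of the Enterprise.php hunk only stops Guzzle from throwing on 4xx/5xx responses; a timeout or connection failure still throws from `$this->httpClient->post()` at line 88. Unless a try block opens above the visible lines, catch the transfer exception there, log it, and treat it as a failed verification. At line 91, cast the body to a string before passing it to Json::decode(), and consider renaming `$request` to `$response`, since it holds the response object.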
2 2 secret_key: '' 3 3 verify_hostname: false 4 4 use_globally: false 5 use_enterprise: false 6 enterprise_project_id: '' recaptcha_is_human_score: 0.5
Edited by Wesley Musgrove
16 16 use_globally: 17 17 type: boolean 18 18 label: 'Use reCAPTCHA globally' 19 use_enterprise: 20 type: boolean 21 label: 'Use reCAPTCHA Enterprise' 22 enterprise_project_id: 23 type: string 24 label: 'Enterprise project ID' recaptcha_is_human_score: type: float label: 'Bot likelihood score'
Edited by Wesley Musgrove
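The threshold check proposed in the comments above, written out as an added example (not code from the merge request or the reCAPTCHA module). `evaluateAssessment()` and its parameters are hypothetical names, the sample responses are constructed, and the `riskAnalysis.score` and `tokenProperties.invalidReason` field names come from Google's reCAPTCHA Enterprise assessment format rather than from this page.

```php
<?php
declare(strict_types=1);

/**
 * Added example: decide whether a decoded assessment passes, failing closed
 * on any missing or malformed field. All names here are hypothetical.
 */
function evaluateAssessment(?array $assessment, bool $verify_hostname, string $expected_host, $configured_threshold): array {
  // Use 0.5 when the stored threshold is missing, non-numeric or outside 0..1.
  $threshold = is_numeric($configured_threshold) ? (float) $configured_threshold : 0.5;
  if ($threshold < 0.0 || $threshold > 1.0) {
    $threshold = 0.5;
  }
  $token = $assessment['tokenProperties'] ?? [];
  if (($token['valid'] ?? FALSE) !== TRUE) {
    return [FALSE, 'invalid-token: ' . ($token['invalidReason'] ?? 'unknown')];
  }
  if ($verify_hostname && ($token['hostname'] ?? '') !== $expected_host) {
    return [FALSE, 'hostname-mismatch'];
  }
  // A valid token without a numeric score is rejected, not waved through.
  $score = $assessment['riskAnalysis']['score'] ?? NULL;
  if (!is_int($score) && !is_float($score)) {
    return [FALSE, 'missing-score'];
  }
  return $score >= $threshold ? [TRUE, 'ok'] : [FALSE, 'score-below-threshold'];
}

// Constructed sample responses, not captured from a real site.
$valid_token = ['valid' => TRUE, 'hostname' => 'example.com'];
$samples = [
  'human' => ['tokenProperties' => $valid_token, 'riskAnalysis' => ['score' => 0.9]],
  'bot' => ['tokenProperties' => $valid_token, 'riskAnalysis' => ['score' => 0.1]],
  'no score' => ['tokenProperties' => $valid_token],
  'bad token' => ['tokenProperties' => ['valid' => FALSE, 'invalidReason' => 'EXPIRED']],
  'not JSON' => NULL,
];
foreach ($samples as $label => $assessment) {
  [$ok, $reason] = evaluateAssessment($assessment, TRUE, 'example.com', '0.5');
  printf("%-9s %s (%s)\n", $label, $ok ? 'accept' : 'reject', $reason);
}
```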
124 145 ->set('secret_key', $form_state->getValue('recaptcha_secret_key')) 125 146 ->set('verify_hostname', $form_state->getValue('recaptcha_verify_hostname')) 126 147 ->set('use_globally', $form_state->getValue('recaptcha_use_globally')) 148 ->set('use_enterprise', $form_state->getValue('recaptcha_use_enterprise')) 149 ->set('enterprise_project_id', $form_state->getValue('enterprise_project_id')) added 1 commit
- cf902c3d - Adapt JS API functions for reCAPTCHA enterprise
245 254 return FALSE; 246 255 } 247 256 257 /** 258 * Implements hook_page_attachments(). 259 */ 260 function recaptcha_page_attachments(array &$attachments) { 261 $config = \Drupal::config('recaptcha.settings'); 262 $attachments['#attached']['library'][] = 'recaptcha/recaptcha'; This hook is going to load the
`recaptcha/recaptcha` library on every page, even pages where there is no v2 captcha widget being generated/rendered. So for performance reasons of loading an unnecessary script on all pages, I think this `hook_page_attachments` needs to be removed. The `drupalSettings` should be placed where the `recaptcha/recaptcha` library is already being attached, namely in the `recaptcha_captcha` function like this:

```php
$captcha['form']['recaptcha_widget'] = [
  '#markup' => '<div' . new Attribute($attributes) . '></div>',
  '#suffix' => $noscript,
  '#attached' => [
    'library' => [
      'recaptcha/recaptcha',
      'recaptcha/google.recaptcha_' . \Drupal::service('language_manager')->getCurrentLanguage()->getId(),
    ],
    'drupalSettings' => [
      'recaptcha' => [
        'use_enterprise' => $config->get('use_enterprise'),
      ],
    ],
  ],
  '#cache' => [
    'tags' => ['library_info'],
    'contexts' => ['languages'],
  ],
];
```
Edited by Wesley Musgrove
4 4 dependencies: 5 5 - core/drupal 6 6 - core/jquery 7 - core/drupalSettings mentioned in merge request !41