recaptcha 5.7.0 → 5.9.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ec76ff47d12ef3388c2a45d56850272fff3675c9f59619a09b55c918f70b5494
-  data.tar.gz: 697f0a4d41ffab63c6eb5b7d7b81c1f5ac2b1305f27bb84b5fccc421bcd38e2c
+  metadata.gz: b4e91df77500a77804749d34ac9690c4ddc9a8cfa30af5f2eae6b51c3d0a0e02
+  data.tar.gz: 2fa166f38a4e39ee6b2244bdfc91991b3bfc6d65360c6dd2e846d584352e3aab
 SHA512:
-  metadata.gz: 51b3627583241aef9a99e2a3ed9c78091c87a92e87210749d38e9ccf0d418dbec455fd524d83210b8331be7064efac2be2308366b8288c574c53b84f6013333e
-  data.tar.gz: 8018c4668d7eef292e5908d609a7ebdd5cfbfb84b0c86a361dac36d3982cc075dc7e694c51639dd09eaf148cfd9536cecb12f6fa188ec72f87328e85976a4e22
+  metadata.gz: acfb0b7bf9d211b2571dfcd8ee5a8195dc149effee4a04fe609d116f869722e583f4a5737e7d21174f2ff3d0f08c1f73f845dd4859daa107500e272230562052
+  data.tar.gz: 8c64efbfd826ab4a817fdbd37ef8e199d6a7c661b0efc18f6e4c5b26aca45a4412c8c0b331772561fe478d1f88c88b1a0cc655471c3eb751883a767a852680cf

data/CHANGELOG.md

@@ -1,4 +1,9 @@
 ## Next
+* Gracefully handle invalid params
+* allow configuring response limit
+
+## 5.8.0
+* Add support for the enterprise API
 
 ## 5.7.0
 * french locale

data/README.md

@@ -68,6 +68,14 @@ export RECAPTCHA_SITE_KEY   = '6Lc6BAAAAAAAAChqRbQZcn_yyyyyyyyyyyyyyyyy'
 export RECAPTCHA_SECRET_KEY = '6Lc6BAAAAAAAAKN3DRm6VA_xxxxxxxxxxxxxxxxx'
 ```
 
+If you have an Enterprise API key:
+
+```shell
+export RECAPTCHA_ENTERPRISE            = 'true'
+export RECAPTCHA_ENTERPRISE_API_KEY    = 'AIzvFyE3TU-g4K_Kozr9F1smEzZSGBVOfLKyupA'
+export RECAPTCHA_ENTERPRISE_PROJECT_ID = 'my-project'
+```
+
 Add `recaptcha_tags` to the forms you want to protect:
 
 ```erb
@@ -159,16 +167,18 @@ you like.
 
 Some of the options available:
 
-| Option         | Description |
-|----------------|-------------|
-| `:model`       | Model to set errors.
-| `:attribute`   | Model attribute to receive errors. (default: `:base`)
-| `:message`     | Custom error message.
-| `:secret_key`  | Override the secret API key from the configuration.
-| `:timeout`     | The number of seconds to wait for reCAPTCHA servers before give up. (default: `3`)
-| `:response`    | Custom response parameter. (default: `params['g-recaptcha-response-data']`)
-| `:hostname`    | Expected hostname or a callable that validates the hostname, see [domain validation](https://developers.google.com/recaptcha/docs/domain_validation) and [hostname](https://developers.google.com/recaptcha/docs/verify#api-response) docs. (default: `nil`, but can be changed by setting `config.hostname`)
-| `:env`         | Current environment. The request to verify will be skipped if the environment is specified in configuration under `skip_verify_env`
+| Option                    | Description |
+|---------------------------|-------------|
+| `:model`                  | Model to set errors.
+| `:attribute`              | Model attribute to receive errors. (default: `:base`)
+| `:message`                | Custom error message.
+| `:secret_key`             | Override the secret API key from the configuration.
+| `:enterprise_api_key`     | Override the Enterprise API key from the configuration.
+| `:enterprise_project_id ` | Override the Enterprise project ID from the configuration.
+| `:timeout`                | The number of seconds to wait for reCAPTCHA servers before give up. (default: `3`)
+| `:response`               | Custom response parameter. (default: `params['g-recaptcha-response-data']`)
+| `:hostname`               | Expected hostname or a callable that validates the hostname, see [domain validation](https://developers.google.com/recaptcha/docs/domain_validation) and [hostname](https://developers.google.com/recaptcha/docs/verify#api-response) docs. (default: `nil`, but can be changed by setting `config.hostname`)
+| `:env`                    | Current environment. The request to verify will be skipped if the environment is specified in configuration under `skip_verify_env`
 
 
 ### `invisible_recaptcha_tags`
@@ -376,17 +386,19 @@ then you can either:
 2. write and specify a custom `callback` function. You may also want to pass `element: false` if you
    don't have a use for the hidden input element.
 
-Note that you cannot submit/verify the same response token more than once or you will get a
-`timeout-or-duplicate` error code. If you need reset the captcha and generate a new response token,
-then you need to call `grecaptcha.execute(…)` again. This helper provides a JavaScript method (for
-each action) named `executeRecaptchaFor{action}` to make this easier. That is the same method that
-is invoked immediately. It simply calls `grecaptcha.execute` again and then calls the `callback`
-function with the response token.
+Note that you cannot submit/verify the same response token more than once or you
+will get a `timeout-or-duplicate` error code. If you need reset the captcha and
+generate a new response token, then you need to call `grecaptcha.execute(…)` or
+`grecaptcha.enterprise.execute(…)` again. This helper provides a JavaScript
+method (for each action) named `executeRecaptchaFor{action}` to make this
+easier. That is the same method that is invoked immediately. It simply calls
+`grecaptcha.execute` or `grecaptcha.enterprise.execute` again and then calls the
+`callback` function with the response token.
 
 You will also get a `timeout-or-duplicate` error if too much time has passed between getting the
 response token and verifying it. This can easily happen with large forms that take the user a couple
 minutes to complete. Unlike v2, where you can use the `expired-callback` to be notified when the
-response expries, v3 appears to provide no such callback. See also
+response expires, v3 appears to provide no such callback. See also
 [1](https://github.com/google/recaptcha/issues/281) and
 [2](https://stackoverflow.com/questions/54437745/recaptcha-v3-how-to-deal-with-expired-token-after-idle).
 
@@ -446,7 +458,7 @@ According to https://developers.google.com/recaptcha/docs/v3#placement,
 
 > Note: You can execute reCAPTCHA as many times as you'd like with different actions on the same page.
 
-You will need to verify each action individually with separate call to `verify_recaptcha`.
+You will need to verify each action individually with a separate call to `verify_recaptcha`.
 
 ```ruby
 result_a = verify_recaptcha(action: 'a')
@@ -506,14 +518,20 @@ Recaptcha.configuration.skip_verify_env.delete("test")
 Recaptcha.configure do |config|
   config.site_key  = '6Lc6BAAAAAAAAChqRbQZcn_yyyyyyyyyyyyyyyyy'
   config.secret_key = '6Lc6BAAAAAAAAKN3DRm6VA_xxxxxxxxxxxxxxxxx'
+
   # Uncomment the following line if you are using a proxy server:
   # config.proxy = 'http://myproxy.com.au:8080'
+
+  # Uncomment the following lines if you are using the Enterprise API:
+  # config.enterprise = true
+  # config.enterprise_api_key = 'AIzvFyE3TU-g4K_Kozr9F1smEzZSGBVOfLKyupA'
+  # config.enterprise_project_id = 'my-project'
 end
 ```
 
 ### Recaptcha.with_configuration
 
-For temporary overwrites (not thread safe).
+For temporary overwrites (not thread-safe).
 
 ```ruby
 Recaptcha.with_configuration(site_key: '12345') do
@@ -533,6 +551,28 @@ recaptcha_tags site_key: '6Lc6BAAAAAAAAChqRbQZcn_yyyyyyyyyyyyyyyyy'
 verify_recaptcha secret_key: '6Lc6BAAAAAAAAKN3DRm6VA_xxxxxxxxxxxxxxxxx'
 ```
 
+
+## hCaptcha support
+
+[hCaptcha](https://hcaptcha.com) is an alternative service providing reCAPTCHA API.
+
+To use hCaptcha:
+1. Set a site and a secret key as usual
+2. Set two options in `verify_url` and `api_service_url` pointing to hCaptcha API endpoints.
+3. Disable a response limit check by setting a `response_limit` to the negative or large enough value (reCAPTCHA is limited by 4000 characters).
+4. It is not required to change a parameter name as [official docs suggest](https://docs.hcaptcha.com/switch) because API handles standard `g-recaptcha` for compatibility.
+
+```ruby
+# config/initializers/recaptcha.rb
+Recaptcha.configure do |config|
+  config.site_key  = '6Lc6BAAAAAAAAChqRbQZcn_yyyyyyyyyyyyyyyyy'
+  config.secret_key = '6Lc6BAAAAAAAAKN3DRm6VA_xxxxxxxxxxxxxxxxx'
+  config.verify_url = 'https://hcaptcha.com/siteverify'
+  config.api_server_url = 'https://hcaptcha.com/1/api.js'
+  config.response_limit = -1
+end
+```
+
 ## Misc
  - Check out the [wiki](https://github.com/ambethia/recaptcha/wiki) and leave whatever you found valuable there.
  - [Add multiple widgets to the same page](https://github.com/ambethia/recaptcha/wiki/Add-multiple-widgets-to-the-same-page)

data/lib/recaptcha/adapters/controller_methods.rb

@@ -83,10 +83,12 @@ module Recaptcha
       # @return [String] A response token if one was passed in the params; otherwise, `''`
       def recaptcha_response_token(action = nil)
         response_param = params['g-recaptcha-response-data'] || params['g-recaptcha-response']
-        if response_param&.respond_to?(:to_h) # Includes ActionController::Parameters
-          response_param[action].to_s
+        response_param = response_param[action] if action && response_param.respond_to?(:key?)
+
+        if response_param.is_a?(String)
+          response_param
         else
-          response_param.to_s
+          ''
         end
       end
     end

data/lib/recaptcha/configuration.rb

@@ -31,11 +31,14 @@ module Recaptcha
   #
   class Configuration
     DEFAULTS = {
-      'server_url' => 'https://www.recaptcha.net/recaptcha/api.js',
-      'verify_url' => 'https://www.recaptcha.net/recaptcha/api/siteverify'
+      'free_server_url' => 'https://www.recaptcha.net/recaptcha/api.js',
+      'enterprise_server_url' => 'https://www.recaptcha.net/recaptcha/enterprise.js',
+      'free_verify_url' => 'https://www.recaptcha.net/recaptcha/api/siteverify',
+      'enterprise_verify_url' => 'https://recaptchaenterprise.googleapis.com/v1beta1/projects'
     }.freeze
 
-    attr_accessor :default_env, :skip_verify_env, :secret_key, :site_key, :proxy, :handle_timeouts_gracefully, :hostname
+    attr_accessor :default_env, :skip_verify_env, :proxy, :secret_key, :site_key, :handle_timeouts_gracefully, :hostname
+    attr_accessor :enterprise, :enterprise_api_key, :enterprise_project_id, :response_limit
     attr_writer :api_server_url, :verify_url
 
     def initialize #:nodoc:
@@ -45,8 +48,15 @@ module Recaptcha
 
       @secret_key = ENV['RECAPTCHA_SECRET_KEY']
       @site_key = ENV['RECAPTCHA_SITE_KEY']
+
+      @enterprise = ENV['RECAPTCHA_ENTERPRISE'] == 'true'
+      @enterprise_api_key = ENV['RECAPTCHA_ENTERPRISE_API_KEY']
+      @enterprise_project_id = ENV['RECAPTCHA_ENTERPRISE_PROJECT_ID']
+
       @verify_url = nil
       @api_server_url = nil
+
+      @response_limit = 4000
     end
 
     def secret_key!
@@ -57,12 +67,20 @@ module Recaptcha
       site_key || raise(RecaptchaError, "No site key specified.")
     end
 
+    def enterprise_api_key!
+      enterprise_api_key || raise(RecaptchaError, "No Enterprise API key specified.")
+    end
+
+    def enterprise_project_id!
+      enterprise_project_id || raise(RecaptchaError, "No Enterprise project ID specified.")
+    end
+
     def api_server_url
-      @api_server_url || DEFAULTS.fetch('server_url')
+      @api_server_url || (enterprise ? DEFAULTS.fetch('enterprise_server_url') : DEFAULTS.fetch('free_server_url'))
     end
 
     def verify_url
-      @verify_url || DEFAULTS.fetch('verify_url')
+      @verify_url || (enterprise ? DEFAULTS.fetch('enterprise_verify_url') : DEFAULTS.fetch('free_verify_url'))
     end
   end
 end

data/lib/recaptcha/helpers.rb

@@ -174,7 +174,8 @@ module Recaptcha
 
     # v3
 
-    # Renders a script that calls `grecaptcha.execute` for the given `site_key` and `action` and
+    # Renders a script that calls `grecaptcha.execute` or
+    # `grecaptcha.enterprise.execute` for the given `site_key` and `action` and
     # calls the `callback` with the resulting response token.
     private_class_method def self.recaptcha_v3_inline_script(site_key, action, callback, id, options = {})
       nonce = options[:nonce]
@@ -185,8 +186,8 @@ module Recaptcha
           // Define function so that we can call it again later if we need to reset it
           // This executes reCAPTCHA and then calls our callback.
           function #{recaptcha_v3_execute_function_name(action)}() {
-            grecaptcha.ready(function() {
-              grecaptcha.execute('#{site_key}', {action: '#{action}'}).then(function(token) {
+            #{recaptcha_ready_method_name}(function() {
+              #{recaptcha_execute_method_name}('#{site_key}', {action: '#{action}'}).then(function(token) {
                 #{callback}('#{id}', token)
               });
             });
@@ -199,8 +200,8 @@ module Recaptcha
           // Returns a Promise that resolves with the response token.
           async function #{recaptcha_v3_async_execute_function_name(action)}() {
             return new Promise((resolve, reject) => {
-              grecaptcha.ready(async function() {
-                resolve(await grecaptcha.execute('#{site_key}', {action: '#{action}'}))
+             #{recaptcha_ready_method_name}(async function() {
+                resolve(await #{recaptcha_execute_method_name}('#{site_key}', {action: '#{action}'}))
               });
             })
           };
@@ -217,8 +218,8 @@ module Recaptcha
       <<-HTML
         <script#{nonce_attr}>
           function #{recaptcha_v3_execute_function_name(action)}() {
-            grecaptcha.ready(function() {
-              grecaptcha.execute('#{site_key}', {action: '#{action}'}).then(function(token) {
+            #{recaptcha_ready_method_name}(function() {
+              #{recaptcha_execute_method_name}('#{site_key}', {action: '#{action}'}).then(function(token) {
                 #{callback}('#{id}', token)
               });
             });
@@ -251,8 +252,9 @@ module Recaptcha
       recaptcha_v3_inline_script?(options)
     end
 
-    # Returns the name of the JavaScript function that actually executes the reCAPTCHA code (calls
-    # grecaptcha.execute). You can call it again later to reset it.
+    # Returns the name of the JavaScript function that actually executes the
+    # reCAPTCHA code (calls `grecaptcha.execute` or
+    # `grecaptcha.enterprise.execute`). You can call it again later to reset it.
     def self.recaptcha_v3_execute_function_name(action)
       "executeRecaptchaFor#{sanitize_action_for_js(action)}"
     end
@@ -296,6 +298,14 @@ module Recaptcha
       HTML
     end
 
+    def self.recaptcha_execute_method_name
+      Recaptcha.configuration.enterprise ? "grecaptcha.enterprise.execute" : "grecaptcha.execute"
+    end
+
+    def self.recaptcha_ready_method_name
+      Recaptcha.configuration.enterprise ? "grecaptcha.enterprise.ready" : "grecaptcha.ready"
+    end
+
     private_class_method def self.default_callback_required?(options)
       options[:callback] == 'invisibleRecaptchaSubmit' &&
       !Recaptcha.skip_env?(options[:env]) &&

data/lib/recaptcha/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Recaptcha
-  VERSION = '5.7.0'
+  VERSION = '5.9.0'
 end

data/lib/recaptcha.rb

@@ -14,7 +14,6 @@ end
 
 module Recaptcha
   DEFAULT_TIMEOUT = 3
-  RESPONSE_LIMIT = 4000
 
   class RecaptchaError < StandardError
   end
@@ -56,15 +55,48 @@ module Recaptcha
   end
 
   def self.invalid_response?(resp)
-    resp.empty? || resp.length > RESPONSE_LIMIT
+    resp.empty? || resp.length > configuration.response_limit
   end
 
   def self.verify_via_api_call(response, options)
+    if Recaptcha.configuration.enterprise
+      verify_via_api_call_enterprise(response, options)
+    else
+      verify_via_api_call_free(response, options)
+    end
+  end
+
+  def self.verify_via_api_call_enterprise(response, options)
+    site_key = options.fetch(:site_key) { configuration.site_key! }
+    api_key = options.fetch(:enterprise_api_key) { configuration.enterprise_api_key! }
+    project_id = options.fetch(:enterprise_project_id) { configuration.enterprise_project_id! }
+
+    query_params = { 'key' => api_key }
+    body = { 'event' => { 'token' => response, 'siteKey' => site_key } }
+    body['event']['expectedAction'] = options[:action] if options.key?(:action)
+    body['event']['userIpAddress'] = options[:remote_ip] if options.key?(:remote_ip)
+
+    reply = api_verification_enterprise(query_params, body, project_id, timeout: options[:timeout])
+    token_properties = reply['tokenProperties']
+    success = !token_properties.nil? &&
+      token_properties['valid'].to_s == 'true' &&
+      hostname_valid?(token_properties['hostname'], options[:hostname]) &&
+      action_valid?(token_properties['action'], options[:action]) &&
+      score_above_threshold?(reply['score'], options[:minimum_score])
+
+    if options[:with_reply] == true
+      return success, reply
+    else
+      return success
+    end
+  end
+
+  def self.verify_via_api_call_free(response, options)
     secret_key = options.fetch(:secret_key) { configuration.secret_key! }
     verify_hash = { 'secret' => secret_key, 'response' => response }
     verify_hash['remoteip'] = options[:remote_ip] if options.key?(:remote_ip)
 
-    reply = api_verification(verify_hash, timeout: options[:timeout])
+    reply = api_verification_free(verify_hash, timeout: options[:timeout])
     success = reply['success'].to_s == 'true' &&
       hostname_valid?(reply['hostname'], options[:hostname]) &&
       action_valid?(reply['action'], options[:action]) &&
@@ -105,7 +137,7 @@ module Recaptcha
     end
   end
 
-  def self.api_verification(verify_hash, timeout: nil)
+  def self.http_client_for(uri:, timeout: nil)
     timeout ||= DEFAULT_TIMEOUT
     http = if configuration.proxy
       proxy_server = URI.parse(configuration.proxy)
@@ -113,12 +145,28 @@ module Recaptcha
     else
       Net::HTTP
     end
+    instance = http.new(uri.host, uri.port)
+    instance.read_timeout = instance.open_timeout = timeout
+    instance.use_ssl = true if uri.port == 443
+
+    instance
+  end
+
+  def self.api_verification_free(verify_hash, timeout: nil)
     query = URI.encode_www_form(verify_hash)
     uri = URI.parse(configuration.verify_url + '?' + query)
-    http_instance = http.new(uri.host, uri.port)
-    http_instance.read_timeout = http_instance.open_timeout = timeout
-    http_instance.use_ssl = true if uri.port == 443
+    http_instance = http_client_for(uri: uri, timeout: timeout)
     request = Net::HTTP::Get.new(uri.request_uri)
     JSON.parse(http_instance.request(request).body)
   end
+
+  def self.api_verification_enterprise(query_params, body, project_id, timeout: nil)
+    query = URI.encode_www_form(query_params)
+    uri = URI.parse(configuration.verify_url + "/#{project_id}/assessments" + '?' + query)
+    http_instance = http_client_for(uri: uri, timeout: timeout)
+    request = Net::HTTP::Post.new(uri.request_uri)
+    request['Content-Type'] = 'application/json; charset=utf-8'
+    request.body = JSON.generate(body)
+    JSON.parse(http_instance.request(request).body)
+  end
 end

data/rails/locales/fr.yml

@@ -2,4 +2,4 @@ fr:
   recaptcha:
     errors:
       verification_failed: La vérification reCAPTCHA a échoué, veuillez essayer à nouveau.
-      recaptcha_unreachable: Oops, nous n'avons pas vu valider votre réponse reCAPTCHA. Veuillez essayer à nouveau.
+      recaptcha_unreachable: Oops, nous n'avons pas pu valider votre réponse reCAPTCHA. Veuillez essayer à nouveau.

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: recaptcha
 version: !ruby/object:Gem::Version
-  version: 5.7.0
+  version: 5.9.0
 platform: ruby
 authors:
 - Jason L Perry
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-02-05 00:00:00.000000000 Z
+date: 2022-03-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: json
@@ -176,7 +176,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.3
+rubygems_version: 3.1.6
 signing_key: 
 specification_version: 4
 summary: Helpers for the reCAPTCHA API