Google reCAPTCHA How to get user response and validate in the server side

Question

I am doing a Java  JSP   Servlet  web application  I understand that this question is technology-independent   I hope to use the latest Google reCAPTCHA service  I am playing with a Google reCAPTCHA example found here  https   developers google com recaptcha docs display config  lt html gt     lt head gt       lt title gt reCAPTCHA demo  Simple page lt  title gt        lt script src  quot https   www google com recaptcha api js quot  async defer gt  lt  script gt     lt  head gt     lt body gt       lt form action  quot   quot  method  quot POST quot  gt         lt div class  quot g-recaptcha quot  data-sitekey  quot my site key quot  gt  lt  div gt         lt br  gt         lt input type  quot submit quot  value  quot Submit quot  gt       lt  form gt     lt  body gt   lt  html gt   I am able to see the displayed recaptcha image as follows   When I check  quot I m not a robot quot   I get the following   As you can see  there is a Verify button and based on my tests  user response is sent to Google for verification  How can I get the user response so that I can verify user response in my own backend code  as suggested by Google at https   developers google com recaptcha docs verify   g-recaptcha-response POST parameter when the user submits the form on your site  On the server side  I can  by clicking on the  quot Submit quot  button  get user input from parameter  quot g-recaptcha-response quot  only when a user is verified successfully with Google first  Otherwise   quot g-recaptcha-response quot  is blank on the server side  This means that I can do server-side verification only after the client-side s verification success  If so  what is the point of doing another verification on the server-side  which is the option provided by Google reCAPTHA  Do I miss anything

User · Answer

A method I use in my login servlet to verify reCaptcha responses. Uses classes from the java.json package. Returns the API response in a JsonObject.

Check the success field for true or false

private JsonObject validateCaptcha(String secret, String response, String remoteip)
{
    JsonObject jsonObject = null;
    URLConnection connection = null;
    InputStream is = null;
    String charset = java.nio.charset.StandardCharsets.UTF_8.name();

    String url = "https://www.google.com/recaptcha/api/siteverify";
    try {            
        String query = String.format("secret=%s&response=%s&remoteip=%s", 
        URLEncoder.encode(secret, charset), 
        URLEncoder.encode(response, charset),
        URLEncoder.encode(remoteip, charset));

        connection = new URL(url + "?" + query).openConnection();
        is = connection.getInputStream();
        JsonReader rdr = Json.createReader(is);
        jsonObject = rdr.readObject();

    } catch (IOException ex) {
        Logger.getLogger(Login.class.getName()).log(Level.SEVERE, null, ex);
    }
    finally {
        if (is != null) {
            try {
                is.close();
            } catch (IOException e) {
            }

        }
    }
    return jsonObject;
}

User · Answer

The cool thing about the new Google Recaptcha is that the validation is now completely encapsulated in the widget  That means  that the widget will take care of asking questions  validating responses all the way till it determines that a user is actually a human  only then you get a g-recaptcha-response value  But that does not keep your site safe from HTTP client request forgery  Anyone with HTTP POST knowledge could put random data inside of the g-recaptcha-response form field  and foll your site to make it think that this field was provided by the google widget  So you have to validate this token  In human speech it would be like   Your Server  Hey Google  there s a dude that tells me that he s not a robot  He says that you already verified that he s a human  and he told me to give you this token as a proof of that  Google  Hmm    let me check this token    yes I remember this dude I gave him this token    yeah he s made of flesh and bone let him through  Your Server  Hey Google  there s another dude that tells me that he s a human  He also gave me a token  Google  Hmm    it s the same token you gave me last time    I m pretty sure this guy is trying to fool you  Tell him to get off your site   Validating the response is really easy  Just make a GET Request to https   www google com recaptcha api siteverify secret your secret amp response response string amp remoteip user ip address And replace the response string with the value that you earlier got by the g-recaptcha-response field  You will get a JSON Response with a success field  More information here  https   developers google com recaptcha docs verify Edit  It s actually a POST  as per documentation here

User · Answer

Here is complete demo code to understand client side and server side process  you can copy paste it and just replace google site key and google secret key    lt  php  if  empty   REQUEST               echo   lt pre gt    print r   REQUEST   die  END             post                  secret    gt   Your Secret key                response    gt    REQUEST  g-recaptcha-response                        ch   curl init             curl setopt  ch  CURLOPT URL  https   www google com recaptcha api siteverify            curl setopt  ch  CURLOPT POST  1           curl setopt  ch  CURLOPT POSTFIELDS  http build query  post            curl setopt  ch  CURLOPT RETURNTRANSFER  true             server output   curl exec  ch            curl close   ch           echo   lt pre gt    print r  server output   die  ss        gt   lt html gt     lt head gt       lt title gt reCAPTCHA demo  Explicit render for multiple widgets lt  title gt       lt script type  text javascript  gt        var site key    Your Site key         var verifyCallback   function response            alert response                  var widgetId1        var widgetId2        var onloadCallback   function                Renders the HTML element with id  example1  as a reCAPTCHA widget             The id of the reCAPTCHA widget is assigned to  widgetId1           widgetId1   grecaptcha render  example1                sitekey    site key             theme     light                      widgetId2   grecaptcha render document getElementById  example2                 sitekey    site key                     grecaptcha render  example3                sitekey    site key             callback    verifyCallback             theme     dark                            lt  script gt     lt  head gt     lt body gt       lt  -- The g-recaptcha-response string displays in an alert message upon submit  -- gt       lt form action  javascript alert grecaptcha getResponse widgetId1     gt         lt div id  example1  gt  lt  div gt         lt br gt         lt input type  submit  value  getResponse  gt       lt  form gt       lt br gt       lt  -- Resets reCAPTCHA widgetId2 upon submit  -- gt       lt form action  javascript grecaptcha reset widgetId2    gt         lt div id  example2  gt  lt  div gt         lt br gt         lt input type  submit  value  reset  gt       lt  form gt       lt br gt       lt  -- POSTs back to the page s URL upon submit with a g-recaptcha-response POST parameter  -- gt       lt form action     method  POST  gt         lt div id  example3  gt  lt  div gt         lt br gt         lt input type  submit  value  Submit  gt       lt  form gt       lt script src  https   www google com recaptcha api js onload onloadCallback amp render explicit          async defer gt       lt  script gt     lt  body gt   lt  html gt

User · Answer

Hi curious you can validate your google recaptcha at client side also 100  work for me to verify your google recaptcha just see below code  This code at the html body     lt div class  g-recaptcha  id  rcaptcha  style  margin-left  90px   data-sitekey  my key  gt  lt  div gt    lt span id  captcha  style  margin-left 100px color red    gt    This code put at head section on call get action this  method form button   function get action form     var v   grecaptcha getResponse    if v length    0        document getElementById  captcha   innerHTML  You can t leave Captcha Code empty       return false     if v length    0         document getElementById  captcha   innerHTML  Captcha completed       return true

[java] Google reCAPTCHA: How to get user response and validate in the server side?

Examples related to java

Examples related to javascript

Examples related to recaptcha