 

reCaptcha v3 with ColdFusion

I'm trying to integrate reCaptcha (v3) to a ColdFusion site. I'm not too hot on the CF syntax and currently I'm seemingly getting nothing back from the verify request on the server side.

Can anyone see anything obviously wrong and/or point me in the right direction please?

Client Side:

<script src="https://www.google.com/recaptcha/api.js?render=6..."></script>
<script>
    grecaptcha.ready(function() {
        grecaptcha.execute('6...', {action: 'contact'})
        .then(function(token) {
            $("#recaptchaToken").val(token);
        });
    });
</script>

I've got a hidden field recaptchaToken in my form and I can see the token value going in to it.

Server Side:

<cfhttp
  url="https://www.google.com/recaptcha/api/siteverify"
  method="POST"
  result="captchaResponse">
  <cfhttpparam
    type="formfield"
    name="secret"
    value='6...'
  />
  <cfhttpparam
    type="formfield"
    name="response"
    value='#form.recaptchaToken#'
  />
</cfhttp>

<cfdump var=#captchaResponse.filecontent# />

I'm getting a red box output titled object of java.io.ByteArrayOutputStream

I've tried to dump both captchaResponse and captchaResponse.filecontent to no avail.

I'm expecting data in the form of:

{
  "success": true|false,      // whether this request was a valid reCAPTCHA token for your site
  "score": number             // the score for this request (0.0 - 1.0)
  "action": string            // the action name for this request (important to verify)
  "challenge_ts": timestamp,  // timestamp of the challenge load (ISO format yyyy-MM-dd'T'HH:mm:ssZZ)
  "hostname": string,         // the hostname of the site where the reCAPTCHA was solved
  "error-codes": [...]        // optional
}

Update

The solution seems to be as Alex suggested below:

<cfdump var=#toString(captchaResponse.filecontent)# />

This gives me a JSON string in the format expected so I can convert this to an object and complete the verification.

scgough asked Jan 29 '19 23:01


1 Answer

Whenever cfhttp is not sure how to treat a response, the raw content stays untouched and is kept as a Byte array. This usually indicates that the Content-Type header is not specified by the responding server or the content was only partially retrieved.

To force a string representation of the content, you can use toString() to convert the raw Byte array, e.g. toString(captchaResponse.filecontent). The function is quite robust and can also handle already converted strings, so it is usually safe to use.

However, there is something else to be aware of here. When using cfhttp without setting the throwOnError attribute to true (the default value is false), failed HTTP requests will still return a result, a crippled result. The struct will not contain the fileContent key and thus cause an exception at runtime. You might want to add error handling here, in case https://www.google.com/recaptcha/api/siteverify is not reachable or the accepted TLS protocol is not supported by your JRE. We had this issue with SNI and TLS 1.2 with a former version of ColdFusion, namely 8. Be warned.

Alex answered Oct 13 '22 23:10
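
The error handling the answer recommends, combined with the verification step the question's update mentions, as an added example that is not part of the original question or answer. The `application.recaptchaSecret` variable, the 10-second timeout and the 0.5 score threshold are assumptions; the `contact` action comes from the client-side snippet.

```coldfusion
<!--- Added example. application.recaptchaSecret and the 0.5 threshold are assumptions. --->
<cfset captchaOk = false>
<cfset captchaError = "">

<cfif NOT structKeyExists(form, "recaptchaToken") OR NOT len(trim(form.recaptchaToken))>
  <cfset captchaError = "missing token">
<cfelse>
  <cftry>
    <!--- throwOnError turns connection/TLS failures and HTTP error codes into exceptions --->
    <cfhttp
      url="https://www.google.com/recaptcha/api/siteverify"
      method="POST"
      timeout="10"
      throwOnError="true"
      result="captchaResponse">
      <cfhttpparam type="formfield" name="secret" value="#application.recaptchaSecret#" />
      <cfhttpparam type="formfield" name="response" value="#form.recaptchaToken#" />
    </cfhttp>

    <!--- fileContent may arrive as a byte array; toString() is also safe on strings --->
    <cfset rawBody = structKeyExists(captchaResponse, "fileContent") ? toString(captchaResponse.fileContent) : "">

    <cfif NOT isJSON(rawBody)>
      <cfset captchaError = "unparseable response">
    <cfelse>
      <cfset verdict = deserializeJSON(rawBody)>
      <cfif NOT (structKeyExists(verdict, "success") AND verdict.success IS true)>
        <cfset captchaError = "token rejected">
      <cfelseif NOT structKeyExists(verdict, "action") OR compare(verdict.action, "contact") NEQ 0>
        <!--- The token was issued for a different action than this form --->
        <cfset captchaError = "action mismatch">
      <cfelseif NOT structKeyExists(verdict, "score") OR verdict.score LT 0.5>
        <cfset captchaError = "score too low">
      <cfelse>
        <cfset captchaOk = true>
      </cfif>
    </cfif>

    <cfcatch type="any">
      <!--- Fail closed: an unreachable verifier must not let the form through --->
      <cfset captchaError = "verification request failed">
    </cfcatch>
  </cftry>
</cfif>
```

Process the form only when `captchaOk` is true; `captchaError` is meant for server-side logging rather than for display to the visitor.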