ReCaptcha v3 not working anymore

fanmail · Post by **fanmail** » Sun Sep 06, 2020 8:39 am

Looks like reCAPTCHA has simply been turned off on the site at this point, when checking again just now.

I temporally removed the ReCapcha

Any idea?

ssl · Post by **ssl** » Sun Sep 06, 2020 8:43 am

Hi
As already said I am thinking of a problem with the configuration of reCAPTCHA

fanmail · Post by **fanmail** » Sun Sep 06, 2020 11:39 am

ssl · Post by **ssl** » Sun Sep 06, 2020 12:36 pm

Yes it is a question that I ask myself aloud in fact.
What can make reCAPTACHA v3 work on one forum in version 3.3.1 and not on another?
On my forum everything is OK, on yours not.

EA117 · Post by **EA117** » Sun Sep 06, 2020 6:26 pm

What is the premise here: Were your Google reCAPTCHA v3 keys working when entered into the reCAPTCHA v2 Invisible plugin of phpBB 3.3.0? And now that you've updated to phpBB 3.3.1 and its actual reCAPTCHA v3 plug-in, those same reCAPTCHA v3 keys do not work?

Or were your reCAPTCHA v3 keys working even after you upgraded to phpBB 3.3.1, but at some later point have now stopped working?

The API keys you get from Google are the main "configuration" aspect possible here. If you're still using reCAPTCHA v2 Invisible keys from phpBB 3.3.0, this would certainly be an unusual way for Google to be responding to an "incorrect API key" scenario. But is something you can verify or perhaps already know isn't actually the case.

I've never had to use the "Request domain:" option in the reCAPTCHA v3 plug-in, which exists in case the ability to connect to google.com is blocked. I don't expect you have that issue with where your server is located, but perhaps try reversing the state of whatever "Request domain:" is currently set to, to rule out or affirm whether this has any bearing on the symptom.

MarkDHamill · Post by **MarkDHamill** » Fri Oct 02, 2020 6:06 pm

I encountered this issue with a client. It seems that when using http and calling https, it introduced a cross-site scripting issue. The solution was to install a security certificate and force HTTPS by adding some code in the board's .htaccess file. I also changed the server settings to create https URLs and to use port 443.

EA117 · Post by **EA117** » Fri Oct 02, 2020 7:51 pm

Interesting, Mark. Thanks for calling that out. Using reCAPTCHA on an HTTP-only site hasn't been an issue in the past, so maybe we need to cast an eye over the Invisible & later v3 support to make sure some kind of dependency wasn't introduced unintentionally. Hmmm, I know I even used the v3 support on a local HTTP-only site when MrGoldy was working on the implementation, and didn't see this kind of fundamental failure.

Maybe identification of the involved web browser is important? Since "cross-site" or "cross security zone" would be a client-determined condition. e.g. We're not talking about an HTTPS connection made by the server-side /vendor/google/recaptcha/src/ReCaptcha/ReCaptcha.php versus the non-HHTPS client connection to the server. More like an HTTPS AJAX or other connection made by Google's Javascript on the client, versus the otherwise non-HTTP client connection to the phpBB server.

Will be interesting to see what we can figure out or duplicate on that.

MarkDHamill · Post by **MarkDHamill** » Fri Oct 02, 2020 7:57 pm

I added an issue in the tracker about this. Also another related one in that reCaptcha requires allow_url_open to be on, but it won't disable it if it's off.

asavage · Post by **asavage** » Fri Dec 18, 2020 7:49 pm

MarkDHamill wrote: ↑
Fri Oct 02, 2020 6:06 pm
I encountered this issue with a client. It seems that when using http and calling https, it introduced a cross-site scripting issue.

Thanks for posting this. I was going in circles today until you gave me this clue.

Latinus · Post by **Latinus** » Mon Dec 21, 2020 2:00 pm

MarkDHamill wrote: ↑
Fri Oct 02, 2020 7:57 pm
reCaptcha requires allow_url_open to be on,

this.

EA117 · Post by **EA117** » Mon Dec 21, 2020 2:23 pm

Latinus wrote: ↑
Mon Dec 21, 2020 2:00 pm

reCaptcha requires allow_url_open to be on,
this.

Just for clarity to anyone reading this: The reCAPTCHA v3 plug-in for phpBB 3.3.1 and later will happily work without allow_url_open enabled.

But the default setting for the reCAPTCHA v3 plug-in wants to use "POST" method, which would require allow_url_open to be enabled.

And the problem, for which a phpBB bug now exists, is that when the allow_url_open function is not enabled, the reCAPTCHA v3 plug-in continues to try and default to "POST" anyway.

Visiting the reCATCHA v3 plug-in configuration and choosing one of the other available methods besides "POST" will allow the reCAPTCHA v3 plug-in to succeed, even without allow_url_open enabled.

Future versions of phpBB should not allow the default "POST" method to remain selected during configuration when allow_url_open is not enabled.

MarkDHamill · Post by **MarkDHamill** » Mon Dec 21, 2020 4:46 pm

Thanks for the clarification. I wasn't aware a GET request would circumvent the issue.

advertisements