recaptcha icon indicating copy to clipboard operation
recaptcha copied to clipboard

Published 20 hours ago verified publisher icon google

list of accepted hostnames instead of single hostname

Open slavino opened this issue 4 years ago • 6 comments
trafficstars

https://github.com/google/recaptcha/blob/f911286ad361c9fba1b422c07f040852c0c193a3/src/ReCaptcha/ReCaptcha.php#L169

Hello, it would make sense to have ability to provide list of accepted hostnames (comma or some other delimiter separated).

My use-case is that URL is separated into api.domain.com and web.domain.com and I would like to enable both domains to be valid via

$recaptcha
   ->setExpectedHostname("api.domain.com,web.domain.com")
   ->setExpectedAction('registration')
   ->setScoreThreshold(0.5)->...

slavino avatar Aug 23 '21 11:08 slavino

Did you manage to come up for a solution for this @slavino ? Do by the way believe that domain.com should cover subdomains as well out of the box. See https://developers.google.com/recaptcha/docs/domain_validation But in my and perhaps your case we want to use multiple custom domains so different TLDs.

jasperf avatar Sep 19 '21 05:09 jasperf

Did you manage to come up for a solution for this @slavino ? Do by the way believe that domain.com should cover subdomains as well out of the box. See https://developers.google.com/recaptcha/docs/domain_validation But in my and perhaps your case we want to use multiple custom domains so different TLDs.

Unfortunately not and I only made switch in my backend to check for proper subdomain.

slavino avatar Sep 19 '21 06:09 slavino

I think the right thing to do here would be to break up the verify() method in the library a bit and allow for more flexibility in validation rules. However, that's a bit of a rewrite. Here's a potential workaround that assumes you've got an array of your valid hostnames in $validHostnames and then just check the value in the response after the included library checks. I haven't actually run this, so… your mileage may vary, but I think you should be able to do something like this.

$recaptcha = new \ReCaptcha\ReCaptcha($secret);
$resp = $recaptcha->verify($gRecaptchaResponse, $remoteIp);

if ($resp->isSuccess() && in_array($resp->getHostname, $validHostnames)) {
    // Verified!
} else {
    $errors = $resp->getErrorCodes();
}

rowan-m avatar Oct 04 '21 09:10 rowan-m

I think the right thing to do here would be to break up the verify() method in the library a bit and allow for more flexibility in validation rules. However, that's a bit of a rewrite. Here's a potential workaround that assumes you've got an array of your valid hostnames in $validHostnames and then just check the value in the response after the included library checks. I haven't actually run this, so… your mileage may vary, but I think you should be able to do something like this.

$recaptcha = new \ReCaptcha\ReCaptcha($secret);
$resp = $recaptcha->verify($gRecaptchaResponse, $remoteIp);

if ($resp->isSuccess() && in_array($resp->getHostname, $validHostnames)) {
    // Verified!
} else {
    $errors = $resp->getErrorCodes();
}

You will end up in handling exception without proper modification - https://github.com/google/recaptcha/blob/ed5645e799e43afa9eb181f214dc52f22982682d/src/ReCaptcha/ReCaptcha.php#L168

slavino avatar Oct 04 '21 10:10 slavino

I don't think that should trigger if you haven't called setExpectedHostname() or am I missing something?

rowan-m avatar Oct 04 '21 10:10 rowan-m

You are right. The workaround should work.

slavino avatar Oct 04 '21 10:10 slavino