Captcha-reCAPTCHA-V3
view release on metacpan or search on metacpan
lib/Captcha/reCAPTCHA/V3.pm view on Meta::CPAN
sub new {
my $class = shift;
my $self = bless {}, ref $class || $class;
my %attr = @_;
# Initialize the values for API
$self->{sitekey} = $attr{sitekey} || ''; # No need to set sitekey in server-side
$self->{secret} = $attr{secret} || croak "missing param 'secret'";
$self->{query_name} = $attr{query_name} || 'g-recaptcha-response';
$self->{widget_api} = 'https://www.google.com/recaptcha/api.js';
$self->{verify_api} = 'https://www.google.com/recaptcha/api/siteverify';
return $self;
}
sub name {
my $self = shift;
return $self->{query_name} unless my $value = shift;
$self->{query_name} = $value;
}
sub sitekey {
my $self = shift;
return $self->{sitekey} unless my $value = shift;
$self->{sitekey} = $value;
}
# verifiers =======================================================================
sub verify {
my $self = shift;
my $response = shift;
croak "Extra arguments have been set." if @_;
if ( _has_curl() ) {
my $cmd = sprintf(
q{curl -sS -X POST %s -d secret=%s -d response=%s},
$self->{verify_api},
_shell_escape($self->{secret}),
_shell_escape($response),
);
my $json = `$cmd`or croak "Failed to execute curl command: $cmd";
return decode_json($json);
}elsif ( !_has_lwp_https() ) {
croak "LWP::UserAgent and LWP::Protocol::https are required to verify reCAPTCHA response.";
}
eval {
require LWP::UserAgent;
require LWP::Protocol::https;
} or croak "LWP::UserAgent and LWP::Protocol::https are required to verify reCAPTCHA response.";
my $ua = LWP::UserAgent->new;
my $res = $ua->post(
$self->{verify_api},{
secret => $self->{secret},
response => $response,
},
);
my $json = $res->decoded_content;
return decode_json($json);
}
sub deny_by_score {
my $self = shift;
my %attr = @_;
my $response = $attr{response} || croak "missing response token";
my $score = $attr{score} || 0.5;
croak "invalid score was set: $score" if $score < 0 or 1 < $score;
my $content = $self->verify($response);
if ( $content->{success} and $content->{score} == 1 || $content->{score} < $score ) {
unshift @{ $content->{'error-codes'} }, 'too-low-score';
$content->{success} = 0;
}
return $content;
}
sub verify_or_die {
my $self = shift;
my $content = $self->deny_by_score(@_);
return $content if $content->{success};
die 'fail to verify reCAPTCHA: ', $content->{'error-codes'}[0], "\n";
}
# aroud javascript =======================================================================
sub scriptURL {
my $self = shift;
my %attr = @_;
my $sitekey = $attr{sitekey} || $self->{sitekey} || croak "missing 'sitekey'";
return $self->{widget_api} . "?render=$sitekey";
}
sub scriptTag {
my $self = shift;
my %attr = @_;
my $sitekey = $attr{sitekey} || $self->{sitekey} || croak "missing 'sitekey'";
my $url = $self->scriptURL( sitekey => $sitekey );
return qq|<script src="$url" defer></script>|;
}
sub scripts {
my $self = shift;
my %attr = @_;
my $sitekey = $attr{sitekey} || $self->{sitekey} || croak "missing 'sitekey'";
my $simple = $self->scriptTag(@_);
my $id = $attr{'id'} or croak "missing the id for Form tag";
my $action = $attr{'action'} || 'homepage';
my $comment = $attr{'debug'} ? '' : '// ';
return <<"EOL";
$simple
<script defer>
let rf = document.getElementById("$id");
rf.onsubmit = function(event){
grecaptcha.ready(function() {
grecaptcha.execute('$sitekey', { action: '$action' }).then(function(token) {
${comment}console.log(token);
rf.insertAdjacentHTML('beforeend', '<input type="hidden" name="$self" value="' + token + '">');
rf.submit();
});
lib/Captcha/reCAPTCHA/V3.pm view on Meta::CPAN
sitekey => '__YOUR_SITEKEY__', # Optional
secret => '__YOUR_SECRET__', # Required
);
...
my $content = $rc->verify($param{$rc});
unless ( $content->{'success'} ) {
# code for failing like below
die 'fail to verify reCAPTCHA: ', @{ $content->{'error-codes'} }, "\n";
}
=head1 DESCRIPTION
Captcha::reCAPTCHA::V3 is inspired from L<Captcha::reCAPTCHA::V2>
This one is especially for Google reCAPTCHA v3, not for v2 because APIs are so defferent.
=head2 Basic Usage
=head3 new( secret => I<secret>, [ sitekey => I<sitekey>, query_name => I<query_name> ] )
Requires only secret when constructing.
Now you can omit sitekey (from version 0.0.4).
You have to get them before running from L<here|https://www.google.com/recaptcha/intro/v3.html>.
my $rc = Captcha::reCAPTCHA::V3->new(
sitekey => '__YOUR_SITEKEY__', # Optional
secret => '__YOUR_SECRET__',
query_name => '__YOUR_QUERY_NAME__', # Optional
);
According to the official document, query_name defaults to 'g-recaptcha-response'
so if you changed it another, you have to set I<query_name> as same.
=head3 name([I<name>])
You can get/set I<query_name> after constuct the object from version 0.0.4
my $query_name = $rc->name(); # defaults to 'g-recaptcha-response'
$rc->name('captcha'); # the I<query_name> is now 'captcha'
and with overlording, you can get I<query_name> with just like below:
my $query_name = "$rc"; # means same with $rc->name();
=head3 verify( I<response> )
Requires just only response key being got from Google reCAPTCHA API.
B<DO NOT> add remote address. there is no function for remote address within reCAPTCHA v3.
my $content = $rc->verify($param{$rc});
The default I<query_name> is 'g-recaptcha-response' and it is stocked in constructor.
But now string-context provides you to get I<query_name> so we don't have to care about it.
The response contains JSON so it returns decoded value from JSON.
unless ( $content->{'success'} ) {
# code for failing like below
die 'fail to verify reCAPTCHA: ', @{ $content->{'error-codes'} }, "\n";
}
=head3 deny_by_score( response => I<response>, [ score => I<expected> ] )
reCAPTCHA v3 responses have score whether the request was by bot.
So this method provides evaluation by scores that 0.0~1.0(defaults to 0.5)
If the score was lower than what you expected, the verifying is fail
with inserting 'too-low-score' into top of the error-codes.
C<verify()> requires just only one argument because of compatibility for version 0.01.
In this method, the response pair SHOULD be set as a hash argument(score pair is optional).
=head2 Additional method for lazy(not sudgested)
=head3 verify_or_die( response => I<response>, [ score => I<score> ] )
This method is a wrapper of C<deny_by_score()>, the differense is dying imidiately when fail to verify.
=head3 scripts( id => I<ID>, [ debug => I<Boolen>, action => I<action> ] )
You can insert this somewhere in your E<lt>bodyE<gt> tag.
In ordinal HTMLs, you can set this like below:
print <<"EOL", scripts( id => 'MailForm' );
<form action="./" method="POST" id="MailForm">
<input type="hidden" name="name" value="value">
<button type="submit">send</button>
</form>
EOL
Then you might write less javascript lines.
From 0.0.4 you can set I<debug> flag in this method.
this is just comment-out the below but powerful.
//console.log(token);
=head1 NOTES
To test this module strictly,
there is a necessary to run javascript in test environment.
I have not prepared it yet.
So any L<PRs|https://github.com/worthmine/Captcha-reCAPTCHA-V3/pulls>
and L<Issues|https://github.com/worthmine/Captcha-reCAPTCHA-V3/issues> are welcome.
=head1 SEE ALSO
=over
=item L<Captcha::reCAPTCHA::V2>
( run in 3.234 seconds using v1.01-cache-2.11-cpan-600a1bdf6e4 )