hCaptcha in Outsystems
Question

Since ReCaptcha is moving to a pay model I have been asked to look into implementing hCaptcha in Outsystems.   Has anyone successfully done this?

https://docs.hcaptcha.com/configuration

Displaying the captcha via the UI seems relatively straightforward, but I'm running into problems with the server side verification. The documentation states:


Do not send JSON data: the endpoint expects a standard URL-encoded form POST.

A simple test will look like this:

curl -d "response=CLIENT-RESPONSE&secret=YOUR-SECRET" -X POST https://hcaptcha.com/siteverify


When I try to consume the hcaptcha.com/siteverify method I cannot find any combination of inputs/values that result in a good test.   Everything returns 400 Bad Request, any suggestions?

MVP
Rank: #2

Hi Josh,

For starters, increase the REST service's logging level, and check what you're sending. This goes a long way to discovering what goes wrong. If you have results from that and need more help, please report back.

Rank: #459

Thank you for the tip, I got pulled off to look at something else but I'll circle back to this (hopefully next week).

Rank: #459

I finally was able to circle back to this.   I have been able to successfully load the hcaptcha script and get the user interface to function properly.   

Now I'm getting to the step where I need to do the server side verification of the user response, but when I try to consume the API I am getting a 405 error.   I haven't built the submit logic yet in this OML because it seems like the logical first step is to set up the REST service and verify that I get a successful test response.   The secret in the attached OML GetSiteVerify method is not valid but the user response is a good example from what I'm seeing in the h-captcha-response element in Chrome DevTools.   

Any idea what I might be missing here?   I would expect to get a 200 response with success: false if my secret or response value was invalid, not a 405.

hCaptcha.oml

Rank: #459

When I review the documentation it states that the parameters must be passed in the form body.   I also tried the URL as you did above but got the same 400 error.   

When I run the application and complete the captcha I can see this in DevTools (obviously the response changes for each successful captcha): 

 h-captcha-response-0miimperfwq


https://docs.hcaptcha.com/#server

The endpoint expects a POST request with two parameters: your secret API key and the h-captcha-response token POSTed from your HTML page. You can optionally include the user's IP address as an additional security check. Do not send JSON data: the endpoint expects a standard URL-encoded form POST.

Do not use a GET request to call /siteverify. Use a POST request, and pass the parameters in the form body, not the URL.
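
The request shape the quoted documentation asks for (POST, URL-encoded form body, nothing in the URL, no JSON), as an added Python example that is not part of the original thread and is not OutSystems or hCaptcha code. The function names and sample values are assumptions; `remoteip` is the optional user-IP field from hCaptcha's documentation.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

SITEVERIFY_URL = "https://hcaptcha.com/siteverify"  # endpoint quoted in the thread


def build_siteverify_request(secret, token, remote_ip=None):
    """Build the verification call: form-encoded POST body, no query string, no JSON."""
    fields = {"response": token, "secret": secret}
    if remote_ip:
        fields["remoteip"] = remote_ip  # optional additional check
    body = urllib.parse.urlencode(fields).encode("ascii")
    return urllib.request.Request(
        SITEVERIFY_URL,
        data=body,  # parameters travel in the body, never in the URL
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


def interpret_siteverify(status, raw_body):
    """Return (passed, reasons). Fails closed unless HTTP 200 and success is true."""
    if status != 200:
        return False, [f"http-{status}"]  # e.g. 400/405 from a malformed call
    try:
        doc = json.loads(raw_body)
    except ValueError:
        return False, ["unparseable-body"]
    if isinstance(doc, dict) and doc.get("success") is True:
        return True, []
    codes = doc.get("error-codes", []) if isinstance(doc, dict) else []
    return False, list(codes) or ["success-false"]


def verify(secret, token, remote_ip=None, timeout=5):
    """Send the request and treat any transport or HTTP error as a failed captcha."""
    req = build_siteverify_request(secret, token, remote_ip)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return interpret_siteverify(resp.status, resp.read())
    except urllib.error.HTTPError as exc:
        return interpret_siteverify(exc.code, b"")
    except urllib.error.URLError:
        return False, ["network-error"]
```

The secret stays on the server side only; the submit logic should reject the form whenever `verify` returns `False`, including on network errors.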





Rank: #459

I removed the www and flipped the response/secret around in the body and now I'm getting a 200 response.  Thanks so much for the feedback, I think I'm almost home with this now.

Rank: #459

Once I get it all smoothed out I plan to.    It’s all a little hacky right now.

Rank: #459

So I think it's about 95% of the way there.   The only thing I'm not 100% sure about is how I'm having to set the siteKey in the HTML element.  I tried using a variable from the web block but it's never in scope when the page renders so that data-siteKey was always blank and the widget would not render.

I ended up creating a client variable and then using that to populate the data-siteKey and it works.   I'm new to reactive web/mobile so I wasn't sure if this is the proper way to accomplish this or if I'm missing something obvious.   


 

hCaptcha.oml