Since ReCaptcha is moving to a pay model I have been asked to look into implementing hCaptcha in OutSystems. Has anyone successfully done this?

https://docs.hcaptcha.com/configuration

Displaying the captcha via the UI seems relatively straightforward, but I'm running into problems with the server side verification. The documentation states:


Do not send JSON data: the endpoint expects a standard URL-encoded form POST.

A simple test will look like this:

curl -d "response=CLIENT-RESPONSE&secret=YOUR-SECRET" -X POST https://hcaptcha.com/siteverify


When I try to consume the hcaptcha.com/siteverify method I cannot find any combination of inputs/values that result in a good test.   Everything returns 400 Bad Request, any suggestions?

Hi Josh,

For starters, increase the REST service's logging level, and check what you're sending. This goes a long way to discovering what goes wrong. If you have results from that and need more help, please report back.

Thank you for the tip, I got pulled off to look at something else but I'll circle back to this.  (hopefully next week)

I finally was able to circle back to this.   I have been able to successfully load the hcaptcha script and get the user interface to function properly.   

Now I'm getting to the step where I need to do the server side verification of the user response, but when I try to consume the API I am getting a 405 error.   I haven't built the submit logic yet in this OML because it seems like the logical first step is to set up the REST service and verify that I get a successful test response.   The secret in the attached OML GetSiteVerify method is not valid but the user response is a good example from what I'm seeing in the h-captcha-response element in Chrome DevTools.   

Any idea what I might be missing here?   I would expect to get a 200 response with success: false if my secret or response value was invalid, not a 405.

Hi Josh, 

I took a look at the OML that you sent and at the documentation. I tried to adjust it and tested 2 different approaches, and got a different error:

1) I tried to pass the parameters in the body in plain text or JSON format (recommended in the documentation)


2) I tried to pass the parameters in the URL (but this is not recommended in the documentation) and got this response:


This error is returned because the response parameter (verification token) is invalid or malformed.

Can you please check this value or generate a new one to test it and see if you get a response with 200 OK?


I hope it helps.


BR,

Luis



When I review the documentation it states that the parameters must be passed in the form body.   I also tried the URL as you did above but got the same 400 error.   

When I run the application and complete the captcha I can see this in DevTools (obviously the response changes for each successful captcha): 

 h-captcha-response-0miimperfwq


https://docs.hcaptcha.com/#server

The endpoint expects a POST request with two parameters: your secret API key and the h-captcha-response token POSTed from your HTML page. You can optionally include the user's IP address as an additional security check. Do not send JSON data: the endpoint expects a standard URL-encoded form POST.

Do not use a GET request to call /siteverify. Use a POST request, and pass the parameters in the form body, not the URL.





Hi again,

Can you test your response after completing the captcha with the correct secret and share the result?
Please note that you don't need www in the URL.


I removed the www and flipped the response/secret around in the body and now I'm getting a 200 response.  Thanks so much for the feedback, I think I'm almost home with this now.
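
The request shape that finally worked in this thread (POST to the host without www, parameters in a URL-encoded form body), shown in Python as an added example that is not code from the thread, hCaptcha or OutSystems. The function names and the injectable `opener` are assumptions; `remoteip`, `success` and `error-codes` are the field names hCaptcha documents for the optional IP check and the JSON reply.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

SITEVERIFY_URL = "https://hcaptcha.com/siteverify"  # host without "www", as in the thread


def build_siteverify_request(secret, token, remote_ip=None):
    """Build the POST the docs describe: URL-encoded form body, not JSON, not a query string."""
    fields = {"response": token, "secret": secret}
    if remote_ip:
        fields["remoteip"] = remote_ip  # optional additional check on the user's IP
    body = urllib.parse.urlencode(fields).encode("ascii")
    return urllib.request.Request(
        SITEVERIFY_URL,
        data=body,
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


def interpret(status, raw_body):
    """Fail closed: only HTTP 200 carrying JSON with success == true is a pass."""
    if status != 200:
        return False, ["http-%d" % status]
    try:
        doc = json.loads(raw_body)
    except ValueError:
        return False, ["unparseable-body"]
    if not isinstance(doc, dict):
        return False, ["unexpected-body"]
    return doc.get("success") is True, doc.get("error-codes", [])


def verify(secret, token, remote_ip=None, opener=urllib.request.urlopen):
    """Send the request; `opener` is injectable so the logic can be exercised offline."""
    req = build_siteverify_request(secret, token, remote_ip)
    try:
        with opener(req, timeout=5) as resp:
            return interpret(resp.status, resp.read())
    except urllib.error.HTTPError as exc:  # 400 and 405 replies land here
        return interpret(exc.code, b"")
    except urllib.error.URLError:
        return False, ["network-error"]
```

Treating anything other than a 200 with `success: true` as a failed captcha keeps a misconfigured call (like the 400 and 405 responses above) from being mistaken for a pass.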

Great news!

Glad to help you :)

Will you publish it on Forge as a component?



Once I get it all smoothed out I plan to.    It’s all a little hacky right now.

So I think it's about 95% of the way there.   The only thing I'm not 100% sure about is how I'm having to set the siteKey in the HTML element.  I tried using a variable from the web block but it's never in scope when the page renders so that data-siteKey was always blank and the widget would not render.

I ended up creating a client variable and then using that to populate the data-siteKey and it works.   I'm new to reactive web/mobile so I wasn't sure if this is the proper way to accomplish this or if I'm missing something obvious.