hCaptcha in OutSystems

Since ReCaptcha is moving to a pay model, I have been asked to look into implementing hCaptcha in OutSystems. Has anyone successfully done this?


Displaying the captcha via the UI seems relatively straightforward, but I'm running into problems with the server-side verification. The documentation states:

Do not send JSON data: the endpoint expects a standard URL-encoded form POST.

A simple test will look like this:

curl -d "response=CLIENT-RESPONSE&secret=YOUR-SECRET" -X POST https://hcaptcha.com/siteverify

When I try to consume the hcaptcha.com/siteverify method I cannot find any combination of inputs/values that results in a good test. Everything returns 400 Bad Request. Any suggestions?

Rank: #2

Hi Josh,

For starters, increase the REST service's logging level, and check what you're sending. This goes a long way to discovering what goes wrong. If you have results from that and need more help, please report back.

Rank: #459

Thank you for the tip, I got pulled off to look at something else but I'll circle back to this.  (hopefully next week)

Rank: #459

I finally was able to circle back to this.   I have been able to successfully load the hcaptcha script and get the user interface to function properly.   

Now I'm getting to the step where I need to do the server side verification of the user response, but when I try to consume the API I am getting a 405 error.   I haven't built the submit logic yet in this OML because it seems like the logical first step is to set up the REST service and verify that I get a successful test response.   The secret in the attached OML GetSiteVerify method is not valid but the user response is a good example from what I'm seeing in the h-captcha-response element in Chrome DevTools.   

Any idea what I might be missing here?   I would expect to get a 200 response with success: false if my secret or response value was invalid, not a 405.


Rank: #459

When I review the documentation it states that the parameters must be passed in the form body.   I also tried the URL as you did above but got the same 400 error.   

When I run the application and complete the captcha I can see this in DevTools (obviously the response changes for each successful captcha): 



The endpoint expects a POST request with two parameters: your secret API key and the h-captcha-response token POSTed from your HTML page. You can optionally include the user's IP address as an additional security check. Do not send JSON data: the endpoint expects a standard URL-encoded form POST.

Do not use a GET request to call /siteverify. Use a POST request, and pass the parameters in the form body, not the URL.

Rank: #459

I removed the www and flipped the response/secret around in the body and now I'm getting a 200 response.  Thanks so much for the feedback, I think I'm almost home with this now.
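The server-side check discussed above, as an added Python example that is not part of the original thread and not OutSystems or hCaptcha code: it builds the URL-encoded form POST the quoted documentation requires and treats anything other than HTTP 200 with `success: true` as a failed captcha. The function names and the sample values are assumptions; `remoteip` is the optional IP parameter name from the hCaptcha documentation, not from this thread.

```python
import json
import urllib.parse
import urllib.request

# URL taken from the curl test quoted in the thread (no "www").
SITEVERIFY_URL = "https://hcaptcha.com/siteverify"


def build_siteverify_request(secret, token, remote_ip=None):
    """Build the form-encoded POST the endpoint expects (never GET, never JSON)."""
    if not secret or not token:
        raise ValueError("secret and h-captcha-response token are both required")
    fields = {"response": token, "secret": secret}
    if remote_ip:
        fields["remoteip"] = remote_ip  # optional additional check
    # urlencode percent-escapes the values, so the token cannot break the body.
    body = urllib.parse.urlencode(fields).encode("ascii")
    return urllib.request.Request(
        SITEVERIFY_URL,
        data=body,  # parameters go in the body, not the URL
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


def is_verified(status, raw_body):
    """Fail closed: only HTTP 200 with JSON {"success": true} counts as a pass."""
    if status != 200:
        return False
    try:
        result = json.loads(raw_body)
    except (ValueError, TypeError):
        return False
    return isinstance(result, dict) and result.get("success") is True


def verify(secret, token, remote_ip=None, timeout=5):
    """Send the request; network errors and 400/405 replies are failures."""
    req = build_siteverify_request(secret, token, remote_ip)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return is_verified(resp.status, resp.read())
    except OSError:  # URLError and HTTPError are both OSError subclasses
        return False
```

Keep the secret on the server only; the browser should only ever see the site key and the response token.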

Rank: #459

Once I get it all smoothed out I plan to.    It’s all a little hacky right now.

Rank: #459

So I think it's about 95% of the way there.   The only thing I'm not 100% sure about is how I'm having to set the siteKey in the HTML element.  I tried using a variable from the web block but it's never in scope when the page renders so that data-siteKey was always blank and the widget would not render.

I ended up creating a client variable and then using that to populate the data-siteKey and it works.   I'm new to reactive web/mobile so I wasn't sure if this is the proper way to accomplish this or if I'm missing something obvious.