Umbraco Forms does not support updated Google reCAPTCHA

Google migrated all reCAPTCHA in a legacy format into the Google Cloud API Security Command Centre.
While these still operate in the old way, all new keys have to use the current V3 in the new manner.

There is no site key and private key pair now. There is only a site key and a verification process step. The method is very similar in implementation, but wherever the private key was used, only the site key is used.
Even the latest Umbraco Forms appears to still not support this, despite my seeing reports that even back in V9 people trying to use the Google Cloud Enterprise version had issues, with no real responses.

Implementing the steps as outlined by Google, with the key added to the Umbraco Forms appsettings, does not work.
I have implemented the front-end scripting component, which passes and correctly gets a response from Google, but the server-side aspect in Umbraco Forms fails to work.

Since this is now the standard way to make reCAPTCHA keys, Umbraco Forms needs to support the new method.

Hi @thenexus00,

Please can you raise it as a feature request on the Forms issue tracker? We’ll then discuss it internally and see if we can add it to an upcoming sprint.

For anyone who’s just finding out about this now - here’s a good overview of the changes.

Hi Rick - just in case you missed it Liam updated the existing issue.

Thanks.
I have done a detailed breakdown on what the changes are etc.

I did and I hope that is enough info to help.

Is there any ETA on this? At the moment the only solution looks to be to not use the provided reCAPTCHA and code this manually.

For anyone needing a solution for this…

  • I created an enterprise reCAPTCHA field and composer
  • I created a workflow and composer
  • My own Javascript
  • Appsettings config options as they differ from previous

This has allowed me to get things working since….

  • You have to do validation steps, there are no longer the sitekey and private key combo
  • You have to do both the front end and back end validation process during form submit but also the validation of the recaptcha itself
  • You have to have a google cloud API key in the process

Happy to share in a DM if people really need help.

Extra note:
The “Legacy” keys were migrated over and you can still use them if you are rebuilding a site, for example, but they have to have been V3-supported keys BEFORE they were migrated. If they were not, then you cannot use the latest reCAPTCHA with those keys and you have to make a new one, which runs this new process.

Have you used the score or checkbox based approach?

Wading through the typical Google documentation - some of it out of date - some of it AI bilge so might have some crossed wires.

What I was hoping to see in this upgrade is that if the user v3-style score fails there is an option to challenge the user with additional challenges - rather than just a hard fail. It looks like if I switch to the checkbox option that will happen - but wondered if you’d experimented with this?

Of course - all of this is the usual nightmare of trying to simulate the use case of a low score failure, which Google seems to point blank refuse to allow you to do / test.

I have some sites with Umbraco forms and some with recaptcha protecting custom forms so need a policy / approach.

Steve

I just made a brand new key in GCP.

If I go to the integration tab I see this message about integrating with 3rd party services (e.g. Umbraco), with a link to the legacy private key.

If your integration is already running, the link is here:

Worth noting too that the Enterprise API is a different implementation (with different billing implications), it’s not just the new way to use V3.

To that end, it should probably be implemented as a completely different field type.

Sorry for the slow reply, been very busy.

You are lucky you get that, because I checked and 100% do not get this option with the new keys. In either case, that option (whatever causes you to get it and not me) will likely not remain in place for long.

Sorry for the late reply, been so busy.

All the google interface stuff and the documentation is just a hot mess these days. Multiple documents on the same thing with some out of date and different information and I just hate all the UI stuff for all their dashboards.

As I mentioned I have a working custom workflow solution in place using the new stuff.

While Jason Elkin has shown he can get a legacy key, I tried doing the same and 100% do not get this. There must be some legacy account use case for this, but if you are lucky enough to get that option, it will eventually not be there.

When I have new accounts you only get the new key generation.

You still have a site key

You have to do this new pre-check from the source with Google as per the documentation to get a response back.

The Script URL is now this - https://www.google.com/recaptcha/enterprise.js?render=SITEKEY

```html
<input type="hidden" id="@inputId" name="g-recaptcha-response" class="recaptcha-hidden-input" />
<div class="recaptcha-sitekey" data-sitekey="@siteKey"></div>
```

The main JavaScript component is similar but does differ:

```js
// ready() takes a callback; the token is requested inside it for the LOGIN action
window.grecaptcha.enterprise.ready(async () => {
    const token = await window.grecaptcha.enterprise.execute(siteKey, { action: 'LOGIN' });
});
```

Server side now you just have:
https url of - recaptchaenterprise.googleapis.com/v1/projects/{projectId}/assessments?key={apiKey}

Your JSON package is basically:

```
token = token,
siteKey = siteKey,
expectedAction = "LOGIN"
```

And you get a response.

Nothing will work unless you do the pre-authorisation Login at least though. I had to make a bit of an extra Javascript post request on the site to get it going.

So for Umbraco forms….

  • New backend method not using the site and secret process
  • Some form of initial setup with the pre-authorisation done. What I said in GitHub was that it is probably a good time to introduce the forms setting dashboard and include this, and it can grow so that global form configuration is in there going forward.
  • The fieldtype is with the score
  • Slightly different Javascript and if updating that probably raw script not jQuery.

A separate form field type, like what I did for my custom solution called “reCaptcha V3 Enterprise”, can just be added with a different process to keep the other legacy solutions in place as well.
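The server-side step described in the post above, sketched as an added example (not part of the original post, and not Umbraco Forms or the poster's code). It builds the assessment request with the three fields nested under `event`, as the reCAPTCHA Enterprise assessments endpoint expects, and evaluates the response while failing closed. The `Verdict` names, the hostname check, the 0.5 threshold and the sample response are assumptions constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Text.Json;

// Constructed sample response (not real data), shaped like an Enterprise assessment.
const string sample = """
{
  "tokenProperties": { "valid": true, "action": "LOGIN", "hostname": "www.example.com" },
  "riskAnalysis": { "score": 0.3, "reasons": [] }
}
""";

Console.WriteLine(RecaptchaAssessment.BuildRequestBody("constructed-token", "SITEKEY", "LOGIN"));
Console.WriteLine(RecaptchaAssessment.Evaluate(sample, "LOGIN", "www.example.com", 0.5));

public enum Verdict { Allow, Challenge, Reject }

public static class RecaptchaAssessment
{
    // JSON body for POST https://recaptchaenterprise.googleapis.com/v1/projects/{projectId}/assessments?key={apiKey}
    public static string BuildRequestBody(string token, string siteKey, string expectedAction) =>
        JsonSerializer.Serialize(new { @event = new { token, siteKey, expectedAction } });

    // Fails closed: a malformed, invalid or mismatched assessment is always Reject.
    public static Verdict Evaluate(string json, string expectedAction, string expectedHost, double minScore)
    {
        try
        {
            using var doc = JsonDocument.Parse(json);
            var props = doc.RootElement.GetProperty("tokenProperties");
            // The token itself must be valid before anything else is trusted.
            if (!props.GetProperty("valid").GetBoolean()) return Verdict.Reject;
            // The token must have been issued for this action and this site.
            if (props.GetProperty("action").GetString() != expectedAction) return Verdict.Reject;
            if (!string.Equals(props.GetProperty("hostname").GetString(), expectedHost,
                    StringComparison.OrdinalIgnoreCase)) return Verdict.Reject;
            var score = doc.RootElement.GetProperty("riskAnalysis").GetProperty("score").GetDouble();
            // Low score: hand off to a secondary check instead of a hard fail.
            return score >= minScore ? Verdict.Allow : Verdict.Challenge;
        }
        catch (Exception ex) when (ex is JsonException or KeyNotFoundException or InvalidOperationException)
        {
            return Verdict.Reject;
        }
    }
}
```

The API key and project ID belong in server-side configuration only; the browser should see nothing beyond the site key.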

Have you tried using my uCaptcha plugin?

Cloudflare turnstile is a much better system

1 Like

This is in regards to Umbraco 16 and Umbraco forms 16. That package only goes up to Umbraco 13.

Version 6 works with 15+

Just had the same.. but it seems there are a couple of ways to add reCAPTCHA into the cloud console.. one way just got the new apiKey.. but the other way I see, like Jason, a way to get a legacy secret.. Though worryingly the two areas don’t seem to align, and show the apikeys from either…

https://console.cloud.google.com/security/recaptcha
vs
https://console.cloud.google.com/apis/api/recaptchaenterprise.googleapis.com

I tried this, I tried to fudge it and I could not honestly get it to work.

My custom Enterprise google recaptcha field is working well though so I am happy to continue to use this until its officially updated in Umbraco forms.

1 Like

Indeed.

I’m only using the “free” v3 API, not enterprise v1 - I think that’s the difference between what I and @thenexus00 are doing?

If you create (which I can at least) or migrate “free” v3 keys in GCP these will work in Umbraco Forms.

Enterprise v1 keys won’t work - which is to be expected, it’s a different API and different implementation.

I do see an “Upgrade” button in reCAPTCHA in GCP… I wonder if I go down that route if it will force me into using the Enterprise API?

What seems to be confusing (at least to me) though is that, unless I’m mistaken, the Google reCAPTCHA Enterprise API has been around since 2021 for better commercial implementation. v3 and v2 non-API have sat alongside it since then too..

Is the only real change here that the recaptcha v3 (non enterprise) has been moved in GCP.. and it’s somewhat hidden by the fact google try to get you to create enterprise?

So I’m not sure that Umbraco Forms will be updating the current v3 implementation, as it’s still there and still works (for new and existing).
So maybe there might be a new reCAPTCHA Enterprise uForms property to sit alongside the existing v2/v3 ones to match Google’s 3 offerings?

Google offers reCAPTCHA (v3 and v2) and reCAPTCHA Enterprise to help you protect your sites from fraudulent activities, spam, and abuse. To know more about the features of reCAPTCHA and reCAPTCHA Enterprise, see Comparison of features between reCAPTCHA versions.

Or perhaps I’m missing something around v3 captcha being legacy and slated for removal and replacement by recaptcha enterprise.
If anyone has that documentation and timelines I’d be very interested as that’s a few sites I need to go and touch :wink:

1 Like

This is not exactly correct and I got clarification from Google support.

Consolidation:
The move is similar to Google Maps a few years ago. The move is intended to put it all under the same API roof.

Payment path:
Again, similar to Google Maps and other Google features, they are working to a path where there is specific free use, but it has to be under an account with a card so warnings and billing can be applied for use past the free limits.

Interface, issues and naming:
They admit that the UI and documentation are not fully reflecting the intended implementation. To support the legacy keys there are some workarounds to get old-style keys. This is actually not intended. The naming with “Enterprise” is confusing, they agreed, but there is still free limit use.
They said as part of the evolution of reCaptcha the source verification stuff is what it will be going forward.

**Any workarounds to even generate V2 keys are not intended, so do not be surprised if you find all this locked down, and I would not ignore the updated direction of reCaptcha.**

2 Likes