I was just signing up for a new key for a site and noticed Google is currently pushing a beta of their reCAPTCHA v3 API.

The docs for the new API are outlined here, https://developers.google.com/recaptcha/docs/v3.

The API is "subject to change" yet, but I wanted to put v3 on the radar, as it was the first time I had seen it. I know we are still working on getting the newer Invisible reCAPTCHA fully implemented, but it would also be great to see the reCAPTCHA v3 API as a planned feature to implement into this module to keep up to speed on Google's current defenses against bots.

Thanks!
Jason

Comments

sk33lz created an issue. See original summary.

hass’s picture

I'm wondering how this should work. We can use captcha point name as action name...

This module does not provide a 2-factor login form that could be added when a score is low on the login form. Adding workflow logic to a score means this module becomes complex. We need to be able to add an individual score to every captcha point, and customizable actions based on score. If the score is bad the user does not need to select cats, dogs, signs. He cannot proceed, and what should we do then??? There is nothing a human can solve to authorize as human manually.

A totally new and interesting approach, but very difficult to implement in a generic way.

Patches welcome.

hass’s picture

Component: General » reCAPTCHA V3

kim.pepper’s picture

The API was released for general availability today. https://webmasters.googleblog.com/2018/10/introducing-recaptcha-v3-new-w...

alan d.’s picture

Issue tags: +Needs backport to D7

Interested too.

There seems to be a new bot posting spam (mostly related to adult dating) that started a few weeks back that's bypassing Google v2 with ease. It'd be interesting if v3 can handle these or if a more proactive method like third-party filtering like Akismet or CleanTalk is needed; or to develop a vastly improved server-side validation / filtering system like Antispam Bee for WP.

It was a sad day when Mollom died

grahamvalue’s picture

> There seems to be a new bot posting spam (mostly related to adult dating) that started a few weeks back that's bypassing Google v2 with ease

Absolutely!
The site was being hit by up to 200 of those comments every day.

Details and logs posted on #3012196: Spammers bypassing reCAPTCHA and log simply says "Unknown error"
Unfortunately, the log entry simply says "Unknown Error" when it happens.

Have simply disabled anonymous commenting for now since this version no longer stops automated spam.

alan d.’s picture

I saw that thread, but you will have to do some of the ground work investigating that.

i.e. It is very unlikely related, and probably due to some random obscure network issue or maybe an uncaught error back from Google.

You could test the following code and push this to the site that is having the issue, you may actually get a reason for the error. Re-open a separate new issue if the results are meaningful. Note code written has zero testing.

sites/all/modules/recaptcha/src/ReCaptcha/RequestMethod/Drupal7Post.php

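    $response = drupal_http_request(self::SITE_VERIFY_URL, $options);

    // Temporary debugging: dump the raw siteverify response to the watchdog log.
    // Note: $response->request holds the raw request that was sent, POST body
    // included, so this log entry will contain the reCAPTCHA secret key.
    // Remove the line once the error has been captured.
    watchdog('serenity1 debugging', 'Dumping from ReCaptcha/RequestMethod/Drupal7Post.php: <pre>' . var_export($response, TRUE) . '</pre>', array(), WATCHDOG_DEBUG);

    return isset($response->data) ? $response->data : '';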

i.e. the watchdog() bit is inserted

Logged to the watchdog table (assuming you have DB log enabled)

/admin/reports/dblog

grahamvalue’s picture

Thank you for the code!
Appreciate the effort.

But the log entry is not the real issue.
As you said, it may not even be related.

The main issue logged there is that the reCaptcha module is no longer stopping automated spam, as you yourself have mentioned above.

The original issue description even had a note that upgrading to v3 may solve the problem.

Anyway, as mentioned, anonymous commenting has been disabled for now.
So the commenting feature no longer depends on the reCaptcha module to stop spam.

Will just wait for reCaptcha to be upgraded to v3.

hass’s picture

I do not fully understand how the v3 API can help us protect a page against abusive users. The new API does not block the bad user/robot/spammer entering the site. This means we need to implement a blocking mechanism on our own, what is the intention of this new API. There are no images like cats/dogs/signs that need to be solved anymore. I have no idea why we need this and what "other" factors we should use from Drupal side to improve detection.

Some websites tell us we can add a 2-factor or mobile number verification page to stop the spammers. We do not have such code yet and I'm not sure if such code may exist somewhere. The blocking backend may be very complex. What is the right solution for one site is not the right for another.

I have never implemented 2-factor authentication in Drupal yet. Has anyone else or does someone know if we can reuse or integrate with other modules around like https://www.drupal.org/project/tfa? I guess if there is a 2-factor module it may only show up based on static configuration like captcha module today and not based on an action we set. I will create a case with TFA to ask for this.

I have no idea what other things we can do to block a spammer other than 2-factor authentication. Please share your ideas if you have.

Who will start implementing this?

rosinegrean’s picture

Hello,

For Drupal 7 there already is a module handling v3 for recaptcha here

How should we proceed: try to port that module (I've already created an issue for it) or update the current D8?

Thanks,

hass’s picture

That is an interesting idea. Let's integrate the logic then. We should just think how we can also have a 2-factor auth if someone needs it.

philsward’s picture

@hass Looking at the "recaptcha_v3" module, it appears that Google is taking a far less obtrusive approach to captcha in v3.

Google has a LOT of data that can detect human vs bot and they leverage that first, then give the developers the ability to create their own scoring system second if Google is too aggressive or not aggressive enough for your needs. It also allows the developers to create different captcha scoring based on the form, instead of "one size fits all" like v2 does and v3 is completely hidden from the user.

Regarding the recaptcha_v3 module, it does a nice job of handing off verification failure to another captcha method and in my case, I used the v2 version (this module). I simply created two different "sites" when I registered for keys and used v3 for one, v2 for the other, then have both the v2 & v3 modules setup on my Drupal site.

I'm coming off of Botcha which was killing ajax on my form, so I'm new to this but yes, I believe the v3 of recaptcha is the way to go with a fallback to v2. Hopefully you can find some good info on why v3 "is the way to go" and make some sound decisions on how to handle it here. :-) Maybe I'm completely off in my interpretation of what's going on under the hood, but I have a feeling that Google is using their AI systems to do a better job of detecting behavior instead of simply watching ignorant factors of "how quickly the form was filled out" or "did they submit a hidden value".

hass’s picture

I know that v3 gives smarter control.

The only issue is - if the score limit is hit - you need to give the real user a chance to authenticate. The Google score can be wrong and Google is often wrong.

This authentication needs to be safe against bots as otherwise a bot can solve the question easily. Switching to 2-factor auth is the safest solution and the fallback to recaptcha v2 is also acceptable. Without v2 I have no idea how to secure it, but who cares - this works. Let's go with it.

eelkeblok’s picture

Personally I think "offering options" could well be a next step. Akismet, for example, does very little except deciding spam or ham. I think you can choose to have comments added into a moderated queue or deleted outright, but that's about it (that was why Mollom was such a nice addition to the ecosystem; it allowed for an "unsure" state to show a captcha). The "MVP" for this feature I'd say is a threshold for the score that needs to be met for the submission to be accepted.

Maybe for the logic part, and taking more complex decisions, some sort of Rules integration makes sense. Another option could be to have upper and lower limits for what is considered "unsure", and then show an actual captcha. Some sort of verification based on TFA technologies could be interesting, but that actually sounds like something that could be an option for "an actual captcha". All the existing TFA options are geared towards logins, so I'm not sure how easy it would be to bend those into a CAPTCHA-like behaviour.
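
The score handling discussed in this thread (a threshold, an "unsure" band between a lower and an upper limit that shows a real captcha, and the captcha point name used as the v3 action), as an added example that is not part of the thread or of either module. The function name, the 0.3/0.7 limits, the `comment_form` action and the sample responses are assumptions.

```php
<?php
// Added example: not code from the reCAPTCHA or recaptcha_v3 modules.
// Function name, thresholds and sample responses are constructed.

/**
 * Turns a decoded v3 siteverify response into 'accept', 'challenge'
 * (show the v2 fallback) or 'reject'.
 */
function example_v3_decide(array $verify, $expected_action, $expected_host, $lower = 0.3, $upper = 0.7) {
  // Invalid, expired or reused token: there is no score to trust, so
  // hand over to the interactive challenge.
  if (empty($verify['success']) || !isset($verify['score']) || !is_numeric($verify['score'])) {
    return 'challenge';
  }
  // A token issued for another form (action) or another site
  // (hostname) says nothing about this submission.
  $action = isset($verify['action']) ? $verify['action'] : NULL;
  $host = isset($verify['hostname']) ? $verify['hostname'] : NULL;
  if ($action !== $expected_action || $host !== $expected_host) {
    return 'challenge';
  }
  $score = (float) $verify['score'];
  if ($score >= $upper) {
    return 'accept';
  }
  // Between the limits is "unsure"; below the lower limit is refused.
  return $score >= $lower ? 'challenge' : 'reject';
}

// Constructed responses in the shape siteverify returns for v3.
$base = array('success' => TRUE, 'action' => 'comment_form', 'hostname' => 'example.com');
$samples = array(
  'high score' => array('score' => 0.9) + $base,
  'unsure' => array('score' => 0.5) + $base,
  'low score' => array('score' => 0.1) + $base,
  'wrong action' => array('score' => 0.9, 'action' => 'login') + $base,
  'bad token' => array('success' => FALSE, 'error-codes' => array('invalid-input-response')),
);
foreach ($samples as $label => $verify) {
  printf("%-13s %s\n", $label, example_v3_decide($verify, 'comment_form', 'example.com'));
}
```

Passing `0.0` as `$lower` removes the reject branch, so every low-scoring visitor is shown the fallback challenge instead of being refused outright.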

vijaycs85’s picture

"Needs backport to D7" tag is misleading considering we don't have the feature in D8 yet.

greggmarshall’s picture

Just had a client ask for recaptcha V3, any idea when it might be supported?

jakubmroz’s picture

So based on the conversation the error I'm having
"ERROR for site owner: Invalid key type"
is related to reCaptcha v3 not being supported yet.
Isn't it?

majid.ali’s picture

Google reCAPTCHA v3 is an entirely different API and works totally differently from reCAPTCHA v2. Therefore it totally makes sense to create a separate module for reCAPTCHA v3, which should have a dependency only on the CAPTCHA module, but reCAPTCHA v2 can be used as a fallback challenge if Google returns a low score. I ended up porting this module to D8 https://www.drupal.org/project/recaptcha_v3 rather than patching the existing reCAPTCHA module. Please check and give reviews.

alan d.’s picture

idk, this makes perfect sense to me, even if an upgrade path is impossible

branch x.x-2.x => captcha 2.x
branch x.x-3.x => captcha 3.x

grahamvalue’s picture

#3012196: Spammers bypassing reCAPTCHA and log simply says "Unknown error" continues to persist.

Spammers seem to be able to bypass recaptcha V2 with ease.

This seems to be a common problem, and there are reports that recaptcha V3 is even less effective than V2.

Not sure what the solution is.

liam morland’s picture

Version: 8.x-2.x-dev » 8.x-3.x-dev