Recaptcha token should not be retrieved on page load

I just tested #2 and it works great:

Without the patch:

• Submitting the form 2min after it's loaded caused it to fail antibot validation.

With the patch:

• Token is retrieved on submit; no need to submit before 2 min.
• A form submitted normally works.
• Double clicking of the submit button doesn't seem to break the submission, as previous submissions show as cancelled in DevTools.
• A form submitted via AJAX works.

Tested in Chrome 83.0.4103.61.

As for code review, just a minor coding standards find:

+++ b/js/recaptcha_v3.js
@@ -6,6 +6,51 @@
+    provisionRecaptchaTokenElements(self, false,function() {

", function"

Updated patch #2 along with the changes suggested in #3, please review.

EDIT: confirmed, the triggering element is missing from the POST'ed form data :/.

@casey, are you fully sure of that? non-AJAX forms are working fine for me with #2:

1. I get the invisible reCaptcha check triggered when I try to submit the form, *before* the actual form submission is triggered.
2. The form submission contains the correct POST data (copied from DevTools/Network):

name: a@b.com
pass: 123
form_build_id: form--hQMhWA...
form_id: my_form
captcha_sid: 9876
captcha_token: -hfYGt5z....SOME-STRING
captcha_response: 03AGdB...VERY-LONG-STRING

Let me take a stab at this; I'll try to replace the onSubmit handlers with the one to handle reCaptcha v3 validation, then restore the other handlers and do form.requestSubmit(trigger) in the callback.

Oh, didn't check compatibility at the beginning... :(.

Is there any way to resolve the reCaptcha v3 in a synchronous manner for browsers not supporting requestSubmit() and .submitter? if that's possible, then the submission blocks until the token is resolved, then just let the submission flow continue as normal; now, for this to work, I'm assuming that the form submission picks up the new data, set on-the-fly.

Alright, I managed to get 'op' parameter be preserved on non-AJAX submissions; I just injected a hidden input to mirror the submit button that was clicked, since formElement.submit() only ignores [type=submit] elements.

Quick checks on an AJAX submitted form showed it still working fine.

Tested on Chrome 83.

Updated patch to not assume a specific name attribute of the submit button.

@casey: although I considered your idea about refreshing the token every 60 seconds, I didn't try that approach since it would have required quite a big refactor of the patch. #17 was done trying to leverage the previous work as much as possible.

Thanks, applied.

Could we please also get this done on the D7 version?

I'll do a patch shortly backporting the #19 for D7 and upload here.

I can confirm #20 + #25 work for me, tested on D 8.9, in a form submitted via AJAX.