Why does the Google ReCaptcha API accept a wrong secret key and/or a wrong user response token?

  •  0
  • JarsOfJam-Scheduler  · Tech community  · 5 years ago

    Look at the code below. This is the server side. As you can see, I call the Google ReCaptcha API with a wrong secret key and a wrong user response token. You know what? It worked! More precisely: the Google ReCaptcha API did not answer with an exception (i.e.: my `catch` was not reached). Why? That is not the expected behaviour, right?

    const functions = require('firebase-functions');
    const rp = require('request-promise');

    /**
     * Verifies a Recaptcha filled by the user in his Android app.
     * 1. Success: returns the JSON response
     * 2. Failure: throws the error
     **/
    exports.verifyRecaptcha = functions.https.onCall((data, context) => {
    
        const user_response_token = data.userResponseToken;
        // Reject undefined as well as null and the empty string.
        if(!user_response_token) {
            throw new functions.https.HttpsError('invalid-argument', 'The function must be called with an adequate user response token.');
        }
    
        const remote_url = 'https://recaptcha.google.com/recaptcha/api/siteverify';  // Original value: 'https://www.google.com/recaptcha/api/siteverify';  #  Moises' value: https://recaptcha.google.com/recaptcha/api/siteverify
        const secret = '<MY_REAL_SECRET_KEY>';
    
        var options = {
            method: 'POST',
            uri: remote_url,
            // Deliberately wrong secret and token, to see whether Google rejects them.
            body: {secret: 'Foo', response: 'Bar'},
            // body: {secret: secret, response: user_response_token},
            json: true
        };
    
        return rp(options)
                .then(parsedBody => {
                    return {code: 'Success', message: 'You are actually a human (this msg is for test purposes).'};
                })
                .catch(error => {
                    throw new functions.https.HttpsError('unknown', error);
                });
    });
    

    Here is the Android app code:

    // `task` is the completed SafetyNet reCAPTCHA task; `context` is the Activity
    // and `callback` the caller's listener.
    final SafetyNetApi.RecaptchaTokenResponse response = task.getResult();
    assert response != null;
    final String userResponseToken = response.getTokenResult();
    if (!userResponseToken.isEmpty()) {
        final HashMap<String, String> the_data = new HashMap<>();
        the_data.put("userResponseToken", userResponseToken);
        FirebaseFunctions.getInstance()
                .getHttpsCallable("verifyRecaptcha")
                .call(the_data)
                .continueWith(new Continuation<HttpsCallableResult, Void>() {
                    @Override
                    public Void then(@NonNull final Task<HttpsCallableResult> task) {
                        // The Activity may have gone away while the call was in flight.
                        if(context.isDestroyed() || context.isFinishing()) {
                            return null;
                        }
    
                        if(!task.isSuccessful()) {
                            Exception e = task.getException();
                            if (e instanceof FirebaseFunctionsException) {
                                FirebaseFunctionsException ffe = (FirebaseFunctionsException) e;
                                System.out.println(ffe.getMessage());
                            }
    
                            return null;
                        }
    
                        callback.onAsking();
                        return null;
                    }
                });
    } else {
        callback.onFailureUserResponseTokenIsEmpty();
    }
    
    
    0 replies  |  until 5 years ago
        1
  •  1
  •   greeble31    5 years ago

    The docs suggest that the errors `invalid-input-secret` / `invalid-input-response` will appear in the `error-codes` field of the response.

    This information does not necessarily need to be translated into an HTTP error code (which would cause the `catch` block to execute); in this case Google apparently wants to support multiple simultaneous error messages, and HTTP response codes are more about HTTP-level protocol behaviour.

    While we are looking at the docs, I should point out that you probably want to check the `success` field before assuming your user is human.
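    As an added example (not code from the question, the answer, or Google), here is the server-side decision the answer describes, in JavaScript: the HTTP call to siteverify completes normally, so the verdict has to come from the JSON body's `success` and `error-codes` fields. The error code names are the ones documented for siteverify; the network call is injected so the logic runs offline against a constructed stand-in for the endpoint, and the `VALID_SECRET` / `VALID_TOKEN` values and the `verifyToken` helper are assumptions made for the example.

```javascript
'use strict';
// Added example, not the question's, the answer's or Google's code.
// Interprets a reCAPTCHA siteverify response instead of relying on the
// HTTP promise resolving, which it does even for a wrong secret or token.

const SITEVERIFY_URL = 'https://recaptcha.google.com/recaptcha/api/siteverify';

// Error codes documented for siteverify, grouped by who is at fault.
const SERVER_SIDE_CODES = new Set(['missing-input-secret', 'invalid-input-secret', 'bad-request']);
const CLIENT_SIDE_CODES = new Set(['missing-input-response', 'invalid-input-response', 'timeout-or-duplicate']);

// Pure decision over the parsed JSON body: {success, challenge_ts, hostname, "error-codes"}.
function interpretSiteverify(body) {
  if (!body || typeof body.success !== 'boolean') {
    return { verdict: 'malformed', errorCodes: [] };
  }
  const errorCodes = Array.isArray(body['error-codes']) ? body['error-codes'] : [];
  if (body.success === true) {
    return { verdict: 'human', errorCodes };
  }
  // A bad secret is our misconfiguration, not the user's fault: surface it
  // separately so it is not logged as "bot traffic".
  if (errorCodes.some((code) => SERVER_SIDE_CODES.has(code))) {
    return { verdict: 'server-misconfigured', errorCodes };
  }
  // invalid-input-response, timeout-or-duplicate, or success:false with no code at all.
  return { verdict: 'rejected', errorCodes };
}

// Maps a verdict to the Firebase HttpsError code the Android client would see
// ('ok' means nothing is thrown). Codes are the standard gRPC-style ones
// accepted by functions.https.HttpsError.
function toHttpsErrorCode(verdict) {
  switch (verdict) {
    case 'human': return 'ok';
    case 'rejected': return 'permission-denied';
    case 'server-misconfigured': return 'internal';
    default: return 'unknown';
  }
}

// `postForm(url, fields)` is injected so this runs offline; in production it
// would be rp({ method: 'POST', uri, form: fields, json: true }) or fetch().
async function verifyToken(postForm, secret, userResponseToken) {
  if (typeof userResponseToken !== 'string' || userResponseToken === '') {
    return { verdict: 'rejected', errorCodes: ['missing-input-response'] };
  }
  const body = await postForm(SITEVERIFY_URL, { secret, response: userResponseToken });
  return interpretSiteverify(body);
}

// Constructed stand-in for Google's endpoint (assumption for the example):
// it never fails at the HTTP level and reports problems only in error-codes.
const VALID_SECRET = 'constructed-secret';
const VALID_TOKEN = 'constructed-token';
async function fakeSiteverify(_url, fields) {
  const errorCodes = [];
  if (fields.secret !== VALID_SECRET) errorCodes.push('invalid-input-secret');
  if (fields.response !== VALID_TOKEN) errorCodes.push('invalid-input-response');
  return errorCodes.length === 0
    ? { success: true, challenge_ts: '2020-01-01T00:00:00Z', hostname: 'example.com' }
    : { success: false, 'error-codes': errorCodes };
}

// Reproduces the question's experiment: secret 'Foo', token 'Bar'.
verifyToken(fakeSiteverify, 'Foo', 'Bar').then((result) => {
  console.log(result.verdict, result.errorCodes, '->', toHttpsErrorCode(result.verdict));
});
```

    Note that siteverify reads `secret` and `response` as POST form parameters; with request-promise that is `form: {...}` rather than `body: {...}` with `json: true`, which would send a JSON document Google does not parse.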