
ABP reCaptcha #553


nick.pham-mwp created

Check the docs before asking a question: https://docs.abp.io/en/commercial/latest/

  • followed https://support.abp.io/QA/Questions/489/How-to-enable-reCaptcha-in-ABP but still have issues.
  • ABP Support recommended that I create another commercial support ticket for further help (e.g. some configuration, which is not listed on the original ticket, might be missing??).

Check the samples, to see the basic tasks: https://docs.abp.io/en/commercial/latest/samples/index The exact solution to your question may have been answered before, please use the search on the homepage.

  • found a page https://docs.abp.io/en/commercial/latest/modules/account on 2FA and Social Logins.
    • maybe ABP reCaptcha could potentially be documented here too in near future
  • unfortunately, I could not find any documentation or (other) support ticket re ABP reCaptcha

Details:

  • ABP Framework version: v3.3.0
  • UI type: Angular and MVC (both Blazor and Razor)
  • Tiered (MVC) or Identity Server Separated (Angular): yes
  • Exception message and stack trace:
  • Steps to reproduce the issue:
    • followed exactly the steps documented in https://support.abp.io/QA/Questions/489/How-to-enable-reCaptcha-in-ABP.
      • Angular UI does not have reCaptcha options available
        • ABP Support confirmed this will be addressed in v4.0
      • Razor UI does have reCaptcha options available but I cannot set/clear any value at all in local environments.
        • My team is using Angular UI, therefore we do not have Razor UI in our (public/shared) test environment (with a registered domain and SSL certs and registered reCaptcha key-secret).
        • Maybe ABP Support can kindly please help me with this in this ticket as well, please.
      • Used Swagger API to set/clear reCaptcha options for now
      • I would like to emphasize this again: reCaptcha options are set via Swagger API for now, not via any UI
        • this is sort of a hack, I know, to make it work
        • maybe I missed configuring something while doing this?
    • Regardless of UI (Angular, Razor, Blazor all do not matter here I think), the login form comes from IdentityServer project. However, there is no way we can provide our answer there to bypass the ABP reCaptcha validation, either in our test or local environments, therefore, we cannot log in at all even though we provide the correct credentials
    • more details can be found in https://support.abp.io/QA/Questions/489/How-to-enable-reCaptcha-in-ABP

If something must be configured to make ABP reCaptcha work properly, could ABP Support please provide me with detailed steps and screenshots in their answer here and in the original ticket https://support.abp.io/QA/Questions/489/How-to-enable-reCaptcha-in-ABP so that everyone (else) can follow, please?

My apologies for bothering you many times on this easy feature, but I honestly do not know how to make it all work properly.

Your kind help is greatly appreciated. Thanks.


10 Answer(s)
  • liangshiwei created
    Support Team Fullstack Developer

    Hi,

    I use the application you provided. It works fine.

    See https://developers.google.com/recaptcha

    reCAPTCHA v3 helps you detect abusive traffic on your website without user interaction. Instead of showing a CAPTCHA challenge, reCAPTCHA v3 returns a score so you can choose the most appropriate action for your website.

    If you want a captcha check box, you need to use version 2.

  • nick.pham-mwp created

    Hi @liangshiwei,

    You misunderstand my question.

    • If you can log in successfully, great, but it is not the point.
    • Google ReCaptcha does NOT run when you can provide correct credentials
    • Google ReCaptcha only runs when you provide wrong credentials a few times (maybe 3 times)

    My question is why Google ReCaptcha is not visible for me to:

    • see their challenge
    • provide my answer(s) to their challenge
    • pass their validation

    When Google ReCaptcha is visible, it does not matter if I provide correct or wrong credentials. Google must validate my answer(s) to their own challenge first.

    • if I pass their validation
      • if I provide correct credentials
        • I can log in
      • if I provide wrong credentials
        • I cannot log in
    • if I do NOT pass their validation
      • I will see another challenge

    The issue here is Google ReCaptcha is not visible mate

      • In this test, I did not provide any captcha answer since there is NO way for me to do so
        • I can only provide the username and password, then click login
        • Google ReCaptcha validation failed obviously since there is NO ANSWER
        • Hence, the error message
      • In this test, where is the ReCaptcha checkbox????
        • the ReCaptcha checkbox does NOT exist. How can I check the box????????
  • liangshiwei created
    Support Team Fullstack Developer

    See https://developers.google.com/recaptcha

    reCAPTCHA v3 helps you detect abusive traffic on your website without user interaction. Instead of showing a CAPTCHA challenge, reCAPTCHA v3 returns a score so you can choose the most appropriate action for your website.

    If you want a captcha check box, you need to use version 2.

    But you are right, I will update the localization message.

  • nick.pham-mwp created

    Hi @liangshiwei,

    Thank you for your kind clarification.

    Google ReCaptcha version 2 is working now. Much appreciated for your kind help.

    However, I would like to know more about how ABP integrates with Google ReCaptcha version 3 as well. I think ABP have tested it before according to your first 2 screenshots in ticket https://support.abp.io/QA/Questions/489/How-to-enable-reCaptcha-in-ABP.

    I have followed the documentation you gave me above:

    • https://developers.google.com/recaptcha/docs/v3

    I have not defined any action yet, and please correct me if I am wrong, I think I should not be blocked by the Google ReCaptcha version 3:

    • the score is good according to Google report
    • however, it still asks me to pass the challenge (which challenge??)

    Could you please show us how ABP did test the Google ReCaptcha version 3 before? I would love to learn more from you, please.

    Thank you.

  • liangshiwei created
    Support Team Fullstack Developer

    ABP uses the default threshold of 0.5. If the score is less than 0.5, you will get "Incorrect captcha answer". If the captcha response is null, you will get "Please check the reCAPTCHA box".

    However, the logic is correct, but the error message needs to be changed. I will fix it in v4.1.

  • nick.pham-mwp created

    Hi @liangshiwei,

    Thanks for your kind confirmation. I look forward to seeing the correct localisation messages in v4.1.

    May I ask other questions to be clear, please:

    • I have not declared any actions on Google ReCaptcha version 3 yet, but the first time I loaded the captcha I got "Please check the reCAPTCHA box" (possibly due to null response) and subsequent login requests in the first hour using Google ReCaptcha version 3 resulted in "Incorrect captcha answer" (possibly due to score lower than 0.5). Does this mean this is the business logic already implemented by ABP? Can we customise this (and how can we) if we need to?
    • If I want to declare any actions on Google ReCaptcha version 3 in near future, will I have to declare actions for scores greater than 0.5? Because all scores less than 0.5 are rejected by ABP to show "Incorrect captcha answer" already.

    Please correct me if I am wrong. Your kind response is greatly appreciated, please.

    Thanks

  • liangshiwei created
    Support Team Fullstack Developer

    Hi,

    Your understanding is incorrect. Action is the classification of verification. ABP has defined actions.

    Login:

    Register:

    You can implement your own logic by customizing the module.

  • nick.pham-mwp created

    Hi @liangshiwei,

    Thank you for your patience in correcting my understanding. I really appreciate your kind help.

    Can you please confirm where ABP declares the 2 actions login and register, please?

    • Are those actions declared on ABP Google ReCaptcha version 3 profile settings (Google system)?
    • Or inside ABP Module(s) (ABP Framework).

    Can you please provide me with some more screenshots to see how those 2 actions are declared/configured by ABP please, if you do not mind?

    My apologies for keeping asking the same question, but as I mentioned a few times earlier, I have not declared any action in my Google ReCaptcha version 3 profile settings, so I think I should NOT see the "Incorrect captcha answer" (possibly due to score lower than 0.5) as per my screenshot above.

    • Your tests were all good because when you tested our website, you possibly received the score greater than 0.5 from Google already.
    • I understand the localization message will be corrected in v4.1. I am asking about the logic here for when scores are lower than 0.5 with no action declared on my Google profile.

    Maybe we can arrange a remote session so that I could get your visual help to clear my mind (I am a bit slow sorry), please?

    Thank you

  • liangshiwei created
    Support Team Fullstack Developer

    Hi,

    ABP defines actions on the login and registration pages, but I don't think this is worth noting, it is just a captcha classification and nothing special.

    ABP uses the reCAPTCHA library, you can see the repo for more.

    "I am asking about the logic here for when scores are lower than 0.5 with no action declared on my Google profile."

    Sorry, I don't understand what you mean.

    Yes, we can do a remote session. You can email me if you are free.

  • nick.pham-mwp created

    Hi @liangshiwei,

    Thank you so much for your time and kind help during the remote session today. Much appreciated.

    I have understood Google ReCaptcha version 3 and how it is implemented in ABP Framework now. Thank you.

    I just would like to capture what we agreed upon earlier re potential upcoming changes in future ABP releases here:

    • ABP currently supports 2FA and Email/Phone Verification but the 2 features are not integrated with Google ReCaptcha in ABP version 3.x.x.
    • ABP will adjust their callback, which currently throws the "Incorrect captcha answer" exception on low scores, to allow end-users to use 2FA (via either email, SMS, or authenticator) and Email/Phone Verification instead on low scores (even if the 2 features are not enforced by admin users).
    • ABP possibly would provide options to configure a custom callback for developers to handle low scores in future releases.

    Thanks
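
The server-side decision discussed in this thread (null response, score below the 0.5 threshold, action classification, and the low-score handling proposed in the last post), sketched as an added example; this is not ABP's code or part of any post above. The function name, the outcome labels, the `step_up` policy and rejecting an action mismatch with the same message are assumptions; `success`, `score`, `action` and `error-codes` are the fields of Google's siteverify reply.

```python
import json

THRESHOLD = 0.5  # default threshold stated in the thread

# The two messages quoted in the thread
MSG_MISSING = "Please check the reCAPTCHA box"
MSG_INCORRECT = "Incorrect captcha answer"


def evaluate(token, verify_json, expected_action, low_score_policy="reject",
             threshold=THRESHOLD):
    """Return (outcome, message) for one login or register attempt.

    token            -- value the browser posted (None/"" if no response)
    verify_json      -- raw JSON body returned by the siteverify endpoint
    expected_action  -- action the page was rendered with, e.g. "login"
    low_score_policy -- "reject" (behaviour described for ABP 3.x) or
                        "step_up" (hypothetical: hand off to 2FA instead)
    """
    if not token:
        return "missing", MSG_MISSING
    try:
        result = json.loads(verify_json)
    except (TypeError, ValueError):
        return "error", MSG_INCORRECT  # fail closed on an unparsable reply
    if not isinstance(result, dict) or result.get("success") is not True:
        return "invalid", MSG_INCORRECT  # expired, reused or forged token
    if result.get("action") != expected_action:
        return "wrong_action", MSG_INCORRECT  # token issued for another page
    score = result.get("score")
    if isinstance(score, bool) or not isinstance(score, (int, float)):
        return "error", MSG_INCORRECT
    if score < threshold:
        if low_score_policy == "step_up":
            return "step_up", None
        return "low_score", MSG_INCORRECT
    return "pass", None


# Constructed siteverify replies (not captured from a real site)
SAMPLES = {
    "good": '{"success": true, "score": 0.9, "action": "login"}',
    "low": '{"success": true, "score": 0.3, "action": "login"}',
    "cross": '{"success": true, "score": 0.9, "action": "register"}',
    "expired": '{"success": false, "error-codes": ["timeout-or-duplicate"]}',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, evaluate("tok", body, "login"))
```

With `low_score_policy="reject"` a legitimate user who scores under the threshold has no way forward, which is the situation the last post proposes to relax.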

Made with ❤️ on ABP v9.1.0-preview. Updated on December 10, 2024, 06:38