Download the PHP package darkghosthunter/captchavel without Composer
On this page you can find all versions of the php package darkghosthunter/captchavel. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.
Download darkghosthunter/captchavel
More information about darkghosthunter/captchavel
Files in darkghosthunter/captchavel
Package captchavel
Short Description Integrate reCAPTCHA into your Laravel application better than the Big G itself!
License MIT
Homepage https://github.com/darkghosthunter/captchavel
Informations about the package captchavel
Package superseded by Laragear/ReCaptcha
Captchavel
Integrate reCAPTCHA into your Laravel app better than the Big G itself!
It uses your Laravel HTTP Client async HTTP/2, making your app fast. You only need a couple of lines to integrate.
Requirements
- Laravel 8.x, or later
- PHP 8.0 or later
If you need support for old versions, consider sponsoring or donating.
Installation
You can install the package via Composer:
Set up
Add the reCAPTCHA keys for your site to the environment file of your project. You can add each of them for reCAPTCHA v2 checkbox, invisible, Android, and score.
If you don't have one, generate it in your reCAPTCHA Admin panel.
This allows you to check different reCAPTCHA mechanisms using the same application, in different environments.
Captchavel already comes with v2 keys for local development. For v3, you will need to create your own set of credentials.
Usage
Usage differs based on if you're using checkbox, invisible, or Android challenges, or the v3 score-driven challenge.
Checkbox, invisible and Android challenges
After you integrate reCAPTCHA into your frontend or Android app, set the Captchavel middleware in the POST
routes where a form with reCAPTCHA is submitted. The middleware will catch the g-recaptcha-response
input (you can change it later) and check if it's valid.
To declare the middleware, use the ReCaptcha
helper to ease your development pain:
ReCaptcha::checkbox()
for explicitly rendered checkbox challenges.ReCaptcha::invisible()
for invisible challenges.ReCaptcha::android()
for Android app challenges.
Laravel 8.69 or below need to cast the object as a string.
Remembering challenges
To avoid a form asking for challenges over and over again, you can "remember" the challenge for a given set of minutes. This can be enabled globally, but you may prefer to do it in a per-route basis.
Simple use the remember()
method to use the config defaults. It accepts the number of minutes to override the global parameter. Alternatively, rememberForever()
will remember the challenge forever.
You should use this in conjunction with the @unlesschallenged
directive in your Blade templates to render a challenge when the user has not successfully done one before.
Good places to remember a challenge for some minutes are forms which are expected to fail, or when you have multiple forms the user may jump between.
Changing the input name
You can change the input name from g-recaptcha-response
, which is the default, to anything using input()
.
Score-driven challenge
The reCAPTCHA v3 middleware works differently from v2. This response is always a success, but the challenge scores between 0.0
and 1.0
. Human-like interaction will be higher, while robots will score lower. The default threshold is 0.5
, but this can be changed globally or per-route.
To start using it, simply use the ReCaptcha::score()
method to your route.
Once the challenge has been received in your controller, you will have access to two methods from the Request class or instance: isHuman()
and isRobot()
, which return true
or false
:
You can also have access to the response from reCAPTCHA using the response()
method of the Captchavel
facade:
Threshold, action and input name
The middleware accepts three additional parameters using the middleware helper.
threshold()
: The value that must be above or equal to be considered human.action()
: The action name to optionally check against.input()
: The name of the reCAPTCHA input to verify.
When checking the action name, ensure your frontend action matches with the expected in the middleware.
Bypassing on authenticated users
Sometimes you may want to bypass reCAPTCHA checks when there is an authenticated user, or automatically receive it as a "human" on score-driven challenges, specially on recurrent actions or when the user already completes a challenge (like on logins).
To exclude authenticated user you can use forGuests()
, and specify the guards if necessary.
Then, in your blade files, you can easily skip the challenge with the @guest
or @auth
directives.
Faking reCAPTCHA scores
You can easily fake a reCAPTCHA response score in your local development by setting CAPTCHAVEL_FAKE
to true
.
This environment variable changes the reCAPTCHA Factory for a fake one, which will fake successful responses from reCAPTCHA, instead of resolving real challenges.
From there, you can fake a robot response by filling the is_robot
input in your form.
Frontend integration
Check the official reCAPTCHA documentation to integrate the reCAPTCHA script in your frontend, or inside your Android application.
You can use the captchavel()
helper to output the site key depending on the challenge version you want to render: checkbox
, invisible
, android
or score
(v3).
You can also retrieve the key using
android
for Android apps.
Advanced configuration
Captchavel is intended to work out-of-the-box, but you can publish the configuration file for fine-tuning the reCAPTCHA verification.
You will get a config file with this array:
Enable Switch
By default, Captchavel is disabled, so it doesn't check reCAPTCHA challenges, and on score-driven routes, it will always resolve as human interaction.
You can enable it with the CAPTCHAVEL_ENABLE
environment variable.
This can be handy to enable on some local or development environments to check real interaction using the included localhost test keys, which only work on localhost
.
When switched off, the reCAPTCHA v2 challenges are not validated in the Request input, so you can safely disregard any frontend script or reCAPTCHA tokens or boxes.
Fake responses
If Captchavel is fake v3-score responses from reCAPTCHA servers. For v2 challenges, setting this to true
bypasses the challenge verification.
This is automatically set to
true
when running unit tests.
Hostname and APK Package Name
If you are not verifying the Hostname or APK Package Name in your reCAPTCHA Admin Panel, may be because you use multiple hostnames or apps, you will have to issue them in the environment file.
When the reCAPTCHA response from the servers is retrieved, it will be checked against these values when present. In case of mismatch, a validation exception will be thrown.
Threshold
The default threshold to check against reCAPTCHA v3 challenges. Values equal or above will be considered "human".
If you're not using reCAPTCHA v3, or you're fine with the default, leave this alone. You can still override the default in a per-route basis.
Remember
Remembering the user once a V2 challenge is successful is disabled by default.
It's recommended to use a per-route basis "remember" if you expect only some routes to remember challenges, instead of the whole application.
This also control how many minutes to set the "remember". When zero, the "remember" will last until the session is destroyed or no longer valid.
Credentials
Here is the full array of reCAPTCHA credentials to use depending on the version. Do not change the array unless you know what you're doing.
Testing Score with Captchavel
On testing, when Captchavel is disabled or enabled but faked, routes set with the v2 middleware won't need to input the challenge in their body as it will be not verified.
reCAPTCHA v3 (score) responses Captchavel is disabled. This guarantees you can always access the response in your controller.
To modify the score in your tests, you should PHPUnit environment section. If you use another testing framework, refer to its documentation.
Alternatively, you can change the configuration before your unit test:
When faking challenges, there is no need to add any reCAPTCHA token or secrets in your tests.
When using reCAPTCHA v3 (score), you can fake a response made by a human or robot by simply using the fakeHuman()
and fakeRobot()
methods, which will score 1.0
or 0.0
respectively for all subsequent requests.
Fake responses don't come with actions, hostnames or APK package names, so these are not validated.
Faking Scores manually
Alternatively, fakeScore()
method will fake responses with any score you set.
Security
If you discover any security related issues, please email [email protected] instead of using the issue tracker.
License
The MIT License (MIT). Please see License File for more information.
All versions of captchavel with dependencies
ext-json Version *
illuminate/support Version ^8.0
illuminate/http Version ^8.0
illuminate/routing Version ^8.0
illuminate/container Version ^8.0
illuminate/events Version ^8.0
guzzlehttp/guzzle Version ^7.4.0