Android reCAPTCHA: 验证用户响应:所有函数必须在客户端调用!我可以使用我的后端吗?
Android reCAPTCHA: Verifying the user's response: all the functions must be called client-side! Can I use my backend however?
我想验证我的 Android 用户的 reCAPTCHA。所以我正在阅读此文档:https://developers.google.com/recaptcha/docs/verify:
For Android library users, you can call the SafetyNetApi.RecaptchaTokenResult.getTokenResult() method to get response token if the status returns successful.
在这个函数的手册中,关于getTokenResult(https://developers.google.com/android/reference/com/google/android/gms/safetynet/SafetyNetApi.RecaptchaTokenResult.html#getTokenResult())的描述如下:
Gets the reCAPTCHA user response token, which must be validated by calling the siteverify method described in Verify the user's response.
siteverify函数的手册描述如下(https://developers.google.com/android/reference/com/google/android/gms/safetynet/SafetyNetClient.html#verifyWithRecaptcha(java.lang.String)):
Provides user attestation with reCAPTCHA.
If reCAPTCHA is confident that this is a real user on a real device it will return a token with no challenge. Otherwise it will provide a visual/audio challenge to attest the humanness of the user before returning a token.
我的问题
我想使用我的后端服务器 (Cloud Functions) 来验证 reCAPTCHA。但是,根据 Android 文档,上述所有功能似乎都放在客户端。事实上,siteverify 应该使用 getTokenResult 获得的令牌来调用,并且两者似乎都是 Android SecureNET ReCAPTCHA Android API...
不过,我觉得使用Cloud Functions会更安全!但是我可以使用我的后端吗?
编辑:在 Cloud Functions 中对 siteverify 的后端调用
exports.verifyRecaptcha = functions.https.onRequest((request, response) => {
const user_response_token = request.query.user_response_token;
if(user_response_token == '') {
throw new functions.https.HttpsError('invalid-argument', 'The function must be called with an adequat user response token.');
}
const remote_url = 'https://www.google.com/recaptcha/api/siteverify';
const secret = null;
request.post({url: remote_url, form:{secret: secret, response: user_response_token}}, function(error, response, body) {
if(error) {
throw new functions.https.HttpsError('unknown', error);
}
if(!response.statusCode != 200) {
throw new functions.https.HttpsError('unknown', 'Something went wrong. Status code: ' + response.statusCode + '.');
}
if(!body.success) {
throw new functions.https.HttpsError('unknown', 'Unable to verify this captcha.');
}
return response;
});
});
您可以获取从 getTokenResult() 返回的令牌,将其发送到您的后端,并让您的后端调用 Web API 版本的 siteverify:
https://www.google.com/recaptcha/api/siteverify
我想验证我的 Android 用户的 reCAPTCHA。所以我正在阅读此文档:https://developers.google.com/recaptcha/docs/verify:
For Android library users, you can call the SafetyNetApi.RecaptchaTokenResult.getTokenResult() method to get response token if the status returns successful.
在这个函数的手册中,关于getTokenResult(https://developers.google.com/android/reference/com/google/android/gms/safetynet/SafetyNetApi.RecaptchaTokenResult.html#getTokenResult())的描述如下:
Gets the reCAPTCHA user response token, which must be validated by calling the siteverify method described in Verify the user's response.
siteverify函数的手册描述如下(https://developers.google.com/android/reference/com/google/android/gms/safetynet/SafetyNetClient.html#verifyWithRecaptcha(java.lang.String)):
Provides user attestation with reCAPTCHA.
If reCAPTCHA is confident that this is a real user on a real device it will return a token with no challenge. Otherwise it will provide a visual/audio challenge to attest the humanness of the user before returning a token.
我的问题
我想使用我的后端服务器 (Cloud Functions) 来验证 reCAPTCHA。但是,根据 Android 文档,上述所有功能似乎都放在客户端。事实上,siteverify 应该使用 getTokenResult 获得的令牌来调用,并且两者似乎都是 Android SecureNET ReCAPTCHA Android API...
不过,我觉得使用Cloud Functions会更安全!但是我可以使用我的后端吗?
编辑:在 Cloud Functions 中对 siteverify 的后端调用
exports.verifyRecaptcha = functions.https.onRequest((request, response) => {
const user_response_token = request.query.user_response_token;
if(user_response_token == '') {
throw new functions.https.HttpsError('invalid-argument', 'The function must be called with an adequat user response token.');
}
const remote_url = 'https://www.google.com/recaptcha/api/siteverify';
const secret = null;
request.post({url: remote_url, form:{secret: secret, response: user_response_token}}, function(error, response, body) {
if(error) {
throw new functions.https.HttpsError('unknown', error);
}
if(!response.statusCode != 200) {
throw new functions.https.HttpsError('unknown', 'Something went wrong. Status code: ' + response.statusCode + '.');
}
if(!body.success) {
throw new functions.https.HttpsError('unknown', 'Unable to verify this captcha.');
}
return response;
});
});
您可以获取从 getTokenResult() 返回的令牌,将其发送到您的后端,并让您的后端调用 Web API 版本的 siteverify:
https://www.google.com/recaptcha/api/siteverify