Android reCAPTCHA: Verifying the user's response: all the functions must be called client-side! Can I use my backend however?

I want to verify the reCAPTCHA of my Android users. So I am reading this documentation: https://developers.google.com/recaptcha/docs/verify:

For Android library users, you can call the SafetyNetApi.RecaptchaTokenResult.getTokenResult() method to get response token if the status returns successful.

In the manual for this function, getTokenResult (https://developers.google.com/android/reference/com/google/android/gms/safetynet/SafetyNetApi.RecaptchaTokenResult.html#getTokenResult()) is described as follows:

Gets the reCAPTCHA user response token, which must be validated by calling the siteverify method described in Verify the user's response.

The manual for the siteverify function describes it as follows (https://developers.google.com/android/reference/com/google/android/gms/safetynet/SafetyNetClient.html#verifyWithRecaptcha(java.lang.String)):

Provides user attestation with reCAPTCHA.

If reCAPTCHA is confident that this is a real user on a real device it will return a token with no challenge. Otherwise it will provide a visual/audio challenge to attest the humanness of the user before returning a token.

My question

I want to use my backend server (Cloud Functions) to verify the reCAPTCHA. However, according to the Android documentation, all the functions above seem to be placed client-side. In fact, siteverify should be called with the token obtained from getTokenResult, and both seem to be the Android SafetyNet reCAPTCHA Android API...

Still, I think using Cloud Functions would be more secure! But can I use my backend?

Edit: backend call to siteverify in Cloud Functions

const functions = require('firebase-functions');
// The `request` npm package; named so it does not shadow the Express request object
const request = require('request');

exports.verifyRecaptcha = functions.https.onRequest((req, res) => {

    const user_response_token = req.query.user_response_token;
    if (!user_response_token) {
        // onRequest handlers answer over HTTP; HttpsError is only for onCall functions
        res.status(400).send('The function must be called with an adequate user response token.');
        return;
    }

    const remote_url = 'https://www.google.com/recaptcha/api/siteverify';
    // The secret key stays on the server; the variable name is an assumption
    const secret = process.env.RECAPTCHA_SECRET;
    // json: true makes the library parse the siteverify reply into an object
    request.post({url: remote_url, form: {secret: secret, response: user_response_token}, json: true},
        function(error, verifyResponse, body) {
            if (error) {
                res.status(500).send('Unable to reach siteverify: ' + error);
                return;
            }

            if (verifyResponse.statusCode !== 200) {
                res.status(502).send('Something went wrong. Status code: ' + verifyResponse.statusCode + '.');
                return;
            }

            if (!body.success) {
                res.status(403).send('Unable to verify this captcha.');
                return;
            }

            res.status(200).json(body);
        });

});

You can take the token returned from getTokenResult(), send it to your backend, and have your backend call the web API version of siteverify:

https://www.google.com/recaptcha/api/siteverify