Backwards compatible update to verify method

Author: rowan-m

ARCHITECTURE.md

@@ -1,15 +1,14 @@
 # Architecture
 
 The general pattern of usage is to instantiate the `ReCaptcha` class with your
-secret key, specify any additional validation rules, and then call
-`verifyAndValidate()` with the reCAPTCHA response and user's IP address. For
-example:
+secret key, specify any additional validation rules, and then call `verify()`
+with the reCAPTCHA response and user's IP address. For example:
 
 ```php
 <?php
 $recaptcha = new \ReCaptcha\ReCaptcha($secret);
 $resp = $recaptcha->setExpectedHostname('recaptcha-demo.appspot.com')
-                  ->verifyAndValidate($gRecaptchaResponse, $remoteIp);
+                  ->verify($gRecaptchaResponse, $remoteIp);
 if ($resp->isSuccess()) {
     // Verified!
 } else {

README.md

@@ -64,14 +64,14 @@ functionality into your frontend.
 This library comes in when you need to verify the user's response. On the PHP
 side you need the response from the reCAPTCHA service and secret key from your
 credentials. Instantiate the `ReCaptcha` class with your secret key, specify any
-additional validation rules, and then call `verifyAndValidate()` with the
-reCAPTCHA response and user's IP address. For example:
+additional validation rules, and then call `verify()` with the reCAPTCHA
+response and user's IP address. For example:
 
 ```php
 <?php
 $recaptcha = new \ReCaptcha\ReCaptcha($secret);
 $resp = $recaptcha->setExpectedHostname('recaptcha-demo.appspot.com')
-                  ->verifyAndValidate($gRecaptchaResponse, $remoteIp);
+                  ->verify($gRecaptchaResponse, $remoteIp);
 if ($resp->isSuccess()) {
     // Verified!
 } else {
@@ -93,16 +93,16 @@ The following methods are available:
 - `setChallengeTimeout($timeoutSeconds)`: set a timeout between the user passing
   the reCAPTCHA and your server processing it.
 
-Each of the `set`\*`()` methods return the `ReCaptcha` instance so you can chain them
-together. For example:
+Each of the `set`\*`()` methods return the `ReCaptcha` instance so you can chain
+them together. For example:
 
 ```php
 <?php
 $recaptcha = new \ReCaptcha\ReCaptcha($secret);
 $resp = $recaptcha->setExpectedHostname('recaptcha-demo.appspot.com')
                   ->setExpectedAction('homepage')
                   ->setScoreThreshold(0.5)
-                  ->verifyAndValidate($gRecaptchaResponse, $remoteIp);
+                  ->verify($gRecaptchaResponse, $remoteIp);
 
 if ($resp->isSuccess()) {
     // Verified!

examples/recaptcha-v2-checkbox-explicit.php

@@ -89,9 +89,9 @@
     // its use with URLs, then you can use the alternative request method instead.
     // This makes use of fsockopen() instead.
     //  $recaptcha = new \ReCaptcha\ReCaptcha($secret, new \ReCaptcha\RequestMethod\SocketPost());
-
     // Make the call to verify the response and also pass the user's IP address
-    $resp = $recaptcha->verify($_POST['g-recaptcha-response'], $_SERVER['REMOTE_ADDR']);
+    $resp = $recaptcha->setExpectedHostname($_SERVER['SERVER_NAME'])
+                      ->verify($_POST['g-recaptcha-response'], $_SERVER['REMOTE_ADDR']);
 
     if ($resp->isSuccess()):
         // If the response is a success, that's it!

examples/recaptcha-v2-checkbox.php

@@ -91,8 +91,8 @@
     //  $recaptcha = new \ReCaptcha\ReCaptcha($secret, new \ReCaptcha\RequestMethod\SocketPost());
 
     // Make the call to verify the response and also pass the user's IP address
-    $resp = $recaptcha->verify($_POST['g-recaptcha-response'], $_SERVER['REMOTE_ADDR']);
-
+    $resp = $recaptcha->setExpectedHostname($_SERVER['SERVER_NAME'])
+                      ->verify($_POST['g-recaptcha-response'], $_SERVER['REMOTE_ADDR']);
     if ($resp->isSuccess()):
         // If the response is a success, that's it!
         ?>

examples/recaptcha-v2-invisible.php

@@ -91,8 +91,8 @@
     //  $recaptcha = new \ReCaptcha\ReCaptcha($secret, new \ReCaptcha\RequestMethod\SocketPost());
 
     // Make the call to verify the response and also pass the user's IP address
-    $resp = $recaptcha->verify($_POST['g-recaptcha-response'], $_SERVER['REMOTE_ADDR']);
-
+    $resp = $recaptcha->setExpectedHostname($_SERVER['SERVER_NAME'])
+                      ->verify($_POST['g-recaptcha-response'], $_SERVER['REMOTE_ADDR']);
     if ($resp->isSuccess()):
         // If the response is a success, that's it!
         ?>

examples/recaptcha-v3-request-scores.php

@@ -81,29 +81,27 @@
     ?>
     <p>reCAPTCHA will provide a score for this request.</p>
     <ol id="recaptcha-steps">
-        <li>reCAPTCHA script it loading.</li>
+        <li class="step0">reCAPTCHA script loading</li>
+        <li style="display:none" class="step1"><kbd>grecaptcha.ready()</kbd> fired, calling <pre>grecaptcha.execute('<?php echo $siteKey; ?>', {action: 'homepage'})'</pre></li>
+        <li style="display:none" class="step2">Received token from reCAPTCHA service, sending to our backend with <kbd>fetch('/recaptcha-v3-verify.php?token='+<span class="token">123</span>)</kbd></li>
+        <li style="display:none" class="step3">Received response from our backend: <pre class="response">response</pre></li>
     </ol>
     <p><a href="/recaptcha-v3-request-scores.php">⟳ Try again</a></p>
 
     <script src="https://www.google.com/recaptcha/api.js?render=<?php echo $siteKey; ?>"></script>
     <script>
     const steps = document.getElementById('recaptcha-steps');
     grecaptcha.ready(function() {
-
-        const showSending = document.createElement('li');
-        showSending.appendChild(document.createTextNode('Calling grecaptcha.execute(\'*siteKey*\', {action: \'homepage\'})'));
-        steps.appendChild(showSending);
-
+        document.querySelector('.step1').style.display = 'list-item';
         grecaptcha.execute('<?php echo $siteKey; ?>', {action: 'homepage'}).then(function(token) {
-            
-            const showSending = document.createElement('li');
-            showSending.appendChild(document.createTextNode('Sending token to our backend to verify'));
-            steps.appendChild(showSending);
+            document.querySelector('.token').innerHTML = token;
+            document.querySelector('.step2').style.display = 'list-item';
 
             fetch('/recaptcha-v3-verify.php?token='+token).then(function(response) {
-                const showSending = document.createElement('li');
-                showSending.appendChild(document.createTextNode('Received verification from our backend'));
-                steps.appendChild(showSending);
+                response.json().then(function(data) {
+                    document.querySelector('.response').innerHTML = JSON.stringify(data);
+                    document.querySelector('.step3').style.display = 'list-item';
+                });
             });
         });
     });

examples/recaptcha-v3-verify.php

@@ -39,6 +39,8 @@
 
 // Effectively we're providing an API endpoint here that will accept the token, verify it, and return the action / score to the page
 $recaptcha = new \ReCaptcha\ReCaptcha($secret);
-$resp = $recaptcha->verify($_GET['token'], $_SERVER['REMOTE_ADDR']);
-header('Content-type:application/json');
+$resp = $recaptcha->setExpectedHostname($_SERVER['SERVER_NAME'])
+->setExpectedAction('homepage')
+                  ->setScoreThreshold(0.5)
+                  ->verify($_GET['token'], $_SERVER['REMOTE_ADDR']);header('Content-type:application/json');
 echo json_encode($resp->toArray());

src/ReCaptcha/ReCaptcha.php

@@ -125,7 +125,7 @@ public function __construct($secret, RequestMethod $requestMethod = null)
 
     /**
      * Calls the reCAPTCHA siteverify API to verify whether the user passes
-     * CAPTCHA test.
+     * CAPTCHA test and additionally runs any specified additional checks
      *
      * @param string $response The user response token provided by reCAPTCHA, verifying the user on your site.
      * @param string $remoteIp The end user's IP address.
@@ -141,11 +141,50 @@ public function verify($response, $remoteIp = null)
 
         $params = new RequestParameters($this->secret, $response, $remoteIp, self::VERSION);
         $rawResponse = $this->requestMethod->submit($params);
-        return Response::fromJson($rawResponse);
+        $initialResponse = Response::fromJson($rawResponse);
+        $validationErrors = array();
+
+        if (isset($this->hostname) && strcasecmp($this->hostname, $initialResponse->getHostname()) !== 0) {
+            $validationErrors[] = self::E_HOSTNAME_MISMATCH;
+        }
+
+        if (isset($this->apkPackageName) && strcasecmp($this->apkPackageName, $initialResponse->getApkPackageName()) !== 0) {
+            $validationErrors[] = self::E_APK_PACKAGE_NAME_MISMATCH;
+        }
+
+        if (isset($this->action) && strcasecmp($this->action, $initialResponse->getAction()) !== 0) {
+            $validationErrors[] = self::E_ACTION_MISMATCH;
+        }
+
+        if (isset($this->threshold) && $this->threshold > $initialResponse->getScore()) {
+            $validationErrors[] = self::E_SCORE_THRESHOLD_NOT_MET;
+        }
+
+        if (isset($this->timeoutSeconds)) {
+            $challengeTs = strtotime($initialResponse->getChallengeTs());
+
+            if ($challengeTs > 0 && time() - $challengeTs > $this->timeoutSeconds) {
+                $validationErrors[] = self::E_CHALLENGE_TIMEOUT;
+            }
+        }
+
+        if (empty($validationErrors)) {
+            return $initialResponse;
+        }
+
+        return new Response(
+            false,
+            array_merge($initialResponse->getErrorCodes(), $validationErrors),
+            $initialResponse->getHostname(),
+            $initialResponse->getChallengeTs(),
+            $initialResponse->getApkPackageName(),
+            $initialResponse->getScore(),
+            $initialResponse->getAction()
+        );
     }
 
     /**
-     * Provide a hostname to match against in verifyAndValidate()
+     * Provide a hostname to match against in verify()
      * This should be without a protocol or trailing slash, e.g. www.google.com
      *
      * @param string $hostname Expected hostname
@@ -158,7 +197,7 @@ public function setExpectedHostname($hostname)
     }
 
     /**
-     * Provide an APK package name to match against in verifyAndValidate()
+     * Provide an APK package name to match against in verify()
      *
      * @param string $apkPackageName Expected APK package name
      * @return ReCaptcha Current instance for fluent interface
@@ -170,7 +209,7 @@ public function setExpectedApkPackageName($apkPackageName)
     }
 
     /**
-     * Provide an action to match against in verifyAndValidate()
+     * Provide an action to match against in verify()
      * This should be set per page.
      *
      * @param string $action Expected action
@@ -183,7 +222,7 @@ public function setExpectedAction($action)
     }
 
     /**
-     * Provide a threshold to meet or exceed in verifyAndValidate()
+     * Provide a threshold to meet or exceed in verify()
      * Threshold should be a float between 0 and 1 which will be tested as response >= threshold.
      *
      * @param float $threshold Expected threshold
@@ -196,7 +235,7 @@ public function setScoreThreshold($threshold)
     }
 
     /**
-     * Provide a timeout in seconds to test against the challenge timestamp in verifyAndValidate()
+     * Provide a timeout in seconds to test against the challenge timestamp in verify()
      *
      * @param int $timeoutSeconds Expected hostname
      * @return ReCaptcha Current instance for fluent interface
@@ -206,56 +245,4 @@ public function setChallengeTimeout($timeoutSeconds)
         $this->timeoutSeconds = $timeoutSeconds;
         return $this;
     }
-
-    /**
-     * Calls the reCAPTCHA siteverify API to verify whether the user passes
-     * CAPTCHA test and additionally runs any specified additional checks
-     *
-     * @param string $response The user response token provided by reCAPTCHA, verifying the user on your site.
-     * @param string $remoteIp The end user's IP address.
-     * @return Response Response from the service.
-     */
-    public function verifyAndValidate($response, $remoteIp = null)
-    {
-        $initialResponse = $this->verify($response, $remoteIp);
-        $validationErrors = array();
-
-        if (isset($this->hostname) && strcasecmp($this->hostname, $initialResponse->getHostname()) !== 0) {
-            $validationErrors[] = self::E_HOSTNAME_MISMATCH;
-        }
-
-        if (isset($this->apkPackageName) && strcasecmp($this->apkPackageName, $initialResponse->getApkPackageName()) !== 0) {
-            $validationErrors[] = self::E_APK_PACKAGE_NAME_MISMATCH;
-        }
-
-        if (isset($this->action) && strcasecmp($this->action, $initialResponse->getAction()) !== 0) {
-            $validationErrors[] = self::E_ACTION_MISMATCH;
-        }
-
-        if (isset($this->threshold) && $this->threshold > $initialResponse->getScore()) {
-            $validationErrors[] = self::E_SCORE_THRESHOLD_NOT_MET;
-        }
-
-        if (isset($this->timeoutSeconds)) {
-            $challengeTs = strtotime($initialResponse->getChallengeTs());
-
-            if ($challengeTs > 0 && time() - $challengeTs > $this->timeoutSeconds) {
-                $validationErrors[] = self::E_CHALLENGE_TIMEOUT;
-            }
-        }
-
-        if (empty($validationErrors)) {
-            return $initialResponse;
-        }
-
-        return new Response(
-            false,
-            array_merge($initialResponse->getErrorCodes(), $validationErrors),
-            $initialResponse->getHostname(),
-            $initialResponse->getChallengeTs(),
-            $initialResponse->getApkPackageName(),
-            $initialResponse->getScore(),
-            $initialResponse->getAction()
-        );
-    }
 }