Accept the action as a variable

Author: rowan-m

examples/recaptcha-v3-request-scores.php

@@ -88,10 +88,10 @@
         grecaptcha.ready(function() {
             document.querySelector('.step1').classList.remove('hidden');
             grecaptcha.execute('<?php echo $siteKey; ?>', {action: 'examples/v3scores'}).then(function(token) {
-                document.querySelector('.token').innerHTML = 'fetch(\'/recaptcha-v3-verify.php?token=\'' + token;
+                document.querySelector('.token').innerHTML = 'fetch(\'/recaptcha-v3-verify.php?action=examples/v3scores&token=\'' + token;
                 document.querySelector('.step2').classList.remove('hidden');
 
-                fetch('/recaptcha-v3-verify.php?token='+token).then(function(response) {
+                fetch('/recaptcha-v3-verify.php?action=examples/v3scores&token='+token).then(function(response) {
                     response.json().then(function(data) {
                         document.querySelector('.response').innerHTML = JSON.stringify(data, null, 2);
                         document.querySelector('.step3').classList.remove('hidden');

examples/recaptcha-v3-verify.php

@@ -40,9 +40,10 @@
 }
 
 // Effectively we're providing an API endpoint here that will accept the token, verify it, and return the action / score to the page
+// In production, always sanitize and validate the input you retrieve from the request.
 $recaptcha = new \ReCaptcha\ReCaptcha($secret);
 $resp = $recaptcha->setExpectedHostname($_SERVER['SERVER_NAME'])
-                  ->setExpectedAction('examples/v3scores')
+                  ->setExpectedAction($_GET['action'])
                   ->setScoreThreshold(0.5)
                   ->verify($_GET['token'], $_SERVER['REMOTE_ADDR']);
 header('Content-type:application/json');