Background
Google reCAPTCHA is a widely used service for telling humans apart from bots. It
protects websites and APIs from spam and abuse.



At present, APISIX users who want to integrate the reCAPTCHA service into their
system either have to write a plugin of their own or leave the verification to
the backend microservices. They therefore either need plugin-development skills,
or end up in the bad situation where the reCAPTCHA layer is duplicated across
multiple microservices.



Given this context, it would be great if APISIX had an official recaptcha
plugin. Backend services could then focus on their core business logic and treat
every request that reaches them as if it were sent by a human.



Here is the code snippet of the recaptcha plugin schema:

local schema = {
    type = "object",
    properties = {
        -- The secret key of the Google reCAPTCHA service.
        recaptcha_secret_key = { type = "string" },
        -- The list of APIs that need to be verified by reCAPTCHA.
        apis = {
            type = "array",
            items = {
                type = "object",
                properties = {
                    -- The API path
                    path = { type = "string" },
                    -- The list of HTTP methods
                    methods = { type = "array", items = { type = "string" }, minItems = 1 },
                    -- Where the captcha parameter is read from. Only header
                    -- and query are supported.
                    param_from = {
                        type = "string",
                        default = "header",
                        enum = { "header", "query" }
                    },
                    -- The name of the captcha parameter.
                    param_name = { type = "string", default = "captcha" },
                }
            },
            minItems = 1
        },
        -- The response returned for an invalid recaptcha token.
        response = {
            type = "object",
            properties = {
                content_type = { type = "string", default = "application/json; charset=utf-8" },
                status_code = { type = "number", default = 400 },
                body = { type = "string", default = '{"message": "invalid captcha"}' }
            }
        },

    },
    additionalProperties = false,
    required = { "recaptcha_secret_key" },
}




And an example of the plugin config (note that apis is not in the schema's
required list, so a config that sets only the secret key is accepted and
protects no API):

{
    "plugins": {
        "recaptcha": {
            "apis":[
                {
                    "path":"/login",
                    "methods":[ "POST" ],
                    "param_from":"header",
                    "param_name":"captcha"
                },
                {
                    "path":"/users/*/active",
                    "methods":[ "POST" ],
                    "param_from":"query",
                    "param_name":"captcha"
                }
            ],
            "response":{
                "content_type":"application/json; charset=utf-8",
                "body":"{\"message\":\"invalid captcha\"}\n",
                "status_code":400
            },
            "recaptcha_secret_key":"6LeIxAcTAAAAAGGXXXXXXXXXXXXXXXXXXX"
        }
    }
}




The process would be like this:
1.   The client side provides a reCAPTCHA token (obtained from the Google JS SDK)
     when invoking the server API.
2.   The plugin decides whether to verify the request based on the plugin's
     apis configuration.
     1.   NO:  the request continues to the upstream.
     2.   YES: retrieve the captcha parameter from the request and verify it
          against the Google reCAPTCHA API, allowing the request if the token
          is valid and terminating it with the configured response if the
          token is invalid or absent.
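The flow above, modelled as an added example written for this page (it is not the plugin's own Lua implementation). The function names are mine; it assumes a segment-wise wildcard match for path patterns (so "*" stands for exactly one path segment), header names lower-cased by the gateway, and it fails closed when the siteverify call errors. The embedded configuration is a constructed copy of the example config above, and the verifier is injectable so the decision logic can be exercised without network access.

```python
"""Reference model of the proposed recaptcha plugin's request-gating flow.

Added illustration for this page, not the APISIX plugin's own Lua code:
function names, segment-wise wildcard matching and fail-closed handling
are assumptions of this example.
"""
import json
import urllib.parse
import urllib.request

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"

# Defaults taken from the plugin schema's `response` properties.
RESPONSE_DEFAULTS = {
    "content_type": "application/json; charset=utf-8",
    "status_code": 400,
    "body": '{"message": "invalid captcha"}',
}

# Constructed copy of the page's example configuration.
EXAMPLE_CONF = {
    "recaptcha_secret_key": "6LeIxAcTAAAAAGGXXXXXXXXXXXXXXXXXXX",
    "apis": [
        {"path": "/login", "methods": ["POST"],
         "param_from": "header", "param_name": "captcha"},
        {"path": "/users/*/active", "methods": ["POST"],
         "param_from": "query", "param_name": "captcha"},
    ],
    "response": {
        "content_type": "application/json; charset=utf-8",
        "status_code": 400,
        "body": '{"message":"invalid captcha"}\n',
    },
}


def path_matches(pattern, path):
    """Segment-wise match (assumption): '*' stands for exactly one path
    segment, so '/users/*/active' matches '/users/42/active' but not
    '/users/42/x/active'. Unmatched paths are never verified, so the
    patterns must cover every path form the backend accepts."""
    pat_parts, path_parts = pattern.split("/"), path.split("/")
    if len(pat_parts) != len(path_parts):
        return False
    return all(p == "*" or p == s for p, s in zip(pat_parts, path_parts))


def find_rule(conf, method, path):
    """Return the first `apis` entry covering (method, path), else None."""
    for api in conf["apis"]:
        if (method.upper() in (m.upper() for m in api["methods"])
                and path_matches(api["path"], path)):
            return api
    return None


def extract_token(rule, headers, query):
    """Read the captcha token from the header or query parameter named by
    the rule. Header names are assumed lower-cased by the gateway."""
    name = rule.get("param_name", "captcha")
    if rule.get("param_from", "header") == "query":
        return query.get(name)
    return headers.get(name.lower())


def siteverify(secret, token, remoteip=None, opener=urllib.request.urlopen):
    """POST the token to Google's siteverify endpoint and return the decoded
    JSON (fields: success, challenge_ts, hostname, error-codes)."""
    form = {"secret": secret, "response": token}
    if remoteip:
        form["remoteip"] = remoteip
    req = urllib.request.Request(SITEVERIFY_URL, method="POST",
                                 data=urllib.parse.urlencode(form).encode())
    with opener(req, timeout=5) as resp:
        return json.loads(resp.read().decode("utf-8"))


def gate_request(conf, method, path, headers, query, verify=siteverify):
    """Return None to let the request continue to the upstream, or a
    (status_code, content_type, body) tuple to terminate it."""
    rule = find_rule(conf, method, path)
    if rule is None:
        return None                      # not a protected API: pass through
    resp = {**RESPONSE_DEFAULTS, **conf.get("response", {})}
    reject = (resp["status_code"], resp["content_type"], resp["body"])
    token = extract_token(rule, headers, query)
    if not token:
        return reject                    # protected API, no token at all
    try:
        result = verify(conf["recaptcha_secret_key"], token)
    except Exception:
        # Timeout, connection error or non-JSON reply: fail CLOSED, since
        # passing the request here would turn a Google outage into a captcha
        # bypass. A real plugin may prefer a distinct 5xx status for this.
        return reject
    if result.get("success") is not True:
        return reject                    # invalid, expired or reused token
    return None
```

Two points worth keeping in mind when porting this to the plugin: the secret key must only ever be sent from the gateway to siteverify, never exposed to clients, and Google accepts each response token exactly once, so a token that passed once cannot be replayed by resubmitting the same request.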


Plugin document:
https://github.com/apache/apisix/blob/41db53714936bb8e1099f477e50973b494118718/docs/en/latest/plugins/recaptcha.md
