Hi, Jintao.

Do you mean supporting both header and query at the same time, rather than
one of them? e.g. read from header first, if it does not exist, fallback to
query?

On Wed, Mar 9, 2022 at 4:32 PM Jintao Zhang <zhangjin...@apache.org> wrote:

> > How about parameter_source?
> I prefer to be consistent with other configurations in APISIX's plugins,
> such as using `header`, `query`, etc.
>
> On Wed, Mar 9, 2022 at 13:39, YuanSheng Wang <membp...@apache.org> wrote:
>
> > > {
> > >     "plugins": {
> > >         "recaptcha": {
> > >             "apis":[
> > >                 {
> > >                     "path":"/login",
> > >                     "methods":[ "POST" ],
> > >                     "param_from":"header",
> > >                     "param_name":"captcha"
> >
> > can we use this project? https://github.com/api7/lua-resty-expr
> >
> > `lua-resty-expr` should be simpler.
> >
> >
> > On Tue, Mar 8, 2022 at 7:41 PM 李玉升 <leeys....@gmail.com> wrote:
> >
> > > Background
> > > Google reCAPTCHA is a popular human-identify service in the world. It
> > > protects website(API) from spam and abuse.
> > >
> > >
> > >
> > > For now, the APISIX users who want to integrate the reCAPTCHA service in
> > > their system, either write the plugin on their own or just leave it to the
> > > backend microservices. Therefore, users have required the skills of plugin
> > > development, or into a bad situation where the reCAPTCHA layer is spread to
> > > multiple microservices.
> > >
> > > Based on the above context, it will be great if APISIX has an official
> > > recaptcha plugin. Backend services can just focus on their core business
> > > logic and take every request as if it were sent by humans.
> > >
> > >
> > >
> > > Here is the code snippet of recaptcha plugin schema
> > >
> > > local schema = {
> > >     type = "object",
> > >     properties = {
> > >         -- The secret key of the Google reCAPTCHA service.
> > >         recaptcha_secret_key = { type = "string" },
> > >         -- The list of APIs needs to be verified by reCAPTCHA.
> > >         apis = {
> > >             type = "array",
> > >             items = {
> > >                 type = "object",
> > >                 properties = {
> > >                     -- The API path
> > >                     path = { type = "string" },
> > >                     -- The list of HTTP method
> > >                     methods = {
> > >                         type = "array",
> > >                         items = { type = "string" },
> > >                         minItems = 1
> > >                     },
> > >                     -- The enum of captcha parameter source. Only header,
> > >                     -- query are supported.
> > >                     param_from = {
> > >                         type = "string",
> > >                         default = "header",
> > >                         enum = { "header", "query" }
> > >                     },
> > >                     -- The name of captcha parameter.
> > >                     param_name = { type = "string", default = "captcha" },
> > >                 }
> > >             },
> > >             minItems = 1
> > >         },
> > >         -- The response of invalid recaptcha token.
> > >         response = {
> > >             type = "object",
> > >             properties = {
> > >                 content_type = {
> > >                     type = "string",
> > >                     default = "application/json; charset=utf-8"
> > >                 },
> > >                 status_code = { type = "number", default = 400 },
> > >                 body = {
> > >                     type = "string",
> > >                     default = '{"message": "invalid captcha"}'
> > >                 }
> > >             }
> > >         },
> > >
> > >     },
> > >     additionalProperties = false,
> > >     required = { "recaptcha_secret_key" },
> > > }
> > >
> > >
> > >
> > >
> > > And the example of plugin config
> > >
> > > {
> > >     "plugins": {
> > >         "recaptcha": {
> > >             "apis":[
> > >                 {
> > >                     "path":"/login",
> > >                     "methods":[ "POST" ],
> > >                     "param_from":"header",
> > >                     "param_name":"captcha"
> > >                 },
> > >                 {
> > >                     "path":"/users/*/active",
> > >                     "methods":[ "POST" ],
> > >                     "param_from":"query",
> > >                     "param_name":"captcha"
> > >                 }
> > >             ],
> > >             "response":{
> > >                 "content_type":"application/json; charset=utf-8",
> > >                 "body":"{\"message\":\"invalid captcha\"}\n",
> > >                 "status_code":400
> > >             },
> > >             "recaptcha_secret_key":"6LeIxAcTAAAAAGGXXXXXXXXXXXXXXXXXXX"
> > >         }
> > >     }
> > > }
> > >
> > >
> > >
> > >
> > > The process would be like this
> > > 1.   client-side provides a recaptcha token(obtain from google JS SDK) when
> > >      invoking server API
> > > 2.   the plugin determines whether to verify the request based on the
> > >      plugin apis configuration.
> > >      1.   NO:  request will continue
> > >      2.   YES: retrieve the captcha parameter from the request, and verify
> > >           it to the google recaptcha api. allowing the request if token
> > >           valid, terminating the request if token invalid.
> > >
> > >
> > > plugin document:
> > > https://github.com/apache/apisix/blob/41db53714936bb8e1099f477e50973b494118718/docs/en/latest/plugins/recaptcha.md
> > >
> >
> >
> > --
> >
> > *MembPhis*
> > My GitHub: https://github.com/membphis
> > Apache APISIX: https://github.com/apache/apisix
> >
>
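
The matching and token-lookup steps of the proposed process, including the header-then-query fallback asked about at the top of this message, as an added example that is not part of the thread or of the APISIX code base. It is plain Lua over constructed request tables; `path_to_pattern`, `find_rule`, `decide` and the `fallback` switch are hypothetical names, and the call to the reCAPTCHA verification API is left out.

```lua
-- Added example in plain Lua (no APISIX/OpenResty calls). Config values are
-- taken from the proposal; the request tables below are constructed samples.
local apis = {
    { path = "/login", methods = { "POST" },
      param_from = "header", param_name = "captcha" },
    { path = "/users/*/active", methods = { "POST" },
      param_from = "query", param_name = "captcha" },
}

-- Assumption: "*" matches exactly one path segment (the proposal leaves
-- wildcard semantics undefined).
local function path_to_pattern(path)
    local escaped = path:gsub("[%^%$%(%)%%%.%[%]%+%-%?]", "%%%0")
    return "^" .. escaped:gsub("%*", "[^/]+") .. "$"
end

-- Return the first configured API entry matching both path and method.
local function find_rule(method, path)
    for _, api in ipairs(apis) do
        if path:match(path_to_pattern(api.path)) then
            for _, m in ipairs(api.methods) do
                if m == method then return api end
            end
        end
    end
end

-- Returns "continue", "reject", or "verify" plus the token to be checked.
-- `fallback` is a hypothetical switch: when true, the source that is not
-- configured in param_from is consulted if the configured one has no token.
local function decide(req, fallback)
    local rule = find_rule(req.method, req.path)
    if not rule then return "continue" end                -- step 2.1
    local first = rule.param_from == "header" and req.headers or req.query
    local other = rule.param_from == "header" and req.query or req.headers
    local token = first[rule.param_name]
    if not token and fallback then token = other[rule.param_name] end
    if not token or token == "" then return "reject" end  -- fail closed
    return "verify", token                                -- step 2.2
end

local by_header = { method = "POST", path = "/users/42/active",
                    headers = { captcha = "tok-C" }, query = {} }
print(decide({ method = "POST", path = "/login",
               headers = { captcha = "tok-A" }, query = {} }))
print(decide({ method = "GET", path = "/login", headers = {}, query = {} }))
print(decide(by_header))        -- strict: only the configured source is read
print(decide(by_header, true))  -- fallback: the other source is also read
```

With a fallback, a token placed in the query string can end up in access logs and referrers even for routes configured for `header`, which is one reason to keep the source strict per route.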
