This is also a point worth considering.
We can listen to what other people have to say.

李玉升 <leeys....@gmail.com> wrote on Thu, Mar 10, 2022 at 17:25:

> I think I'll add json_body and form_body for parameter_source in the next
> stage. It's not good for performance if we retrieve the captcha parameter
> from supported sources one by one (especially json_body). I strongly do
> not recommend this.
>
> On Thu, Mar 10, 2022 at 4:07 PM Jintao Zhang <zhangjintao9...@gmail.com>
> wrote:
>
> > Right! This keeps it consistent with other plugin configurations.
> >
> > 李玉升 <leeys....@gmail.com> wrote on Thu, Mar 10, 2022 at 12:14:
> >
> > > Hi, Jintao.
> > >
> > > Do you mean supporting both header and query at the same time, rather than
> > > one of them? e.g. read from header first, if it does not exist, fall back to
> > > query?
> > >
> > > On Wed, Mar 9, 2022 at 4:32 PM Jintao Zhang <zhangjin...@apache.org>
> > > wrote:
> > >
> > > > > How about parameter_source?
> > > > I prefer to be consistent with other configurations in APISIX's plugins,
> > > > such as using `header`, `query`, etc.
> > > >
> > > > YuanSheng Wang <membp...@apache.org> wrote on Wed, Mar 9, 2022 at 13:39:
> > > >
> > > > > > {
> > > > > >     "plugins": {
> > > > > >         "recaptcha": {
> > > > > >             "apis":[
> > > > > >                 {
> > > > > >                     "path":"/login",
> > > > > >                     "methods":[ "POST" ],
> > > > > >                     "param_from":"header",
> > > > > >                     "param_name":"captcha"
> > > > >
> > > > > can we use this project? https://github.com/api7/lua-resty-expr
> > > > >
> > > > > `lua-resty-expr` should be simpler.
> > > > >
> > > > >
> > > > > On Tue, Mar 8, 2022 at 7:41 PM 李玉升 <leeys....@gmail.com> wrote:
> > > > >
> > > > > > Background
> > > > > > Google reCAPTCHA is a popular human-identification service in the world. It
> > > > > > protects websites (APIs) from spam and abuse.
> > > > > >
> > > > > > For now, APISIX users who want to integrate the reCAPTCHA service into
> > > > > > their system either write the plugin on their own or just leave it to
> > > > > > the backend microservices. Therefore, users either need plugin
> > > > > > development skills or end up in a bad situation where the reCAPTCHA
> > > > > > layer is spread across multiple microservices.
> > > > > >
> > > > > > Based on the above context, it would be great if APISIX had an official
> > > > > > recaptcha plugin. Backend services can just focus on their core business
> > > > > > logic and take every request as if it were sent by humans.
> > > > > >
> > > > > >
> > > > > >
> > > > > > Here is the code snippet of recaptcha plugin schema
> > > > > >
> > > > > > local schema = {
> > > > > >     type = "object",
> > > > > >     properties = {
> > > > > >         -- The secret key of the Google reCAPTCHA service.
> > > > > >         recaptcha_secret_key = { type = "string" },
> > > > > >         -- The list of APIs needs to be verified by reCAPTCHA.
> > > > > >         apis = {
> > > > > >             type = "array",
> > > > > >             items = {
> > > > > >                 type = "object",
> > > > > >                 properties = {
> > > > > >                     -- The API path
> > > > > >                     path = { type = "string" },
> > > > > >                     -- The list of HTTP methods
> > > > > >                     methods = { type = "array", items = { type = "string" }, minItems = 1 },
> > > > > >                     -- The enum of captcha parameter source. Only header, query are supported.
> > > > > >                     param_from = {
> > > > > >                         type = "string",
> > > > > >                         default = "header",
> > > > > >                         enum = { "header", "query" }
> > > > > >                     },
> > > > > >                     -- The name of captcha parameter.
> > > > > >                     param_name = { type = "string", default = "captcha" },
> > > > > >                 }
> > > > > >             },
> > > > > >             minItems = 1
> > > > > >         },
> > > > > >         -- The response of invalid recaptcha token.
> > > > > >         response = {
> > > > > >             type = "object",
> > > > > >             properties = {
> > > > > >                 content_type = { type = "string", default = "application/json; charset=utf-8" },
> > > > > >                 status_code = { type = "number", default = 400 },
> > > > > >                 body = { type = "string", default = '{"message": "invalid captcha"}' }
> > > > > >             }
> > > > > >         },
> > > > > >
> > > > > >     },
> > > > > >     additionalProperties = false,
> > > > > >     required = { "recaptcha_secret_key" },
> > > > > > }
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > > And the example of plugin config
> > > > > >
> > > > > > {
> > > > > >     "plugins": {
> > > > > >         "recaptcha": {
> > > > > >             "apis":[
> > > > > >                 {
> > > > > >                     "path":"/login",
> > > > > >                     "methods":[ "POST" ],
> > > > > >                     "param_from":"header",
> > > > > >                     "param_name":"captcha"
> > > > > >                 },
> > > > > >                 {
> > > > > >                     "path":"/users/*/active",
> > > > > >                     "methods":[ "POST" ],
> > > > > >                     "param_from":"query",
> > > > > >                     "param_name":"captcha"
> > > > > >                 }
> > > > > >             ],
> > > > > >             "response":{
> > > > > >                 "content_type":"application/json; charset=utf-8",
> > > > > >                 "body":"{\"message\":\"invalid captcha\"}\n",
> > > > > >                 "status_code":400
> > > > > >             },
> > > > > >             "recaptcha_secret_key":"6LeIxAcTAAAAAGGXXXXXXXXXXXXXXXXXXX"
> > > > > >         }
> > > > > >     }
> > > > > > }
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > > The process would be like this
> > > > > > 1.   client-side provides a recaptcha token (obtained from google JS SDK) when
> > > > > >      invoking server API
> > > > > > 2.   the plugin determines whether to verify the request based on the
> > > > > >      plugin apis configuration.
> > > > > >      1.   NO:  request will continue
> > > > > >      2.   YES: retrieve the captcha parameter from the request, and verify
> > > > > >           it against the google recaptcha api. allowing the request if token
> > > > > >           valid, terminating the request if token invalid.
> > > > > >
> > > > > >
> > > > > > plugin document:
> > > > > > https://github.com/apache/apisix/blob/41db53714936bb8e1099f477e50973b494118718/docs/en/latest/plugins/recaptcha.md
> > > > > >
> > > > >
> > > > >
> > > > > --
> > > > >
> > > > > *MembPhis*
> > > > > My GitHub: https://github.com/membphis
> > > > > Apache APISIX: https://github.com/apache/apisix
> > > > >
> > > >
> > >
> >
>
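
The process listed in the proposal, as an added example in plain Lua (not code from the thread or from APISIX): it matches a request against `apis`, reads the token only from the configured `param_from` source with no fallback to the other one, and fails closed when the token is unusable. The single-segment meaning of `*`, the shape of the `req` table and the `verify` callback are assumptions made for the illustration.

```lua
-- Assumption (added example, not APISIX code): "*" in a path matches one segment.
local function path_to_pattern(path)
    -- Escape Lua pattern magic characters, then turn the escaped "*" into "[^/]+".
    local escaped = path:gsub("[%^%$%(%)%%%.%[%]%*%+%-%?]", "%%%0")
    return "^" .. (escaped:gsub("%%%*", "[^/]+")) .. "$"
end

local function find_rule(conf, method, path)
    for _, api in ipairs(conf.apis) do
        if path:find(path_to_pattern(api.path)) then
            for _, m in ipairs(api.methods) do
                if m == method then return api end
            end
        end
    end
end

-- Returns true to let the request continue, false to send the configured rejection.
-- `verify` is a hypothetical callback standing in for the call to Google's API.
local function check(conf, req, verify)
    local rule = find_rule(conf, req.method, req.path)
    if not rule then return true end               -- step 2.1: API not listed
    local bag = req.headers                        -- schema default source
    if rule.param_from == "query" then bag = req.query end
    local token = bag and bag[rule.param_name or "captcha"]
    -- Fail closed: a missing, empty or repeated (table-valued) parameter is
    -- rejected without spending a verification call on it.
    if type(token) ~= "string" or token == "" then return false end
    return verify(conf.recaptcha_secret_key, token) == true
end

-- Constructed configuration and requests, mirroring the example config above.
local conf = {
    recaptcha_secret_key = "PLACEHOLDER_SECRET",
    apis = {
        { path = "/login", methods = { "POST" }, param_from = "header", param_name = "captcha" },
        { path = "/users/*/active", methods = { "POST" }, param_from = "query", param_name = "captcha" },
    },
}
local function fake_verify(_, token) return token == "good-token" end
local requests = {
    { method = "GET",  path = "/health",          headers = {}, query = {} },
    { method = "POST", path = "/login",           headers = { captcha = "good-token" }, query = {} },
    { method = "POST", path = "/login",           headers = {}, query = { captcha = "good-token" } },
    { method = "POST", path = "/users/42/active", headers = {}, query = { captcha = "bad-token" } },
    { method = "POST", path = "/users/42/active", headers = {}, query = { captcha = { "good-token", "x" } } },
}
for _, req in ipairs(requests) do
    print(req.method, req.path, check(conf, req, fake_verify) and "continue" or "reject")
end
```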
