This API serves as a reCAPTCHA token validation service for web applications. It allows you to securely validate reCAPTCHA tokens without directly communicating with Google's reCAPTCHA services. This API is compatible with both reCAPTCHA v2 and v3.
- Dynamic Configuration: Easily configure the reCAPTCHA endpoint and domain settings.
- IP Whitelisting: Allow specific IP addresses to bypass reCAPTCHA validation.
- CORS Support: Define a whitelist of domains that can access the API.
- Rate Limiting: Implement rate limiting to prevent abuse of the API.
- Logging: Comprehensive logging for monitoring and debugging.
The API's settings are managed via a config.js
file. Here's an overview of the available configuration options:
recaptchaEndpoint
: The reCAPTCHA verification endpoint URL. You can use Google'shttps://www.google.com/recaptcha/api/siteverify
or alternative endpoints likehttps://recaptcha.net/recaptcha/api/siteverify
in regions where Google services are restricted.domains
: An array of domain configurations withname
,secretKeyV2
,secretKeyV3
, andscoreThreshold
.allowedIPs
: An array of IP addresses that can bypass reCAPTCHA validation.rateLimit
: Rate limiting configuration withwindowMs
,maxRequests
, andactive
.port
: The port on which the API server will run.autoValidateLocalIp
: Enable automatic validation for local IP addresses.
Example Configuration (config.js
):
module.exports = {
recaptchaEndpoint: "https://www.google.com/recaptcha/api/siteverify",
domains: [
{
name: "example.com",
secretKeyV2: "YOUR_SECRET_KEY_V2",
secretKeyV3: "YOUR_SECRET_KEY_V3",
scoreThreshold: 0.5,
},
],
allowedIPs: ["127.0.0.1"],
rateLimit: {
windowMs: 900000,
maxRequests: 100,
active: true,
},
port: 3000,
autoValidateLocalIp: true,
};
To get started with the reCAPTCHA Validator API, you'll need to clone the repository from GitHub. Follow these steps:
-
Open your terminal or command prompt.
-
Navigate to the directory where you want to store the project.
-
Use the following command to clone the repository:
git clone https://github.com/cemonal/recaptcha-validation-api.git
Before you can run the reCAPTCHA Validator API, you need to install its dependencies. The project uses Node.js and npm for package management. Follow these steps to install the required packages:
-
Open your terminal or command prompt.
-
Navigate to the root directory of the cloned repository:
cd reCAPTCHA-validator-api
-
Run the following command to install the dependencies:
npm install
This command will read the package.json
file and install all the necessary packages listed in it.
Once the installation is complete, you're ready to configure the API and start the server.
To configure the settings for the reCAPTCHA Validator API, you need to modify the appropriate configuration file based on your environment. The available configuration files are located in the config
folder:
development.js
(default for development)test.js
(for testing)production.js
(for production)
Follow these steps:
-
Navigate to the project's root directory.
-
Open the configuration file corresponding to your desired environment using a text editor or code editor. For example, to configure settings for development, open
config/development.js
. -
Modify the configuration options as needed. This includes specifying reCAPTCHA keys, adjusting rate limiting settings, configuring allowed IP addresses, and more.
-
Save the changes to the configuration file.
By choosing the appropriate configuration file and adjusting the settings within it, you can tailor the reCAPTCHA Validator API to your specific requirements.
To run the reCAPTCHA Validator API in development mode, follow these steps:
-
Navigate to the project's root directory using your terminal or command prompt.
-
Use the following command to start the API with automatic server restarts:
npm run dev
This command uses nodemon
to monitor your code for changes. When you save changes to your code, the server will automatically restart, allowing for a smoother development experience.
To run the reCAPTCHA Validator API in production mode, make sure to set the NODE_ENV
environment variable to production
to indicate the production environment. This ensures that the API uses the production configuration settings defined in the config/production.js
file.
Follow these steps to run the API in production mode:
-
Set the Production Environment Variable:
export NODE_ENV=production
For Windows:
set NODE_ENV=production
This environment variable tells the API that it should use the production configuration.
-
Start the API:
npm start
The API will now run in production mode using the configuration settings specified in config/production.js
.
Make sure you have configured the config/production.js
file with the appropriate reCAPTCHA keys and any other settings required for your production environment.
The API provides the following endpoints for reCAPTCHA token validation:
-
Request Body:
token
(string, required): The reCAPTCHA V2 token to validate.
-
Headers:
Origin
(string, required): Set this header to the domain making the request. It's essential for determining the domain configuration for validation.
-
Response:
- HTTP Status: 200 OK if the validation is successful.
- HTTP Status: 400 Bad Request if the
token
is missing or invalid. - HTTP Status: 400 Bad Request if the
Origin
header is missing. - HTTP Status: 500 Internal Server Error if there's a validation error.
-
Request Body:
token
(string, required): The reCAPTCHA V3 token to validate.action
(string, optional): The action identifier for the reCAPTCHA.
-
Headers:
Origin
(string, required): Set this header to the domain making the request. It's essential for determining the domain configuration for validation.
-
Response:
- HTTP Status: 200 OK if the validation is successful.
- HTTP Status: 400 Bad Request if the
token
is missing or invalid. - HTTP Status: 400 Bad Request if the
Origin
header is missing. - HTTP Status: 500 Internal Server Error if there's a validation error.
This API uses the winston
library for logging. Log files are categorized as info
and error
, and they provide detailed information about API requests, errors, and server start logs. Log files are stored in the logs
directory.
- Helmet Middleware: This application uses the
helmet
middleware to enhance security by setting various HTTP headers. - Rate Limiting: Rate limiting is applied to prevent abuse of the API.
- CORS Policies: Only whitelisted domains can access the API.
- IP Whitelisting: You can whitelist specific IP addresses to bypass reCAPTCHA validation.
Contributions to this project are welcome. To contribute:
- Fork the repository.
- Create a new branch for your feature or bugfix.
- Make your changes and follow coding standards.
- Submit a pull request with a detailed description of your changes.
Your contributions, whether small or large, are highly appreciated.