I always get "success":false as response from google recaptcha version 2


Fauck Faucker

Sep 5, 2015, 3:01:19 PM
to reCAPTCHA
I always get "success":false as response from Google (no error messages), but the captcha from Google shows me that the input was right.

This is where I got my information from.

This is what I tried. I also sent this with "Postman" (Chrome add-on) and jQuery.post:

     
    var userInput = req.body["g-recaptcha-response"] ? "&response=" + req.body["g-recaptcha-response"] : "";
    var remoteIp = "&remoteip=" + req.connection.remoteAddress;
    var finalRequest = "https://www.google.com/recaptcha/api/siteverify?secret=..." + userInput; //+remoteIp;

    request({
        uri: finalRequest,
        method: "POST",
        timeout: 10000,
        followRedirect: true,
        maxRedirects: 10
    }, function(error, response, body) {
        console.log(body);
    });

Kevin Hynes

Sep 5, 2015, 5:49:23 PM
to reca...@googlegroups.com
It looks like you have '?secret=...' ?  The ... would need to be your actual secret.

Are you doing this in jQuery in the same page as the widget? You shouldn't be doing that. It really needs to be done on the server to get the full protection from reCAPTCHA. Think of it this way: you are trying to submit a value (g-recaptcha-response) that can't be faked by spammers. If you just do the check in JS and not on the server, you haven't done that.


Fauck Faucker

Sep 5, 2015, 11:57:51 PM
to reCAPTCHA
I left out the '?secret=...' because I keep it secret; it is like a password. No, the code snippet I posted will be handled on the server side (request is an npm module for node.js).

I just used jQuery and Postman for testing, to send a POST request to Google.

iwa12

Sep 18, 2015, 1:35:20 PM
to reCAPTCHA
I came across a very similar problem in my application too.
I add what I saw here in case this would give some insight in the problem:


I implemented a simple login form, with 2 string form items, according to the example in https://developers.google.com/recaptcha/docs/display.

On the client side it looks like reCAPTCHA works fine, and when the form is submitted, at least I could get the g-recaptcha-response value.
But when I made a request to https://www.google.com/recaptcha/api/siteverify using file_get_contents($url), since it is used in most examples I found, my JSON response was only {"success":false}, without the errorCodes part.

I don't think it's derived from the use of file_get_contents. At first I doubted that it lacks async communication, so I substituted it with curl_init, as found in http://www.codediesel.com/security/integrating-googles-new-nocaptcha-recaptcha-in-php/. But the situation hasn't changed.


The odd thing is that when I copied the actual request URL (with parameters) from the log when I got success:"false" once, and pasted it in the Chrome URL bar, it returned

{ "success": true }

!
Then I tried a second request with the same URL (in Chrome), and it returned "success": false.


So I suspect when I get no errorCodes, I think something is wrong with the "success" return value, even if the actual verification process would be fine. When I provided an empty string or some random string in the response parameter in api/siteverify, it returns

    {
      "success": false,
      "error-codes": [
        "invalid-input-response"
      ]
    }

This clearly indicates that the verification was erroneous.

After some experiments, if it works fine, I might rather use this "error-codes" field to make a judgement, instead of the "success" field, as long as it can prevent exploitation or random submission of the form.




Kevin Hynes

Sep 19, 2015, 6:18:26 PM
to reca...@googlegroups.com

According to the "verifying the user's response" section of the guide you linked to, you can only verify a response once and it will fail the second time.  If that's true, then the fact that it's working the first time you paste the url from the log seems to indicate that something's wrong with the code and it's somehow  not sending the parameters properly.  Can you post more of the verification code?

iwa12

Sep 24, 2015, 1:10:56 PM
to reCAPTCHA
The verification code I used was a part of bundle called RecaptchaLibrary(https://github.com/DarioSwain/ReCaptchaLibrary/blob/master/src/ReCaptcha.php) authored by DarioSwain.

      $grcResponse = $_POST['g-recaptcha-response'];
      $reCaptcha = new ReCaptcha($key, $clientIp, $grcResponse);
      $response = $reCaptcha->bindRequest()->send();
      if ($response->isSuccess()) {
         // success
      }

The classes involved with verification are structured, but inside it seemed the same google verification url is called with a proper set of parameters using file_get_contents($url).  
When $reCaptcha->bindRequest()->send() is called, a response is populated like below:

      $response = json_decode($response, true);
      if ($response['success'] === true) {
          return new Response(true);
      } else {
          return new Response(false, array_key_exists('error-codes', $response) ? $response['error-codes'] : array());
      }

As I explained above I end up getting false without error codes.

After some trials I noticed that I hadn't tried implementing it with jQuery instead, which is mentioned in the guide too.
Then I tried posting the verification URL from a $.ajax statement, and it looks more stable, at least so far.
In that trial I noticed that the trouble I came across may be related to the asynchronous option in ajax:

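$.ajax({
    type: 'POST',
    url: '{path to the verify controller}',
    dataType: 'json',
    async: false,
    data: {
        captchaResponse: $('#g-recaptcha-response').val()
        // ... (remaining fields elided in the original post)
    }
    // ... (remaining options elided in the original post)
});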

At first I put true in the async attribute, and it worked sometimes, and sometimes the response was 'undefined', but after I changed this to false, it ceased to give such errors (instead it returns JSON data { [success] => 1 }).

I put this JS code in the onSubmit event of my login form.
Ideally I want to make it work this when the form is submitted, but at first I want to make sure this solution works in a steady way.

Petroglyph

Sep 30, 2015, 8:54:30 AM
to reCAPTCHA
I have pretty much the same problem as you do, and posted a similar question at Stack Overflow and here. Have you made any progress yet? I want to add that in my case, even the test keys, which are always supposed to work, produce the described error. My original question is posted here: Google Groups Recaptcha always false

jernwerber

Oct 7, 2015, 3:40:19 AM
to reCAPTCHA
I was having this same issue (always "success":false, no error codes). I threw a urlencode on the response for kicks (well, actually, because of the underscores) and it started working, but I removed it and it's still working. The only other thing I changed was adding another domain in the domains section for the key. I'm on shared hosting and I was using my domain, but I added the server's domain for kicks.

As far as testing, it appropriately returns false if I try to submit the same response twice (works the first time, false the second time).

This doesn't really fill me with a lot of confidence, but I guess we'll see if it stops working in the near future again...

Servesh Singh

Aug 13, 2017, 6:20:02 AM
to reCAPTCHA
I had the same issue, but I found that I was validating the Captcha twice.

Soon after validating the Captcha, print the response. You will see if you are validating twice.
Here is the technique: [Print all the logs to one separate file and keep this file in append mode.]

file_put_contents( "logfile",  $verifyResponse, FILE_APPEND ); /* this will print output*/

Read the content of logfile. If it has two validation responses, then you are sending two requests.
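
The server-side check discussed in this thread, as an added example that is not any poster's code: it sends the parameters form-encoded in the POST body, accepts only a literal `success: true`, and refuses to send the same token to siteverify twice. The function names, the reason strings other than Google's own error codes, and the use of the global `fetch` (Node 18+) are assumptions.

```javascript
// Added example; function names and local reason strings are hypothetical.
const SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify";

// Build the form-encoded POST body. URLSearchParams percent-encodes each
// value, so a value containing "&", "=" or "+" cannot corrupt the parameters.
function buildVerifyBody(secret, token, remoteIp) {
  const params = new URLSearchParams({ secret: secret, response: token });
  if (remoteIp) params.set("remoteip", remoteIp);
  return params.toString();
}

// Fail closed: only a literal `success: true` passes. A reply that carries
// no "error-codes" field is still a failure.
function interpretVerifyResponse(rawBody) {
  let parsed;
  try {
    parsed = JSON.parse(rawBody);
  } catch (e) {
    return { ok: false, reasons: ["unparseable-response"] };
  }
  if (parsed && parsed.success === true) return { ok: true, reasons: [] };
  const codes = parsed && Array.isArray(parsed["error-codes"]) ? parsed["error-codes"] : [];
  return { ok: false, reasons: codes.length ? codes : ["no-error-codes-returned"] };
}

// A token can be verified only once. Remember tokens already sent so that a
// second call is rejected locally and shows up as a bug in our own code.
function createVerifier(secret, postForm) {
  const sent = new Set();
  return async function verify(token, remoteIp) {
    if (!token) return { ok: false, reasons: ["missing-token"] };
    if (sent.has(token)) return { ok: false, reasons: ["token-already-verified"] };
    sent.add(token);
    const raw = await postForm(SITEVERIFY_URL, buildVerifyBody(secret, token, remoteIp));
    return interpretVerifyResponse(raw);
  };
}

// Default transport, assuming Node 18+ where fetch is global.
async function postForm(url, body) {
  const res = await fetch(url, {
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: body,
  });
  return res.text();
}
```

The in-memory set lives in one process only; it is there to surface double verification in your own code, not to replace Google's single-use enforcement.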