How to Set Up Google reCAPTCHA on Your Website

00:00

if you have been browsing internet and

00:02

logging into websites then you must have

00:04

seen and used the google's i am not a

00:06

robot checkbox that checkbox is the

00:09

google's recaptcha service and is used

00:12

to identify valid users and filter out

00:14

any bots or malicious requests

00:17

so if you want to understand what are

00:18

the google recapture services and how

00:21

can we integrate the i am not a robot

00:24

checkbox into your web pages then be

00:27

sure to watch this video till the end

00:30

now this video is divided into chapters

00:32

so if you want to skip any part like you

00:35

are only interested in the coding part

00:37

then feel free to skip to that chapter

00:39

also if you feel this video is

00:41

interesting and helpful then please

00:43

don't be shy and like the video and also

00:46

subscribe to this channel to stay

00:47

updated with more such kind of videos

00:51

now before we start adding the recaptcha

00:54

checkbox in a webpage first let's have a

00:57

brief overview of different recapture

00:59

services that google provides

01:01

so basically google offers three kinds

01:03

of recapture services first one is the

01:06

recapture version two then there is a

01:08

version three and then there is the

01:10

recaptcha enterprise

01:11

so recapture version 2 is the one where

01:14

we can add the i am not a robot checkbox

01:16

to validate the user's request

01:19

it also includes invisible verification

01:22

also google provides 1 million

01:24

verifications for free which i believe

01:26

should be sufficient as far as free

01:29

services go second one is recaptcha

01:32

version 3 and it works differently where

01:35

it gives a score of user interaction and

01:37

based on that score we can decide what

01:40

to do with the user's request so if the

01:42

score that the service provides when

01:45

validating a user is low then we can

01:47

decide to reject the user's request or

01:50

to identify the user either as a bot or

01:53

as a malicious user if the score is

01:55

acceptable or if it is high enough then

01:58

we can say yeah this user is valid and

02:00

he can go through to use our services

02:02

then there is the recaptcha enterprise

02:04

which provides an entire suite of

02:06

services for fraud detection and other

02:09

services such as ddos protection etc you

02:12

can find more about it if you want to by

02:15

going to this url of google recapture

02:18

but in this video i'm going to talk

02:20

about recaptcha version 2 where we are

02:22

going to add a recaptcha i am not a

02:25

robot checkbox and i will show you how

02:27

we can take the help of google in

02:29

verifying if the user is a valid user or

02:32

if it is a malicious user etc so without

02:35

wasting any more time let's begin now

02:38

the first thing that you need to do is

02:39

to open up the

02:40

admin console of google recapture and

02:43

then login into your account if you are

02:45

not yet logged in when you will open up

02:47

the console then if you do not have any

02:51

recapture services enabled for any of

02:53

your hosts or domains then it will ask

02:56

you to register a new site the first

02:58

thing that you need to do is to give in

03:01

the name of the label so i'm just going

03:03

to give the name as test

03:06

now for recapture type i am going to

03:08

select recapture version 2 because this

03:10

is the one where we are going to add the

03:12

i am not a robot checkbox it also

03:15

provides two more services where

03:17

it validates the requests in the

03:19

background and the third one is for

03:20

android but in this video we are going

03:22

to see how we can add this checkbox next

03:25

you will have to add the domain so i

03:27

will come to this part later because i

03:29

will show you how i am going to do that

03:31

for this video this is the email address

03:33

of owners so

03:35

your email address will come here as

03:37

default you can add more email addresses

03:40

to receive any kind of notifications

03:42

from google let's say google detects

03:44

that someone is maliciously trying to

03:47

use our web application so it can notify

03:50

us by means of sending emails to the

03:53

owner's email addresses and then you

03:55

will have to accept the recapture terms

03:56

of service and this checkbox send alert

03:59

to owners is checked by default so i

04:01

have already told you what this will do

04:03

it will detect problems and if it does

04:06

then it will send the owners

04:07

notifications about those malicious

04:10

users now let's come to the part where

04:12

we have to add a domain so to do that

04:15

i have created a new static html

04:18

javascript and css application

04:20

in stack blitz so stack blitz is an

04:23

online platform where you can create

04:26

different kinds of projects like angular

04:27

react view etc and then you can compile

04:30

those projects and see how they look

04:32

like when

04:33

compiled and when they are running in

04:35

the browser so in this project there are

04:37

three files first one is the index.html

04:40

file then there is a

04:41

script file and then there is a

04:42

style.css so usually we use the i am not

04:46

a robot checkbox when a user is trying

04:48

to log in because we want to make sure

04:50

that a genuine user is trying to log in

04:52

and not a bot or any other malicious

04:55

user is trying to login so what i'm

04:57

going to do is i'm going to add the

04:58

checkbox the i'm not a robot checkbox

05:00

below this login button but i was

05:03

talking about how to add the domain name

05:06

and if you will pay attention stack

05:09

blades provide you a url which you can

05:12

use to access your application your

05:14

built or bundled application from

05:16

anywhere on the web so i'm just going to

05:19

use this url and we don't have to enter

05:22

the https we just have to use the

05:25

domain name or the host name so let's

05:28

just do that

05:30

now we have added everything and it's

05:32

time to submit

05:34

so test has been registered and the

05:37

google's recaptcha has created two keys

05:39

for us first one is the site key and the

05:41

second one is the secret key so site key

05:44

is the key which we use in the browser

05:47

and the secret key is the one which we

05:48

use

05:49

on our server so do not expose this

05:52

secret key the side key is going to be

05:54

exposed anyway so it doesn't really

05:55

matter if anyone knows about it or not

05:58

because you are going to use this key to

05:59

create the checkbox container within

06:01

your web page so now when we have the

06:03

site key and the secret key it's time to

06:06

create the i am not a robot component or

06:09

widget and place it on this webpage

06:11

below this login button now there are

06:14

two ways in which the recaptcha widget

06:16

can be rendered the first one is it will

06:18

render automatically where we will use a

06:20

div and the second one is we will render

06:23

it explicitly by creating a javascript

06:26

function so let's first see how we can

06:28

add the widget automatically now the

06:30

first thing that we need to do is we

06:32

need to add the

06:33

script element

06:35

so let's do that and add it

06:37

below this script

06:39

this is the url of the captcha api

06:42

script and we have to load it in the

06:43

async default mode the next thing that

06:45

we need to do to automatically add the

06:48

recaptcha widget is to add a div element

06:50

below this login button so i'm just

06:52

going to create a new div element now in

06:55

this div element first we have to add

06:57

the

06:58

class attribute and its value is going

07:00

to be g recaptcha and then we will have

07:03

to add the

07:04

site key attribute so

07:07

for that

07:08

we are going to copy the value of the

07:10

site key from over here when we created

07:14

or registered our new recaptcha so let's

07:17

just do that i'm going to paste it over

07:19

here

07:21

so whenever we make any changes then the

07:23

page on the right side is going to

07:25

refresh automatically so you can see

07:27

that the recaptcha

07:29

widget has been added and right now this

07:32

widget is working but we will also need

07:35

to handle the outcome of the widget like

07:38

if the google is going to validate the

07:40

user when they will click on this

07:42

checkbox then we will need to know if

07:44

the validation or the verification was

07:47

successful or not to do that we use

07:49

callbacks but before that i am going to

07:51

show you the explicit way of adding this

07:53

widget where we will not be adding the

07:56

site key within this div element and we

07:59

will be using a function which will act

08:01

as the callback whenever the

08:03

recaptcha api will be loaded let me just

08:07

zoom it so that you can see it

08:09

so to add the captcha explicitly the

08:11

first thing that i will do is i will add

08:14

a script callback function

08:16

so i'm going to add this function within

08:18

this html page

08:20

within a new script element

08:24

so let's first create a new function

08:26

with the name

08:28

on load callback

08:32

now we need to add two parameters to

08:34

this source value and those two

08:37

parameters are going to be

08:38

the onload parameter and the render

08:41

parameter so we need to add these two

08:43

parameters onload is going to point to

08:46

the callback function which we just

08:47

created on callback and render is going

08:50

to have the value explicit now you have

08:52

to make sure that the callback function

08:54

should be available or should be loaded

08:56

before the recaptcha script loads now to

08:58

ensure that you can order the callback

09:01

function before the recaptcha script

09:03

like i have done here

09:04

in another script element and you can or

09:07

you have to use the async and default

09:10

tags within the script element which is

09:12

pointing to the recaptcha api javascript

09:14

file so now to explicitly render the

09:17

captcha

09:18

we need to call g

09:22

recaptcha function and we need to call

09:26

render

09:29

now the first argument is going to be

09:30

the name of the element which is

09:33

going to contain the widget and after

09:35

that we are going to provide an options

09:38

object with more information like the

09:40

site key and the callback etc so let's

09:42

just do that now if you remember we have

09:45

already created a div but we provided

09:47

the side key in that div so i'm going to

09:49

remove the side key attribute from this

09:51

div and

09:52

i am going to

09:54

you know what provide an id to this div

09:57

so let's call it as div

09:59

recaptcha and let's copy this id and

10:03

paste it into or place it or provide it

10:05

as the first argument for g captcha dot

10:08

render function now let's provide the

10:10

site key so site key property is going

10:12

to

10:14

have the same value just copy it from

10:16

over here from recaptcha

10:19

admin console and then paste it

10:21

the widget is now here but then we will

10:24

also need to provide a callback function

10:25

so we need to create a new callback

10:27

function

10:28

so before we do that let's first talk a

10:30

little bit about these callback

10:32

functions to capture the response from

10:34

recaptcha after the user interacts with

10:37

it there can be three kinds of responses

10:39

and we can specify callbacks for them

10:41

the first one is going to be a normal or

10:43

a successful callback so when the

10:45

response is successfully submitted by

10:47

the user then this callback gets called

10:50

for any successful callback a response

10:52

token will also be received as an

10:54

argument and then i will show you what

10:56

we can do with that response token and

10:58

for that we can either add the data

11:01

callback attributes to the widget div

11:04

when we are adding this

11:06

widget automatically otherwise we can

11:08

provide it as a property within this

11:10

options object when we are calling this

11:12

g recaptcha dot render function the

11:14

second kind of callback is the expired

11:16

callback this is called when the

11:18

response expires and the user needs to

11:20

resubmit

11:21

the recaptcha response the third one is

11:24

an error callback which is usually

11:27

called when there is some kind of

11:28

network connection problem and we need

11:30

to notify the user about this specific

11:33

issue that there is some kind of issue

11:35

with their network and for that reason

11:37

the recapture service is not going to

11:39

work the expired callback can be added

11:41

by using the data expired callback

11:43

attribute and the error callback can be

11:46

wired up using the data error callback

11:48

now i'm going to create a new callback

11:50

function

11:51

and the callback function is going to be

11:54

created in this script.js file

11:56

so i'm going to remove this console.log

11:59

statement and then let's create a new

12:02

function and let's just call it success

12:05

callback

12:08

now within this i'm just going to

12:09

provide a debugger

12:11

let's go to index.html again and

12:14

let's provide the name or the reference

12:16

of the callback function so

12:20

success callback now for some reason i'm

12:23

still not seeing the widget so maybe

12:25

the callback function yep there is a

12:28

typo over here so

12:30

now you can see that the callback has

12:31

been provided and now i'm going to click

12:34

on this i'm not a robot checkbox and we

12:36

will receive a response if it is

12:38

successful then the code execution is

12:40

going to

12:41

break over here at this point where i

12:43

have placed debugger but to test this

12:45

one i am going to copy this url and then

12:48

open it up in a new

12:49

chrome tab

12:50

so let's do it and open up the console

12:53

and now let's click on this i am not a

12:55

robot checkbox you can see that we have

12:58

received a callback but because i have

13:00

not added any argument over here for the

13:02

response the way to check it is to add

13:05

the arguments

13:09

in the watch

13:11

you can see that arguments has only a

13:13

single argument which is the response

13:16

the token which the google recapture

13:18

service has sent back to us after

13:21

successfully verifying the user clicking

13:24

on this i am not a robot checkbox so

13:26

what i'm going to do is i'm going to add

13:28

an argument over here now you must be

13:30

thinking what the hell is this response

13:32

token well don't worry i will tell you

13:34

that too the token received after a

13:36

successful validation is valid for only

13:39

two minutes and can be used once for

13:41

verification and when we have got the

13:43

response token in the browser then we

13:46

are going to use this token to post a

13:48

request to the google's recaptcha url

13:51

but that request is going to be posted

13:54

from the server instead of this browser

13:56

so here is what the concept is google

13:58

verified the user for us but now again

14:01

we have to go to google and give it the

14:03

token and ask hey google you just

14:06

verified this guy as a real human and

14:08

you gave me this token please check if

14:10

this token is indeed correct if the

14:12

token is correct then google will say

14:14

yeah dude the token is correct and the

14:16

guy is indeed a human now if a malicious

14:19

script steals your token and sends it to

14:22

our server within two minutes which is

14:24

the time for which the token will remain

14:26

valid the same token cannot be used

14:28

twice also a token is associated with an

14:31

account which involves a secret key and

14:33

host name so the token generated in

14:36

another host will also not be valid for

14:38

our host let's now see how this can be

14:41

done

14:42

so for this application i have not

14:44

created a back end so we will be using

14:46

the postman app to send the post request

14:49

and then verify the response so this is

14:52

the postman application and you can use

14:54

it to send a bunch of different kinds of

14:55

requests you can select the type of the

14:57

request from over here by clicking on

14:59

this triangle now we need to send a post

15:02

request the url is going to be this one

15:06

google.com slash recaptcha and then api

15:08

site verify now when we are posting a

15:11

request on this url we will also need to

15:14

provide two parameters the first

15:15

parameter is going to be our secret key

15:18

if you remember i told you that we need

15:20

to use the secret key on our server the

15:23

second parameter is going to be the

15:25

token or the response token which google

15:28

has sent us after the user has clicked

15:31

on the i am not a robot checkbox so

15:34

first let's add the secret key parameter

15:37

and the value is going to be this one

15:39

let's just copy it from over here and

15:41

then

15:42

paste it in the value the second one is

15:44

going to be

15:45

response

15:47

so we can copy response when we will

15:50

click on the i am not a robot checkbox

15:53

let's reload this page again and then

15:54

copy the token value from the

15:58

browser console so

16:00

let's click on this i am not a robot

16:01

checkbox

16:02

now remember this token is only valid

16:04

for two minutes so we must hurry now i'm

16:07

just going to copy the value and

16:10

let's press ctrl c open up the postman

16:13

app and then i think i will need to

16:15

remove this quotes because they may not

16:17

be needed

16:18

and then

16:19

send it

16:20

you can see that we have received a

16:21

response and if the response is

16:24

successful then we will get three values

16:27

the success property is going to have

16:29

the value either true or false if the

16:32

verification is successful then it will

16:34

return true google will say yeah the

16:36

token is indeed for a legitimate user

16:39

and we can allow the user to enter our

16:41

system or use our application the second

16:43

one is the challenge underscore ts which

16:45

is the time stamp at which the challenge

16:48

was received and the third one is the

16:50

host name so host name is the one which

16:53

we have provided

16:54

when we were registering our application

16:57

or our web page or our web host to

16:59

google's recaptcha

17:01

and this host name is associated with

17:03

this

17:03

name or label test

17:05

now let's try to post this same request

17:07

again so because the same request cannot

17:10

be

17:11

verified twice so if i will post it

17:13

again then you can see that success is

17:16

now false and there is another property

17:18

with an array

17:20

timeout or duplicate it says that it is

17:22

either a timeout issue or either it is a

17:25

duplicate token because we have already

17:27

used this token to verify the legitimacy

17:30

of the user so that was all about the

17:33

google recaptcha version 2 checkbox

17:36

there are two more variants of this api

17:38

this one is for the invisible mode and

17:41

there is the other one which is for

17:43

android do check them out if you want to

17:45

and if you want to see how to use them

17:47

then you can always check out this

17:49

developer guide i have shared this link

17:52

in the video's description and finally

17:54

thanks for watching this video i am

17:56

nitej take care and have fun