Is it possible for grecaptcha.enterprise.execute to return empty or null values?

We have successfully integrated Google reCAPTCHA Enterprise into our site, and it functions perfectly when I fill out and submit the form. However, our logs reveal numerous error messages indicating that requests are missing the required non-empty reCAPTCHA token parameter.
 
Upon investigation, it appears that many of these errors are likely due to bot-like behavior, as we observe that the form is often submitted within just 1-2 seconds after the page is loaded. However, we also encounter cases where the issue does not seem to stem from automated scripts. In these instances, the form submission occurs after a reasonable period, suggesting that the issue might not be solely related to rapid submissions.
 
We have implemented Google reCAPTCHA Enterprise on our site by including the following script in the <head> section of our HTML:
 
On the frontend, we use a submitForm function to retrieve the reCAPTCHA token and submit the form data to our backend. The submitForm function is defined as follows:
 
function submitForm(form, url, siteKey) {
    // Display a loading spinner
    grecaptcha.enterprise.ready(async () => {
        const token = await grecaptcha.enterprise.execute(siteKey, { action: 'submit' });

        // Perform additional processing for complex inputs
        const searchParams = new URLSearchParams();
        searchParams.append('g-recaptcha-response', token);

        // Submit the form data via a POST request
        fetch(url, {
            method: 'POST',
            headers: {
                'Content-Type': 'application/x-www-form-urlencoded'
            },
            body: searchParams.toString(),
        })
        .then((response) => {
            // Handle the response from the server
            // ...
        });
    });
}
 
In this implementation, the fetch request is only executed after grecaptcha.enterprise.ready and await grecaptcha.enterprise.execute. Therefore, the token should be obtained before the POST request is made. However, if the token is empty, it could be due to Google returning an empty value or to the request being sent manually, bypassing this JavaScript code.
 
My question is: Can grecaptcha.enterprise.execute return empty or null values?
If so, in which cases can tokens be empty? How should we correctly handle it? Is it safe to check the token on the FE side before sending a POST request?
If not, is it something with our implementation? Why might it work in some cases but not in others?
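One way to make the token step of submitForm report why no token was produced, as an added example that is not part of the original post and not Google's code. The function name getRecaptchaToken, the result shape, the timeout value and the stub objects are assumptions made for illustration; the example does not claim that execute returns null in practice, it only handles that outcome alongside rejection, a blocked script and a ready callback that never fires.

```javascript
// Added example, not from the original post. getRecaptchaToken, the result
// shape and TOKEN_TIMEOUT_MS are hypothetical names chosen for illustration.
const TOKEN_TIMEOUT_MS = 5000;

// `client` is the object exposing ready()/execute(); in the browser that
// would be window.grecaptcha && window.grecaptcha.enterprise.
function getRecaptchaToken(client, siteKey, action, timeoutMs = TOKEN_TIMEOUT_MS) {
  return new Promise((resolve) => {
    // Script blocked or failed to load: there is nothing to call.
    if (!client || typeof client.ready !== 'function') {
      resolve({ ok: false, reason: 'library-unavailable' });
      return;
    }
    // Bound the wait so a callback that never fires does not hang the form.
    const timer = setTimeout(
      () => resolve({ ok: false, reason: 'timeout' }), timeoutMs);
    client.ready(async () => {
      try {
        const token = await client.execute(siteKey, { action });
        if (typeof token === 'string' && token.length > 0) {
          resolve({ ok: true, token });
        } else {
          resolve({ ok: false, reason: 'empty-token' });
        }
      } catch (err) {
        resolve({ ok: false, reason: 'execute-rejected' });
      } finally {
        clearTimeout(timer);
      }
    });
  });
}

// Constructed stubs standing in for grecaptcha.enterprise (runs under Node).
const stubs = {
  ok: { ready: (cb) => cb(), execute: async () => 'constructed-token' },
  empty: { ready: (cb) => cb(), execute: async () => null },
  rejected: { ready: (cb) => cb(), execute: async () => { throw new Error('constructed'); } },
  hang: { ready: () => {} },
};

async function demo() {
  const out = {};
  for (const [name, stub] of Object.entries(stubs)) {
    out[name] = await getRecaptchaToken(stub, 'SITE_KEY_PLACEHOLDER', 'submit', 20);
  }
  out.missing = await getRecaptchaToken(undefined, 'SITE_KEY_PLACEHOLDER', 'submit', 20);
  return out;
}
demo().then((results) => console.log(results));
```

A client-side check like this only improves the user experience and the quality of client error reporting; because a request can be sent without running this JavaScript at all, as the post notes, the backend still has to reject requests whose token is missing or fails assessment.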