如何验证 g-captcha 响应？

Question

In the documentation of google recaptcha, said:

URL: https://www.google.com/recaptcha/api/siteverify

METHOD: POST

POST Parameter Description secret - Required. The shared key between your site and reCAPTCHA.

The response is a JSON object:

{
  "success": true|false,
  "challenge_ts": timestamp,  // timestamp of the challenge load (ISO format yyyy-MM-dd'T'HH:mm:ssZZ)
  "hostname": string,         // the hostname of the site where the reCAPTCHA was solved
  "error-codes": [...]        // optional
}

I'm getting that response with an onloadCallback, that calls a function after the user is validated correctly, and submit the form automatically . What I'm getting in the post is:

Array ([g-recaptcha-response] => 03AHJ_VuvxFs1t32j2Yn97X2tt8_86_XnXBLuMdY05BcYCBy-Jz1GWBCy9rGif83IJ59pq3C-0SdmlcxQwHHSz2CrRNBOFGc97Rb1W-0u0OxETOYufUJ5fRunvO_yOWp2a3yln8I9AT7SGmYVh0jTrxshuYnmu5KwxRTaR9k0FAwlmI38chPw2DplS2jk-8FpDDZdy0hs0_p7zGdI3xemq5OpF1WXeXvfCSRKAA8P4C7YBKp4GA-qEGv3gJE1HjXEaR1VHjVGPF8crn3H_EuhEWEBRnEpQMk1HN-nfUKwF2cv97fJ_2Qu_jtkbFK_laclISWIR18SDcMtR27_wuzgQUV6Ll49z3cQw6ZinD0YZcJLjBoGrtDWSqPDRBPYvRF9VEZNpmRasL6vU7W037BCoccDwrcCeVsFlspDFVDr6PlxrddkvF2USBjc0QTJNb_sDUEEfaEBbCot6wKcQxsBqfFtfHiwRuY3SZEszbMWdeLMyQNOE3rh7pJJRSFURWxYjgoLbV1jDbyQosdS6R9-VepLpiZ1Gc6Lw35cQAD2zsdajJuTBP-lih3fLxsxw9OuQqsFfpXpXQAUQ0owzjpbLWdy4O-bNM4zbVQttz-kWDwNFD4JL57SbUIm6LAjNlhxhJeYSZGE7SvaxPZ93WWm-VV7PIWiEmFZy5X981rUGMRpxJSpwHMCTpwLgV_LabMHoJd-EDXQjN6w6BDIqC4yVV15yBDBmWO6t_CcCgTNgu7-lpL671g03LW14MChkwt7EGLXNAYi9gHKOP8e69aT2zrCT-3FwMg4wmMpaPMqt62YnGTIJ0zoRlLHn8Jl0uuE6PTFycusBTdmOLjTui1urTW_a5sI98TuY4Jx1uNaRpxbxmUBK357gXy3bYOgwzqGA8i_w4goq-QKEIwjlZRsaLQkDMZaxHQF6mR6ehjQWJ5PFS0IRFk5IRJINKjwsldqzO7lM-8Ill-wqVRRQy2W111k4vtsYn3ymYDZ9SOwu3clx5HrWr_viE7_-WeJnMRL0DHQZD2ZBcrqoZWp1LAtcreKZzvgpiP7nGd-sU2JLqUlA9u1HbLwe7LTuEtoMuCpW_PZ4kgyauQTro6W1qZNkeCz1-nIiptMdrCWE4PeHF3pbuD4srkDS61eiOMGSey-ZprTorH92Egc0DQf-obzkjWw_8A_isfl3pQ )

Theres's no JSON present, only this string. What is the next step?

Thanks.

Answer 1

There's no JSON present, only this string. only this string. What is the next step?

By submitting the POST to https://www.google.com/recaptcha/api/siteverify with g-recaptcha-response value and reCaptcha secret key you've already got a success response as JSON :

{
   "success": true|false,
   "challenge_ts": timestamp,  // timestamp of the challenge load  
   "hostname": string,  // the hostname of the site where the reCAPTCHA was solved
   "error-codes": [...]        // optional
}

So, this was your validation of g-recaptcha-response value. And now you include success parameter value ( true/false ) into your web form to submit or use it server-side (since you've got g-recaptcha-response value thru your server request to google server) for further response to client.
Read here more.