On Wed, Mar 9, 2022 at 1:39 PM YuanSheng Wang <[email protected]> wrote:
> > {
> > "plugins": {
> > "recaptcha": {
> > "apis":[
> > {
> > "path":"/login",
> > "methods":[ "POST" ],
> > "param_from":"header",
> > "param_name":"captcha"
>
> can we use this project? https://github.com/api7/lua-resty-expr
>
> `lua-resty-expr` should be simpler.
>
>
Please ignore this message.
BTW, I think we can remove `apis`. We can bind the plugin recaptcha to a
specific APISIX route.
It is easier to use.
If the community needs more power, we can implement it later.
>
> On Tue, Mar 8, 2022 at 7:41 PM 李玉升 <[email protected]> wrote:
>
>> Background
>> Google reCAPTCHA is a popular human-identify service in the world. It
>> protects website(API) from spam and abuse.
>>
>>
>>
>> For now, the APISIX users who want to integrate the reCAPTCHA service in
>> their system, either write the plugin on their own or just leave it to the
>> backend microservices. Therefore, users have required the skills of plugin
>> development, or into a bad situation where the reCAPTCHA layer is spread
>> to
>> multiple microservices.
>>
>>
>>
>> Based on the pre context. It's will be great if APISIX has official
>> recaptcha plugin. Backend services can just focus on their core business
>> logic and take every request as if it were sent by humans.
>>
>>
>>
>> Here is the code snippet of recaptcha plugin schema
>>
>> local schema = {
>> type = "object",
>> properties = {
>> -- The secret key of the Google reCAPTCHA service.
>> recaptcha_secret_key = { type = "string" },
>> -- The list of APIs needs to be verified by reCAPTCHA.
>> apis = {
>> type = "array",
>> items = {
>> type = "object",
>> properties = {
>> -- The API path
>> path = { type = "string" },
>> -- The list of HTTP method
>> methods = { type = "array", items = { type = "string"
>> }, minItems = 1 },
>> -- The enum of captcha parameter source. Only header,
>> query are supported.
>> param_from = {
>> type = "string",
>> default = "header",
>> enum = { "header", "query" }
>> },
>> -- The name of captcha parameter.
>> param_name = { type = "string", default = "captcha" },
>> }
>> },
>> minItems = 1
>> },
>> -- The response of invalid recaptcha token.
>> response = {
>> type = "object",
>> properties = {
>> content_type = { type = "string", default =
>> "application/json; charset=utf-8" },
>> status_code = { type = "number", default = 400 },
>> body = { type = "string", default = '{"message": "invalid
>> captcha"}' }
>> }
>> },
>>
>> },
>> additionalProperties = false,
>> required = { "recaptcha_secret_key" },
>> }
>>
>>
>>
>>
>> And the example of plugin config
>>
>> {
>> "plugins": {
>> "recaptcha": {
>> "apis":[
>> {
>> "path":"/login",
>> "methods":[ "POST" ],
>> "param_from":"header",
>> "param_name":"captcha"
>> },
>> {
>> "path":"/users/*/active",
>> "methods":[ "POST" ],
>> "param_from":"query",
>> "param_name":"captcha"
>> }
>> ],
>> "response":{
>> "content_type":"application/json; charset=utf-8",
>> "body":"{\"message\":\"invalid captcha\"}\n",
>> "status_code":400
>> },
>> "recaptcha_secret_key":"6LeIxAcTAAAAAGGXXXXXXXXXXXXXXXXXXX"
>> }
>> }
>> }
>>
>>
>>
>>
>> The process would be like this
>> 1. client-side provides a recaptcha token(obtain from google JS SDK)
>> when
>> invoking server API
>> 2. the plugin determines whether to verify the request based on the
>> plugin apis configuration.
>> 1. NO: request will continue
>> 2. YES: retrieve the captcha parameter from the request, and verify
>> it to the google recaptcha api. allowing the request if token valid,
>> terminating the request if token invalid.
>>
>>
>> plugin document:
>>
>> https://github.com/apache/apisix/blob/41db53714936bb8e1099f477e50973b494118718/docs/en/latest/plugins/recaptcha.md
>>
>
>
> --
>
> *MembPhis*
> My GitHub: https://github.com/membphis
> Apache APISIX: https://github.com/apache/apisix
>
--
*MembPhis*
My GitHub: https://github.com/membphis
Apache APISIX: https://github.com/apache/apisix
