
Fixed ReCaptcha Secure Token Deprecation

Discussion in 'Resolved Bug Reports' started by Jake B., May 10, 2016.

  1. Jake B.

    Jake B. Well-Known Member

    I've gotten a ton of these emails recently, seems Google is changing how their ReCaptcha API works. The Secure Token isn't required anymore and now they're forcing domain validation. At least that's what I got out of this.

  2. Chris D

    Chris D XenForo Developer Staff Member

    The site you got this alert for, is it using the old reCAPTCHA or the new "I'm not a robot" reCAPTCHA?

    EDIT: I actually can't see that we use the secure token anywhere...
  3. Jake B.

    Jake B. Well-Known Member

    Nope, it's using the 'new' No CAPTCHA one


    Is the secret key and secure token not the same thing? I'm not really familiar with NoCaptcha, but if not then I guess this can be closed :p
  4. Chris D

    Chris D XenForo Developer Staff Member

    Yeah it's not the same thing.

    That said, this does perhaps highlight some verification we're not actually doing so I'm going to escalate this to a bug.

    It seems like we should have been doing the secure token validation but I don't think we are and alternatively we should be doing the hostname validation so we should look at adding that.
    Jake B. likes this.
  5. Chris D

    Chris D XenForo Developer Staff Member

    On closer inspection of the documentation, there's not necessarily anything we need to do here.

    We do not make use of the secure token parameter. Also, hostname validation happens automatically by default. However, there is an option to turn that off. Therefore, as a precaution, we are now also doing domain validation just to cover all bases. On that note, we'll call this fixed for the next release :)

    Jake B. likes this.
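
The server-side domain check discussed in the last post, as an added example (not XenForo's code and not part of the thread). It assumes the verification reply is a JSON body carrying `success` and `hostname` fields; the sample bodies, host names and the `allowed_hosts` setting are constructed for illustration.

```python
import json

# Constructed sample bodies in the shape of a reCAPTCHA verification reply.
SAMPLE_OK = '{"success": true, "challenge_ts": "2016-05-10T12:00:00Z", "hostname": "forum.example.com"}'
SAMPLE_FOREIGN = '{"success": true, "challenge_ts": "2016-05-10T12:00:00Z", "hostname": "other.example.net"}'
SAMPLE_FAILED = '{"success": false, "error-codes": ["invalid-input-response"]}'


def normalize_host(host):
    """Lower-case and drop a trailing dot so comparisons are exact."""
    return host.strip().lower().rstrip(".")


def check_siteverify(body, allowed_hosts):
    """Return (accepted, reason) for one verification response body.

    allowed_hosts is the set of hostnames this site serves the widget on
    (hypothetical configuration value, supplied by the caller).
    """
    try:
        data = json.loads(body)
    except ValueError:
        return False, "malformed-json"
    if not isinstance(data, dict):
        return False, "malformed-json"
    # A solved challenge is necessary but not sufficient.
    if data.get("success") is not True:
        return False, "challenge-failed"
    host = data.get("hostname")
    if not isinstance(host, str) or not host:
        return False, "hostname-missing"
    # Exact match only: no substring or suffix matching, so a token solved
    # on a look-alike host is rejected.
    allowed = {normalize_host(h) for h in allowed_hosts}
    if normalize_host(host) not in allowed:
        return False, "hostname-mismatch"
    return True, "ok"


if __name__ == "__main__":
    hosts = {"forum.example.com"}
    for body in (SAMPLE_OK, SAMPLE_FOREIGN, SAMPLE_FAILED):
        print(check_siteverify(body, hosts))
```

Doing this check in the application keeps a token solved on another domain from being accepted even when the automatic hostname validation has been switched off for the key.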
