README

Laravel HCaptcha

Looking for a maintainer

I don't have the intention to maintain this package any longer. Captchas only punish the end user and are easily bypassed by bots.

If someone wants to take over, feel free to open a discussion and tag me in it.

A package to easily include HCaptcha in Laravel.

This project is originally based on laravel-reCAPTCHA and forked from Scyllaly, who seemingly abandoned the project.

This fork is a near-drop-in replacement for Scyllaly's package, maintaining the same namespace for 4.x and 5.x versions.

Requirements

Need support for Laravel 7 or before? Check the 4.x branch.

Installation

Install the package with Composer:

composer require rvxlab/hcaptcha

Publish the config file:

php artisan vendor:publish --tag="hcaptcha-config"

Optionally publish the translations:

php artisan vendor:publish --tag="hcaptcha-lang"

Optionally publish the views:

php artisan vendor:publish --tag="hcaptcha-views"

Configuration

Add HCAPTCHA_SECRET and HCAPTCHA_SITEKEY in .env file :

HCAPTCHA_SECRET=secret-key
HCAPTCHA_SITEKEY=site-key

You can obtain them from your HCaptcha dashboard.

Usage

Prepare the script

First you need to initialize the script:

{!! HCaptcha::renderJs() !!}
// Or
<x-hcaptcha::script />

You can optionally set the locale and the custom callback function:

{!! HCaptcha::renderJs('nl', true, 'myCallbackFunction') !!}
// Or
<x-hcaptcha::script lang="nl" :has-callback="true" on-load-class="myCallbackFunction" />

You can also use the app locale if you have a multilingual application:

<x-hcaptcha::script use-app-locale />

Render the widget

This package provides support for the regular widget, as well as the invisible captcha.

Initialize the regular widget:

{!! HCaptcha::display() !!}
// Or
<x-hcaptcha::widget />

Any attributes can be passed as an array to the display method or as properties on the Blade component:

{!! HCaptcha::display([ 'class' => 'my-widget', 'data-test' => 'Test' ]) !!}
// Or
<x-hcaptcha::widget class="my-widget" data-test="Test" />

Invisible widget

If you rather want forms to have an invisible widget:

<form id="register-form" method="post" action="{{ route('register') }}">
    <input type="text" name="email" />
    
    <input type="password" name="password" />
    
    {!! HCaptcha::displaySubmit('register-form', 'Submit', [ 'class' => 'btn' ]) !!}
    // Or
    <x-hcaptcha::submit form-identifier="register-form" class="btn">
        Submit
    </x-hcaptcha::submit>
    @csrf
</form>

If you have a custom callback defined for your forms you can define a data-callback attribute:

{!! HCaptcha::displaySubmit('register-form', 'Submit', [ 'class' => 'btn', 'data-callback' => 'userDefinedCallback ]) !!}
// Or
<x-hcaptcha::submit form-identifier="register-form" class="btn" data-callback="userDefinedCallback">
    Submit
</x-hcaptcha::submit>

Validation

Add 'h-captcha-response' => 'required|HCaptcha' to the rules array:

class RegisterRequest extends \Illuminate\Foundation\Http\FormRequest
{
    public function rules(): array
    {
        return [
            'email' => 'required|email|exists:users,email',
            'password' => 'required',
            'h-captcha-response' => 'required|HCaptcha',
        ];
    }
}

Testing

You can mock the HCaptcha validation by calling the shouldReceive method on the HCaptcha facade:

HCaptcha::shouldReceive('verifyResponse')->once()->andReturnTrue();

HCaptcha::shouldReceive('display')->andReturn('<input type="hidden" name="h-captcha-response" value="1" />');

Or when testing a JSON call:

HCaptcha::shouldReceive('verifyResponse')->once()->andReturnTrue();

$response = $this->json('POST', '/register', [
    'h-captcha-response' => '1',
    'email' => 'john@example.com',
    'password' => '123456',
]);

Upgrading

Check the Upgrade Guide for notes on updating from 4.x to 5.x.

License

This package is licensed under MIT.