I am sending a username, password and the h-captcha-response token to express via a login form. The username and password are being sent fine from the form, without single quotes; the h-captcha-response (which is formulated by hcaptcha and sent back to the web form and is sent also) is being sent with enclosing single quotes and the hcaptcha middleware (express-hcaptcha) sees no token. Response from the middleware is ....
Error: bad request - no token provided in body
I am using https://github.com/vastus/express-hcaptcha
When I dump the req I am seeing that the h-captcha-response is enclosed in single quotes. I believe this may be because the form input that is being sent to express is not being set to application/json, but that's a guess since I am new to node/express.
The applicable part of the req dump is below, followed by the node/express info. Can someone point me in the correct direction? Many thanks JW
req dump ( via console.log )
————-
<snip>
….
….
body:
{ username: 'xxxx',
  password: 'xxxx',
  'h-captcha-response': 'xxxxxxxxxxxxxx' },
_body: true,
length: undefined,
….
….
<snip>
Appropriate parts of the js file —————
const http = require('http');
const mysql = require('mysql');
const express = require('express');
const session = require('express-session');
const cors = require('cors');
const hcaptcha = require('express-hcaptcha');
//hcaptcha secret key
const SECRET = "xxxxxx";
var bodyParser = require('body-parser');
var connection = mysql.createConnection({
…..<snip>
});
const path = require('path');
const app = express();
app.use(cors());
app.use(bodyParser.json());
app.set("view engine","hbs");
app.use(bodyParser.urlencoded({extended : true}));
//create app server
var server = app.listen(3000, "0.0.0.0", function () {
  var host = server.address().address;
  var port = server.address().port;
});
app.post('/verify', hcaptcha.middleware.validate(SECRET), (req, res) => {
  res.json({message: 'verified!', hcaptcha: req.hcaptcha});
});
The key 'h-captcha-response' is enclosed in quotes because that's the only way you can create an object key containing special characters (- in this case) in javascript:
const bad = { a-b: '' }
// ^ Parsing error: unexpected token, expected ","
const good = { 'a-b': '' } // no error
And while node is not creating an object here but just logging it to the console, it still respects common js syntax.
As for the error: Error: bad request - no token provided in body.
It's happening because the express-hcaptcha middleware expects the field named token. If the field is absent or evaluates to a falsy value, you get the error you are observing now.
If you're sending data as application/x-www-form-urlencoded, then to fix the issue you have to change the name attribute of the captcha field in your html form from h-captcha-response to token.
If you're sending data as json, then do the same renaming to the key of the json object being sent.
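A server-side alternative to renaming the field, as an added example that is not part of the original answer or of express-hcaptcha: a small middleware placed before hcaptcha.middleware.validate that copies h-captcha-response into token and rejects values that are not a single string, since bodyParser.urlencoded({extended: true}) and JSON bodies can both deliver arrays or objects. The names pickCaptchaToken, normalizeCaptchaToken and MAX_TOKEN_LENGTH are hypothetical, and the length cap is an assumed value.

```javascript
// Added example: normalize the captcha field name before the hcaptcha middleware runs.
// MAX_TOKEN_LENGTH is an assumed sanity cap, not a documented hCaptcha limit.
const MAX_TOKEN_LENGTH = 16384;

// Return the captcha token as a trimmed string, or null if missing/malformed.
function pickCaptchaToken(body) {
  if (body === null || typeof body !== 'object') return null;
  // Prefer an explicit `token`; fall back to the form field name from the question.
  for (const key of ['token', 'h-captcha-response']) {
    if (!Object.prototype.hasOwnProperty.call(body, key)) continue;
    const value = body[key];
    // Repeated or bracketed form fields and JSON bodies can yield arrays/objects.
    if (typeof value !== 'string') return null;
    const trimmed = value.trim();
    if (trimmed.length === 0 || trimmed.length > MAX_TOKEN_LENGTH) return null;
    return trimmed;
  }
  return null;
}

// Express-style middleware: sets req.body.token or passes a 400 error on.
function normalizeCaptchaToken(req, res, next) {
  const token = pickCaptchaToken(req.body);
  if (token === null) {
    const err = new Error('bad request - missing or malformed captcha token');
    err.status = 400;
    return next(err);
  }
  req.body.token = token;
  return next();
}

// Assumed wiring, using the route from the question:
// app.post('/verify', normalizeCaptchaToken,
//   hcaptcha.middleware.validate(SECRET), (req, res) => { /* ... */ });
```

The middleware has to be registered after the body parsers so that req.body is already populated when it runs.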