Laravel: reCAPTCHA goes brrr
Checking for robots in your application is faster now
A long time ago I created Captchavel, an innocent package for Laravel that included a middleware to verify reCAPTCHA challenges. I helped me to keep bots from appearing on the frontend easily without too much hassle.
Version after version I improved Captchavel based on my needs. Version 3 was a response to the laziness of Google after a PR that was never answered for months. It ditched the official SDK and used Guzzle (cURL) directly, which in turn allowed for HTTP/2, making the challenge load faster in the backend — in the future only one line is needed to change to support HTTP/3.
The new Version 6 was brought up because a simple idea around Score Challenges, and treat them as async requests.
Get the challenge while I do something else…
One of the neat things of Guzzle are async requests. When doing an async request, you won’t need wait until there is a response to proceed. Rather, you receive a “promise” that will be “resolved” later. It’s something like a ticket you can redeem once you want.
While the most common way to retrieve the challenge would mean to block the application until received, Captchavel 6 doesn’t block the app.
In other words, the challenge is retrieved in the background thanks to Guzzle, while your application continues to run. It’s not until you use isHuman() or isRobot() that the response is forced to resolve if it hasn’t yet — considering that reCAPTCHA servers use HTTP/2 and HTTP/3, it’s just some milliseconds of difference.
Additional gains can be made if we run the Captchavel middleware before anything else, since this means more time to retrieve the response.
Another thing to take into account are dangling challenges. In the example above, the comment may fail validation. When that happens, the next code won’t execute, so the challenge won’t be resolved in the controller.
In these cases, the Score Middleware will cancel the request after the response has been sent out to the user, even if it’s invalid.
If you’re interested in avoiding bots in your application, you may want to give Captchavel a try.
