g-recaptcha-response

[tsiebecker]

solved g-recaptcha-response in index.php is NOT detected when hosting the site on an other port.
https://mysite.com:99/ etc should all suffer from this

[RealEnder]

The port have nothing to do with this - what was the exact error?

[tsiebecker]

On https://localhost/?get_key g-recaptcha-response is always not solvable because of
Localhost is not in the list of supported domains for this site key. message from google reCaptcha.

On https://mysite.com:99/?get_key the reCaptcha is normally solvable, but even if you just solved it correctly (usually marked with a green check mark) and then press the "Get private key" button, you will only be redirected to a completely white page also under the url https://mysite.com:99/?get_key, instead of sending an email as desired and forwarding to Get key Key issued. Make sure you keep it to access the results. cookie etc is not set either.
But if you delete the part of index.php that is responsible for validating the g-recaptcha-response, it will work fine even via https://localhost/?get_key as well as externally via https://mysite.com:99/?get_key, i.e. redirect to the correct page, set the cookie and send the email.
(something like this then:

//User key actions
$rec_valid = false;
if (isset($_POST['g-recaptcha-response'])) {
    $rec_valid = true;
    if ($rec_valid) {
        require_once('db.php');
        require_once('common.php');

        //if we have email, validate it
        $mail = Null;
        if (isset($_POST['mail']) && validEmail($_POST['mail'])) {
            $mail = trim($_POST['mail']);
        }

        //put new key in db
        $sql = 'INSERT INTO users(userkey, mail, ip) VALUES(UNHEX(?), ?, ?)
                ON DUPLICATE KEY UPDATE userkey=UNHEX(?), ip=?, ts=CURRENT_TIMESTAMP()';
        $stmt = $mysql->stmt_init();
        $ip = ip2long($_SERVER['REMOTE_ADDR']);
        $userkey = gen_key();
        $stmt->prepare($sql);
        $stmt->bind_param('ssisi', $userkey, $mail, $ip, $userkey, $ip);
        $stmt->execute();
        $stmt->close();

        //set cookie
        setcookie('key', $userkey, 2147483647, '', '', false, true);
        $_COOKIE['key'] = $userkey;
        
        //send mail with the key
        if (isset($mail)) {
            require_once('mail.php');
            try {
                $mailer->AddAddress($mail);
		        $mailer->Subject = 'wpa-sec.stanev.org key';
		        $mailer->Body    = "Key to access results is: $userkey";
		        $mailer->Send();
		        $mailer->SmtpClose();
		    } catch (Exception $e) { }
        }
    }
}

[tsiebecker]

I think it's due to the limited control of recaptcha itself, because you can only specify domains without port, quote:

Your registration is restricted to the domains you enter here, plus any subdomains. In other words, a registration for domain.com also registers subdomain.domain.com. A valid domain requires a host and must not include any path, port, query or fragment. Changes to this field may take up to 30 minutes to take effect.

so I think first the actual "solve" of the captcha is recognized correctly, but afterwards the domain is evaluated as false negative because of the "additional" port.
In principle this is correct, because "https://mysite.com:99/" is technically not registered as an associated domain, but https://mysite.com/ was registered as an associated domain for the recaptcha query.
The only thing I would have thought of to avoid this would be to use a provider like no-ip.com to create a dynDNS on "https://mysite.com:99/" to enter this pseudonym into reCaptcha.