Protect Your Web Application with Google reCaptcha on Ruby on Rails

‘Spam’ could be one of the most dreadful word for a web application owner. Especially for an application with a lot of user generated content, it could be a nightmare to cope with. To keep the spammers at bay, a free service by Google called as reCaptcha could be used. A service to protect the website from spam and abuse and freeing your users to attest without having to solve a captcha, Google reCaptcha protect the application from a denial of service attack by preventing automating form submissions. A better solution to the existing image captchas, Google reCaptcha is easy to use and comes packed with advanced security features. Using an advanced risk analysis engine, reCaptcha keeps the automated bots from engaging in spamming activities for your application. Besides it is much more user friendly than the earlier image captchas. Before you can add in Google reCaptcha to your application, you need to follow these steps: 1) Get the credentials 2) Add recaptcha tags 3) To handle verification, create a recaptcha class 4) In Registrations controller add verify_recaptcha method Setup Step 1:- Add the following to your gem file: gem “recaptcha”, :require => “recaptcha/rails” Step 2:- Login to http://developers.google.com and sign into your gmail account and search for ‘recaptcha’. Click on “Signup for an API Key” link. Check the secret and site keys. As the name itself suggests, the secret key should be kept at a safer location whereas the site key is the public key used for authenticating to Google. Register your site name with your google account to retrieve public and private key that will be used later on the application. After the registration is done, you will get the public key and private key. From the client side, the public key is sent to recaptcha service to request a new captcha. The private key is applied on the server side to verify if the right value is entered. Then register for a reCAPTCHA API key and add that to your environment config files: #put this in development.rb and in production.rb ENV_RECAPTCHA_PUBLIC_KEY= ‘your-public-key’ ENV_RECAPTCHA_PRIVATE_KEY= ‘your-private-key’ Step 3:- Create a file named recaptcha.rb in config/initializers to configure recaptcha parameters. Recaptcha.configure do |config| config.public_key = ‘ ENV_RECAPTCHA_PUBLIC_KEY’ config.private_key = ‘ENV_RECAPTCHA_PRIVATE_KEY’ config.proxy = ‘http://www.google.com/recaptcha/api/verify’ end Step 4:- View The Captcha Gem helps to render the actual captcha box. It’s as simple as putting the following into your view at the point where you want the captcha to appear: <%= raw recaptcha_tags %> If you are using SSL, use this instead: <%= recaptcha_tags :ssl => true %>, The SSL option ensures we send a https request to the recaptcha service. Step 5:- Controller

The Captcha Gem provides another helper method that posts to the reCaptcha API server to verify if the submission is correct. If it is then the method returns true, if not, it will add a custom error message that the recaptcha is wrong to the model instance. Here is the basic code as you might have it in the create action of your controller:- In devise controllers, app/controllers/registrations_controller.rb, Insert the following code: require ‘recaptcha.rb’ before_action :verify_recaptcha, only: [:create] def verify_recaptcha response = Recaptcha.verify(params) session[:sign_up] = params[:user].except(:password, :password_confirmation, :remoteip) if response.code == 200 if response[‘success’] flash[:notice] = “Recaptcha verification successful.” else redirect_to new_user_registration_path(user: params[:user]), alert: “Recaptcha verification error.” end else redirect_to new_user_registration_path(user: params[:user]), alert: “HTTP connection error.” end end

The session[:sign_up] is persisted as the signup form can be pre-filled if verification fails.