My contact form is a simple form using a post webhook.
I recently noticed receiving a lot of marketing e-mails from my website, which was strange because I am having CAPTCHA. Then I did some digging and found out: The form can be submitted without completing the CAPTCHA challenge !
I would suggest to set to Self Hosted and seeing if the issue persists. I see you have a class applied to the whole form container. Not sure what that one does though.
In a more detailed description, the fact that CAPTCHA needs to be evaluated on the server should not have an impact on the POST call. After all, a BlocsApp user should not really care about how itâs done. Expected behavior (mine at least) would be CAPTCHA to also protect the webhook, which is actually the behavior of any other online form I have worked with.
Not sure what the question is. Do the following screenshots answer your question ? Everything I am using is the defaults, except from POST instead of self hosted
As I understand it, blocs generates the form handler (PHP file) with the fields inside the form. If you have the captcha bric in there, it also adds the code required to process the challenge (all sever side, as Jannis was saying).
Since you are using your own âform handlerâ. You will need to add captcha support into your code.
Thank you for the recommendation @PeteSharp, I will implement the CAPTCHA verification on my side of things. I still do not consider this to be the expected behaviour, but a walk-around.
Any idea how to show an âInvalid CAPTCHAâ message in the web form if the challenge is not passed ? I assume my webhook should response 401 ?
I would expect this to be the behaviour. You have chosen custom. Blocs isnât managing the form code for you.
I suspect you might need to add the captcha to the form too without the Bric. Custom forms Iâve implemented Iâve built without the form bric so not 100% sure on that.
I guess thatâs not enough. That would require the Blocs form to post the data via Ajax to the custom endpoint, which, afaik, isnât the case. Just try, youâll see.
I guess the easiest fix from Blocs side is to allow us make it a required field. So if user forgot to do the CAPTCHA validation, it does not proceed to the webhook.
I implemented it just now and this is the only issue I identified. If the CAPTCHA is invalid, then OK a simple error response is fine since this will not happen unless I messed up