This project contains a microservice to enable you to easily include a CAPTCHA widget in my online digital form to protect your digital service from bots.
git clone git@github.com:bcgov/MyGovBC-CAPTCHA-Service.git
cd MyGovBC-CAPTCHA-Service/
You have two choices of configuring the service
- add some environment variables
- open server.js and change the default strings.
The following is a list of the environment variables:
- NODE_ENV
If running in a production environment, you should set this to "production" to force you to se SECRET and PRIVATE_KEY accordingly.
- SECRET
This should be the same on each server/service/pod that will need to verify the JWT created by any other server/service/pod.
- PRIVATE_KEY
This is for encrypting the answer in the captcha for stateless verification on any other server/service/pod.
- WINSTON_HOST
The remote host that winston service is running on, if using winston in your deployment.
- WINSTON_PORT
The remote port that winston is listening on, if using winston in your deployment.
- LOG_LEVEL
Set this to none/error/debug depending on how much verbosity to stderr/stdout you would like.
- SERVICE_PORT
What port you want the service to run on, defaults to 3000.
- CAPTCHA_SIGN_EXPIRY
Time in minutes you want to automatically expire the Captcha returned to clients (default: 15min)
- JWT_SIGN_EXPIRY
Time in minutes you want to automatically expire the Service JWT returned to clients (default: 15min)
npm install
This will download all the required dependencies for the project so that npm start/npm test will work.
npm start
npm test
The tests cover the following cases:
- Empty request on requesting a captcha (must fail)
- Passing in a nonce for generating the captcha (must pass and return valid captcha
- If either the captcha failed to generate, or the encrypted password sent with the request fails, the unit test will fail. (must pass)
- The captcha is written to disk, and the default browser is used to open the captcha for viewing, the user must then input the correct captcha, or the test will fail (must pass)
- Verifying the captcha (must pass)
- Receiving and then sending back the signed JWT (must pass)
Request Type | API Endpoint | Parameters | Returns | Purpose |
---|---|---|---|---|
HTTP GET | /status | OK | Returns "OK" if the service is running | |
HTTP POST | /captcha | request body: { nonce: string } | { "nonce": string, "captcha": string, "validation": JSON, "expiry": JWT} | Retrieve a captcha to be displayed to a user |
HTTP POST | /verify/captcha | request body: { nonce: string, answer: string, validation: JSON } | { valid: true/false, jwt: JWT } | Compare the answer to the encryptedAnswer, return a signed JWT if successful |
HTTP POST | /verify/jwt | request body: { nonce: string, token: JWT } | { valid: true/false } | Validate a signed JWT |