Reputation: 1227
This is my current understanding of recaptcha (using v2 invisible)
At this point I get confused about why this wasn't just what the api.js script returned in the first place. Does this step only exist in order to give reCAPTCHA information to further improve it? I just don't understand why this step is here, unless I'm misunderstanding what is going on earlier in the process. Am I getting these steps wrong? Thanks.
Upvotes: 2
Views: 866
Reputation: 1
Okay, according to me, how this works is that whenever a human interacts with the frontend and sends a turnstile request, it validates it and returns a token, which can then be used to verify with the backend so that it can check if the client making the request is a human or not.
So if we do not perform the backend validation of the token, what happens is that if I, as a robot, hit the backend with, say, Postman, which does not have the token since it is not using the frontend, I would be able to use the endpoint, which risks malicious bots hitting the endpoint.
But if I also verify it on the server/backend, I add an extra layer of security to the backend so that it can also verify that the client has a token and that the token is valid, as provided by the Google captcha.
If the token is valid, you can then allow the user to hit the API endpoint and carry on.
If not, then you can send an error message back in the response and not perform any further actions in the backend.
Upvotes: 0
Reputation: 1752
The whole point of captchas is that your server (instead of the client in the browser) can verify that the (HTTP) request it received was generated from a real person's actions when interacting with your application.
This is why your client sends a recaptcha token to your server and your backend consults with the captcha provider about this token and receives trusted information about the original client. In this scenario, your server does not trust the client, so it receives only a token from it. Then it communicates with the trusted captcha provider server-to-server and validates that the token it received from the client is valid and the user behind it is legitimate.
If your client sent the original response from the captcha provider to your backend server, there would be no way for your server to know whether this was a legitimate response from the captcha provider, or a fake one from the client.
Upvotes: 1
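Both answers describe the same server-side step: the backend takes only the token from the client and asks the captcha provider, server-to-server, whether it is good. The following is an added example (not code from the question or either answer) of what that backend check looks like in Python. The `siteverify` URL and the `success` / `hostname` / `challenge_ts` / `error-codes` fields are Google's documented reCAPTCHA response; everything else, including the function names, the in-memory fake provider and the sample tokens, is constructed here so the decision logic runs offline.

```python
"""Backend verification of a reCAPTCHA token (added example, assumptions noted)."""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional, Tuple

# Google's documented verification endpoint; the secret is only ever sent from here.
SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"


def siteverify_over_http(secret: str, token: str, remote_ip: Optional[str] = None) -> dict:
    """Real server-to-server call: POST secret + client token, get the provider's JSON."""
    form = {"secret": secret, "response": token}
    if remote_ip:
        form["remoteip"] = remote_ip
    data = urllib.parse.urlencode(form).encode()
    with urllib.request.urlopen(SITEVERIFY_URL, data=data, timeout=5) as resp:
        return json.load(resp)


def verify_captcha(token: str, expected_hostname: str, fetch: Callable[[str], dict],
                   max_age: timedelta = timedelta(minutes=2),
                   now: Optional[datetime] = None) -> Tuple[bool, str]:
    """Decide whether the request may proceed. `fetch(token)` is the provider lookup
    (siteverify_over_http in production, a fake below), so the logic is testable."""
    if not token:
        return False, "missing token"  # e.g. a bare Postman request that bypassed the frontend
    try:
        result = fetch(token)
    except Exception as exc:  # network failure: fail closed, do not assume human
        return False, f"provider unreachable: {exc}"
    if not result.get("success"):
        return False, "provider rejected token: " + ",".join(result.get("error-codes", []))
    # The provider reports which site the challenge was solved on; reject tokens
    # that were obtained on some other domain and replayed here.
    if result.get("hostname") != expected_hostname:
        return False, "token was issued for a different site"
    ts = result.get("challenge_ts")
    if ts:
        issued = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        current = now or datetime.now(timezone.utc)
        if current - issued > max_age:
            return False, "token too old"
    return True, "ok"


def handle_request(form: Dict[str, str], fetch: Callable[[str], dict],
                   now: Optional[datetime] = None) -> Tuple[bool, str]:
    """Request handler: the ONLY captcha input taken from the client is the token.
    Any client-supplied 'result' (e.g. a forged {"success": true}) is ignored,
    which is the point made in the second answer."""
    token = form.get("g-recaptcha-response", "")
    return verify_captcha(token, "example.com", fetch, now=now)


# ---- constructed offline stand-in for the provider (not a real API) ----
FAKE_PROVIDER = {
    "good-token":  {"success": True, "challenge_ts": "2024-01-01T12:00:00Z", "hostname": "example.com"},
    "stale-token": {"success": True, "challenge_ts": "2024-01-01T11:00:00Z", "hostname": "example.com"},
    "wrong-site":  {"success": True, "challenge_ts": "2024-01-01T12:00:00Z", "hostname": "other.example"},
}


def fake_fetch(token: str) -> dict:
    """Unknown tokens are rejected the way the provider rejects fabricated ones."""
    return FAKE_PROVIDER.get(token, {"success": False, "error-codes": ["invalid-input-response"]})


NOW = datetime(2024, 1, 1, 12, 0, 30, tzinfo=timezone.utc)  # constructed clock for the demo


def demo(token: str) -> Tuple[bool, str]:
    return verify_captcha(token, "example.com", fake_fetch, now=NOW)


if __name__ == "__main__":
    for t in ("good-token", "stale-token", "wrong-site", "", "made-up-by-client"):
        print(repr(t), "->", demo(t))
    # Client tries to skip the provider by posting a "result" of its own: ignored.
    forged = {"captcha_result": json.dumps({"success": True}), "g-recaptcha-response": "made-up-by-client"}
    print("forged form ->", handle_request(forged, fake_fetch, now=NOW))
```

In production `fetch` is `functools.partial(siteverify_over_http, SECRET)`; the hostname and freshness checks are on top of the provider's `success` flag, because a token that verifies is still only meaningful for the site it was solved on and for a short window.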