README
¶
hCaptcha Module
A bot protection module for oCMS integrating hCaptcha on the login form.
Features
- hCaptcha widget integration on login form
- Server-side token verification with hCaptcha API
- Environment variable overrides for keys
- Configurable theme (light/dark) and size (normal/compact)
- Template functions for custom integration
- Hook-based architecture for extensibility
- Admin interface for configuration
- Settings persisted in database
Admin Interface
Access at Admin > Modules > hCaptcha or /admin/hcaptcha.
Routes
| Method | Path | Description |
|---|---|---|
| GET | /admin/hcaptcha |
Settings dashboard |
| POST | /admin/hcaptcha |
Save settings |
Configuration
Via Admin Interface
- Navigate to hCaptcha settings
- Enter your Site Key (from hCaptcha dashboard)
- Enter your Secret Key (from hCaptcha dashboard)
- Choose theme and size preferences
- Enable hCaptcha
- Save settings
Via Environment Variables
OCMS_HCAPTCHA_SITE_KEY=your-site-key
OCMS_HCAPTCHA_SECRET_KEY=your-secret-key
Environment variables override database settings for keys.
Test Keys (Defaults)
hCaptcha's test keys are used as defaults when no keys are configured:
| Key | Value |
|---|---|
| Site Key | 10000000-ffff-ffff-ffff-000000000001 |
| Secret Key | 0x0000000000000000000000000000000000000000 |
With test keys, the widget auto-passes without showing a challenge.
This means you can enable hCaptcha immediately in development without configuring any keys. Just enable it in the admin interface and it will work. Replace with your own keys from hcaptcha.com for production use.
Template Functions
hcaptchaEnabled
Returns true if hCaptcha is enabled and properly configured.
{{if hcaptchaEnabled}}
<!-- Show captcha-related content -->
{{end}}
hcaptchaWidget
Returns the hCaptcha widget HTML (script + div).
{{if hcaptchaEnabled}}
<div class="captcha-container">
{{hcaptchaWidget}}
</div>
{{end}}
Output:
<script src="https://js.hcaptcha.com/1/api.js" async defer></script>
<div class="h-captcha" data-sitekey="..." data-theme="light" data-size="normal"></div>
Hooks
The module registers two hooks for integration:
auth.login_widget
Called to render the captcha widget in the login form.
auth.before_login
Called before login to verify the captcha response. Receives a VerifyRequest struct:
type VerifyRequest struct {
Response string // h-captcha-response from form
RemoteIP string // Client IP address
Verified bool // Set to true after successful verification
Error string // Error message if verification failed
ErrorCode string // Error code for i18n
}
Database Schema
Settings are stored in a single-row table:
CREATE TABLE hcaptcha_settings (
id INTEGER PRIMARY KEY CHECK (id = 1),
enabled INTEGER NOT NULL DEFAULT 0,
site_key TEXT NOT NULL DEFAULT '10000000-ffff-ffff-ffff-000000000001',
secret_key TEXT NOT NULL DEFAULT '0x0000000000000000000000000000000000000000',
theme TEXT NOT NULL DEFAULT 'light',
size TEXT NOT NULL DEFAULT 'normal',
updated_at DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP
);
Note: Default values are hCaptcha test keys for development convenience.
Module Structure
modules/hcaptcha/
├── module.go # Module definition, lifecycle, hooks, template funcs, migrations
├── handlers.go # HTTP handlers (dashboard, save settings)
├── settings.go # Settings struct, load/save, widget rendering
├── verify.go # hCaptcha API verification
├── README.md # This file
└── locales/ # Embedded i18n translations
├── en/messages.json
└── ru/messages.json
Verification Flow
- User loads login page with hCaptcha widget
- User completes captcha challenge
- Form submission includes
h-captcha-responsefield - Server extracts response and client IP
auth.before_loginhook is called- Module verifies token with hCaptcha API (
https://api.hcaptcha.com/siteverify) - Verification result determines if login proceeds
API Verification
The module sends a POST request to hCaptcha:
POST https://api.hcaptcha.com/siteverify
Content-Type: application/x-www-form-urlencoded
secret=your-secret-key&response=token&remoteip=client-ip
Response:
{
"success": true,
"challenge_ts": "2024-01-01T00:00:00Z",
"hostname": "example.com",
"error-codes": []
}
Error Codes
| Code | Description |
|---|---|
hcaptcha.error_required |
User didn't complete captcha |
hcaptcha.error_verification |
API request failed |
hcaptcha.error_invalid |
Token rejected by hCaptcha |
Internationalization
Translations are embedded and automatically loaded. Supported languages:
- English (en)
- Russian (ru)
Add new languages by creating locales/{lang}/messages.json.
See docs/i18n.md for the translation file format and guidelines.
Module Active Status
The module can be enabled/disabled from Admin > Modules:
- Active: Hooks registered, widget renders, verification enforced
- Inactive: No widget shown, verification skipped
Note: Even when the module is active, hCaptcha protection only applies when enabled=true in settings AND both keys are configured.
Security
- Secret key is masked in admin display (shows
xxxx****xxxx) - All keys are HTML-escaped before injection
- Settings require admin authentication
- CSRF protection on form submission
- Client IP extraction supports reverse proxy headers (X-Forwarded-For, X-Real-IP)
- Verification timeout of 10 seconds prevents hanging
Troubleshooting
Locked out after enabling
Disable via database:
sqlite3 ./data/ocms.db "UPDATE hcaptcha_settings SET enabled = 0"
Widget not appearing
- Check
enabled = 1in database - Verify both site_key and secret_key are set
- Check browser console for JavaScript errors
- Ensure hCaptcha script can load (no firewall/ad blocker)
Verification always fails
- Verify secret key is correct
- Check server can reach
https://api.hcaptcha.com - Check server logs for specific error codes
- Ensure client IP is correctly detected (check proxy headers)
Dependencies
- hCaptcha API:
https://api.hcaptcha.com/siteverify - hCaptcha JS:
https://js.hcaptcha.com/1/api.js
Documentation
¶
Overview ¶
Package hcaptcha provides hCaptcha integration for oCMS. Protects login forms from bots and automated attacks.
Index ¶
- Constants
- func GetRemoteIP(r *http.Request) string
- func GetResponseFromForm(r *http.Request) string
- type Module
- func (m *Module) AdminURL() string
- func (m *Module) GetSettings() Settings
- func (m *Module) Init(ctx *module.Context) error
- func (m *Module) IsEnabled() bool
- func (m *Module) Migrations() []module.Migration
- func (m *Module) RegisterAdminRoutes(r chi.Router)
- func (m *Module) RegisterRoutes(_ chi.Router)
- func (m *Module) ReloadSettings() error
- func (m *Module) RenderWidget() template.HTML
- func (m *Module) Shutdown() error
- func (m *Module) SidebarLabel() string
- func (m *Module) TemplateFuncs() template.FuncMap
- func (m *Module) TranslationsFS() embed.FS
- func (m *Module) Verify(response, remoteIP string) (*VerifyResponse, error)
- func (m *Module) VerifyFromRequest(req *VerifyRequest) (*VerifyRequest, error)
- type Settings
- type VerifyRequest
- type VerifyResponse
Constants ¶
const ( // HookAuthLoginWidget is called to render the captcha widget in login form. HookAuthLoginWidget = "auth.login_widget" // HookAuthBeforeLogin is called before login to verify captcha. HookAuthBeforeLogin = "auth.before_login" // HookFormCaptchaWidget is called to render captcha widget in public forms. HookFormCaptchaWidget = "form.captcha_widget" // HookFormCaptchaVerify is called to verify captcha on form submission. HookFormCaptchaVerify = "form.captcha_verify" )
Hook names for hCaptcha integration.
const ( TestSiteKey = "10000000-ffff-ffff-ffff-000000000001" TestSecretKey = "0x0000000000000000000000000000000000000000" )
hCaptcha test/debug keys for development. These always pass verification without showing a challenge. See: https://docs.hcaptcha.com/#integration-testing-test-keys
Variables ¶
This section is empty.
Functions ¶
func GetRemoteIP ¶
GetRemoteIP extracts the client IP from an HTTP request.
func GetResponseFromForm ¶
GetResponseFromForm extracts the h-captcha-response from an HTTP request.
Types ¶
type Module ¶
type Module struct {
module.BaseModule
// contains filtered or unexported fields
}
Module implements the module.Module interface for the hCaptcha module.
func (*Module) GetSettings ¶
GetSettings returns a copy of the current settings (for use by other packages).
func (*Module) Migrations ¶
Migrations returns database migrations for the module.
func (*Module) RegisterAdminRoutes ¶
RegisterAdminRoutes registers admin routes for the module.
func (*Module) RegisterRoutes ¶
RegisterRoutes registers public routes for the module.
func (*Module) ReloadSettings ¶
ReloadSettings reloads settings from the database.
func (*Module) RenderWidget ¶
RenderWidget returns the hCaptcha widget HTML.
func (*Module) SidebarLabel ¶
SidebarLabel returns the display label for the admin sidebar.
func (*Module) TemplateFuncs ¶
TemplateFuncs returns template functions provided by the module.
func (*Module) TranslationsFS ¶
TranslationsFS returns the embedded filesystem containing module translations.
func (*Module) Verify ¶
func (m *Module) Verify(response, remoteIP string) (*VerifyResponse, error)
Verify checks the hCaptcha response token with the hCaptcha API.
func (*Module) VerifyFromRequest ¶
func (m *Module) VerifyFromRequest(req *VerifyRequest) (*VerifyRequest, error)
VerifyFromRequest verifies the captcha from a VerifyRequest struct.
type Settings ¶
type Settings struct {
Enabled bool
SiteKey string // Public site key
SecretKey string // Secret key for verification
Theme string // "light" or "dark"
Size string // "normal" or "compact"
}
Settings holds the hCaptcha configuration.
type VerifyRequest ¶
type VerifyRequest struct {
Response string // h-captcha-response from form
RemoteIP string // Client IP address
Verified bool // Set to true after successful verification
Error string // Error message if verification failed
ErrorCode string // Error code for i18n
}
VerifyRequest contains the data needed to verify a captcha response.
Source Files