apostrophe-login-hcaptcha v1.0.0
Installation
To install the module, use the command line to run this command in an Apostrophe project's root directory:
    npm install apostrophe-login-hcaptcha
Usage
Configure the apostrophe-login-hcaptcha module in the app.js file:

    const apos = require('apostrophe')({
      modules: {
        'apostrophe-login-hcaptcha': {
          hcaptchaSite: 'site-key-from-hcaptcha',
          hcaptchaSecret: 'site-secret-from-hcaptcha'
        }
      }
    });
Benefits
The login page will always display an hCaptcha prompt, requiring the user to prove they are human before logging in.
Warnings
If you have extensively overridden the login.html template in your project in the past, this module will make a good faith attempt to figure it out. However, if it does not work, you may need to add a data-apos-login-form attribute to the form and a data-apos-login-submit-button attribute to the submit button. Future overrides will likely include these since they are now in the loginBase.html template of Apostrophe.
Content security headers
If your site has a content security policy, including one set through the Apostrophe Security Headers module, you will need additional configuration to use this module. This module adds a script tag to the site's head tag that fetches the hCaptcha code, so the policy must allow resources from that domain.
If you are using the Apostrophe Security Headers module, add the following policy configuration for that module:

    module.exports = {
      options: {
        policies: {
          'login-hcaptcha': {
            'script-src': 'hcaptcha.com *.hcaptcha.com',
            'frame-src': 'hcaptcha.com *.hcaptcha.com',
            'style-src': 'hcaptcha.com *.hcaptcha.com',
            'connect-src': 'hcaptcha.com *.hcaptcha.com'
          },
          // Any other policies...
        }
      }
    };

If your content security policy is configured some other way, add hcaptcha.com *.hcaptcha.com to the script-src, frame-src, style-src and connect-src directives.
Please refer to the list at https://docs.hcaptcha.com/#content-security-policy-settings for any additional settings.
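
For a policy configured some other way, the check below reports which of the four directives still lack the hCaptcha sources, taking CSP fallback (frame-src to child-src to default-src, the others to default-src) into account. It is an added example, not part of this module or of Apostrophe; the function names and the sample policy are constructed for illustration.

```javascript
// Added example; function names are hypothetical, not part of the module.
const HCAPTCHA_SOURCES = ['hcaptcha.com', '*.hcaptcha.com'];
const REQUIRED = ['script-src', 'frame-src', 'style-src', 'connect-src'];

// Split a Content-Security-Policy header value into directive -> sources.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence is the one enforced.
    if (!policy.has(name)) policy.set(name, tokens.slice(1).map((s) => s.toLowerCase()));
  }
  return policy;
}

// Source list the browser enforces for a directive, following CSP fallback.
// Returns null when nothing restricts that resource type.
function effectiveSources(policy, directive) {
  const chain = directive === 'frame-src'
    ? ['frame-src', 'child-src', 'default-src']
    : [directive, 'default-src'];
  const name = chain.find((d) => policy.has(d));
  return name ? policy.get(name) : null;
}

// Map each required directive to the hCaptcha sources its enforced list lacks.
function missingHcaptchaSources(header) {
  const policy = parseCsp(header);
  const missing = {};
  for (const directive of REQUIRED) {
    const sources = effectiveSources(policy, directive);
    if (sources === null) continue; // unrestricted, nothing to add
    if (sources.includes('*') || sources.includes('https:')) continue; // already covers it
    const absent = HCAPTCHA_SOURCES.filter(
      (s) => !sources.includes(s) && !sources.includes('https://' + s));
    if (absent.length > 0) missing[directive] = absent;
  }
  return missing;
}

// Constructed sample policy: script-src is complete, the rest are not.
const SAMPLE = "default-src 'self'; script-src 'self' hcaptcha.com *.hcaptcha.com; " +
  "style-src 'self' hcaptcha.com; connect-src 'self'";
console.log(missingHcaptchaSources(SAMPLE));
```

An empty result means every required directive already permits the hCaptcha sources, or is not restricted by the policy at all.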