This login verification module adds a hCaptcha check when any user logs into the site.

Installation

To install the module, use the command line to run this command in an Apostrophe project's root directory:

npm install @apostrophecms/login-hcaptcha

Usage

Instantiate the hCaptcha login module in the app.js file:

require('apostrophe')({
  shortName: 'my-project',
  modules: {
    '@apostrophecms/login-hcaptcha': {}
  }
});

The other requirement is to add your hCaptcha public API site key to the @apostrophecms/login module (not this module). This module adds functionality to that module (it "improves" it, in Apostrophe speak), so most configuration should be directly on the core login module.

// modules/@apostrophecms/login/index.js
module.exports = {
  options: {
    hcaptcha: {
      site: 'ADD YOUR SITE KEY',
      secret: 'ADD YOUR SECRET KEY'
    }
  }
};

Once configured, hCaptcha verification should work on all login attempts.

Content security headers

If your site has a content security policy, including if you use the Apostrophe Security Headers module, you will need to add additional configuration to use this module. This module adds a script tag to the site's head tag fetching hCaptcha code, so we need to allow resources from that domain.

If you are using the Apostrophe Security Headers module, add the following policy configuration for that module:

module.exports = {
  options: {
    policies: {
      'login-hcaptcha': {
        'script-src': 'hcaptcha.com *.hcaptcha.com',
        'frame-src': 'hcaptcha.com *.hcaptcha.com',
        'style-src': 'hcaptcha.com *.hcaptcha.com',
        'connect-src': 'hcaptcha.com *.hcaptcha.com'
      },
      // Any other policies...
    }
  }
};

If your content security policy is configured some other way, add hcaptcha.com *.hcaptcha.com to the script-src, frame-src, style-src and connect-src directives.

Please refer to the list at https://docs.hcaptcha.com/#content-security-policy-settings for any additional settings.