reCAPTCHA v3 network intensive web applications

Question

I'm using Google's reCAPTCHA v3 in an Angular 2 application to protect from automatic form submission. My application makes many network calls in the background as users' interact with the UI.

From index.html, I make an intentionally blocking call to load the library (preventing the Angular world from entering before recaptcha/api.js is loaded):

<script src="https://www.google.com/recaptcha/api.js?render=reCAPTCHA_site_key"></script>

From the constructor of an Angular Service I use the DOCUMENT DI token to reference the grecaptcha object:

  constructor(@Inject(DOCUMENT) private document: any) {
    this.grecaptcha = this.document.grecaptcha;
  }

Once the application's loaded (using lifecycle hooks), the aforementioned Angular service calls grecaptcha.execute to obtain the unique token (as per the Frontend Integration guide):

  public executeCaptcha() {
    this.grecaptcha.ready(() => {
      this.grecaptcha
        .execute(MyService.CAPTCHA_KEY, {
          action: 'execute'
        })
        .then((token: string) => this.token = token);
    });
  }

The token is a parameter of the callback, and is stored as a member of the Angular service (this.token = token)).

At this point the application has not made any API calls to my backend, nor has the user been verified as a human.

The token must be sent to my backend server, which in-turn must verify the user's response by making an API Request.

The API Response can then be returned to the browser (Angular app):

{
  "success": true|false,
  "challenge_ts": timestamp,  // timestamp of the challenge load (ISO format yyyy-MM-dd'T'HH:mm:ssZZ)
  "hostname": string,         // the hostname of the site where the reCAPTCHA was solved
  "error-codes": [...]        // optional
}

Questions

• Should the token be sent with every HTTP request from my Angular app, and verified each time?
  • ... or can the user be verified once (at the start) and their score remembered in the Angular app?
• I read somewhere that Google uses mouse movements, and various client-side signals to calculate the score.
  • ...does this mean I should (re)verify periodically to get an improved score?

Answer 1

If you want to be secure you have to send token (each time new one) every time user is posting data via forms. Otherwise if user find out that you are checking him just once he could click post the first time himself then he could run selenium or other scripting program, since his session would already be verified.

Notice that you need to ask google each time for new token. Firstly because they allow you only to use one token single time, secondly token has small time-to-live time after which it it expired. And those two boundaries are for purpose to protect against vulnerability I described above.

Of course there is always a trade-off between security and performance. I would not recommend caching verification data, but maybe for some kind of lightweight search, you could consider it, but I would strongly advise against such practice when posting data, updating or deleting.