https://github.com/apostrophecms/login-hcaptcha
Adds hCaptcha to Apostrophe login pages
- Host: GitHub
- URL: https://github.com/apostrophecms/login-hcaptcha
- Owner: apostrophecms
- License: mit
- Created: 2022-07-27T09:58:52.000Z (almost 4 years ago)
- Default Branch: main
- Last Pushed: 2024-10-03T14:12:18.000Z (over 1 year ago)
- Last Synced: 2025-10-19T21:29:45.462Z (8 months ago)
- Language: JavaScript
- Size: 53.7 KB
- Stars: 1
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- License: LICENSE.md
README
This login verification module adds a [hCaptcha](https://hcaptcha.com) check when any user logs into the site.
## Installation
To install the module, use the command line to run this command in an Apostrophe project's root directory:
```
npm install @apostrophecms/login-hcaptcha
```
## Usage
Instantiate the hCaptcha login module in the `app.js` file:
```javascript
require('apostrophe')({
  shortName: 'my-project',
  modules: {
    '@apostrophecms/login-hcaptcha': {}
  }
});
```
The other requirement is to add your [hCaptcha public API site key](https://docs.hcaptcha.com/configuration#hcaptcha-container-configuration) and your secret key to the `@apostrophecms/login` module (*not* this module). This module adds functionality to that module (it "improves" it, in Apostrophe speak), so most configuration should be set directly on the core login module.
```javascript
// modules/@apostrophecms/login/index.js
module.exports = {
  options: {
    hcaptcha: {
      site: 'ADD YOUR SITE KEY',
      secret: 'ADD YOUR SECRET KEY'
    }
  }
};
```
Once configured, hCaptcha verification should work on all login attempts.
### Content security headers
If your site has a content security policy, for example because you use the [Apostrophe Security Headers](https://www.npmjs.com/package/@apostrophecms/security-headers) module, you will need additional configuration to use this module. This module adds a script tag to the site's `head` that fetches the hCaptcha code, so the policy must allow resources from that domain.
**If you are using the Apostrophe Security Headers module**, add the following policy configuration for that module:
```javascript
module.exports = {
  options: {
    policies: {
      'login-hcaptcha': {
        'script-src': 'hcaptcha.com *.hcaptcha.com',
        'frame-src': 'hcaptcha.com *.hcaptcha.com',
        'style-src': 'hcaptcha.com *.hcaptcha.com',
        'connect-src': 'hcaptcha.com *.hcaptcha.com'
      },
      // Any other policies...
    }
  }
};
```
**If your content security policy is configured some other way**, add `hcaptcha.com *.hcaptcha.com` to the `script-src`, `frame-src`, `style-src` and `connect-src` directives.
Please refer to the list at https://docs.hcaptcha.com/#content-security-policy-settings for any additional settings.
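
For a policy configured some other way, the sketch below merges the hCaptcha sources into an existing `Content-Security-Policy` header value without loosening or breaking the rest of the policy. It is an added example, not code from this module; `parsePolicy`, `addHcaptcha` and the sample policy are hypothetical names and constructed data, and `script-src-elem` / `style-src-elem` overrides are not handled.

```javascript
// Sources the README says to allow, and the four directives it names,
// each with the directives a browser falls back to when it is absent.
const HCAPTCHA_SOURCES = ['hcaptcha.com', '*.hcaptcha.com'];
const FALLBACKS = {
  'script-src': ['default-src'],
  'style-src': ['default-src'],
  'connect-src': ['default-src'],
  'frame-src': ['child-src', 'default-src']
};

// Parse a header value into a Map of directive name -> source list.
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // Browsers ignore a repeated directive, so keep only the first one.
    if (name && !policy.has(name.toLowerCase())) {
      policy.set(name.toLowerCase(), sources);
    }
  }
  return policy;
}

function addHcaptcha(header) {
  const policy = parsePolicy(header);
  for (const [directive, chain] of Object.entries(FALLBACKS)) {
    let sources = policy.get(directive);
    if (!sources) {
      const inherited = chain.find((name) => policy.has(name));
      // Nothing restricts this resource type yet; declaring the directive
      // now would start blocking every origin except hCaptcha.
      if (!inherited) continue;
      // Copy the fallback's sources so the new directive keeps what it allowed.
      sources = [...policy.get(inherited)];
    }
    // 'none' is only valid on its own, so drop it before adding hosts.
    sources = sources.filter((s) => s.toLowerCase() !== "'none'");
    for (const host of HCAPTCHA_SOURCES) {
      if (!sources.includes(host)) sources.push(host);
    }
    policy.set(directive, sources);
  }
  return [...policy].map(([name, srcs]) => [name, ...srcs].join(' ')).join('; ');
}

// Constructed sample policy (not from the README).
console.log(addHcaptcha("default-src 'self'; frame-src 'none'"));
```
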