We have used Recaptcha v3 and v2 in our application, If Recaptcha v3 fails, ReCaptcha v2 will be loaded.

It happens randomly on our application but is noticeable. Below error message is displayed if Recaptcha v3 fails and Recaptcha v2 is not loading.

reCAPTCHA verification failed, please try again.

ruby: 2.7.5
rails: 5.2.8
recaptcha: 5.7.0

Yeah, I'm having the same issue implementing the exact same behavior

As of about 1 month ago I am also having a similar issue. Using Rails v6.1.5 and Devise (latest) on the password_controller.rb. I originally had a v3 ReCaptcha setup with a v2 fallback and it all worked properly. I am using this same v3 with a v2 fallback on the registration and the login and they both work fine. They all use similar code, some variables are named differently of course to accommodate the 3 different situations but essentially the code is the SAME.

Out of no place again approx. 1 month ago or so, all of a sudden the v3 started failing which would bring up the v2 fallback. The fallback is working properly. To Troubleshoot I changed it to use ONLY v3 and it fails on the first ReCaptcha attempt, sometimes on the next attempt it will go through, most of the time it will not. V2 on the same controller works perfectly 100% of the time.

So I know all of the keys work (again I have v3 with v2 fallback working on registrations and login), it is doing the same thing from localhost as well as from app.filtertrak.direct (you can't go to app.filtertrak.direct to reproduce because I had to change it to use ONLY v2 since v3 is bugged out), I verified that both v2 and v3 have the correct URLS in the Google console and they do (or it wouldn't work on the registrations and the login).

The only item that seems to be consistent is v3 and the password_controller.rb. I don't know if this is a DEVISE bug (something that they maybe changed?) or a ReCaptcha bug (something Google changed?) from Google's side or the gem? The gem or Google is my suspicion as the very same code worked fine before for months. Again the very SAME CODE is working on Login and Registrations using the same version of Devise.

I have searched high and low and can't seem to find anything helpful on this. I tried setting the score to .01 and it still will fail on the first attempt 100% of the time. I am capturing the score and printing it to my log but almost every time when it fails it captures a NIL response, I can't find anything else I can print to the logs to give me more information. If anyone KNOWS of something I can print out or capture to give me more information I would LOVE to hear what it is.

So something has changed that is preventing v3 from working with Devise on the password controller.

I plug in the v3 keys via a recaptcha_initializer.rb.
The v2 keys I pull from ENV on the requests themselves.

password_controller.rb

class Users::PasswordsController < Devise::PasswordsController

  prepend_before_action :pw_reset_check_captcha, only: [:create]



  private

    def pw_reset_check_captcha
      return if check_captcha?
      self.resource = resource_class.new
      respond_with_navigational(resource) do
        flash.discard(:recaptcha_error) # We need to discard flash to avoid showing it on the next page reload
        render :new
      end
    end

    def check_captcha?
      logger.debug "\n\n Inside check_captcha METHOD:\n\n"
      success = verify_recaptcha(action: 'create', minimum_score: 0.75)# || success = verify_recaptcha(action: 'edit', minimum_score: 0.5)
      checkbox_success = verify_recaptcha(secret_key: ENV['RECAPTCHA_SECRET_KEY_V2']) unless success
      @rr = recaptcha_reply
      if success || checkbox_success
        logger.debug "\n\n In check_captcha IF\n\n"
        logger.debug "\n\n reCAPTCHA Reply Object:#{@rr.inspect}\n\n"
        true
      else
        logger.debug "\n\n In check_captcha ELSE\n\n"
        logger.debug "\n\n reCAPTCHA Reply Object:#{@rr.inspect}\n\n"
        unless success
          @show_checkbox_recaptcha = true
          return
        end
      end
    end
end

new.html.haml

%br
.authform
  .add_box_shadow
    = form_for(resource, as: resource_name, url: password_path(resource_name), html: { method: :post, role: 'form'}) do |f|
      %h3{style: 'margin-top: 0px;'} Forgot your password?
      %p We'll send password reset instructions.
      = render "devise/shared/error_messages", resource: resource
      .form-group
        = f.label :email
        = f.email_field :email, autofocus: true, class: 'form-control'
        %br/
        %br/
        %br/
        -#= recaptcha_v3(action: 'password/reset')
        -#= recaptcha_tags(site_key: ENV['RECAPTCHA_SITE_KEY_V2'])
        - if @show_checkbox_recaptcha
          = recaptcha_tags(site_key: ENV['RECAPTCHA_SITE_KEY_V2'])
        - else
          = recaptcha_v3(action: 'password/reset')
      = f.submit 'Reset Password', class: 'button right'

I guess nobody checks this. Another create a gem and forget about it situation?

I'm not actively using this, just keeping the lights on by merging PRs that look good and make sense.

I guess nobody checks this. Another create a gem and forget about it situation?

I ended up implementing recaptcha from scratch as Google docs says.