Protect a flow on a public community with the Google Recaptcha component
Submitted By: Clifford Beul (8/10/20)
Before using, please review the potential security concerns raised in "Two major security vulnerabilities?" (Issue #4, clifford-fra/GoogleRecaptchav2 on github.com).
Source Code & Installation Link
Open your community with the flow that you want to protect. Copy the domain in this format: recaptcha-demo-developer-edition.eu13.force.com
Register a new website for Google's reCAPTCHA here: https://www.google.com/recaptcha/admin/create. Provide a label, select reCAPTCHA Version 2 – Checkbox and add your domain.
Copy your Site Key and Secret Key.
Use the Deploy to Salesforce button in this GitHub repository to install the new component: https://github.com/clifford-fra/GoogleRecaptchav2
Open your Flow in Flow Builder and add the Google Recaptcha v2 custom component to your screen. Insert your Site and Secret Key into the attributes on the right side. Afterwards, save and activate your flow.
Now see the Recaptcha Component in action:
The component will allow you to go to the next screen as soon as you are verified as a person.
Note 1: If you run your Flow from Flow Builder, the reCAPTCHA will tell you that your domain is invalid. This is expected, because we have not added this domain to Google's Admin Console yet. In my case, the second domain would be empathetic-koala-553oko-dev-ed--c.visualforce.com. You can add as many domains as you want in the Admin Console.
Note 2: The component will call the Apex class GoogleRecaptchaHandler.cls, which will in turn do a callout to Google to verify the recaptcha response. Consider giving the correct permissions if needed. In this use case, it was enough to give the community site guest user the Run Flows permission.
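The server-side check described in Note 2, as an added example (not the code of GoogleRecaptchaHandler.cls): a callout to Google's siteverify endpoint that fails closed and also checks the hostname and challenge_ts fields Google returns. The class name RecaptchaVerifyExample, the 120-second age limit and the host allow-list are assumptions.

```apex
// Added example: hypothetical class, not the repository's GoogleRecaptchaHandler.cls.
public with sharing class RecaptchaVerifyExample {
    // Assumption: the domains registered in the Admin Console (the two named on this page).
    private static final Set<String> ALLOWED_HOSTS = new Set<String>{
        'recaptcha-demo-developer-edition.eu13.force.com',
        'empathetic-koala-553oko-dev-ed--c.visualforce.com'
    };
    // Assumption: a challenge loaded longer ago than this is refused.
    private static final Integer MAX_AGE_SECONDS = 120;

    // Decision logic kept apart from the callout so it can be unit tested with a fixed body.
    public static Boolean isAcceptable(String body, Datetime now) {
        try {
            Map<String, Object> r = (Map<String, Object>) JSON.deserializeUntyped(body);
            if ((Boolean) r.get('success') != true) return false;
            String host = (String) r.get('hostname');
            if (host == null || !ALLOWED_HOSTS.contains(host.toLowerCase())) {
                return false; // token was solved on a site that is not ours
            }
            // challenge_ts is an ISO 8601 timestamp; let the JSON parser convert it.
            Datetime solved = (Datetime) JSON.deserialize(
                JSON.serialize((String) r.get('challenge_ts')), Datetime.class);
            Long ageSeconds = (now.getTime() - solved.getTime()) / 1000;
            return ageSeconds >= 0 && ageSeconds <= MAX_AGE_SECONDS;
        } catch (Exception e) {
            return false; // malformed or unexpected response: fail closed
        }
    }

    // Requires www.google.com to be allowed for callouts (Remote Site Setting or Named Credential).
    public static Boolean verify(String token, String secretKey) {
        if (String.isBlank(token) || String.isBlank(secretKey)) return false;
        HttpRequest req = new HttpRequest();
        req.setEndpoint('https://www.google.com/recaptcha/api/siteverify');
        req.setMethod('POST');
        req.setHeader('Content-Type', 'application/x-www-form-urlencoded');
        req.setBody('secret=' + EncodingUtil.urlEncode(secretKey, 'UTF-8')
            + '&response=' + EncodingUtil.urlEncode(token, 'UTF-8'));
        try {
            HttpResponse res = new Http().send(req);
            return res.getStatusCode() == 200 && isAcceptable(res.getBody(), Datetime.now());
        } catch (CalloutException e) {
            return false; // network failure: fail closed
        }
    }
}
```

The Flow should only advance when verify returns true; any parsing error, unknown hostname or stale challenge is treated the same as a failed check.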