Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

AWS WAF Captcha keeps triggering

0

I've setup WAF for my API Gateway with a CAPTCHA rule for one of the endpoints:

  1. Rule 1: URI contains string "/my_protected_endpoint" AND
  2. Rule 2: Http Method matches string "POST"

I've got a simple test page setup with the following code:

async function protectedPostRequest(data) {
    const result = await AwsWafIntegration.fetch(
        `${API_URL}/my_protected_endpoint`,
        {
            method: "POST",
            headers: {
                "Content-Type": "application/json",
            },
            body: JSON.stringify(data)
        }
    );
    console.log({result});

    if (result.status === 405) {
        AwsWafCaptcha.renderCaptcha(
            document.querySelector("#container"), 
            {
                apiKey:  <My API Key>,
                onSuccess: () => protectedPostRequest(data),
                onError: (error) => console.log(error),
            }
        );
    } else {
        const text = await result.text?.();
        if(result.ok) {
            alert(text);
        } else {
            console.log(text || String(result));
        }
    }

The issue I'm running into is, even after successfully completing the CAPTCHA, the requests still result in a 405 code. I've already confirmed that the requests contain "X-Aws-Waf-Token" in the header.

I've also got a Cloudfront for the Api Gateway if that makes any difference..

Topics
ServerlessFront-End Web & MobileNetworking & Content DeliverySecurity, Identity, & Compliance
Tags
Amazon CloudFrontAmazon API GatewayAWS WAF
Language
English
asked 3 years ago1.2K views
2 Answers
0

Hi, did you properly set the "Immunity time" of your captcha? See point 7 of https://cloudcompiled.com/tutorials/aws-waf-captcha-protect-from-bots/

Once a user solves a captcha, a cookie containing the validated token will be
saved in their browser. By default the immunity time is set to 5 mins (300 seconds). 
Once the immunity period expires, the user will be have to solve a new Captcha to 
access the protected page again.

Hope it helps!

Didier

EXPERT
answered 3 years ago
0

Is this problem solved? I get the same problem, the API keeps returning 405 and captcha html after captcha is solved, I use default immunity time, so it shouldn't be the problem. I follow the code in below link to handle response, it's almost same as OP's code. https://docs.aws.amazon.com/waf/latest/developerguide/waf-js-captcha-api-conditional.html In request header, x-aws-waf-token is attached In the response header, it shows a general error x-amzn-errortype: ForbiddenException x-amzn-waf-action: captcha x-cache: Error from cloudfront

answered 10 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content