WP Forms Lite prompts to “Please verify that you are human”

Hi,

Thanks for the message!

In the next plugin update (coming soon) this issue should be fixed.

Hi,

Please could you try updating to the latest version (1.17.0) and give this another try?

The problem still occurs. The testing procedure creates at least 10 form validation errors prior to a successful submission that should verify Turnstile. Could the number of retries or time to completion be a factor?

Edit: Possibly related FAQs about verification calls. https://developers.cloudflare.com/turnstile/frequently-asked-questions/#can-a-turnstile-token-be-used-twice

• This reply was modified 1 year, 11 months ago by deltafactory.

Regarding retries, what is the motivation for hooking the Turnstile validation process to wpforms_process_before instead of wpforms_process?

After some digging in, I have some possible answers. The fix was to adjust the action hook to wpforms_process.

1. Reusing of Turnstile tokens is not allowed. On a normal submission cycle the form isn’t submitted until all client-side validation passes. This means that the siteverify API isn’t called until most field validation passes.
2. Our testing process triggered an extra level of email validation which occurs on the server-side. During that submission, the Turnstile token is submitted and verified. However the form itself has not been completed when email validation fails.
3. If the error with the email address is corrected, the subsequent submissions reuse the Turnstile token when calling siteverify which will fail. This may resolve itself after 5 minutes when the token expires IF the widget is configured to refresh itself.

By changing the action hook where Turnstile validates, all other validation has passed before siteverify is called. This is not an ideal fix because other plugins may run during this later hook (as recommended by the developers in the code!) and fail submission, creating the same scenario.

The optimal solution would refresh the Turnstile token has been used to call the siteverify API and if the form fails server-side submission for any reason.

Thanks for the info. I will look into fixing this in the next update, so that with WPForms integration, Turnstile will re-render (new token) if the form is submitted but has an error. ??