承接 kraftware/sw6-store-api-captcha 相关项目开发

从需求分析到上线部署,全程专人跟进,保证项目质量与交付效率

邮箱:yvsm@zunyunkeji.com | QQ:316430983 | 微信:yvsm316

kraftware/sw6-store-api-captcha

Composer 安装命令:

composer require kraftware/sw6-store-api-captcha

包简介

Enforce Shopware core captchas on Store API routes

README 文档

README

Enforce Shopware's core captchas on Store API routes. Shopware only enforces captchas on Storefront routes out of the box; this plugin extends the same captcha framework to the Store API, which is useful for headless / composable frontends and API integrations.

No new captcha type is added. The plugin reuses the captchas registered under the shopware.storefront.captcha tag (Honeypot, Google reCAPTCHA v2/v3, and any third-party captcha such as Cloudflare Turnstile) and the captcha selection configured under Settings → Basic information.

How a route gets protected

A Store API route is protected when either:

  1. It declares the _captcha route attribute — parity with how Storefront routes opt in. Plugin authors add defaults={"_captcha"=true} (or the attribute equivalent) to their own Store API route. Example:

    #[Route(path: '/store-api/my-route', name: 'store-api.my-route', defaults: ['_captcha' => true], methods: ['POST'])]
  2. Its route name is listed in the plugin configuration — open the plugin config and add one Store API route name per line, e.g.:

    store-api.account.register
    store-api.contact.form
    

    Use mechanism 2 to protect existing core or third-party routes without changing their code.

Matching is by exact route name (the Symfony _route).

Behaviour

  • Runs only for requests in the store-api route scope; Storefront and Admin API behaviour is untouched.
  • On captcha failure the request is rejected with the core CaptchaException: HTTP 403, error code FRAMEWORK__INVALID_CAPTCHA_VALUE, as a Store API JSON error.
  • On success the request proceeds normally.
  • Honors per-sales-channel configuration for both the route list and the captcha selection.
  • Only POST requests are validated. The core captchas apply to form/POST submissions and return supports() === false for other methods. GET requests are never captcha-checked, so protect state-changing POST routes. Adding a GET-only (or GET-served) route to the list does not captcha-protect its GET traffic.

Client responsibility

This plugin only validates. The API client must obtain the captcha token and send the captcha parameter in the request body, e.g. _grecaptcha_v3 for Google reCAPTCHA v3. Captcha parameters sent in a JSON body are read correctly (Shopware decodes the JSON body into the request parameters before validation).

Notes and limitations

  • Storefront bundle required. The captcha implementations live in shopware/storefront, which is a hard dependency. A pure headless install without the Storefront bundle is not supported.
  • Token-based captchas recommended. Google reCAPTCHA v2/v3 (and other token-verified captchas) are stateless and work well over the Store API.
  • BasicCaptcha is skipped, not enforced. The image-based BasicCaptcha reports shouldBreak() === false because it expects an interactive image/session challenge that cannot be presented to a stateless API client. Rather than hard-block every request, the plugin skips any active captcha whose shouldBreak() is false. Do not rely on BasicCaptcha for Store API protection.
  • Honeypot is weak on a headless client. Honeypot treats an empty field as valid, which works against bots that blindly fill hidden form fields. A first-party API client simply never sends the field, so honeypot passes every request and provides little real protection over the Store API. Prefer a token-verified captcha.

kraftware/sw6-store-api-captcha 适用场景与选型建议

kraftware/sw6-store-api-captcha 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 1 次下载、GitHub Stars 达 0, 最近一次更新时间为 2026 年 07 月 15 日, 在 PHP 生态内属于活跃度较高的组件。

我们在过去多个企业项目中使用过 kraftware/sw6-store-api-captcha 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。

围绕 kraftware/sw6-store-api-captcha 我们能提供哪些服务?
定制开发 / 二次开发

基于 kraftware/sw6-store-api-captcha 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。

BUG 修复 & 性能优化

线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。

项目外包 & 长期维护

承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。

yvsm@zunyunkeji.com QQ:316430983 微信:yvsm316 西安尊云信息科技 · 专注 PHP / Go / 分布式系统研发

统计信息

  • 总下载量: 1
  • 月度下载量: 0
  • 日度下载量: 0
  • 收藏数: 0
  • 点击次数: 1
  • 依赖项目数: 0
  • 推荐数: 0

GitHub 信息

  • Stars: 0
  • Watchers: 0
  • Forks: 0
  • 开发语言: PHP

其他信息

  • 授权协议: proprietary
  • 更新时间: 2026-07-15