kraftware/sw6-store-api-captcha
Composer 安装命令:
composer require kraftware/sw6-store-api-captcha
包简介
Enforce Shopware core captchas on Store API routes
README 文档
README
Enforce Shopware's core captchas on Store API routes. Shopware only enforces captchas on Storefront routes out of the box; this plugin extends the same captcha framework to the Store API, which is useful for headless / composable frontends and API integrations.
No new captcha type is added. The plugin reuses the captchas registered under the
shopware.storefront.captcha tag (Honeypot, Google reCAPTCHA v2/v3, and any third-party
captcha such as Cloudflare Turnstile) and the captcha selection configured under
Settings → Basic information.
How a route gets protected
A Store API route is protected when either:
-
It declares the
_captcharoute attribute — parity with how Storefront routes opt in. Plugin authors adddefaults={"_captcha"=true}(or the attribute equivalent) to their own Store API route. Example:#[Route(path: '/store-api/my-route', name: 'store-api.my-route', defaults: ['_captcha' => true], methods: ['POST'])]
-
Its route name is listed in the plugin configuration — open the plugin config and add one Store API route name per line, e.g.:
store-api.account.register store-api.contact.formUse mechanism 2 to protect existing core or third-party routes without changing their code.
Matching is by exact route name (the Symfony _route).
Behaviour
- Runs only for requests in the
store-apiroute scope; Storefront and Admin API behaviour is untouched. - On captcha failure the request is rejected with the core
CaptchaException: HTTP 403, error codeFRAMEWORK__INVALID_CAPTCHA_VALUE, as a Store API JSON error. - On success the request proceeds normally.
- Honors per-sales-channel configuration for both the route list and the captcha selection.
- Only POST requests are validated. The core captchas apply to form/POST submissions and
return
supports() === falsefor other methods. GET requests are never captcha-checked, so protect state-changing POST routes. Adding a GET-only (or GET-served) route to the list does not captcha-protect its GET traffic.
Client responsibility
This plugin only validates. The API client must obtain the captcha token and send the
captcha parameter in the request body, e.g. _grecaptcha_v3 for Google reCAPTCHA v3. Captcha
parameters sent in a JSON body are read correctly (Shopware decodes the JSON body into the
request parameters before validation).
Notes and limitations
- Storefront bundle required. The captcha implementations live in
shopware/storefront, which is a hard dependency. A pure headless install without the Storefront bundle is not supported. - Token-based captchas recommended. Google reCAPTCHA v2/v3 (and other token-verified captchas) are stateless and work well over the Store API.
- BasicCaptcha is skipped, not enforced. The image-based BasicCaptcha reports
shouldBreak() === falsebecause it expects an interactive image/session challenge that cannot be presented to a stateless API client. Rather than hard-block every request, the plugin skips any active captcha whoseshouldBreak()isfalse. Do not rely on BasicCaptcha for Store API protection. - Honeypot is weak on a headless client. Honeypot treats an empty field as valid, which works against bots that blindly fill hidden form fields. A first-party API client simply never sends the field, so honeypot passes every request and provides little real protection over the Store API. Prefer a token-verified captcha.
kraftware/sw6-store-api-captcha 适用场景与选型建议
kraftware/sw6-store-api-captcha 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 1 次下载、GitHub Stars 达 0, 最近一次更新时间为 2026 年 07 月 15 日, 在 PHP 生态内属于活跃度较高的组件。
我们在过去多个企业项目中使用过 kraftware/sw6-store-api-captcha 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。
基于 kraftware/sw6-store-api-captcha 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。
线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。
承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。
统计信息
- 总下载量: 1
- 月度下载量: 0
- 日度下载量: 0
- 收藏数: 0
- 点击次数: 1
- 依赖项目数: 0
- 推荐数: 0
其他信息
- 授权协议: proprietary
- 更新时间: 2026-07-15