Auth0 ROPG from Browser with Google reCAPTCHA v3
<!doctype html>
<html lang="en">
<head>
<title>ROPG</title>
<meta charset="utf-8">
<script src="https://www.google.com/recaptcha/api.js?render=XXXXXX"></script>
<style>
.grecaptcha-badge { visibility: hidden; }
</style>
</head>
<body>
<script>
// Browser-side configuration for the ROPG demo. Every value here is public
// by design (the page source is visible to the user); the reCAPTCHA *secret*
// lives only in the server-side Auth0 rule. XXXXX / XXXXXX are placeholders.
const RECAPTCHA_SITE_KEY = 'XXXXXX'; // must equal the render= key loaded by api.js
const auth0_clientID = 'XXXXX';
const auth0_tenant = 'amin01.au';
const auth0_domain = `https://${auth0_tenant}.auth0.com`; // tenant base URL
const default_connection = 'Username-Password-Authentication'; // realm for the password grant
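/**
 * Runs the password-realm grant against the tenant's /oauth/token endpoint
 * from the browser and renders the JSON response into the #result element.
 * The reCAPTCHA token is forwarded as an extra body parameter so the Auth0
 * rule can verify it server-side before the grant is allowed.
 *
 * @param {string} realm - Auth0 connection (realm) to authenticate against.
 * @param {string} username - Credential entered by the user.
 * @param {string} password - Credential entered by the user.
 * @param {string} captcha_token - Token returned by grecaptcha.execute().
 * @returns {Promise<void>} The fetch chain, so callers can await or chain on it
 *   (the original dropped it, leaving the request unobservable).
 */
function oauth_token(realm, username, password, captcha_token) {
  const url = `${auth0_domain}/oauth/token`;
  const data = {
    grant_type: 'http://auth0.com/oauth/grant-type/password-realm',
    realm,
    client_id: auth0_clientID,
    username,
    password,
    captcha_token
  };
  const params = {
    headers: {'content-type': 'application/json'},
    method: 'POST',
    body: JSON.stringify(data)
  };
  return fetch(url, params)
    .then(response => response.json())
    .then(value => {
      // textContent, not innerHTML: the body is server-supplied data that
      // must be displayed as text, never interpreted as markup.
      document.getElementById('result').textContent = JSON.stringify(value, null, 2);
    })
    .catch(err => console.log('error in oauth_token call: ' + err));
}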
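/**
 * Login button handler: obtains a fresh reCAPTCHA v3 token for the 'sign_in'
 * action (the same action the server-side rule is expected to check), then
 * runs the password grant with the credentials currently in the form.
 * Form values are read only after the token arrives, as in the original.
 */
function submit() {
  grecaptcha.ready(() => {
    grecaptcha
      .execute(RECAPTCHA_SITE_KEY, {action: 'sign_in'})
      .then(captcha_token => {
        const username = document.getElementById('username').value;
        const password = document.getElementById('password').value;
        oauth_token(default_connection, username, password, captcha_token);
      })
      // The original left this promise floating; a reCAPTCHA failure would
      // surface only as an unhandled rejection. Mirror oauth_token's handling.
      .catch(err => console.log('error in grecaptcha.execute call: ' + err));
  });
}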
</script>
<label for="username">Username</label><input id="username" type="text"/>
<br/>
<label for="password">Password</label><input id="password" type="password"/>
<br/>
<input type="submit" value="Login" onclick="submit()"/>
<pre id="result">
</pre>
</body>
</html>
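function (user, context, callback) {
  // Auth0 rule: gates the Resource Owner Password Grant of one client behind
  // Google reCAPTCHA v3. Every other protocol/client passes through untouched.
  // Any verification problem fails closed (UnauthorizedError or plain Error).
  const RECAPTCHA_SECRET = configuration.RECAPTCHA_SECRET;
  // Must match the action the browser passed to grecaptcha.execute().
  const EXPECTED_ACTION = 'sign_in';
  // reCAPTCHA v3 scores are in [0.0, 1.0]; 0.5 is Google's documented default cut-off.
  const MIN_SCORE = 0.5;

  if (context.protocol !== "oauth2-password") {
    return callback(null, user, context);
  }
  if (context.clientID !== 'XXXXX') {
    return callback(null, user, context);
  }
  // A missing secret must not fail open: siteverify cannot succeed without it,
  // so report the misconfiguration explicitly instead of a confusing error-code.
  if (typeof RECAPTCHA_SECRET !== 'string' || RECAPTCHA_SECRET.length === 0) {
    return callback(new Error('RECAPTCHA_SECRET is not configured'));
  }
  // An absent parameter arrives as undefined (not null), so the original
  // `=== null` test never fired and the request reached siteverify without a
  // token. Also guard against a missing body. Anything but a non-empty string
  // is treated as absent.
  const reqBody = context.request.body || {};
  const captcha_token = reqBody.captcha_token;
  if (typeof captcha_token !== 'string' || captcha_token.length === 0) {
    return callback(new UnauthorizedError('captcha error'));
  }
  // Log presence only; the token value itself adds nothing useful to the log.
  console.log('captcha_token received, length ' + captcha_token.length);

  const formData = {
    secret: RECAPTCHA_SECRET,
    response: captcha_token,
    remoteip: context.request.ip
  };
  request({
    url: 'https://www.google.com/recaptcha/api/siteverify',
    method: 'POST',
    form: formData
  }, function (error, response, body) {
    if (error) {
      return callback(error);
    }
    if (response.statusCode !== 200) {
      return callback(new UnauthorizedError('invalid status'));
    }
    let result;
    try {
      result = JSON.parse(body);
    } catch (parseErr) {
      // A non-JSON body would otherwise throw out of this callback and crash the rule.
      return callback(new UnauthorizedError('invalid siteverify response'));
    }
    if (result.success !== true) {
      return callback(new UnauthorizedError('captcha error ' + result['error-codes']));
    }
    // `success` only proves the token is genuine for this site key. For v3 the
    // token must also be bound to the expected action and clear the score cut-off,
    // otherwise a token minted for any low-risk action on the site would pass.
    if (result.action !== EXPECTED_ACTION) {
      return callback(new UnauthorizedError('captcha action mismatch'));
    }
    if (typeof result.score !== 'number' || result.score < MIN_SCORE) {
      return callback(new UnauthorizedError('captcha score too low'));
    }
    console.log('captcha success');
    return callback(null, user, context);
  });
}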