Proof-of-concept: reCAPTCHA at sign-in

[aduth]

🛠 Summary of changes

Implements a proof-of-concept reCAPTCHA validation at sign-in.

📜 Testing Plan

1. Go to http://localhost:3000
2. Enter email and password
3. (Optional) Customize "reCAPTCHA score" in the mock debugger tool
4. Click "Sign in"
5. Observe:
   • If you have already signed in on this device, you are allowed to proceed regardless of the score entered in Step 3
   • If you haven't already signed in on this device and you enter a score at or above 0.3, you are allowed to proceed
   • Otherwise, you are presented with an error message

👀 Screenshots

[zachmargolis]

oooo smart use of .lazy! Another idea:

Suggested change

	return true if device.user.email_addresses.lazy.map(&:email).include?(auth_params[:email])
	return true if device.user.email_addresses.any? { |e| e.email == auth_params[:email] }

[aduth]

Yeah I thought it was a nice way to avoid having to use a block, but funny that the block form ends up being shorter anyways 😅

[zachmargolis]

should we default to RecaptchaForm for completeness?

Suggested change

	args
	args.merge(form_class: RecaptchaForm)

[aduth]

It's defaulted in SignInRecaptchaForm, so not strictly necessary:

identity-idp/app/forms/sign_in_recaptcha_form.rb

Line 10 in 2dd7c9c

def initialize(form_class: RecaptchaForm, **form_args)

This follows from the implementation for phone setup:

identity-idp/app/forms/new_phone_form.rb

Lines 144 to 153 in 37afb7e

	def recaptcha_form_args
	args = { analytics: }
	if IdentityConfig.store.phone_recaptcha_mock_validator
	args.merge(form_class: RecaptchaMockForm, score: recaptcha_mock_score)
	elsif FeatureManagement.recaptcha_enterprise?
	args.merge(form_class: RecaptchaEnterpriseForm)
	else
	args
	end
	end

But I could also change it so that form_class is a required keyword attribute and assign it here instead.

(Aside: When implementing this "proper", I'll probably plan to create a separate form class for handling the sign-in+reCAPTCHA validation, similar to what we have with NewPhoneForm)

[zachmargolis]

yeah seeing the default argument there is what prompted me to make the comment here

[zachmargolis]

this is the recaptcha_action not the older link-or-button action right? What if we renamed to recapcha_action tomatch the RECAPTCHA_ACTION constant it gets called with?

[aduth]

Yeah, it's the reCAPTCHA concept of "action", also documented with a reference link a couple lines below.

identity-idp/app/components/captcha_submit_button_component.rb

Line 8 in 2dd7c9c

# @param [String] action https://developers.google.com/recaptcha/docs/v3#actions

But sure, I think renaming recaptcha_action could be clearer / more consistent.

[aduth]

Also, that link should probably reference the Enterprise documentation, which is a little more complete and matches the expected production behavior:

https://cloud.google.com/recaptcha-enterprise/docs/actions-website

[mitchellhenke]

Discussed a little bit offline, but this query should probably include a subquery on email address for the user_id since cookie_uuid is not unique.

[aduth]

This proof-of-concept has served its purpose. I'll close this for now, but it's likely we'll use parts of this for future reference.