LG-12292: Perform reCAPTCHA assessment at sign-in#10772

Merged
aduth merged 14 commits into main from aduth-lg-12292-recaptcha-sign-in
Jun 24, 2024
Conversation

@aduth aduth commented Jun 6, 2024

🎫 Ticket

LG-12292

🛠 Summary of changes

Implements reCAPTCHA validation at sign-in, behind a feature flag.

This builds upon code from the previous proof-of-concept at #10587.

📜 Testing Plan

Verify that you can pass and fail reCAPTCHA validation at sign-in from a new or existing device:

  1. Go to http://localhost:3000
  2. Enter email and password
  3. (Optional) Customize "reCAPTCHA score" in the mock debugger tool
  4. Click "Sign in"
  5. Observe:
    • If you have already signed in on this device, you are allowed to proceed regardless of the score entered in Step 3
    • If you haven't already signed in on this device and you enter a score at or above 0.3, you are allowed to proceed
    • Otherwise, you are presented with an error message

Verify that there is no validation when the feature flag is disabled:

  1. Add sign_in_recaptcha_score_threshold: 0.0 and phone_recaptcha_mock_validator: false (rename TBD) to config/application.yml
  2. Restart server
  3. Go to http://localhost:3000
  4. Observe no "reCAPTCHA score" field
  5. Sign in with email and password
  6. Observe no error message shown

👀 Screenshots

image
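To make the gating described in the testing plan concrete, here is an added illustrative model of the score-threshold logic (this is example code written for this page, not code from identity-idp or from this PR). It assumes a hypothetical `SignInRecaptchaCheck` class and a constructed `AppConfig` stand-in for the `sign_in_recaptcha_score_threshold` setting; it mirrors the behaviour the plan describes: a recognized device is exempt, a score at or above the configured threshold passes, a threshold of 0.0 disables the check entirely, and a missing score fails closed when the check is enabled.

```ruby
# Added example (not identity-idp code). Names are hypothetical.

# Constructed stand-in for the application config; the real project reads
# its settings from config/application.yml.
AppConfig = Struct.new(:sign_in_recaptcha_score_threshold, keyword_init: true)

class SignInRecaptchaCheck
  # Error recorded when the assessment score is below the threshold.
  LOW_SCORE_ERROR = 'recaptcha score below threshold'.freeze

  attr_reader :errors

  # config:            object exposing sign_in_recaptcha_score_threshold
  # device_recognized: true when this browser has already signed in before
  #                    (the exemption case in the testing plan)
  # score:             reCAPTCHA assessment score (0.0..1.0), or nil when
  #                    no assessment was performed
  def initialize(config:, device_recognized:, score:)
    @config = config
    @device_recognized = device_recognized
    @score = score
    @errors = []
  end

  # The feature is off when the configured threshold is 0.0 (or unset).
  def enabled?
    @config.sign_in_recaptcha_score_threshold.to_f > 0.0
  end

  # Effective threshold for this request. Exemptions are expressed by
  # lowering the threshold to 0.0 rather than by a separate branch in
  # valid?, so "threshold 0.0" uniformly means "no assessment required".
  def score_threshold
    return 0.0 unless enabled?
    return 0.0 if @device_recognized

    @config.sign_in_recaptcha_score_threshold.to_f
  end

  # Returns true when sign-in may proceed. Only consults the score when a
  # non-zero threshold applies; a nil score is treated as 0.0 so that a
  # missing assessment cannot bypass an enabled check.
  def valid?
    @errors = []
    threshold = score_threshold
    if threshold > 0.0
      effective_score = @score.nil? ? 0.0 : @score.to_f
      @errors << LOW_SCORE_ERROR if effective_score < threshold
    end
    @errors.empty?
  end
end

# Stand-alone demonstration with constructed inputs matching the testing plan.
if $PROGRAM_NAME == __FILE__
  enabled = AppConfig.new(sign_in_recaptcha_score_threshold: 0.3)
  disabled = AppConfig.new(sign_in_recaptcha_score_threshold: 0.0)

  [
    ['new device, score 0.3', enabled, false, 0.3],
    ['new device, score 0.1', enabled, false, 0.1],
    ['known device, score 0.1', enabled, true, 0.1],
    ['new device, no score', enabled, false, nil],
    ['flag off, no score', disabled, false, nil],
  ].each do |label, cfg, known, score|
    check = SignInRecaptchaCheck.new(config: cfg, device_recognized: known, score: score)
    puts "#{label}: #{check.valid? ? 'allowed' : check.errors.join(', ')}"
  end
end
```

The fail-closed handling of a nil score is the caveat worth carrying into a real implementation: if the token is missing or the assessment call fails while the feature is enabled, the sign-in should be treated as a low-score attempt rather than silently allowed.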

Comment on lines 39 to 35
This revised lookup is intended to address previous comments from proof-of-concept #10587 (comment) and #10587 (comment) (cc @mitchellhenke @zachmargolis)

@aduth aduth force-pushed the aduth-lg-12292-recaptcha-sign-in branch from 82eb2cc to 807ca11 Compare June 7, 2024 14:30
@aduth aduth requested a review from a team June 7, 2024 14:31
@aduth aduth marked this pull request as ready for review June 7, 2024 14:31
aduth and others added 13 commits June 21, 2024 08:42
Previously needed since recaptcha_token wasn't a method on SignInRecaptchaForm, but the method was added in ede24b278b
Base classes manage exemption already using score threshold, so initialize score threshold based on expected sign-in exemption cases
changelog: Upcoming Features, Spam Mitigation, Add reCAPTCHA at sign-in behind feature flag
Not strictly necessary, but safer, and avoids loading extra resources while disabled
Move short-circuit to score_threshold logic
See: #10772 (comment)
Co-Authored-By: Malick Diarra <malick.diarra@gsa.gov>
@aduth aduth force-pushed the aduth-lg-12292-recaptcha-sign-in branch from dd0bdca to 112ea41 Compare June 21, 2024 12:52
Revert to behavior more similar to how it works on main
@aduth aduth requested review from mdiarra3 and zachmargolis June 21, 2024 13:40
@mdiarra3 mdiarra3 left a comment
LGTM tested locally and worked as expected.

@aduth aduth merged commit 38b0a90 into main Jun 24, 2024
@aduth aduth deleted the aduth-lg-12292-recaptcha-sign-in branch June 24, 2024 13:19
3 participants