18F · aduth · Feb 24, 2023 · Feb 14, 2023 · Feb 15, 2023 · Feb 23, 2023
diff --git a/app/components/captcha_submit_button_component.rb b/app/components/captcha_submit_button_component.rb
@@ -17,7 +17,7 @@ def call
       :'lg-captcha-submit-button',
       safe_join([input_errors_tag, input_tag, spinner_button_tag, recaptcha_script_tag]),
       **tag_options,
-      'recaptcha-site-key': IdentityConfig.store.recaptcha_site_key,
+      'recaptcha-site-key': IdentityConfig.store.recaptcha_site_key_v3,
       'recaptcha-action': action,
     )
   end
@@ -42,11 +42,11 @@ def input_tag
   end
 
   def recaptcha_script_tag
-    return if IdentityConfig.store.recaptcha_site_key.blank?
+    return if IdentityConfig.store.recaptcha_site_key_v3.blank?
     content_tag(:script, '', src: recaptcha_script_src, async: true)
   end
 
   def recaptcha_script_src
-    UriService.add_params(RECAPTCHA_SCRIPT_SRC, render: IdentityConfig.store.recaptcha_site_key)
+    UriService.add_params(RECAPTCHA_SCRIPT_SRC, render: IdentityConfig.store.recaptcha_site_key_v3)
   end
 end
diff --git a/app/controllers/concerns/recaptcha_concern.rb b/app/controllers/concerns/recaptcha_concern.rb
@@ -9,6 +9,10 @@ module RecaptchaConcern
     'https://recaptcha.google.com/recaptcha/',
   ].freeze
 
+  def recoverable_recaptcha_error?(result)
+    result.errors.keys == [:recaptcha_token]
+  end
+
   def allow_csp_recaptcha_src
     policy = current_content_security_policy
     policy.script_src(*policy.script_src, *RECAPTCHA_SCRIPT_SRC)

diff --git a/app/controllers/users/phone_setup_controller.rb b/app/controllers/users/phone_setup_controller.rb
@@ -28,6 +28,8 @@ def create
 
       if result.success?
         handle_create_success(@new_phone_form.phone)
+      elsif recoverable_recaptcha_error?(result)
+        render :spam_protection, locals: { two_factor_options_path: two_factor_options_path }
       else
         render :index
       end
@@ -84,6 +86,7 @@ def new_phone_form_params
         :otp_delivery_preference,
         :otp_make_default_number,
         :recaptcha_token,
+        :recaptcha_version,
       )
     end
   end

diff --git a/app/controllers/users/phones_controller.rb b/app/controllers/users/phones_controller.rb
@@ -15,9 +15,12 @@ def add
 
     def create
       @new_phone_form = NewPhoneForm.new(user: current_user, analytics: analytics)
-      if @new_phone_form.submit(user_params).success?
+      result = @new_phone_form.submit(user_params)
+      if result.success?
         confirm_phone
         bypass_sign_in current_user
+      elsif recoverable_recaptcha_error?(result)
+        render 'users/phone_setup/spam_protection'
       else
         render :add
       end
@@ -37,6 +40,7 @@ def user_params
         :otp_delivery_preference,
         :otp_make_default_number,
         :recaptcha_token,
+        :recaptcha_version,
       )
     end
 

diff --git a/app/forms/new_phone_form.rb b/app/forms/new_phone_form.rb
@@ -21,7 +21,8 @@ class NewPhoneForm
               :otp_delivery_preference,
               :otp_make_default_number,
               :setup_voice_preference,
-              :recaptcha_token
+              :recaptcha_token,
+              :recaptcha_version
 
   alias_method :setup_voice_preference?, :setup_voice_preference
 
@@ -31,6 +32,7 @@ def initialize(user:, analytics: nil, setup_voice_preference: false)
     @otp_delivery_preference = user.otp_delivery_preference
     @otp_make_default_number = false
     @setup_voice_preference = setup_voice_preference
+    @recaptcha_version = 3
   end
 
   def submit(params)
@@ -129,7 +131,7 @@ def validate_not_premium_rate
   end
 
   def validate_recaptcha_token
-    return if !FeatureManagement.phone_recaptcha_enabled?
+    return if !phone_recaptcha_enabled?
     return if recaptcha_validator.valid?(recaptcha_token)
     errors.add(
       :recaptcha_token,
@@ -139,7 +141,15 @@ def validate_recaptcha_token
   end
 
   def recaptcha_validator
-    @recaptcha_validator ||= PhoneRecaptchaValidator.new(parsed_phone:, analytics:)
+    @recaptcha_validator ||= PhoneRecaptchaValidator.new(
+      parsed_phone:,
+      recaptcha_version:,
+      analytics:,
+    )
+  end
+
+  def phone_recaptcha_enabled?
+    FeatureManagement.phone_recaptcha_enabled?
   end
 
   def parsed_phone
@@ -155,6 +165,7 @@ def ingest_submitted_params(params)
     @otp_delivery_preference = delivery_prefs if delivery_prefs
     @otp_make_default_number = true if default_prefs
     @recaptcha_token = params[:recaptcha_token]
+    @recaptcha_version = 2 if params[:recaptcha_version].to_i == 2
   end
 
   def confirmed_phone?

diff --git a/app/services/phone_recaptcha_validator.rb b/app/services/phone_recaptcha_validator.rb
@@ -1,11 +1,12 @@
 class PhoneRecaptchaValidator
-  attr_reader :parsed_phone, :analytics
+  attr_reader :parsed_phone, :recaptcha_version, :analytics
 
   delegate :valid?, :exempt?, to: :validator
 
-  def initialize(parsed_phone:, analytics: nil)
+  def initialize(parsed_phone:, recaptcha_version:, analytics: nil)
     @parsed_phone = parsed_phone
     @analytics = analytics
+    @recaptcha_version = recaptcha_version
   end
 
   def self.exempt_countries
@@ -23,7 +24,7 @@ def score_threshold
   private
 
   def validator
-    @validator ||= RecaptchaValidator.new(score_threshold:, analytics:)
+    @validator ||= RecaptchaValidator.new(score_threshold:, recaptcha_version:, analytics:)
   end
 
   def score_threshold_country_override

diff --git a/app/services/recaptcha_validator.rb b/app/services/recaptcha_validator.rb
@@ -1,13 +1,19 @@
 class RecaptchaValidator
   VERIFICATION_ENDPOINT = 'https://www.google.com/recaptcha/api/siteverify'.freeze
-
   EXEMPT_ERROR_CODES = ['missing-input-secret', 'invalid-input-secret']
+  VALID_RECAPTCHA_VERSIONS = [2, 3]
+
+  attr_reader :recaptcha_version, :score_threshold, :analytics
 
-  attr_reader :score_threshold, :analytics
+  def initialize(recaptcha_version: 3, score_threshold: 0.0, analytics: nil)
+    if !VALID_RECAPTCHA_VERSIONS.include?(recaptcha_version)
+      raise ArgumentError, "Invalid reCAPTCHA version #{recaptcha_version}, expected one of " \
+                           "#{VALID_RECAPTCHA_VERSIONS}"
+    end
 
-  def initialize(score_threshold: 0.0, analytics: nil)
     @score_threshold = score_threshold
     @analytics = analytics
+    @recaptcha_version = recaptcha_version
   end
 
   def exempt?
@@ -20,10 +26,7 @@ def valid?(recaptcha_token)
 
     response = faraday.post(
       VERIFICATION_ENDPOINT,
-      URI.encode_www_form(
-        secret: IdentityConfig.store.recaptcha_secret_key,
-        response: recaptcha_token,
-      ),
+      URI.encode_www_form(secret: recaptcha_secret_key, response: recaptcha_token),
     ) do |request|
       request.options.context = { service_name: 'recaptcha' }
     end
@@ -45,21 +48,45 @@ def faraday
   end
 
   def recaptcha_result_valid?(recaptcha_result)
-    if recaptcha_result.blank?
-      true
-    elsif recaptcha_result['success']
-      recaptcha_result['score'] >= score_threshold
+    return true if recaptcha_result.blank?
+
+    success, score, error_codes = recaptcha_result.values_at('success', 'score', 'error-codes')
+    if success
+      recaptcha_score_meets_threshold?(score)
     else
-      (recaptcha_result['error-codes'] - EXEMPT_ERROR_CODES).blank?
+      recaptcha_errors_exempt?(error_codes)
+    end
+  end
+
+  def recaptcha_score_meets_threshold?(score)
+    case recaptcha_version
+    when 2
+      true
+    when 3
+      score >= score_threshold
     end
   end
 
+  def recaptcha_errors_exempt?(error_codes)
+    (error_codes - EXEMPT_ERROR_CODES).blank?
+  end
+
   def log_analytics(recaptcha_result: nil, error: nil)
     analytics&.recaptcha_verify_result_received(
       recaptcha_result:,
       score_threshold:,
+      recaptcha_version:,
       evaluated_as_valid: recaptcha_result_valid?(recaptcha_result),
       exception_class: error&.class&.name,
     )
   end
+
+  def recaptcha_secret_key
+    case recaptcha_version
+    when 2
+      IdentityConfig.store.recaptcha_secret_key_v2
+    when 3
+      IdentityConfig.store.recaptcha_secret_key_v3
+    end
+  end
 end
diff --git a/app/views/users/phone_setup/spam_protection.html.erb b/app/views/users/phone_setup/spam_protection.html.erb
@@ -0,0 +1,43 @@
+<% title t('titles.spam_protection') %>
+
+<%= render PageHeadingComponent.new.with_content(t('titles.spam_protection')) %>
+
+<p><%= t('forms.spam_protection.description') %></p>
+
+<%= simple_form_for(@new_phone_form, url: request.url, method: :post) do |f| %>
+  <%= f.input :phone, as: :hidden %>
+  <%= f.input :international_code, as: :hidden %>
+  <%= f.input :otp_delivery_preference, as: :hidden %>
+  <%= f.input :otp_make_default_number, as: :hidden %>
+  <%= f.input :recaptcha_version, as: :hidden, input_html: { value: 2 } %>
+  <%= f.input :recaptcha_token, as: :hidden, input_html: { id: :recaptcha_token } %>
+  <%= javascript_tag(nonce: true) do %>
+    function onCaptchaResponse(token) {
+      const input = document.getElementById('recaptcha_token');
+      input.value = token;
+      input.closest('form').submit();
+    }
+  <% end %>
+  <div
+    class="g-recaptcha"
+    data-sitekey="<%= IdentityConfig.store.recaptcha_site_key_v2 %>"
+    data-callback="onCaptchaResponse"
+  ></div>
+  <script src="https://www.google.com/recaptcha/api.js" async></script>
+<% end %>
+
+<%= render TroubleshootingOptionsComponent.new do |c| %>
+  <% c.header { t('components.troubleshooting_options.default_heading') } %>
+  <% if local_assigns[:two_factor_options_path].present? %>
+    <% c.option(
+         url: two_factor_options_path,
+       ).with_content(t('two_factor_authentication.login_options_link_text')) %>
+  <% end %>
+  <% c.option(
+       url: MarketingSite.help_center_article_url(
+         category: 'get-started',
+         article: 'authentication-options',
+       ),
+       new_tab: true,
+     ).with_content(t('two_factor_authentication.phone_verification.troubleshooting.learn_more')) %>
+<% end %>
diff --git a/config/application.yml.default b/config/application.yml.default
@@ -251,8 +251,10 @@ rack_mini_profiler: false
 rack_timeout_service_timeout_seconds: 15
 rails_mailer_previews_enabled: false
 reauthn_window: 120
-recaptcha_site_key: ''
-recaptcha_secret_key: ''
+recaptcha_site_key_v2: ''
+recaptcha_site_key_v3: ''
+recaptcha_secret_key_v2: ''
+recaptcha_secret_key_v3: ''
 recovery_code_length: 4
 redis_irs_attempt_api_url: redis://localhost:6379/2
 redis_throttle_url: redis://localhost:6379/1

diff --git a/config/locales/forms/en.yml b/config/locales/forms/en.yml
@@ -111,6 +111,9 @@ en:
       labels:
         email: Enter your email address
         email_language: Select your email language preference
+    spam_protection:
+      description: We use reCAPTCHA to protect against automated spam. Check the box
+        below to continue.
     ssn:
       show: Show Social Security number
     totp_delete:

diff --git a/config/locales/forms/es.yml b/config/locales/forms/es.yml
@@ -119,6 +119,9 @@ es:
       labels:
         email: Ingrese su dirección de correo electrónico
         email_language: Seleccione su preferencia de idioma de correo electrónico
+    spam_protection:
+      description: Utilizamos reCAPTCHA como protección contra el correo no deseado
+        automatizado. Marque la casilla de abajo para continuar.
     ssn:
       show: Mostrar Número de Seguro Social
     totp_delete:

diff --git a/config/locales/forms/fr.yml b/config/locales/forms/fr.yml
@@ -120,6 +120,9 @@ fr:
       labels:
         email: Entrez votre adresse email
         email_language: Sélectionnez votre préférence de langue pour les e-mails
+    spam_protection:
+      description: Nous utilisons reCAPTCHA pour nous protéger contre les pourriels
+        automatisés. Cochez la case ci-dessous pour continuer.
     ssn:
       show: Afficher le numéro de sécurité sociale
     totp_delete:

diff --git a/config/locales/titles/en.yml b/config/locales/titles/en.yml
@@ -80,6 +80,7 @@ en:
       completion_new_attributes: '%{sp} is requesting new information'
       completion_new_sp: You are now signing in for the first time
       confirmation: Continue to sign in
+    spam_protection: Protecting against spam
     totp_setup:
       new: Add authentication app
     two_factor_setup: Two-factor authentication setup

diff --git a/config/locales/titles/es.yml b/config/locales/titles/es.yml
@@ -82,6 +82,7 @@ es:
       completion_new_attributes: '%{sp} está solicitando nueva información'
       completion_new_sp: Acabas de iniciar sesión por primera vez
       confirmation: Continuar para iniciar sesión
+    spam_protection: Protección contra el correo no deseado
     totp_setup:
       new: Agregar aplicación de autenticación
     two_factor_setup: Configuración de autenticación de dos factores

diff --git a/config/locales/titles/fr.yml b/config/locales/titles/fr.yml
@@ -82,6 +82,7 @@ fr:
       completion_new_attributes: '%{sp} demande de nouvelles informations'
       completion_new_sp: Vous vous connectez pour la première fois
       confirmation: Continuer à vous connecter
+    spam_protection: Protection contre les pourriels
     totp_setup:
       new: Ajouter une application d’authentification
     two_factor_setup: Configuration de l’authentification à deux facteurs

diff --git a/config/routes.rb b/config/routes.rb
@@ -251,7 +251,8 @@
     get '/second_mfa_setup' => 'users/mfa_selection#index'
     patch '/second_mfa_setup' => 'users/mfa_selection#update'
     get '/phone_setup' => 'users/phone_setup#index'
-    patch '/phone_setup' => 'users/phone_setup#create'
+    patch '/phone_setup' => 'users/phone_setup#create' # TODO: Remove after next deploy
+    post '/phone_setup' => 'users/phone_setup#create'
     get '/users/two_factor_authentication' => 'users/two_factor_authentication#show',
         as: :user_two_factor_authentication # route name is used by two_factor_authentication gem
     get '/backup_code_refreshed' => 'users/backup_code_setup#refreshed'

diff --git a/lib/feature_management.rb b/lib/feature_management.rb
@@ -113,8 +113,10 @@ def self.log_to_stdout?
   end
 
   def self.phone_recaptcha_enabled?
-    IdentityConfig.store.recaptcha_site_key.present? &&
-      IdentityConfig.store.recaptcha_secret_key.present? &&
+    IdentityConfig.store.recaptcha_site_key_v2.present? &&
+      IdentityConfig.store.recaptcha_site_key_v3.present? &&
+      IdentityConfig.store.recaptcha_secret_key_v2.present? &&
+      IdentityConfig.store.recaptcha_secret_key_v3.present? &&
       IdentityConfig.store.phone_recaptcha_score_threshold.positive?
   end
 

diff --git a/lib/identity_config.rb b/lib/identity_config.rb
@@ -352,8 +352,10 @@ def self.build_store(config_map)
     config.add(:rack_timeout_service_timeout_seconds, type: :integer)
     config.add(:rails_mailer_previews_enabled, type: :boolean)
     config.add(:reauthn_window, type: :integer)
-    config.add(:recaptcha_site_key, type: :string)
-    config.add(:recaptcha_secret_key, type: :string)
+    config.add(:recaptcha_site_key_v2, type: :string)
+    config.add(:recaptcha_site_key_v3, type: :string)
+    config.add(:recaptcha_secret_key_v2, type: :string)
+    config.add(:recaptcha_secret_key_v3, type: :string)
     config.add(:recovery_code_length, type: :integer)
     config.add(:recurring_jobs_disabled_names, type: :json)
     config.add(:redis_irs_attempt_api_url)

diff --git a/spec/components/captcha_submit_button_component_spec.rb b/spec/components/captcha_submit_button_component_spec.rb
@@ -34,7 +34,7 @@
 
   context 'without configured recaptcha site key' do
     before do
-      allow(IdentityConfig.store).to receive(:recaptcha_site_key).and_return(nil)
+      allow(IdentityConfig.store).to receive(:recaptcha_site_key_v3).and_return(nil)
     end
 
     it 'renders without recaptcha site key attribute' do
@@ -49,7 +49,7 @@
   context 'with configured recaptcha site key' do
     let(:recaptcha_site_key) { 'site_key' }
     before do
-      allow(IdentityConfig.store).to receive(:recaptcha_site_key).and_return(recaptcha_site_key)
+      allow(IdentityConfig.store).to receive(:recaptcha_site_key_v3).and_return(recaptcha_site_key)
     end
 
     it 'renders with recaptcha site key attribute' do