Fix: reCAPTCHA + HTML5 form validation

[thekaveman]

Fixes #1068

Based on an answer to this SO post: https://stackoverflow.com/q/41665935/453168

What this PR does

Uses programmatic reCAPTCHA validation

This is the main issue being solved. reCAPTCHA v3 supports two options:

• Automatically bind the challenge to a button (existing implementation)

• Programmatically invoke the challenge (new implementation in this PR)

Using a programmatic challenge allows the browser's HTML5 form validation a chance to kick-in before reCAPTCHA's checks,
which isn't possible with the challenge button auto-bind.

Refactors how templates get reCAPTCHA data

Before we used a Django context processor, which gave the data to every request context, even those that didn't need it:

def recaptcha(request):
    """Context processor adds recaptcha information to request context."""
    return {
        "recaptcha": {
            "api_url": settings.RECAPTCHA_API_URL,
            "enabled": settings.RECAPTCHA_ENABLED,
            "site_key": settings.RECAPTCHA_SITE_KEY,
        }
    }

This PR introduces a Middleware, following our usual pattern where we can apply the middleware per-view that needs it, which adds the reCAPTCHA data directly to the request:

class RecaptchaEnabled(MiddlewareMixin):
    """Middleware configures the request with required reCAPTCHA settings."""

    def process_request(self, request):
        if settings.RECAPTCHA_ENABLED:
            request.recaptcha = {
                "data_field": recaptcha.DATA_FIELD,
                "script_api": settings.RECAPTCHA_API_KEY_URL,
                "site_key": settings.RECAPTCHA_SITE_KEY,
            }
        return None

# later in views.py

@decorator_from_middleware(RecaptchaEnabled)
def confirm(request):
    """View handler for the eligibility verification form."""
    # etc.

This makes it more explicit which views use reCAPTCHA, and also makes using reCAPTCHA data easy from templates. Like in base.html where we include the reCAPTCHA API library only once and only if needed:

<html>
    <body>
        <!-- etc -->

        {% if request.recaptcha %}<script src="{{ request.recaptcha.script_api }}"></script>{% endif %}
    </body>
</html>

Makes the eligibility:unverified path a redirect

This has a couple advantages:

• (the reason for this change): creates a new request, clearing reCAPTCHA data from prior /eligiblity/confirm request
• Mirrors how the eligibility:verified path works (ultimately a redirect to enrollment:index)
• URL is now /eligiblity/unverified instead of /eligibility/confirm, a more accurate UX

Testing this PR

Setup

Add this to your .vscode/launch.json under the Django: Benefits Client, Debug=False entry's env:

{
  "name": "Django: Benefits Client, Debug=False",
  // other fields...
  "env": {
    // existing fields...
   // add these 2 entries with the values for the test reCAPTCHA site
    "DJANGO_RECAPTCHA_SITE_KEY": "<SITE KEY HERE>",
    "DJANGO_RECAPTCHA_SECRET_KEY": "<SECRET KEY HERE>"
  }
}

Eligibility index

reCAPTCHA library included once at the bottom of <body>:

HTML5 validation works, form submits with valid data:

Eligibility confirm

reCAPTCHA library included once at the bottom of <body>:

HTML5 validation works, form submits with valid data:

Other pages

Every other page should not have the reCAPTCHA library or any reCAPTCHA handling for form elements.

E.g. the homepage does not include reCAPTCHA:

Nor does the eligibility:start page:

[machikoyasuda]

I just wrote these notes for myself to help document what the app is doing for forms and what JS each form has

These are the 4 forms that use the form.html includes on the app and their corresponding IDs:

• #verifier-selection - has recaptcha
• #eligibility-verification - has recaptcha, has button name change
• #card-tokenize-fail - does not have recaptcha
• #card-tokenize-success - does not have recaptcha

The header's language selector button is also a form, but it does not use form.html.

[machikoyasuda]

Really like the way the JS in form.html is cleaned up! I also really like the instructions/documentation on how to run recaptcha locally - this will be very helpful.

I added the note comment there just to make sure we never make a CSS ID that collides with the ID name of a form. (ie - Ensuring we never make another #verifier-selection ID).

Once this PR is merged, I believe the unverified page should have the proper new layout that is on dev already.

[thekaveman]

I added the note comment there just to make sure we never make a CSS ID that collides with the ID name of a form

That's a good point - we could prefix these new form IDs with form- to make that more clear and less likely for a collision?

[angela-tran]

Nice refactoring!

[machikoyasuda]

I added the note comment there just to make sure we never make a CSS ID that collides with the ID name of a form

That's a good point - we could prefix these new form IDs with form- to make that more clear and less likely for a collision?

Yeah. This could be done in another PR.