Only fetch reCAPTCHA v2 token when FAKE_TOKEN #8493
Conversation
request.phoneEnrollmentInfo.captchaResponse === FAKE_TOKEN | ||
) { | ||
// If reCAPTCHA Enterprise token is FAKE_TOKEN, fetch reCAPTCHA v2 token and inject into request. | ||
if (request.phoneEnrollmentInfo.captchaResponse === FAKE_TOKEN) { |
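Review bot: The comment on `if (request.phoneEnrollmentInfo.captchaResponse === FAKE_TOKEN) {` only describes the FAKE_TOKEN path; since the dropped `||` branch is the only visible trace that an empty captchaResponse used to reach the v2 fetch, the comment should also state that an empty token now falls through untouched and is expected to surface MISSING_RECAPTCHA_TOKEN. A unit test for Enforce mode with an empty captchaResponse (no v2 token fetch, MISSING_RECAPTCHA_TOKEN surfaced) would lock in the behavior the description promises.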
What is the case in which we need to use a fake token?
We use a fake token when the rCE token is missing (MISSING_RECAPTCHA_TOKEN) or the reCAPTCHA Enterprise token check fails (INVALID_APP_CREDENTIAL). In audit mode, if the 1st request fails with the above reason, we try again with FAKE_TOKEN and an rcv2 token.
LGTM, thank you Ricky!
Issue
Currently, we show the challenge and fetch the reCAPTCHA v2 token when the reCAPTCHA Enterprise token is empty (token fetch fails) before making the phone auth request.
In Enforce mode, we fetch the rcv2 token when the rCE token is empty. This is incorrect behavior; we shouldn't fetch the rcv2 token in Enforce mode. Fetching rcv2 means we will show the rcv2 challenge, which would confuse developers as to why we show the rcv2 challenge when they're in Enforce mode.
We expect to throw MISSING_RECAPTCHA_TOKEN instead without fetching rcv2 token. This PR fixes that.
Testing
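The audit-mode retry and Enforce-mode failure described in the discussion above, as an added example that is not code from the firebase-js-sdk PR. Every name (`sendPhoneCode`, `Backend`, `FakeBackend`, `injectV2TokenIfFake`) is hypothetical, and the token and phone values are constructed placeholders.

```typescript
// Added example, not code from firebase-js-sdk: a model of the phone-auth request flow
// the PR describes. All names are hypothetical; token and phone values are constructed.
const FAKE_TOKEN = 'FAKE_TOKEN_PLACEHOLDER'; // stands in for the SDK's sentinel value
const PHONE = '+15555550100';                // constructed sample number
type RecaptchaMode = 'AUDIT' | 'ENFORCE';
type AuthErrorCode = 'MISSING_RECAPTCHA_TOKEN' | 'INVALID_APP_CREDENTIAL' | 'OTHER';
// Only these first-attempt failures trigger the audit-mode retry (per the review thread).
const RETRYABLE: AuthErrorCode[] = ['MISSING_RECAPTCHA_TOKEN', 'INVALID_APP_CREDENTIAL'];
interface PhoneEnrollmentInfo {
  phoneNumber: string;
  captchaResponse?: string;  // reCAPTCHA Enterprise token, or FAKE_TOKEN on the retry
  recaptchaV2Token?: string; // set only when the v2 challenge was actually shown
}
interface Backend {
  sendCode(info: PhoneEnrollmentInfo): AuthErrorCode | null; // null means success
  fetchV2Token(): string; // shows the v2 challenge; must be reached only via FAKE_TOKEN
}
class AuthError extends Error {
  constructor(readonly code: AuthErrorCode) { super(code); }
}
// Mirrors the PR's narrowed condition: the v2 challenge is shown only for a
// FAKE_TOKEN request, never because the rCE token happens to be empty.
function injectV2TokenIfFake(info: PhoneEnrollmentInfo, backend: Backend): void {
  if (info.captchaResponse === FAKE_TOKEN) info.recaptchaV2Token = backend.fetchV2Token();
}
// Returns every request that was sent, so a caller or test can see whether the
// v2 challenge was shown. Throws AuthError when the flow gives up.
function sendPhoneCode(mode: RecaptchaMode, rceToken: string | undefined, backend: Backend): PhoneEnrollmentInfo[] {
  const sent: PhoneEnrollmentInfo[] = [];
  const attempt = (info: PhoneEnrollmentInfo): AuthErrorCode | null => {
    injectV2TokenIfFake(info, backend);
    sent.push(info);
    return backend.sendCode(info);
  };
  // First request always carries whatever rCE token we have (possibly none).
  const first = attempt({ phoneNumber: PHONE, captchaResponse: rceToken });
  if (first === null) return sent;
  // Enforce mode (or a non-retryable error): surface it, no v2 fallback.
  if (mode === 'ENFORCE' || RETRYABLE.indexOf(first) === -1) throw new AuthError(first);
  // Audit mode: retry with FAKE_TOKEN; attempt() fetches the v2 token on this path only.
  const second = attempt({ phoneNumber: PHONE, captchaResponse: FAKE_TOKEN });
  if (second !== null) throw new AuthError(second);
  return sent;
}
// Constructed backend: rejects an empty rCE token, accepts FAKE_TOKEN only with a v2 token.
class FakeBackend implements Backend {
  v2Fetches = 0;
  sendCode(info: PhoneEnrollmentInfo): AuthErrorCode | null {
    if (info.captchaResponse === FAKE_TOKEN) return info.recaptchaV2Token ? null : 'MISSING_RECAPTCHA_TOKEN';
    return info.captchaResponse ? null : 'MISSING_RECAPTCHA_TOKEN';
  }
  fetchV2Token(): string { this.v2Fetches++; return 'v2-token-constructed'; }
}
```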