Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[IAMRISK-3010] Added support for auth0_v2 captcha failOpen #2507

Merged

Conversation

alexkoumarianos-okta
Copy link
Contributor

Changes

Made changes to allow auth0_v2 to handle failOpen by passing a distinct dummy token.

References

https://auth0team.atlassian.net/browse/IAMRISK-3010

Testing

  • This change adds unit test coverage
  • This change adds integration test coverage
  • This change has been tested on the latest version of the platform/language

Comment on lines 197 to 211
attributes['error-callback'] = () => {
if (this.state.retryCount < MAX_RETRY) {
removeScript(scriptUrl);
loadScript(scriptUrl, attributes);
this.setState(prevState => ({
retryCount: prevState.retryCount + 1
}));
return;
}
removeScript(scriptUrl);
this.changeHandler('BYPASS_CAPTCHA');
};
window[callbackName] = () => {
delete window[callbackName];
callback();
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we reuse the code we already have for this, as it seems to be identical apart from two things:

  • onerror vs error-callback
  • arkose is not doing delete window[callbackName]. Why is that different here?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The naming comes directly from the APIs so we can't align them directly. I didn't work on the arkose changes but aside from skipping the delete they also send in the arkose script and I know they handle the callback a bit differently further up in the tree. I will look into it to get some more insight and get back to you!

Copy link
Member

@frederikprijck frederikprijck Dec 15, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I didnt mean to align the names. I just mean that it may be possible to reuse the same code. Along the lines of:

if (provider === ARKOSE_PROVIDER || provider === AUTH0_V2_CAPTCHA_PROVIDER) {
  const errorCallbackName = provider === ARKOSE_PROVIDER ? 'onerror' : 'error-callback';
  attributes[errorCallbackName] = () => {
        if (this.state.retryCount < MAX_RETRY) {
          removeScript(scriptUrl);
          loadScript(scriptUrl, attributes);
          this.setState(prevState => ({
            retryCount: prevState.retryCount + 1
          }));
          return;
        }
        removeScript(scriptUrl);
        this.changeHandler('BYPASS_CAPTCHA');
      };
    window[callbackName] = callback;
}

Anyway, not saying you have to make this change. But it felt like it was doing the exact same thing so maybe worth considering but can approve if you believe it makes no sense.

Copy link
Member

@frederikprijck frederikprijck Dec 15, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The above doesnt do the delete window[callbackName], so maybe it needs to be added again. But anyway, I just wanted to show what I meant.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See my other comment but we can definitely combine the Arkose & Auth0 V2 error handling here. The attributes here refers to the attributes of the script tag and we're trying to add error handling in the case the script fails to load to the DOM and this is not the same as error-callback param from the provider API which is after the script is loaded and when there are provider API related errors.

callback(arkose);
};
} else if (provider === AUTH0_V2_CAPTCHA_PROVIDER) {
attributes['error-callback'] = () => {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same thing as auth0.js PR (https://github.com/auth0/auth0.js/pull/1382/files#r1433514962). It should be attached to the onerror attribute of the script tag.

Copy link

codecov bot commented Jan 2, 2024

Codecov Report

Attention: 1 lines in your changes are missing coverage. Please review.

Comparison is base (51db442) 42.19% compared to head (f6efcd9) 42.35%.

❗ Current head f6efcd9 differs from pull request most recent head 4048dc1. Consider uploading reports for the commit 4048dc1 to get more accurate results

Files Patch % Lines
src/field/captcha/third_party_captcha.jsx 87.50% 1 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##           master    #2507      +/-   ##
==========================================
+ Coverage   42.19%   42.35%   +0.15%     
==========================================
  Files         120      120              
  Lines        3076     3081       +5     
  Branches      334      335       +1     
==========================================
+ Hits         1298     1305       +7     
+ Misses       1684     1682       -2     
  Partials       94       94              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

Copy link
Contributor

@TSLarson TSLarson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants