This repository has been archived by the owner on Nov 25, 2024. It is now read-only.

hcaptcha fails with "Invalid site key" #2878

Open
greenship24 opened this issue Nov 13, 2022 · 9 comments
Labels
C-Client-API F-Registration O-Occasional Affects or can be seen by some users regularly or most users rarely S-Major Major functionality / product severely impaired, no satisfactory workaround. T-Defect Bugs, crashes, hangs, security vulnerabilities, or other reported issues.

Comments

@greenship24

greenship24 commented Nov 13, 2022

Background information

  • Dendrite version or git SHA: Latest dendrite as of 2022-11-12
  • Monolith or Polylith?: Monolith
  • SQLite3 or Postgres?: postgres
  • Running in Docker?: docker
  • go version: built-in to image
  • Client used (if applicable): Element, SchildiChat, Element on the web, Syphon, etc.

Description

  • What is the problem:
    hcaptcha fails to work
  • Who is affected:
    Anyone using hcaptcha in lieu of recaptcha
  • How is this bug manifesting:
    Response is "ERROR for site owner: Invalid site key" upon trying to register for the server
  • When did this first appear:

Steps to reproduce

  • Place site key in the recaptcha_public_key
  • Place private key in recaptcha_private_key
  • Uncomment all fields under # To use hcaptcha.com..... and use the defaults (as in the dendrite.yaml template)

Additional

I think it might have to do with whatever v2 and v3 recaptcha uses which I presume hcaptcha uses v3 now? Just a guess.
I've verified all settings and have done simple tests otherwise where the site key works fine.

@twiguard

I just want to add that it seems reCaptcha is returning the error, not hCaptcha as configured.

@greenship24
Author

  # Settings for ReCAPTCHA.
  recaptcha_public_key: "<key here>"
  recaptcha_private_key: "<private key here>"
  recaptcha_bypass_secret: ""

  # To use hcaptcha.com instead of ReCAPTCHA, set the following parameters, otherwise just keep them empty.
  recaptcha_siteverify_api: "https://hcaptcha.com/siteverify"
  recaptcha_api_js_url: "https://js.hcaptcha.com/1/api.js"
  recaptcha_form_field: "h-captcha-response"
  recaptcha_sitekey_class: "h-captcha"

This is what I have in dendrite.yaml (with my hcaptcha keys obviously in the key here portions). Am I missing something?

@wait-what

wait-what commented Nov 30, 2022

I am experiencing the same issue.

  1. Element makes GET requests to recaptcha.net, gstatic.com and fonts.gstatic.com and none to hcaptcha.
  2. The /register endpoint returns this (no mention of hcaptcha):
{"flows":[{"stages":["m.login.recaptcha"]}],"completed":[],"params":{"m.login.recaptcha":{"public_key":"<snip>"}},"session":"<snip>"}

Dendrite seems to ignore the hcaptcha configuration (as from the sample config) and clients attempt to use recaptcha by default, for which the site key is invalid.

@wait-what

wait-what commented Nov 30, 2022

It seems like there are even more problems here.

The configuration says

# To use hcaptcha.com instead of ReCAPTCHA, set the following parameters, otherwise just keep them empty.

However, keeping them empty results in an error:

level=error msg="Configuration error: missing config key \"client_api.recaptcha_siteverify_api\""

@kegsay kegsay added C-Client-API T-Defect Bugs, crashes, hangs, security vulnerabilities, or other reported issues. F-Registration S-Major Major functionality / product severely impaired, no satisfactory workaround. O-Occasional Affects or can be seen by some users regularly or most users rarely labels Dec 6, 2022
@kegsay
Member

kegsay commented Feb 14, 2023

I believe #2939 fixed this?

@acheong08
Contributor

nope

@CicadaCinema
Contributor

I checked out the commit 0782011 where this feature was implemented, and I am still getting recaptcha instead of hcaptcha, with the same client error as in the OP.

$ git rev-parse HEAD
0782011f54dca98d96a8c5a78f68569ed045892a

I am also getting the same kind of response to the /register endpoint:
{"flows":[{"stages":["m.login.recaptcha"]}],"completed":[],"params":{"m.login.recaptcha":{"public_key":"... snip ..."}},"session":"... snip ..."}

However, navigating to /_matrix/client/v3/auth/m.login.recaptcha/fallback/web?session=aaa shows the proper captcha, because the HTML form was produced by the server's fallback endpoint:

[screenshot: the fallback web page rendering the hCaptcha form]

So it looks like clients implementing the m.login.recaptcha login type will always load the Google Recaptcha challenge and be sent an invalid site key by dendrite.

But clients which do not implement this will load the hcaptcha HTML form using the fallback endpoint.

Because there are no alternative captcha methods in the spec, I don't see a way to solve this and I suspect hcaptcha has never worked in clients implementing m.login.recaptcha (this issue was opened 16 days after the feature #2834 was merged). Maybe a solution could be to use m.login.sso when the configuration is changed to hcaptcha, because looking at the spec it looks like this just redirects to the fallback mechanism.
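An added diagnostic, not Dendrite's code and not posted by anyone in this thread, that ties together the two observations above: the /register UIAA response advertises m.login.recaptcha with the hCaptcha site key, and leaving recaptcha_siteverify_api empty produces a configuration error. It takes the client_api mapping from dendrite.yaml plus the raw 401 body from POST /register (sample values below are constructed, based on the snippets in this thread) and reports whether captcha-aware clients will hit "Invalid site key"; it also builds the fallback URL that still works.

```python
# Added example: consistency check between Dendrite's captcha settings and the
# UIAA flows advertised by /register. Not part of Dendrite; sample data is constructed.
import json
from urllib.parse import urlencode, urlparse

# Constructed from the dendrite.yaml snippet in this thread (keys are placeholders).
SAMPLE_CFG = {
    "recaptcha_public_key": "hcaptcha-site-key-placeholder",
    "recaptcha_private_key": "hcaptcha-secret-placeholder",
    "recaptcha_siteverify_api": "https://hcaptcha.com/siteverify",
    "recaptcha_api_js_url": "https://js.hcaptcha.com/1/api.js",
    "recaptcha_form_field": "h-captcha-response",
    "recaptcha_sitekey_class": "h-captcha",
}
# Constructed 401 body shaped like the one quoted above (session value is made up).
SAMPLE_UIAA = ('{"flows":[{"stages":["m.login.recaptcha"]}],"completed":[],'
               '"params":{"m.login.recaptcha":{"public_key":"hcaptcha-site-key-placeholder"}},'
               '"session":"abc123"}')

def captcha_provider(cfg: dict) -> str:
    """Return "hcaptcha" when the siteverify URL points at hcaptcha.com, else "recaptcha"."""
    host = urlparse(cfg.get("recaptcha_siteverify_api") or "").hostname or ""
    return "hcaptcha" if host == "hcaptcha.com" or host.endswith(".hcaptcha.com") else "recaptcha"

def diagnose(cfg: dict, uiaa_body: str) -> list:
    """List findings explaining why registration fails for this config/response pair."""
    findings = []
    # The sample config says to leave these empty, but Dendrite then logs
    # 'missing config key "client_api.recaptcha_siteverify_api"'.
    if not cfg.get("recaptcha_siteverify_api"):
        findings.append("config: recaptcha_siteverify_api is empty; Dendrite reports a missing config key")
    resp = json.loads(uiaa_body)
    stages = {s for flow in resp.get("flows", []) for s in flow.get("stages", [])}
    if "m.login.recaptcha" in stages and captcha_provider(cfg) == "hcaptcha":
        key = resp.get("params", {}).get("m.login.recaptcha", {}).get("public_key")
        # Clients that implement the stage hand this key to Google reCAPTCHA, which rejects it.
        findings.append("m.login.recaptcha advertised with hCaptcha site key %r: reCAPTCHA-aware "
                        "clients will get 'Invalid site key'; only the fallback web page works" % key)
    return findings

def fallback_url(base_url: str, session: str) -> str:
    """Build the server-rendered fallback page URL, the path that does work with hCaptcha."""
    return "%s/_matrix/client/v3/auth/m.login.recaptcha/fallback/web?%s" % (
        base_url.rstrip("/"), urlencode({"session": session}))

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_CFG, SAMPLE_UIAA):
        print(finding)
    print(fallback_url("https://matrix.example.org", json.loads(SAMPLE_UIAA)["session"]))
```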

@Elara6331

The matrix spec currently only supports recaptcha. There's an open issue about this in the spec repo: matrix-org/matrix-spec#295.

@LordPraslea

Just want to leave a potential workable solution for the element web interface here:
You need to host your own element-web release which is just a static website and should be easy to do.
In the element-web folder, search for m.login.recaptcha (it should reside in bundle.js) and replace it with m.login.recaptchaZTODODISABLED.

Clear cache in browser, retry the URL. Upon registration you'll get a link "start authentication" which will redirect you to
https://matrix.yourdomain.com/_matrix/client/v3/auth/m.login.recaptcha/fallback/web?session=yoursession

Then the user fills in captcha and it should work.
Of course this is a bit ugly and it should be fixed in a different way. But hey, it works for registrations :).

This is the easiest solution I found by experimenting with many things, including a WIP email registration, which I left behind.

What I hope is that instead of using "recaptcha" a new setting should be used, which will force clients to use the fallback method instead.
