UmbHost / Our.Umbraco.Forms.uCaptcha

MIT License

Turnstile validation failing #8

Open PeteSmithDev opened 1 year ago

PeteSmithDev commented 1 year ago

Versions

I've tried both: Umbraco Cms 10.5.1, Umbraco Forms 10.4.0 and uCaptcha 4.0.3, and Umbraco Cms 11.1.0, Umbraco Forms 11.0.0 and uCaptcha 4.0.3

To Repeat

Add uCaptcha to any Umbraco Form. Use a "Visible" Turnstile dummy sitekey and the "Always passes" secret key (1x0000000000000000000000000000000AA). Ensure use of @Html.RenderUmbracoFormDependencies() in razor view. Navigate to form page, populate form and, if not auto-ticked, tick Turnstile captcha, then submit the form.

Result

On form submission it does postback, redisplays form with validation message against captcha: You must check the "I am human" checkbox to continue.

Expected Result

Pass Turnstile validation, allow form submission and redirect to/display completion message.

Analysis

Using the same test site, if I change uCaptcha appsettings to use hCaptcha test keys (with Provider=hCaptcha) it works ok, suggesting the problem is only with Turnstile.

There seem to be two problems on submission of Turnstile captchas.

  1. When using the Turnstile dummy "Always passes" sitekey (1x00000000000000000000AA) it is possible to get the captcha to pass by manually adding a script tag for umbracoforms.turnstile.js to the view, e.g.: <script src="~/App_Plugins/our.umbraco.forms.ucaptcha/assets/umbracoforms.turnstile.js"></script>

In the package code it looks like it needs this code on line 84 of uCaptchaField.cs : javascriptFiles.Add($"~/App_Plugins/Our.Umbraco.Forms.uCaptcha/Assets/{uCaptchaConsts.Turnstile.LocalJsResource}");

  2. When using the Turnstile dummy "Forces an interactive challenge & visible" sitekey (3x00000000000000000000FF), even with the above script included, it always fails validation. Stepping through uCaptchaField.cs I can see context.Request.Form[verifyPostParameter] is always empty with this sitekey (it's populated with the "Always passes" sitekey).

AaronSadlerUK commented 1 year ago

Thanks for reporting this, I will investigate shortly and see what I find.

AaronSadlerUK commented 1 year ago

Point 1:

Yes the file was missing, I've added this and will fix that shortly.

Point 2:

Yes I can replicate, it's caused due to the token coming back from Cloudflare being empty, I'm not sure why this is, so I have opened an issue on their forum: https://community.cloudflare.com/t/empty-token-on-callback-with-forces-an-interactive-challenge-test/542186

PeteSmithDev commented 1 year ago

Many thanks for the update and code fix Aaron! Let's see what Cloudflare come up with.
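
A server-side check that separates the two failure modes discussed in this thread (no token posted at all versus a token that Cloudflare rejects), as an added example that is not code from the package. The type and method names are hypothetical; the `cf-turnstile-response` field name and the siteverify endpoint are Cloudflare's documented defaults, assumed here rather than taken from this page.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;

// Added illustration; not code from Our.Umbraco.Forms.uCaptcha.
public enum TurnstileResult { Passed, TokenMissing, Rejected, VerifyUnavailable }

public static class TurnstileCheck
{
    // Assumption: the widget posts its token in Cloudflare's default field name.
    private const string TokenField = "cf-turnstile-response";
    private const string VerifyUrl = "https://challenges.cloudflare.com/turnstile/v0/siteverify";

    public static async Task<TurnstileResult> VerifyAsync(
        HttpRequest request, HttpClient http, string secretKey)
    {
        // An absent or empty field means the client never produced a token
        // (script not loaded, challenge not completed). Report it separately
        // from a rejected token so logs show which side of the flow failed.
        if (!request.HasFormContentType) return TurnstileResult.TokenMissing;
        string token = request.Form[TokenField].ToString();
        if (string.IsNullOrWhiteSpace(token)) return TurnstileResult.TokenMissing;

        var body = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["secret"] = secretKey,
            ["response"] = token,
        });

        try
        {
            using HttpResponseMessage reply = await http.PostAsync(VerifyUrl, body);
            if (!reply.IsSuccessStatusCode) return TurnstileResult.VerifyUnavailable;

            using JsonDocument json = JsonDocument.Parse(await reply.Content.ReadAsStringAsync());
            bool ok = json.RootElement.TryGetProperty("success", out JsonElement success)
                      && success.ValueKind == JsonValueKind.True;
            return ok ? TurnstileResult.Passed : TurnstileResult.Rejected;
        }
        catch (Exception ex) when (ex is HttpRequestException or JsonException or TaskCanceledException)
        {
            // Fail closed: an unreachable or unparsable verifier is never a pass.
            return TurnstileResult.VerifyUnavailable;
        }
    }
}
```

Only `Passed` should let the submission through; logging the other three values separately shows whether a failure is client-side (`TokenMissing`) or comes from the verification call.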