Duplicate reCAPTCHA validation breaks checkout success redirect after initial server error response

[nthurston]

Preconditions (*)

1. Magento 2.4.3-p1
2. Enable for Checkout/Placing Order - reCAPTCHA v3 invisible

Steps to reproduce (*)

1. Trigger a server side error on initial place order press
2. Fix server side error and place order again

Expected result (*)

1. Order is placed
2. Redirect to success page

Actual result (*)

1. Order is placed
2. No redirect to success page
3. Cart is cleared

Diagnosis

This presented with a custom Payment Gateway module, it was triggered by bad AVS validation but I suspect that any server side error will cause this sequence of events.

Main problem is in Magento_ReCaptchaWebapiUi/js/webapiReCaptchaRegistry.js addListener method. If the token has already been gathered, it simply calls the callback function.

{{ addListener: function (id, func) { if (this.tokens.hasOwnProperty(id)) { func(this.tokens<id>); } else { this._listeners<id> = func; } } }}

In Magento_ReCaptchaCheckout/js/model/place-order-mixin.js this means the payment-information URL gets called with the old token.

{{ recaptchaRegistry.addListener('recaptcha-checkout-place-order', function (token) { //Add reCaptcha value to place-order request and resolve deferred with the API call results payload.xReCaptchaValue = token; originalAction(serviceUrl, payload, messageContainer).done(function () { recaptchaDeferred.resolve.apply(recaptchaDeferred, arguments); }).fail(function () { recaptchaDeferred.reject.apply(recaptchaDeferred, arguments); }); }); }}

As far as I am aware, a second validation request with the same token will always fail, so that request fails and rejects, completing the promise.

Meanwhile, place-order-mixin also triggers another validation which generates a new token.

recaptchaRegistry.triggers<'recaptcha-checkout-place-order'>();

When that returns it goes back into the callback, that request succeeds and the order is placed. However, the placeOrder deferred object has already been rejected with the original error.

It's not clear to me why you would ever want to reuse the old token, so I am able to solve this by simply changing the addListener method to this:

{{ addListener: function (id, func) { this._listeners<id> = func; } }}

But I haven't studied the other reCAPTCHA modules enough to know if that will cause issues elsewhere. Perhaps v2 or checkbox should be handled differently.

Could potentially be solved with different logic in the place-order-mixin as well.

[m2-assistant[bot]]

Hi @nthurston. Thank you for your report. To speed up processing of this issue, make sure that you provided the following information:

• Summary of the issue
• Information on your environment
• Steps to reproduce
• Expected and actual results

Make sure that the issue is reproducible on the vanilla Magento instance following Steps to reproduce. To deploy vanilla Magento instance on our environment, Add a comment to the issue:

@magento give me 2.4-develop instance - upcoming 2.4.x release

For more details, review the Magento Contributor Assistant documentation.

Add a comment to assign the issue: @magento I am working on this

To learn more about issue processing workflow, refer to the Code Contributions.

---

• Join Magento Community Engineering Slack and ask your questions in #github channel.

  :warning: According to the Magento Contribution requirements, all issues must go through the Community Contributions Triage process. Community Contributions Triage is a public meeting.

:clock10: You can find the schedule on the Magento Community Calendar page.

:telephone_receiver: The triage of issues happens in the queue order. If you want to speed up the delivery of your contribution, join the Community Contributions Triage session to discuss the appropriate ticket.

:pencil2: Feel free to post questions/proposals/feedback related to the Community Contributions Triage process to the corresponding Slack Channel

[nthurston]

Diff for anyone that needs it. Not tested much yet, so use at your own risk. Seems to solve this checkout issue and not cause any other issues with v3 invisible on other forms.

diff --git a/ReCaptchaWebapiUi/view/frontend/web/js/webapiReCaptchaRegistry.js b/ReCaptchaWebapiUi/view/frontend/web/js/webapiReCaptchaRegistry.js
index ba2f786..119e8e4 100644
--- a/ReCaptchaWebapiUi/view/frontend/web/js/webapiReCaptchaRegistry.js
+++ b/ReCaptchaWebapiUi/view/frontend/web/js/webapiReCaptchaRegistry.js
@@ -32,11 +32,7 @@ define([], function () {
          * @param {Function} func - Will be called back with the token
          */
         addListener: function (id, func) {
-            if (this.tokens.hasOwnProperty(id)) {
-                func(this.tokens[id]);
-            } else {
-                this._listeners[id] = func;
-            }
+            this._listeners[id] = func;
         }
     };
 });

[alikhani97]

@magento give me 2.4-develop instance

[magento-deployment-service[bot]]

Hi @alikhani97. Thank you for your request. I'm working on Magento instance for you.

[magento-deployment-service[bot]]

Hi @alikhani97, here is your Magento Instance: https://2de18f30f64b88e7665703b37877a0b7.instances.magento-community.engineering Admin access: https://2de18f30f64b88e7665703b37877a0b7.instances.magento-community.engineering/admin_1d78 Login: adb9b515 Password: 17963e2e5caf

[m2-assistant[bot]]

Hi @engcom-Hotel. Thank you for working on this issue. In order to make sure that issue has enough information and ready for development, please read and check the following instruction: :point_down:

• [ ] 1. Verify that issue has all the required information. (Preconditions, Steps to reproduce, Expected result, Actual result).

  Details

  If the issue has a valid description, the label Issue: Format is valid will be added to the issue automatically. Please, edit issue description if needed, until label Issue: Format is valid appears.

• [ ] 2. Verify that issue has a meaningful description and provides enough information to reproduce the issue. If the report is valid, add Issue: Clear Description label to the issue by yourself.

• [ ] 3. Add Component: XXXXX label(s) to the ticket, indicating the components it may be related to.

• [ ] 4. Verify that the issue is reproducible on 2.4-develop branch

  Details

  - Add the comment @magento give me 2.4-develop instance to deploy test instance on Magento infrastructure.
  - If the issue is reproducible on 2.4-develop branch, please, add the label Reproduced on 2.4.x.
  - If the issue is not reproducible, add your comment that issue is not reproducible and close the issue and stop verification process here!

• [ ] 5. Add label Issue: Confirmed once verification is complete.

• [ ] 6. Make sure that automatic system confirms that report has been added to the backlog.

[engcom-Hotel]

Hello @nthurston,

Thanks for posting this issue!

We request you to please elaborate below point:

1. Trigger a server side error on initial place order press

Thanks

[nthurston]

Need to simulate payment gateway denial. It can be done with Braintree sandbox and order amount between $2000-$3000. That acts a little differently because of Braintree mixin. Not sure of the best way to simulate it with magento core code.

[engcom-Hotel]

Hello @nthurston,

Thanks for posting the issue!

We have tried to reproduce the issue in the latest stable version of Magento and the issue is reproducible for us. We have followed below steps in order to reproduce the issue:

1. Enable Recaptcha V3 invisible for the store on the checkout/order page.

2. Add a product to the cart.

3. On the checkout page fill in all the required details like CC details for making the order.

4. Stop the server.

5. Click on the place order button, it returns the error as follows:

6. Start the server

7. Then again click on the place order button, it will not redirect to the order confirmation page and throw the below error:

8. But the order is placed. Please have a look at the below screenshot:

   

Hence confirming the issue.

Thanks

[github-jira-sync-bot]

:white_check_mark: Jira issue https://jira.corp.magento.com/browse/AC-2642 is successfully created for this GitHub issue.

[m2-assistant[bot]]

:white_check_mark: Confirmed by @engcom-Hotel. Thank you for verifying the issue.
Issue Available: @engcom-Hotel, You will be automatically unassigned. Contributors/Maintainers can claim this issue to continue. To reclaim and continue work, reassign the ticket to yourself.

[github-jira-sync-bot]

:x: You don't have permission to export this issue.

[Calvin495]

Is there any potential fix that is officially released for this issue?

[Calvin495]

the solution that @nthurston suggested is not working for us.

[nthurston]

Can someone link the PR for this? As a note, I've confirmed the issue on 2.4.4-p1 so it is still not fixed there.

[engcom-Hotel]

Hello @nthurston,

I think you are looking for the commits related to the fix. For this please refer the below link:

https://github.com/search?q=org%3Amagento+AC-2642&type=commits

Thanks

[jmonrove]

Recaptcha V3 is causing issues on my store as well when adding a bundled product to the cart, seems like the promise is not triggered and then it hands and resends, ends up doubling up the quantity in the cart, as soon as I disabled Recaptcha V3 on the frontend the problem went away....