magento / magento2

Prior to making any Submission(s), you must sign an Adobe Contributor License Agreement, available here at: https://opensource.adobe.com/cla.html. All Submissions you make to Adobe Inc. and its affiliates, assigns and subsidiaries (collectively “Adobe”) are subject to the terms of the Adobe Contributor License Agreement.
http://www.magento.com
Open Software License 3.0
11.58k stars 9.32k forks source link

Unable to checkout via Braintree with ReCaptcha V2 or V3 Invisible #37241

Closed n2diving-dgx closed 5 months ago

n2diving-dgx commented 1 year ago

Preconditions and environment

Upon upgrading our production site from M2.4.5-p2 to M2.4.6 we discovered customers were unable to checkout via Credit Card using the Braintree Payments extension V4.5.0 bundled in to M2.4.6 The cause was found to be the ReCaptcha V3 security enabled on the Credit Card checkout.

See detailed steps below to reproduce the issue using a fresh unaltered M2.4.6 install with Luma Store sample data and Braintree sandbox credentials with ReCAPTCHA V3 Invisible security. If you wish you may repeat test using ReCAPTCHA V2 Invisible security, hung result is the same as with V3.

Only workaround to protecting checkout using Braintree Credit Card Payment method is reCAPTCHA V2 (I'm not a robot) challenge. According to Google this is the least secure of the three ReCAPTCHA options.

Building Magento 2.4.6
+ cat /etc/centos-release
CentOS Linux release 7.9.2009 (Core)
+ /usr/local/apache/bin/httpd -v
Server version: Apache/2.4.46 (Unix)
Server built:   Jun 16 2021 21:29:21
+ mysql -V
mysql  Ver 8.0.28 for Linux on x86_64 (MySQL Community Server - GPL)
+ php -v
PHP 8.1.17 (cli) (built: Mar 17 2023 09:39:39) (NTS)
Copyright (c) The PHP Group
Zend Engine v4.1.17, Copyright (c) Zend Technologies
    with Zend OPcache v8.1.17, Copyright (c), by Zend Technologies
+ php /usr/local/bin/composer -V
Composer version 2.3.5 2022-04-13 16:43:00

Steps to reproduce

Fresh Install of M2.4.6 in environment as above Login to backend

Nav to Admin>Stores>Configure>General>Web>Default Cookie Settings If necessary, set the Cookie Domain to the appropriate domain value (so you will be able to login on front end) Save Config Nav to Admin>Stores>Configure>Security>Google reCAPTCHA Storefront Enter known valid credentials for Google Recaptcha V2 (robot), V2 (invisible), and V3. On Storefront Enable Customer Login and Braintree payment form for reCAPTCHA V2 (I am not a robot) Save Config Nav to Admin>Stores>Configure>Sales>Payment Methods Select Merchant Country as United States and Save Config Configure Braintree Payments (by GENE Commerce v4.5.0) Enter known valid sandbox credentials for Merchant ID, Public Key, Private Key and Validate Credentials Enable Card Payments = Yes and Save Config Flush Magento Cache

On Frontend, successfully Sign In using Demo Customer Access credentials Answer ReCaptcha "I'm not a robot." challenge Add Affirm Water Bottle to cart Proceed to Checkout Shipping Method select Fixed Flat Rate Payment Method select Credit Card Enter Card # 4111 1111 1111 1111 Expiration: 12/2023 Security Code: 123 Answer ReCaptcha "I'm not a robot." challenge Click blue "Place Order" button Observe "spinner" appears for a moment and then automatically redirects to "Thank you for your purchase!" success page with order number Logout of Customer Account

Return to backend Nav to Admin>Stores>Configure>Security>Google reCAPTCHA Storefront> Storefront Change Enable Customer Login and Braintree payment form to reCAPTCHA V3 Invisible and Save Config Flush Magento Cache

On Frontend, successfully Sign In using Demo Customer Access credentials Verify "Protected by reCAPTCHA" badge appears next to "Sign In" button Add Affirm Water Bottle to cart Proceed to Checkout Shipping Method select Fixed Flat Rate Payment Method select Credit Card Enter Card # 4111 1111 1111 1111 Expiration: 12/2023 Security Code: 123 Verify "Protected by reCAPTCHA" badge appears to the left of "Place Order" button Click dark blue "Place Order" button Place Order button turns light blue and ... Order Page is HUNG, UNABLE TO PLACE ORDER using ReCAPTCHA V3 Invisible security

Expected result

Upon clicking Place Order button, the order is placed successfully with ReCAPTCHA V3 Invisible security enabled on Braintree Credit Card payment method, customer is redirected to the success page.

Actual result

Upon clicking dark blue Place Order button, the button turns light blue and order page is HUNG, unable to place order with ReCAPTCHA V3 Invisible security enabled on Braintree Credit Card payment method, and Customer is NOT redirected to the success page

Additional information

The issue appears to only affect protecting Braintree Credit Card payment method with reCAPTCHA, in the limited testing of an frontend Customer Sign In using any version of reCAPTCHA does not appear to affect the login.

Checkout via Credit Card protected with ReCAPTCHA V3 Invisible security was working correctly for M2.4.5-p2 in both production and sandbox environments. I also tested M2.4.6 using our Braintree production credentials instead of sandbox, but there was no difference using either set of credentials - the Place Order hangs and attempting to place an order protected with either version of V2 or V3 Invisible ReCAPTCHA fails.

Release note

No response

Triage and priority

m2-assistant[bot] commented 1 year ago

Hi @n2diving-dgx. Thank you for your report. To speed up processing of this issue, make sure that the issue is reproducible on the vanilla Magento instance following Steps to reproduce. To deploy vanilla Magento instance on our environment, Add a comment to the issue:

n2diving-dgx commented 1 year ago

Hopefully some other user with different Google reCaptcha and Braintree credentials would test in their environment to confirm the issue with protecting Braintree checkout via credit cards as described above is reproduceable on M2.4.6 using credentials other than mine.

m2-assistant[bot] commented 1 year ago

Hi @engcom-Dash. Thank you for working on this issue. In order to make sure that issue has enough information and ready for development, please read and check the following instruction: :point_down:


engcom-Dash commented 1 year ago

@magento give me 2.4-develop instance

magento-deployment-service[bot] commented 1 year ago

Hi @engcom-Dash. Thank you for your request. I'm working on Magento instance for you.

magento-deployment-service[bot] commented 1 year ago

Hi @engcom-Dash, here is your Magento Instance: https://1b3463814a34b1f892a4768bc32ddd33.instances-prod.magento-community.engineering Admin access: https://1b3463814a34b1f892a4768bc32ddd33.instances-prod.magento-community.engineering/admin_118a Login: 5c67384a Password: f3a11763eef9

engcom-Dash commented 1 year ago

Hi @n2diving-dgx ,

Issue Confirmed !

Verified the issue in 2.4.4 local instance and 2.4.6 magento instance and its reproducible,Hence we are confirming the issue.

Preconditions: Magento Version 2.4.4 Magento version 2.4.6 PHP version 8.1

Steps to reproduce:

1.Install Fresh 2.4.6 Magento instance 2.Go to Backend and Configuration and Security 3.Select Google recaptcha Store Frontend 4.Enter API website and Secret key of Recaptcha invisible v3 5.Save Configuration and clear cache. 6.Again go to Configuration and Sales and Payment methods 7.Select Braintree Payment Configuration 8.Enter Public key ,Private key and validate the credentials and enable card payment 9.save Configuration and clear cache 10.Go to front login with customer 11.Select any product and place the order with Credit card and enter card details as per main description 12.Trying to place order with Recaptcha invisible with v3

Kindly refer the below screenshots:( Recaptcha Invisible v3)

re2 re3 re4 re6

In magento 2.4.6 version Order Page is HUNG, UNABLE TO PLACE ORDER using ReCAPTCHA V3 Invisible security.Same thing we are trying to reproduce in 2.4.4 instance and we can place the order successfully.

Kindly refer the below screenshots:

re7 re8

In 2.4.4 instance we can place the order successfully both RECAPTCHA V2 AND INVISIBLE V3 But in magento 2.4.6 instance we got Actual result as per the description,Hence we confirming the issue.

Regards,

github-jira-sync-bot commented 1 year ago

:white_check_mark: Jira issue https://jira.corp.adobe.com/browse/AC-8315 is successfully created for this GitHub issue.

m2-assistant[bot] commented 1 year ago

:white_check_mark: Confirmed by @engcom-Dash. Thank you for verifying the issue.
Issue Available: @engcom-Dash, You will be automatically unassigned. Contributors/Maintainers can claim this issue to continue. To reclaim and continue work, reassign the ticket to yourself.

engcom-Hotel commented 1 year ago

@engcom-Dash As per the discussion in triage call, we need to recheck this issue.

Thanks

github-jira-sync-bot commented 1 year ago

:white_check_mark: Jira issue https://jira.corp.adobe.com/browse/AC-8329 is successfully created for this GitHub issue.

rostilos commented 1 year ago

@magento I am working on this

JosephLeedy commented 1 year ago

Any updates on this?

mamsincl commented 1 year ago

+1 please as happening with 2.4.6-p1

https://experienceleague.adobe.com/docs/commerce-knowledge-base/kb/support-tools/patches/v1-1-31/acsd-50345-recaptcha-issues-during-checkout.html is already part of above version and as per the description

Please note that the issue was partially fixed in Adobe Commerce 2.4.6 and is scheduled to be completely fixed in Adobe Commerce 2.4.7.
bosskar231 commented 1 year ago

Hi, is there any patch available now for this issue.

colyield commented 1 year ago

+1 Got the same problem. Waiting for a solution.

itaymesh commented 1 year ago

+1 is there any patch available now for this issue?

colyield commented 1 year ago

Upgraded to 2.4.6p2, problem is still there. And just noticed that the "I am not a robot" v2 Recapcha actually is not working at all. Even if the checkbox is not checked, still can make the payment successfully..

ThisIsRuddy commented 1 year ago

Just spent 2 days trying to find what was causing our checkout to fail silently (2.4.6-p2).

I finally arrived in the right place!

Any update on this ridiculousness?

ThisIsRuddy commented 1 year ago

I analysed the ACSD-50345_1.1.4-p1.patch and it only brings in a few changes from the upgraded re-captcha (1.1.3) which are already present in 2.4.6-p2 so no fix there I'm afraid.

Amiga4ever commented 1 year ago

Still issue exist. I don't see any other way to block card attacks. Our big client on latest Magento build stil encounter it.. Please fix it.

kartikmaniyar commented 1 year ago

Thank you everyone for your feedback!

GENE Commerce is responsible for developing the Magento Braintree extension. I would like to tell you that this ReCaptcha issue is already been fixed in Magento v2.4.7-beta1 that has already been released on June 13, 2023. Here, you can find the v2.4.7-beta1 release notes for Braintree: https://experienceleague.adobe.com/docs/commerce-operations/release/notes/adobe-commerce/2-4-7.html?lang=en#braintree

We already have a patch for Google ReCaptcha v2 or V3 Invisible issue with Braintree in Magento/Adobe v2.4.6 and its patch versions. You can download the patch from this link: https://support.gene.co.uk/support/solutions/articles/35000227825-patch-for-unable-to-checkout-via-braintree-with-google-recaptcha-v2-or-v3-invisible-in-magento-v2-4-6-and-v2-4-6-p1-p2

Also if you have any technical issues or concerns regarding our Magento Braintree extension, you can reach out to us by raising a support ticket from here: https://support.gene.co.uk/support/home

Amiga4ever commented 1 year ago

"We already have a patch for Google ReCaptcha v2 or V3 Invisible issue with Braintree in Magento/Adobe v2.4.6 and its patch versions. You can download the patch from this link: https://support.gene.co.uk/support/solutions/articles/35000227825-patch-for-unable-to-checkout-via-braintree-with-google-recaptcha-v2-or-v3-invisible-in-magento-v2-4-6-and-v2-4-6-p1-p2"

CHallski commented 1 year ago

@Amiga4ever Assuming you're using a deploy structure that leverages cweagans (or similar module like vaimo) for patch installation, it's as straightforward as downloading that patch, adding it to your patches folder, and adding the reference to your composer.patches.json. At that point it'll be picked up and applied the next time you run composer install.

If not then you'd have to manually apply it (git apply "patchfile"), but that won't survive for very long (any reinstall of vendor will wipe it out), so I'd only do that in a local test environment.

I've just tested this locally with a 2.4.6-p2 instance we were prepping and the patch does resolve the issue (makes sense, it's basically a clone of the relevant portion of ACSD-50345 to magento/module-re-captcha-checkout/view/frontend/web/js/model/place-order-mixin.js, applied to the Braintree core module mixin).

matejslo commented 8 months ago

"We already have a patch for Google ReCaptcha v2 or V3 Invisible issue with Braintree in Magento/Adobe v2.4.6 and its patch versions. You can download the patch from this link: https://support.gene.co.uk/support/solutions/articles/35000227825-patch-for-unable-to-checkout-via-braintree-with-google-recaptcha-v2-or-v3-invisible-in-magento-v2-4-6-and-v2-4-6-p1-p2"

  • how to implement this patch ?

This patch dosen't work in my situation.

digitalrisedorset commented 7 months ago

@magento I am working on this

digitalrisedorset commented 7 months ago

Can I check whether we want to fix this issue on 2.4.7? or on develop? This issue has been here for a while and before I start, I'd like to understand what is the most recent situation with this issue. Also, on develop environment, I can't see any reCaptcha modules

For reference, I have now awareness where the recaptcha modules are: (thanks @TuVanDev) https://github.com/magento/security-package https://magento.stackexchange.com/questions/362719/where-is-the-code-of-packages-like-magento-recaptchaadminui-on-github

engcom-Dash commented 6 months ago

HI @n2diving-dgx

Thanks for reporting and collaboration.

Verified the issue on magento 2.4.7 instance but the issue is not reproducable.

Steps to reproduce:

1.Install Fresh 2.4.7 Magento instance 2.Go to Backend and Configuration and Security 3.Select Google recaptcha Store Frontend 4.Enter API website and Secret key of Recaptcha invisible v3 5.Save Configuration and clear cache. 6.Again go to Configuration and Sales and Payment methods 7.Select Braintree Payment Configuration 8.Enter Public key ,Private key and validate the credentials and enable card payment 9.save Configuration and clear cache 10.Go to front login with customer 11.Select any product and place the order with Credit card and enter card details as per main description 12.Try to place order with Recaptcha invisible with v3

We are able to place the order with creditcard and Recaptcha invisible v3 successfully.

Please refer the attached screenrecording. Do let us know if we have missed anything.

https://github.com/magento/magento2/assets/60198592/0f29c2a5-4fd7-444d-90f4-cd3485fa9102

digitalrisedorset commented 5 months ago

I can also place order successfully with 2.4.7 and the same recaptcha setting as in the post, so I will unassign myself from this task

engcom-Dash commented 5 months ago

Hi @n2diving-dgx

As per the above comments, the issue is not reproducible in 2.4.7.

We are closing the issue.

Please feel free to reopen the ticket if the issue persists again.