matrix-org / dendrite

Dendrite is a second-generation Matrix homeserver written in Go!
https://matrix-org.github.io/dendrite/
Apache License 2.0

hcaptcha fails with "Invalid site key" #2878

Open greenship24 opened 1 year ago

greenship24 commented 1 year ago

Background information

Description

Steps to reproduce

Additional

I think it might have to do with whatever v2 and v3 recaptcha uses which I presume hcaptcha uses v3 now? Just a guess. I've verified all settings and have done simple tests otherwise where the site key works fine.

twiguard commented 1 year ago

I just want to add that it seems reCaptcha is returning the error, not hCaptcha as configured.

greenship24 commented 1 year ago

  # Settings for ReCAPTCHA.
  recaptcha_public_key: "<key here>"
  recaptcha_private_key: "<private key here>"
  recaptcha_bypass_secret: ""

  # To use hcaptcha.com instead of ReCAPTCHA, set the following parameters, otherwise just keep them empty.
  recaptcha_siteverify_api: "https://hcaptcha.com/siteverify"
  recaptcha_api_js_url: "https://js.hcaptcha.com/1/api.js"
  recaptcha_form_field: "h-captcha-response"
  recaptcha_sitekey_class: "h-captcha"

This is what I have in dendrite.yaml (with my hcaptcha keys obviously in the key here portions). Am I missing something?

wait-what commented 1 year ago

I am experiencing the same issue.

  1. Element does GET requests to recaptcha.net, gstatic.com and fonts.gstatic.com and none to hcaptcha.
  2. The /register endpoint returns this (no mention of hcaptcha):
    {"flows":[{"stages":["m.login.recaptcha"]}],"completed":[],"params":{"m.login.recaptcha":{"public_key":"<snip>"}},"session":"<snip>"}

Dendrite seems to ignore the hcaptcha configuration (as from the sample config) and clients attempt to use recaptcha by default, for which the site key is invalid.

wait-what commented 1 year ago

It seems like there are even more problems here.

The configuration says

# To use hcaptcha.com instead of ReCAPTCHA, set the following parameters, otherwise just keep them empty.

However, keeping them empty results in an error:

level=error msg="Configuration error: missing config key \"client_api.recaptcha_siteverify_api\""

kegsay commented 1 year ago

I believe https://github.com/matrix-org/dendrite/pull/2939 fixed this?

acheong08 commented 1 year ago

nope

CicadaCinema commented 1 year ago

I checked out the commit https://github.com/matrix-org/dendrite/commit/0782011f54dca98d96a8c5a78f68569ed045892a where this feature was implemented, and I am still getting recaptcha instead of hcaptcha, with the same client error as in the OP.

$ git rev-parse HEAD
0782011f54dca98d96a8c5a78f68569ed045892a

I am also getting the same kind of response to the /register endpoint: {"flows":[{"stages":["m.login.recaptcha"]}],"completed":[],"params":{"m.login.recaptcha":{"public_key":"... snip ..."}},"session":"... snip ..."}

However, navigating to /_matrix/client/v3/auth/m.login.recaptcha/fallback/web?session=aaa shows the proper captcha, because the html form was produced by the server's fallback endpoint.

So it looks like clients implementing the m.login.recaptcha login type will always load the Google Recaptcha challenge and be sent an invalid site key by dendrite.

But clients which do not implement this will load the hcaptcha HTML form using the fallback endpoint.

Because there are no alternative captcha methods in the spec, I don't see a way to solve this and I suspect hcaptcha has never worked in clients implementing m.login.recaptcha (this issue was opened 16 days after the feature https://github.com/matrix-org/dendrite/pull/2834 was merged). Maybe a solution could be to use m.login.sso when the configuration is changed to hcaptcha, because looking at the spec it looks like this just redirects to the fallback mechanism.
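The mismatch discussed in this thread can be checked mechanically. The following is an added example, not part of the original thread and not Dendrite's code: `DiagnoseCaptcha` is a hypothetical helper, the site key is a placeholder, and the list of Google hosts is an assumption.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// uiaResponse is the subset of the /register body quoted in this thread.
type uiaResponse struct {
	Flows  []struct{ Stages []string }
	Params map[string]map[string]interface{}
}

// DiagnoseCaptcha (hypothetical) compares recaptcha_siteverify_api with what /register advertises.
func DiagnoseCaptcha(siteVerifyAPI string, registerBody []byte) ([]string, error) {
	u, err := url.Parse(siteVerifyAPI)
	if err != nil || u.Hostname() == "" {
		return nil, fmt.Errorf("recaptcha_siteverify_api must be an absolute URL, got %q", siteVerifyAPI)
	}
	var resp uiaResponse
	if err := json.Unmarshal(registerBody, &resp); err != nil {
		return nil, fmt.Errorf("parse /register body: %w", err)
	}
	host := u.Hostname()
	for _, d := range []string{"google.com", "recaptcha.net"} { // assumed Google hosts
		if host == d || strings.HasSuffix(host, "."+d) {
			return nil, nil // verifier matches the widget that spec clients load
		}
	}
	var findings []string
	for _, flow := range resp.Flows {
		for _, stage := range flow.Stages {
			if stage == "m.login.recaptcha" {
				findings = append(findings, "m.login.recaptcha advertised, but tokens are verified at "+host)
			}
		}
	}
	if p := resp.Params["m.login.recaptcha"]; len(findings) > 0 && len(p) == 1 && p["public_key"] != nil {
		findings = append(findings, "params carry only public_key: nothing tells the client which widget to load")
	}
	return findings, nil
}

func main() {
	// Constructed input: the /register body shape from the thread, key replaced by a placeholder.
	body := []byte(`{"flows":[{"stages":["m.login.recaptcha"]}],"completed":[],"params":{"m.login.recaptcha":{"public_key":"SITE-KEY-PLACEHOLDER"}},"session":"s"}`)
	fmt.Println(DiagnoseCaptcha("https://hcaptcha.com/siteverify", body))
}
```

An empty `recaptcha_siteverify_api` is returned as an error rather than a finding, matching the configuration error reported earlier in the thread.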

Elara6331 commented 12 months ago

The matrix spec currently only supports recaptcha. There's an open issue about this in the spec repo: matrix-org/matrix-spec#295.

LordPraslea commented 11 months ago

Just want to leave a potential workable solution for the element web interface here: You need to host your own element-web release, which is just a static website and should be easy to do. In the element-web folder, search for m.login.recaptcha (it should reside in bundle.js) and replace it with m.login.recaptchaZTODODISABLED.

Clear cache in browser, retry the URL. Upon registration you'll get a link "start authentication" which will redirect you to https://matrix.yourdomain.com/_matrix/client/v3/auth/m.login.recaptcha/fallback/web?session=yourseession

Then the user fills in the captcha and it should work. Of course this is a bit ugly and it should be fixed in a different way. But hey, it works for registrations :).

The easiest solution I found by experimenting with many things, including a WIP email registration, which I left behind.

What I hope is that instead of using "recaptcha" a new setting should be used, which will force clients to use the fallback method instead.