Open greenship24 opened 1 year ago
I just want to add, that is seems reCaptcha is returning the error, not hCaptcha as configured.
# Settings for ReCAPTCHA.
recaptcha_public_key: "<key here>"
recaptcha_private_key: "<private key here>"
recaptcha_bypass_secret: ""
# To use hcaptcha.com instead of ReCAPTCHA, set the following parameters, otherwise just keep them empty.
recaptcha_siteverify_api: "https://hcaptcha.com/siteverify"
recaptcha_api_js_url: "https://js.hcaptcha.com/1/api.js"
recaptcha_form_field: "h-captcha-response"
recaptcha_sitekey_class: "h-captcha"
This is what I have in dendrite.yaml (with my hcaptcha keys obviously in the key here portions). Am I missing something?
I am experiencing the same issue.
recaptcha.net
, gstatic.com
and fonts.gstatic.com
and none to hcaptcha./register
endpoint returns this (no mentions to hcaptcha)
{"flows":[{"stages":["m.login.recaptcha"]}],"completed":[],"params":{"m.login.recaptcha":{"public_key":"<snip>"}},"session":"<snip>"}
Dendrite seems to ignore the hcaptcha configuration (as from the sample config) and clients attempt to use recaptcha by default, for which the site key is invalid.
It seems like there are even more problems here.
The configuration says
# To use hcaptcha.com instead of ReCAPTCHA, set the following parameters, otherwise just keep them empty.
However, keeping them empty results in an error:
level=error msg="Configuration error: missing config key \"client_api.recaptcha_siteverify_api\""
I believe https://github.com/matrix-org/dendrite/pull/2939 fixed this?
nope
I checked out the commit https://github.com/matrix-org/dendrite/commit/0782011f54dca98d96a8c5a78f68569ed045892a where this feature was implemented, and I am still getting recaptcha instead of hcaptcha, with the same client error as in the OP.
$ git rev-parse HEAD
0782011f54dca98d96a8c5a78f68569ed045892a
I am also getting the same kind of response to the /register
endpoint:
{"flows":[{"stages":["m.login.recaptcha"]}],"completed":[],"params":{"m.login.recaptcha":{"public_key":"... snip ..."}},"session":"... snip ..."}
However, navigating to /_matrix/client/v3/auth/m.login.recaptcha/fallback/web?session=aaa
shows the proper captcha, because the html form was produced by the server's fallback endpoint:
So it looks like clients implementing the m.login.recaptcha
login type will always load the Google Recaptcha challenge and be sent an invalid site key by dendrite.
But clients which do not implement this will load the hcaptcha HTML form using the fallback endpoint.
Because there are no alternative captcha methods in the spec, I don't see a way to solve this and I suspect hcaptcha has never worked in clients implementing m.login.recaptcha
(this issue was opened 16 days after the feature https://github.com/matrix-org/dendrite/pull/2834 was merged). Maybe a solution could be to use m.login.sso
when the configuration is changed to hcaptcha, because looking at the spec it looks like this just redirects to the fallback mechanism.
The matrix spec currently only supports recaptcha. There's an open issue about this in the spec repo: matrix-org/matrix-spec#295.
Just want to leave a potential workable solution for the element web interface here: You need to host your own element-web release which is just a static website and should be easy to do. In the element-web folder search for m.login.recaptcha (it should reside in bundle.js) replace with m.login.recaptchaZTODODISABLED
Clear cache in browser, retry the URL. Upon registration you'll get a link "start authentication" which will redirect you to https://matrix.yourdomain.com/_matrix/client/v3/auth/m.login.recaptcha/fallback/web?session=yourseession
Then the user fills in captcha and it should work. Of course this is a bit ugly and it should be fixed in a different way.. But hey, it works for registrations :).
The easiest solution I found by experimenting with many things including a WIP email registration.. which I left behind.
What I hope is that instead of using "recaptcha" a new setting should be used, which will force clients to use the fallback method instead.
Background information
go version
:built-in to imageDescription
Steps to reproduce
Additional
I think it might have to do with whatever v2 and v3 recaptcha uses which I presume hcaptcha uses v3 now? Just a guess. I've verified all settings and have done simple tests otherwise where the site key works fine.