verbb / formie

The most user-friendly forms plugin for Craft CMS.

Recaptcha & Payments #1953

Open bymayo opened 4 days ago

bymayo commented 4 days ago

Describe the bug

We are using Opayo as a payment gateway, and the hidden Google Recaptcha V3.

When someone is using the form to make a payment it seems that the submission goes through even if they fail the recaptcha, and the payment is taken. The issue being that admins aren't then notified by email of the payment.

I know there's a setting to send emails for all spam submissions, but this can't be turned on really.

It would be good if the payment wasn't taken and an alert was shown or something similar.

Steps to reproduce

  1. Set up Opayo payment gateway
  2. Add Google Recaptcha V3
  3. Fail the recaptcha (Somehow!)
  4. Payment goes through, but submission is marked as spam.

Form settings

Craft CMS version

4.10.0

Plugin version

2.1.9

Multi-site?

No

Additional context

No response

engram-design commented 4 days ago

Captchas are run before payment integrations, and if a captcha has marked a submission as spam payments aren't run.

I'll double check this with Opayo with regards to its capture flow, but while the payment is authorized before the form is submitted, it's not supposed to be captured until after everything has cleared.

bymayo commented 4 days ago

@engram-design Yeah might just be worth checking, or letting me know if we've missed a setting somewhere.

You can see that it's marked as spam from recaptcha, but payment is success:

[Screenshot: CleanShot 2024-06-24 at 14 47 30@2x]

[Screenshot: CleanShot 2024-06-24 at 14 49 01@2x]

engram-design commented 4 days ago

Yep, so I've just tested this and it's working as I'd expect. Note that we added a check in 2.1.4 to fix processing payments regardless of spam. I note you're on 2.1.9 but just wanted to confirm.

A quick-and-dirty test that might be useful on your end is to add some debug code in 2 places.

Firstly to flag the captcha failing here:

```php
$this->spamReason = 'Manual fail.';
return false;
```

Then, adding a debug statement before processing payments here:

```php
Craft::dd('processPayments');
```

You'll have to inspect the network request in your web developer tools, as the form will be Ajax due to Opayo's requirements. But this should be either showing the submission as successful (and the payment not being triggered) or, you should see that debug message.

Otherwise, I can't see a scenario where payments are being processed when something is marked as spam...
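
The ordering described in this thread (spam checks first, capture only after everything has cleared) can be sketched as below. This is an added example, not code from Formie or from any commenter; `StubGateway`, `handleSubmission`, `findSpamWithCapturedPayment`, the 0.5 score threshold and the void-on-spam behaviour are all hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical gateway stub that records calls. Not Opayo's or Formie's API.
final class StubGateway
{
    public array $calls = [];
    public function capture(string $authId): void { $this->calls[] = "capture:{$authId}"; }
    public function voidAuth(string $authId): void { $this->calls[] = "void:{$authId}"; }
}

// Handles a submission whose payment was authorized (not captured) in the browser.
// $score is the server-verified reCAPTCHA v3 score; $minScore is an assumed threshold.
function handleSubmission(StubGateway $gw, string $authId, float $score, float $minScore = 0.5): array
{
    // Spam decision comes first; no payment call happens before it.
    if ($score < $minScore) {
        // Assumption: release the hold rather than leave it pending.
        $gw->voidAuth($authId);
        return ['id' => $authId, 'spam' => true, 'payment' => 'voided'];
    }
    // Only a cleared submission reaches capture.
    $gw->capture($authId);
    return ['id' => $authId, 'spam' => false, 'payment' => 'captured'];
}

// Reconciliation check: the state reported in this issue (spam AND captured)
// should never exist, so any hit is worth an alert.
function findSpamWithCapturedPayment(array $records): array
{
    return array_values(array_filter(
        $records,
        fn(array $r): bool => $r['spam'] && $r['payment'] === 'captured'
    ));
}

// Constructed sample data, not taken from the issue.
$gw = new StubGateway();
$records = [
    handleSubmission($gw, 'auth-001', 0.9),
    handleSubmission($gw, 'auth-002', 0.1),
    // A record in the inconsistent state, as if written by a buggy code path.
    ['id' => 'auth-003', 'spam' => true, 'payment' => 'captured'],
];

print_r($gw->calls);
print_r(findSpamWithCapturedPayment($records));
```

Running a check like `findSpamWithCapturedPayment` over stored submissions gives admins a signal for exactly the case where no notification email is sent.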