
Unable to checkout via Braintree with ReCaptcha V2 or V3 Invisible

Open n2diving-dgx opened this issue 2 years ago • 29 comments

Preconditions and environment

Upon upgrading our production site from M2.4.5-p2 to M2.4.6 we discovered customers were unable to checkout via Credit Card using the Braintree Payments extension V4.5.0 bundled into M2.4.6. The cause was found to be the ReCaptcha V3 security enabled on the Credit Card checkout.

See detailed steps below to reproduce the issue using a fresh unaltered M2.4.6 install with Luma Store sample data and Braintree sandbox credentials with ReCAPTCHA V3 Invisible security. If you wish you may repeat test using ReCAPTCHA V2 Invisible security, hung result is the same as with V3.

Only workaround to protecting checkout using Braintree Credit Card Payment method is reCAPTCHA V2 (I'm not a robot) challenge. According to Google this is the least secure of the three ReCAPTCHA options.

Building Magento 2.4.6
+ cat /etc/centos-release
CentOS Linux release 7.9.2009 (Core)
+ /usr/local/apache/bin/httpd -v
Server version: Apache/2.4.46 (Unix)
Server built:   Jun 16 2021 21:29:21
+ mysql -V
mysql  Ver 8.0.28 for Linux on x86_64 (MySQL Community Server - GPL)
+ php -v
PHP 8.1.17 (cli) (built: Mar 17 2023 09:39:39) (NTS)
Copyright (c) The PHP Group
Zend Engine v4.1.17, Copyright (c) Zend Technologies
    with Zend OPcache v8.1.17, Copyright (c), by Zend Technologies
+ php /usr/local/bin/composer -V
Composer version 2.3.5 2022-04-13 16:43:00


Steps to reproduce

  • Fresh Install of M2.4.6 in environment as above
  • Login to backend

  • Nav to Admin>Stores>Configure>General>Web>Default Cookie Settings
  • If necessary, set the Cookie Domain to the appropriate domain value (so you will be able to login on front end)
  • Save Config
  • Nav to Admin>Stores>Configure>Security>Google reCAPTCHA Storefront
  • Enter known valid credentials for Google Recaptcha V2 (robot), V2 (invisible), and V3.
  • On Storefront Enable Customer Login and Braintree payment form for reCAPTCHA V2 (I am not a robot)
  • Save Config
  • Nav to Admin>Stores>Configure>Sales>Payment Methods
  • Select Merchant Country as United States and Save Config
  • Configure Braintree Payments (by GENE Commerce v4.5.0)
  • Enter known valid sandbox credentials for Merchant ID, Public Key, Private Key and Validate Credentials
  • Enable Card Payments = Yes and Save Config
  • Flush Magento Cache

  • On Frontend, successfully Sign In using Demo Customer Access credentials
  • Answer ReCaptcha "I'm not a robot." challenge
  • Add Affirm Water Bottle to cart
  • Proceed to Checkout
  • Shipping Method select Fixed Flat Rate
  • Payment Method select Credit Card
  • Enter Card # 4111 1111 1111 1111 Expiration: 12/2023 Security Code: 123
  • Answer ReCaptcha "I'm not a robot." challenge
  • Click blue "Place Order" button
  • Observe "spinner" appears for a moment and then automatically redirects to "Thank you for your purchase!" success page with order number
  • Logout of Customer Account

  • Return to backend
  • Nav to Admin>Stores>Configure>Security>Google reCAPTCHA Storefront> Storefront
  • Change Enable Customer Login and Braintree payment form to reCAPTCHA V3 Invisible and Save Config
  • Flush Magento Cache

  • On Frontend, successfully Sign In using Demo Customer Access credentials
  • Verify "Protected by reCAPTCHA" badge appears next to "Sign In" button
  • Add Affirm Water Bottle to cart
  • Proceed to Checkout
  • Shipping Method select Fixed Flat Rate
  • Payment Method select Credit Card
  • Enter Card # 4111 1111 1111 1111 Expiration: 12/2023 Security Code: 123
  • Verify "Protected by reCAPTCHA" badge appears to the left of "Place Order" button
  • Click dark blue "Place Order" button
  • Place Order button turns light blue and ...
  • Order Page is HUNG, UNABLE TO PLACE ORDER using ReCAPTCHA V3 Invisible security

Expected result

Upon clicking Place Order button, the order is placed successfully with ReCAPTCHA V3 Invisible security enabled on Braintree Credit Card payment method, customer is redirected to the success page.

Actual result

Upon clicking dark blue Place Order button, the button turns light blue and order page is HUNG, unable to place order with ReCAPTCHA V3 Invisible security enabled on Braintree Credit Card payment method, and Customer is NOT redirected to the success page

Additional information

The issue appears to only affect protecting the Braintree Credit Card payment method with reCAPTCHA; in limited testing, a frontend Customer Sign In using any version of reCAPTCHA does not appear to affect the login.

Checkout via Credit Card protected with ReCAPTCHA V3 Invisible security was working correctly for M2.4.5-p2 in both production and sandbox environments. I also tested M2.4.6 using our Braintree production credentials instead of sandbox, but there was no difference using either set of credentials - the Place Order hangs and attempting to place an order protected with either version of V2 or V3 Invisible ReCAPTCHA fails.

Release note

No response

Triage and priority

  • [ ] Severity: S0 - Affects critical data or functionality and leaves users without workaround.
  • [X] Severity: S1 - Affects critical data or functionality and forces users to employ a workaround.
  • [ ] Severity: S2 - Affects non-critical data or functionality and forces users to employ a workaround.
  • [ ] Severity: S3 - Affects non-critical data or functionality and does not force users to employ a workaround.
  • [ ] Severity: S4 - Affects aesthetics, professional look and feel, “quality” or “usability”.

n2diving-dgx avatar Mar 19 '23 23:03 n2diving-dgx

Hi @n2diving-dgx. Thank you for your report. To speed up processing of this issue, make sure that the issue is reproducible on the vanilla Magento instance following Steps to reproduce. To deploy vanilla Magento instance on our environment, Add a comment to the issue:


Join Magento Community Engineering Slack and ask your questions in #github channel. :warning: According to the Magento Contribution requirements, all issues must go through the Community Contributions Triage process. Community Contributions Triage is a public meeting. :clock10: You can find the schedule on the Magento Community Calendar page. :telephone_receiver: The triage of issues happens in the queue order. If you want to speed up the delivery of your contribution, join the Community Contributions Triage session to discuss the appropriate ticket.

m2-assistant[bot] avatar Mar 19 '23 23:03 m2-assistant[bot]

Hopefully some other user with different Google reCaptcha and Braintree credentials would test in their environment to confirm the issue with protecting Braintree checkout via credit cards as described above is reproducible on M2.4.6 using credentials other than mine.

n2diving-dgx avatar Mar 20 '23 00:03 n2diving-dgx

Hi @engcom-Dash. Thank you for working on this issue. In order to make sure that issue has enough information and ready for development, please read and check the following instruction: :point_down:

    1. Verify that issue has all the required information. (Preconditions, Steps to reproduce, Expected result, Actual result).
    1. Verify that issue has a meaningful description and provides enough information to reproduce the issue.
    1. Add Area: XXXXX label to the ticket, indicating the functional areas it may be related to.
    1. Verify that the issue is reproducible on 2.4-develop branch
      - Add the comment @magento give me 2.4-develop instance to deploy test instance on Magento infrastructure.
      - If the issue is reproducible on 2.4-develop branch, please, add the label Reproduced on 2.4.x.
      - If the issue is not reproducible, add your comment that issue is not reproducible and close the issue and stop verification process here!

m2-assistant[bot] avatar Mar 20 '23 00:03 m2-assistant[bot]

@magento give me 2.4-develop instance

engcom-Dash avatar Mar 20 '23 07:03 engcom-Dash

Hi @engcom-Dash. Thank you for your request. I'm working on Magento instance for you.

Hi @engcom-Dash, here is your Magento Instance: https://1b3463814a34b1f892a4768bc32ddd33.instances-prod.magento-community.engineering Admin access: https://1b3463814a34b1f892a4768bc32ddd33.instances-prod.magento-community.engineering/admin_118a Login: 5c67384a Password: f3a11763eef9

Hi @n2diving-dgx ,

Issue Confirmed !

Verified the issue in 2.4.4 local instance and 2.4.6 Magento instance and it's reproducible. Hence we are confirming the issue.

Preconditions:

  • Magento version 2.4.4
  • Magento version 2.4.6
  • PHP version 8.1

Steps to reproduce:

1. Install Fresh 2.4.6 Magento instance
2. Go to Backend and Configuration and Security
3. Select Google recaptcha Store Frontend
4. Enter API website and Secret key of Recaptcha invisible v3
5. Save Configuration and clear cache.
6. Again go to Configuration and Sales and Payment methods
7. Select Braintree Payment Configuration
8. Enter Public key, Private key and validate the credentials and enable card payment
9. Save Configuration and clear cache
10. Go to front login with customer
11. Select any product and place the order with Credit card and enter card details as per main description
12. Trying to place order with Recaptcha invisible with v3

Kindly refer to the below screenshots (Recaptcha Invisible v3):

In Magento 2.4.6 version Order Page is HUNG, UNABLE TO PLACE ORDER using ReCAPTCHA V3 Invisible security. Same thing we are trying to reproduce in 2.4.4 instance and we can place the order successfully.

Kindly refer to the below screenshots:

In 2.4.4 instance we can place the order successfully with both RECAPTCHA V2 AND INVISIBLE V3. But in Magento 2.4.6 instance we got Actual result as per the description. Hence we are confirming the issue.

Regards,

engcom-Dash avatar Mar 20 '23 08:03 engcom-Dash

:white_check_mark: Jira issue https://jira.corp.adobe.com/browse/AC-8315 is successfully created for this GitHub issue.

github-jira-sync-bot avatar Mar 20 '23 08:03 github-jira-sync-bot

:white_check_mark: Confirmed by @engcom-Dash. Thank you for verifying the issue.
Issue Available: @engcom-Dash, You will be automatically unassigned. Contributors/Maintainers can claim this issue to continue. To reclaim and continue work, reassign the ticket to yourself.

m2-assistant[bot] avatar Mar 20 '23 08:03 m2-assistant[bot]

@engcom-Dash As per the discussion in triage call, we need to recheck this issue.

Thanks

engcom-Hotel avatar Mar 21 '23 12:03 engcom-Hotel

:white_check_mark: Jira issue https://jira.corp.adobe.com/browse/AC-8329 is successfully created for this GitHub issue.

github-jira-sync-bot avatar Mar 22 '23 07:03 github-jira-sync-bot

@magento I am working on this

rostilos avatar May 12 '23 09:05 rostilos

Any updates on this?

JosephLeedy avatar Jun 01 '23 13:06 JosephLeedy

+1 please as happening with 2.4.6-p1

https://experienceleague.adobe.com/docs/commerce-knowledge-base/kb/support-tools/patches/v1-1-31/acsd-50345-recaptcha-issues-during-checkout.html is already part of above version and as per the description

Please note that the issue was partially fixed in Adobe Commerce 2.4.6 and is scheduled to be completely fixed in Adobe Commerce 2.4.7.

mamsincl avatar Jun 14 '23 15:06 mamsincl

Hi, is there any patch available now for this issue?

bosskar231 avatar Jul 05 '23 09:07 bosskar231

+1 Got the same problem. Waiting for a solution.

colyield avatar Jul 26 '23 08:07 colyield

+1 is there any patch available now for this issue?

itaymesh avatar Aug 02 '23 09:08 itaymesh

Upgraded to 2.4.6p2, problem is still there. And just noticed that the "I am not a robot" v2 reCAPTCHA actually is not working at all. Even if the checkbox is not checked, still can make the payment successfully.

colyield avatar Sep 05 '23 05:09 colyield

Just spent 2 days trying to find what was causing our checkout to fail silently (2.4.6-p2).

I finally arrived in the right place!

Any update on this ridiculousness?

ThisIsRuddy avatar Sep 08 '23 15:09 ThisIsRuddy

I analysed the ACSD-50345_1.1.4-p1.patch and it only brings in a few changes from the upgraded re-captcha (1.1.3) which are already present in 2.4.6-p2 so no fix there I'm afraid.

ThisIsRuddy avatar Sep 11 '23 09:09 ThisIsRuddy

The issue still exists. I don't see any other way to block card attacks. Our big client on the latest Magento build still encounters it. Please fix it.

Amiga4ever avatar Sep 19 '23 13:09 Amiga4ever

Thank you everyone for your feedback!

GENE Commerce is responsible for developing the Magento Braintree extension. I would like to tell you that this ReCaptcha issue has already been fixed in Magento v2.4.7-beta1, which was released on June 13, 2023. Here, you can find the v2.4.7-beta1 release notes for Braintree: https://experienceleague.adobe.com/docs/commerce-operations/release/notes/adobe-commerce/2-4-7.html?lang=en#braintree

We already have a patch for Google ReCaptcha v2 or V3 Invisible issue with Braintree in Magento/Adobe v2.4.6 and its patch versions. You can download the patch from this link: https://support.gene.co.uk/support/solutions/articles/35000227825-patch-for-unable-to-checkout-via-braintree-with-google-recaptcha-v2-or-v3-invisible-in-magento-v2-4-6-and-v2-4-6-p1-p2

Also if you have any technical issues or concerns regarding our Magento Braintree extension, you can reach out to us by raising a support ticket from here: https://support.gene.co.uk/support/home

kartikmaniyar avatar Sep 22 '23 18:09 kartikmaniyar

"We already have a patch for Google ReCaptcha v2 or V3 Invisible issue with Braintree in Magento/Adobe v2.4.6 and its patch versions. You can download the patch from this link: https://support.gene.co.uk/support/solutions/articles/35000227825-patch-for-unable-to-checkout-via-braintree-with-google-recaptcha-v2-or-v3-invisible-in-magento-v2-4-6-and-v2-4-6-p1-p2"

  • How to implement this patch?

Amiga4ever avatar Sep 22 '23 20:09 Amiga4ever

@Amiga4ever Assuming you're using a deploy structure that leverages cweagans (or similar module like vaimo) for patch installation, it's as straightforward as downloading that patch, adding it to your patches folder, and adding the reference to your composer.patches.json. At that point it'll be picked up and applied the next time you run composer install.

If not then you'd have to manually apply it (git apply "patchfile"), but that won't survive for very long (any reinstall of vendor will wipe it out), so I'd only do that in a local test environment.

I've just tested this locally with a 2.4.6-p2 instance we were prepping and the patch does resolve the issue (makes sense, it's basically a clone of the relevant portion of ACSD-50345 to magento/module-re-captcha-checkout/view/frontend/web/js/model/place-order-mixin.js, applied to the Braintree core module mixin).

CHallski avatar Sep 23 '23 01:09 CHallski
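
The composer-patches wiring described in the comment above, as an added example that is not part of the thread or of GENE Commerce's instructions. With cweagans/composer-patches, the `extra.patches-file` key in composer.json points at `composer.patches.json`, whose content is shown here. The package key and the patch file name are placeholders because the thread does not give them: the key must be the Composer package that owns the patched file, and the patch is applied from that package's install directory.

```json
{
  "patches": {
    "PLACEHOLDER-vendor/braintree-module-package": {
      "Braintree checkout hangs with reCAPTCHA v2/v3 Invisible (GENE patch for 2.4.6)": "patches/PLACEHOLDER-braintree-recaptcha.patch"
    }
  }
}
```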

"We already have a patch for Google ReCaptcha v2 or V3 Invisible issue with Braintree in Magento/Adobe v2.4.6 and its patch versions. You can download the patch from this link: https://support.gene.co.uk/support/solutions/articles/35000227825-patch-for-unable-to-checkout-via-braintree-with-google-recaptcha-v2-or-v3-invisible-in-magento-v2-4-6-and-v2-4-6-p1-p2"

  • How to implement this patch?

This patch doesn't work in my situation.

matejslo avatar Mar 26 '24 19:03 matejslo

@magento I am working on this

digitalrisedorset avatar May 01 '24 08:05 digitalrisedorset

Can I check whether we want to fix this issue on 2.4.7 or on develop? This issue has been here for a while and before I start, I'd like to understand what the most recent situation with this issue is. Also, on the develop environment, I can't see any reCaptcha modules.

For reference, I am now aware of where the recaptcha modules are: (thanks @TuVanDev) https://github.com/magento/security-package https://magento.stackexchange.com/questions/362719/where-is-the-code-of-packages-like-magento-recaptchaadminui-on-github

digitalrisedorset avatar May 01 '24 08:05 digitalrisedorset

Hi @n2diving-dgx

Thanks for reporting and collaboration.

Verified the issue on Magento 2.4.7 instance but the issue is not reproducible.

Steps to reproduce:

1. Install Fresh 2.4.7 Magento instance
2. Go to Backend and Configuration and Security
3. Select Google recaptcha Store Frontend
4. Enter API website and Secret key of Recaptcha invisible v3
5. Save Configuration and clear cache.
6. Again go to Configuration and Sales and Payment methods
7. Select Braintree Payment Configuration
8. Enter Public key, Private key and validate the credentials and enable card payment
9. Save Configuration and clear cache
10. Go to front login with customer
11. Select any product and place the order with Credit card and enter card details as per main description
12. Try to place order with Recaptcha invisible with v3

We are able to place the order with credit card and Recaptcha invisible v3 successfully.

Please refer to the attached screen recording. Do let us know if we have missed anything.

https://github.com/magento/magento2/assets/60198592/0f29c2a5-4fd7-444d-90f4-cd3485fa9102

engcom-Dash avatar May 13 '24 12:05 engcom-Dash

I can also place an order successfully with 2.4.7 and the same recaptcha setting as in the post, so I will unassign myself from this task.

digitalrisedorset avatar Jun 11 '24 08:06 digitalrisedorset

Hi @n2diving-dgx

As per the above comments, the issue is not reproducible in 2.4.7.

We are closing the issue.

Please feel free to reopen the ticket if the issue persists again.

engcom-Dash avatar Jun 17 '24 08:06 engcom-Dash