
[Spike]: Generalize ReCaptcha support for all payment methods (backend)

Open justinconabree opened this issue 3 years ago • 3 comments

Is your feature request related to a problem? Please describe.
The backend ReCaptcha support for Braintree is done in a way that's too specific:

// \Magento\ReCaptchaPwa\Plugin\Model\CheckoutWebapiConfigProvider

// Validation runs only when all three hold: captcha is enabled for Braintree,
// the X-ReCaptcha header is present, and the method being used is Braintree.
if ($this->isEnabled->isCaptchaEnabledFor(self::BRAINTREE_CAPTCHA_ID)
    && $this->request->getHeader('X-ReCaptcha')
    && $paymentMethodCode === self::BRAINTREE_CAPTCHA_ID)
{
    // Validate ReCaptcha
}
// Any request that fails one of the conditions (e.g. no header) is not validated.

If we were to change this to check $this->isEnabled->isCaptchaEnabledFor($paymentMethodCode), it would work out of the box for all payment methods (with a few other unavoidable configurations).

We see a security loophole here as well. If the recaptcha header is missing altogether (e.g. an order placed through Postman) then it will pass. The check for the header can be removed.

Describe the solution you'd like
If it's enabled for the current payment method (not specifically Braintree), validate it:

// \Magento\ReCaptchaPwa\Plugin\Model\CheckoutWebapiConfigProvider

// Key the check on the method actually in use; no separate header precondition.
if ($this->isEnabled->isCaptchaEnabledFor($paymentMethodCode)) {
    // Validate ReCaptcha
}

Describe alternatives you've considered
Currently we need to implement a duplicate plugin and just change the constant, as well as remove the check for the header to avoid security issues.

Please let us know what packages this feature is in regards to:

  • [ ] venia-concept
  • [ ] venia-ui
  • [ ] pwa-buildpack
  • [ ] peregrine
  • [ ] pwa-devdocs
  • [ ] upward-js
  • [ ] upward-spec
  • [ ] create-pwa
  • [x] magento/pwa[-commerce]

justinconabree Sep 01 '22 18:09
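The following is an added example, not code from pwa-studio or Magento. It models the decision made in \Magento\ReCaptchaPwa\Plugin\Model\CheckoutWebapiConfigProvider as a small standalone class so the two behaviours raised above (Braintree-only, and silent pass-through when X-ReCaptcha is absent) can be compared against a generalised, fail-closed version without a Magento install. The CaptchaGate class, the two closures it takes in place of the real config and validator, the return strings, and the method codes enabled in the constructed configuration are all assumptions of this example.

```php
<?php
declare(strict_types=1);

// Added example, not pwa-studio or Magento code. CaptchaGate and its
// collaborators are stand-ins for the plugin's real dependencies.
final class CaptchaGate
{
    private const BRAINTREE_CAPTCHA_ID = 'braintree';

    /**
     * @param callable(string): bool $isEnabledFor  stand-in for isCaptchaEnabledFor()
     * @param callable(string): bool $tokenIsValid  stand-in for the ReCaptcha validator
     */
    public function __construct(
        private $isEnabledFor,
        private $tokenIsValid,
    ) {
    }

    /** Logic as reported in the issue: Braintree only, skipped when no header is sent. */
    public function originalDecision(string $paymentMethodCode, ?string $header): string
    {
        if (($this->isEnabledFor)(self::BRAINTREE_CAPTCHA_ID)
            && $header !== null && $header !== ''
            && $paymentMethodCode === self::BRAINTREE_CAPTCHA_ID
        ) {
            return ($this->tokenIsValid)($header) ? 'validated' : 'rejected';
        }
        // Every other request, including one that simply omits X-ReCaptcha, passes through.
        return 'passed-without-check';
    }

    /** Generalised and fail-closed: any method with captcha enabled must present a valid token. */
    public function hardenedDecision(string $paymentMethodCode, ?string $header): string
    {
        if (!($this->isEnabledFor)($paymentMethodCode)) {
            return 'not-required';
        }
        if ($header === null || trim($header) === '') {
            // A missing header is now a rejection, not a bypass.
            return 'rejected';
        }
        return ($this->tokenIsValid)($header) ? 'validated' : 'rejected';
    }
}

// Constructed configuration for the demonstration (an assumption, not a real
// admin setting): captcha is switched on for two method codes, and the only
// token the stand-in validator accepts is "good".
$gate = new CaptchaGate(
    fn(string $method): bool => in_array($method, ['braintree', 'checkmo'], true),
    fn(string $token): bool => $token === 'good',
);

$cases = [
    ['braintree', 'good'],
    ['braintree', 'bad'],
    ['braintree', null],   // the Postman-style request from the issue
    ['checkmo',   null],   // enabled in config but never checked by the original code
    ['free',      null],   // captcha not enabled for this method
];

printf("%-10s %-8s %-22s %s\n", 'method', 'header', 'original', 'hardened');
foreach ($cases as [$method, $header]) {
    printf(
        "%-10s %-8s %-22s %s\n",
        $method,
        $header ?? '(none)',
        $gate->originalDecision($method, $header),
        $gate->hardenedDecision($method, $header)
    );
}
```

Run with `php gate.php` (PHP 8.0 or newer for constructor property promotion). The third and fourth rows are the point of the issue: with the original ordering a Braintree request that omits the header, and any request for another method, come back as passed-without-check, while the hardened path returns rejected for the first two and not-required only when captcha is genuinely off for that method. Whether isCaptchaEnabledFor can actually return true for a method other than Braintree depends on the admin configuration, which a later comment in this thread says is Braintree-only; the example enables checkmo purely to show what the generalised check would do if it could.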

Hi @JustinConabreeAbsolunet. Thank you for your report. To speed up processing of this issue, make sure that you provided sufficient information.

Add a comment to assign the issue: @magento I am working on this


m2-assistant[bot] Sep 01 '22 18:09

@adobe export issue to JIRA project PWA as Story

anthoula Sep 06 '22 15:09

:white_check_mark: Jira issue https://jira.corp.adobe.com/browse/PWA-2984 is successfully created for this GitHub issue.

github-jira-sync-bot Sep 06 '22 15:09

Hi @justinconabree, we analysed the ticket and, after going through it in detail, we have come to the conclusion that the Magento security option provides the ReCaptcha option only for the payment method Braintree, as shown in the attached screenshot.

Hence, to generalize it, we need to have that option enabled in the Magento backend as well, which it currently does not support.

Could you please suggest if we still need to generalize it or any other option we can add.

glo82145 May 22 '23 13:05

We waited for more than 14 days for an update on this issue, hence we are closing it. Please feel free to reopen if you still have any update on the same.

glo82145 Jun 12 '23 06:06