Add recaptcha enterprise support to the link API (which calls signUp)

prameshj · prameshj · commit 6e3fe1e66941 · 2023-10-17T15:52:01.000-07:00
diff --git a/packages/auth/src/core/credentials/email.test.ts b/packages/auth/src/core/credentials/email.test.ts
@@ -308,7 +308,210 @@ describe('core/credentials/email', () => {
           idToken: 'id-token-2',
           returnSecureToken: true,
           email: 'some-email',
-          password: 'some-password'
+          password: 'some-password',
+          clientType: RecaptchaClientType.WEB
+        });
+      });
+      context('#recaptcha', () => {
+        beforeEach(async () => {
+      apiMock = mockEndpoint(Endpoint.SIGN_UP, {
+        idToken: 'id-token',
+        refreshToken: 'refresh-token',
+        expiresIn: '1234',
+        localId: serverUser.localId!
+      });
+
+        });
+
+        afterEach(() => {
+          sinon.restore();
+        });
+
+        const recaptchaConfigResponseEnforce = {
+          recaptchaKey: 'foo/bar/to/site-key',
+          recaptchaEnforcementState: [
+            { provider: 'EMAIL_PASSWORD_PROVIDER', enforcementState: 'ENFORCE' }
+          ]
+        };
+        const recaptchaConfigResponseOff = {
+          recaptchaKey: 'foo/bar/to/site-key',
+          recaptchaEnforcementState: [
+            { provider: 'EMAIL_PASSWORD_PROVIDER', enforcementState: 'OFF' }
+          ]
+        };
+
+        it('calls sign up with password with recaptcha enabled', async () => {
+          const recaptcha = new MockGreCAPTCHATopLevel();
+          if (typeof window === 'undefined') {
+            return;
+          }
+          window.grecaptcha = recaptcha;
+          sinon
+            .stub(recaptcha.enterprise, 'execute')
+            .returns(Promise.resolve('recaptcha-response'));
+          mockEndpointWithParams(
+            Endpoint.GET_RECAPTCHA_CONFIG,
+            {
+              clientType: RecaptchaClientType.WEB,
+              version: RecaptchaVersion.ENTERPRISE
+            },
+            recaptchaConfigResponseEnforce
+          );
+          await _initializeRecaptchaConfig(auth);
+
+          const idTokenResponse = await credential._linkToIdToken(
+          auth,
+          'id-token-2'
+        );
+        expect(idTokenResponse.idToken).to.eq('id-token');
+        expect(idTokenResponse.refreshToken).to.eq('refresh-token');
+        expect(idTokenResponse.expiresIn).to.eq('1234');
+        expect(idTokenResponse.localId).to.eq(serverUser.localId);
+        expect(apiMock.calls[0].request).to.eql({
+          captchaResponse: 'recaptcha-response',
+          recaptchaVersion: RecaptchaVersion.ENTERPRISE,
+          idToken: 'id-token-2',
+          returnSecureToken: true,
+          email: 'some-email',
+          password: 'some-password',
+          clientType: 'CLIENT_TYPE_WEB'
+        });
+        });
+
+        it('calls sign up with password with recaptcha disabled', async () => {
+          const recaptcha = new MockGreCAPTCHATopLevel();
+          if (typeof window === 'undefined') {
+            return;
+          }
+          window.grecaptcha = recaptcha;
+          sinon
+            .stub(recaptcha.enterprise, 'execute')
+            .returns(Promise.resolve('recaptcha-response'));
+          mockEndpointWithParams(
+            Endpoint.GET_RECAPTCHA_CONFIG,
+            {
+              clientType: RecaptchaClientType.WEB,
+              version: RecaptchaVersion.ENTERPRISE
+            },
+            recaptchaConfigResponseOff
+          );
+          await _initializeRecaptchaConfig(auth);
+        const idTokenResponse = await credential._linkToIdToken(
+          auth,
+          'id-token-2'
+        );
+        expect(idTokenResponse.idToken).to.eq('id-token');
+        expect(idTokenResponse.refreshToken).to.eq('refresh-token');
+        expect(idTokenResponse.expiresIn).to.eq('1234');
+        expect(idTokenResponse.localId).to.eq(serverUser.localId);
+        expect(apiMock.calls[0].request).to.eql({
+          idToken: 'id-token-2',
+          returnSecureToken: true,
+          email: 'some-email',
+          password: 'some-password',
+          clientType: 'CLIENT_TYPE_WEB'
+        });
+        });
+
+        it('calls sign up with password with recaptcha forced refresh', async () => {
+          if (typeof window === 'undefined') {
+            return;
+          }
+          // Mock recaptcha js loading method but not set window.recaptcha to simulate recaptcha token retrieval failure
+          sinon
+            .stub(jsHelpers, '_loadJS')
+            .returns(Promise.resolve(new Event('')));
+          window.grecaptcha = undefined;
+
+          const getRecaptchaConfigMock = mockEndpointWithParams(
+            Endpoint.GET_RECAPTCHA_CONFIG,
+            {
+              clientType: RecaptchaClientType.WEB,
+              version: RecaptchaVersion.ENTERPRISE
+            },
+            recaptchaConfigResponseEnforce
+          );
+          await _initializeRecaptchaConfig(auth);
+          auth._agentRecaptchaConfig!.siteKey = 'cached-site-key';
+
+          await expect(credential._linkToIdToken(auth, 'id-token-2')).to.be.rejectedWith(
+            'No reCAPTCHA enterprise script loaded.'
+          );
+          // Should call getRecaptchaConfig once to refresh the cached recaptcha config
+          expect(getRecaptchaConfigMock.calls.length).to.eq(2);
+          expect(auth._agentRecaptchaConfig?.siteKey).to.eq('site-key');
+        });
+
+        it('calls fallback to recaptcha flow when receiving MISSING_RECAPTCHA_TOKEN error', async () => {
+          if (typeof window === 'undefined') {
+            return;
+          }
+
+          // First call without recaptcha token should fail with MISSING_RECAPTCHA_TOKEN error
+          mockEndpointWithParams(
+            Endpoint.SIGN_UP,
+            {
+              idToken: 'id-token-2',
+              email: 'some-email',
+              password: 'some-password',
+              returnSecureToken: true,
+              clientType: RecaptchaClientType.WEB
+            },
+            {
+              error: {
+                code: 400,
+                message: ServerError.MISSING_RECAPTCHA_TOKEN
+              }
+            },
+            400
+          );
+
+          // Second call with a valid recaptcha token (captchaResp) should succeed
+          mockEndpointWithParams(
+            Endpoint.SIGN_UP,
+            {
+              captchaResponse: 'recaptcha-response',
+              clientType: RecaptchaClientType.WEB,
+              email: 'some-email',
+              password: 'some-password',
+              recaptchaVersion: RecaptchaVersion.ENTERPRISE,
+              returnSecureToken: true
+            },
+            {
+              idToken: 'id-token',
+              refreshToken: 'refresh-token',
+              expiresIn: '1234',
+              localId: serverUser.localId!
+            }
+          );
+
+          // Mock recaptcha js loading method and manually set window.recaptcha
+          sinon
+            .stub(jsHelpers, '_loadJS')
+            .returns(Promise.resolve(new Event('')));
+          const recaptcha = new MockGreCAPTCHATopLevel();
+          window.grecaptcha = recaptcha;
+          const stub = sinon.stub(recaptcha.enterprise, 'execute');
+          stub
+            .withArgs('site-key', {
+              action: RecaptchaActionName.SIGN_IN_WITH_PASSWORD
+            })
+            .returns(Promise.resolve('recaptcha-response'));
+
+          mockEndpointWithParams(
+            Endpoint.GET_RECAPTCHA_CONFIG,
+            {
+              clientType: RecaptchaClientType.WEB,
+              version: RecaptchaVersion.ENTERPRISE
+            },
+            recaptchaConfigResponseEnforce
+          );
+
+          const idTokenResponse = await credential._linkToIdToken(auth, "id-token-2");
+          expect(idTokenResponse.idToken).to.eq('id-token');
+          expect(idTokenResponse.refreshToken).to.eq('refresh-token');
+          expect(idTokenResponse.expiresIn).to.eq('1234');
+          expect(idTokenResponse.localId).to.eq(serverUser.localId);
         });
       });
     });
diff --git a/packages/auth/src/core/credentials/email.ts b/packages/auth/src/core/credentials/email.ts
@@ -33,6 +33,7 @@ import { _fail } from '../util/assert';
 import { AuthCredential } from './auth_credential';
 import { handleRecaptchaFlow } from '../../platform_browser/recaptcha/recaptcha_enterprise_verifier';
 import { RecaptchaActionName, RecaptchaClientType } from '../../api';
+import { SignUpRequest } from '../../api/authentication/sign_up';
 /**
  * Interface that represents the credentials returned by {@link EmailAuthProvider} for
  * {@link ProviderId}.PASSWORD
@@ -146,12 +147,19 @@ export class EmailAuthCredential extends AuthCredential {
   ): Promise<IdTokenResponse> {
     switch (this.signInMethod) {
       case SignInMethod.EMAIL_PASSWORD:
-        return linkEmailPassword(auth, {
+        const request: SignUpRequest = {
           idToken,
           returnSecureToken: true,
           email: this._email,
-          password: this._password
-        });
+          password: this._password,
+          clientType: RecaptchaClientType.WEB
+        }
+        return handleRecaptchaFlow(
+          auth,
+          request,
+          RecaptchaActionName.SIGN_UP_PASSWORD,
+          linkEmailPassword
+        );
       case SignInMethod.EMAIL_LINK:
         return signInWithEmailLinkForLinking(auth, {
           idToken,
