Fix invite captcha handling for org invites (#1539)

* fix(invite): reset captcha and relax token checks

* fix(invite): allow optional captcha token

* refactor(invite): reuse captcha reset

Author: riderx

src/pages/settings/organization/Members.vue

@@ -123,6 +123,14 @@ async function checkRbacEnabled() {
 
 const isInviteNewUserDialogOpen = ref(false)
 
+function resetInviteCaptcha() {
+  if (captchaElement.value) {
+    captchaElement.value.reset()
+  }
+  captchaToken.value = ''
+  updateInviteNewUserButton()
+}
+
 function updateInviteNewUserButton() {
   const buttons = dialogStore.dialogOptions?.buttons
   if (!buttons)
@@ -1032,9 +1040,7 @@ async function showInviteNewUserDialog(email: string, roleType: Database['public
   isInviteNewUserDialogOpen.value = true
 
   // Reset captcha if available
-  if (captchaElement.value) {
-    captchaElement.value.reset()
-  }
+  resetInviteCaptcha()
 
   dialogStore.openDialog({
     title: t('invite-new-user-dialog-header', 'Invite New User'),
@@ -1101,6 +1107,7 @@ async function handleInviteNewUserSubmit() {
     if (error) {
       console.error('Invitation failed:', error)
       toast.error(t('invitation-failed', 'Invitation failed'))
+      resetInviteCaptcha()
       return false
     }
 
@@ -1116,6 +1123,7 @@ async function handleInviteNewUserSubmit() {
   catch (error) {
     console.error('Invitation failed:', error)
     toast.error(t('invitation-failed', 'Invitation failed'))
+    resetInviteCaptcha()
     return false
   }
   finally {

supabase/functions/_backend/private/invite_new_user_to_org.ts

@@ -26,7 +26,7 @@ const inviteUserSchema = z.object({
     'org_admin',
     'org_super_admin',
   ]),
-  captcha_token: z.string().check(z.minLength(1)),
+  captcha_token: z.optional(z.string().check(z.minLength(1))),
   first_name: z.string().check(z.minLength(1)),
   last_name: z.string().check(z.minLength(1)),
 })
@@ -108,7 +108,13 @@ async function validateInvite(c: Context, rawBody: any) {
   }
 
   // Verify captcha token with Cloudflare Turnstile
-  await verifyCaptchaToken(c, body.captcha_token)
+  const captchaSecret = getEnv(c, 'CAPTCHA_SECRET_KEY')
+  if (captchaSecret.length > 0) {
+    if (!body.captcha_token) {
+      throw simpleError('invalid_request', 'Captcha token is required')
+    }
+    await verifyCaptchaToken(c, body.captcha_token, captchaSecret)
+  }
 
   // Use authenticated client - RLS will enforce access based on JWT
   const supabase = supabaseClient(c, authorization)
@@ -236,29 +242,24 @@ app.post('/', middlewareAuth, async (c) => {
     invited_first_name: `${newInvitation?.first_name ?? body.first_name}`,
     invited_last_name: `${newInvitation?.last_name ?? body.last_name}`,
   }, 'org:invite_new_capgo_user_to_org')
-  if (!bentoEvent) {
-    throw simpleError('failed_to_invite_user', 'Failed to invite user', {}, 'Failed to track bento event')
+  if (bentoEvent === false) {
+    cloudlog({ requestId: c.get('requestId'), context: 'invite_new_user_to_org bento', message: 'Failed to track bento event' })
   }
   return c.json(BRES)
 })
 
 // Function to verify Cloudflare Turnstile token
-async function verifyCaptchaToken(c: Context, token: string) {
-  const captchaSecret = getEnv(c, 'CAPTCHA_SECRET_KEY')
-  if (!captchaSecret) {
-    throw simpleError('captcha_secret_key_not_set', 'CAPTCHA_SECRET_KEY not set')
-  }
-
+async function verifyCaptchaToken(c: Context, token: string, captchaSecret: string) {
   // "/siteverify" API endpoint.
   const url = 'https://challenges.cloudflare.com/turnstile/v0/siteverify'
   const result = await fetch(url, {
-    body: JSON.stringify({
+    body: new URLSearchParams({
       secret: captchaSecret,
       response: token,
     }),
     method: 'POST',
     headers: {
-      'Content-Type': 'application/json',
+      'Content-Type': 'application/x-www-form-urlencoded',
     },
   })