Add Cloudflare Turnstile Support (#1633)

* First pass at Cloudflare Turnstile

* Fix parameter passing for captcha detection

* Prettier

* Finishing touches for CloudFlareTurnstile

* Minor updates

* Bubble up error from captcha provider, use isError instead of direct instance with PirError

* Add tests

* Make sitekey optional in isCaptchaMatch

* Fix accidental deletion

* Address PR feedback

* Update function call

* Trim down cloudflare-captcha.html

Author: brianhall

injected/integration-test/broker-protection-tests/broker-protection-captcha.spec.js

@@ -5,6 +5,8 @@ import {
     createSolveRecaptchaAction,
     createGetImageCaptchaInfoAction,
     createSolveImageCaptchaAction,
+    createGetCloudFlareCaptchaInfoAction,
+    createSolveCloudFlareCaptchaAction,
 } from '../mocks/broker-protection/captcha.js';
 import { BROKER_PROTECTION_CONFIGS } from './tests-config.js';
 
@@ -121,7 +123,7 @@ test.describe('Broker Protection Captcha', () => {
             test('returns an error response when the selector is not an svg or image tag', async ({ createConfiguredDbp }) => {
                 const dbp = await createConfiguredDbp(BROKER_PROTECTION_CONFIGS.default);
                 await dbp.navigatesTo(imageCaptchaTargetPage);
-                await dbp.receivesInlineAction(createGetRecaptchaInfoAction({ selector: '#svg-captcha-rendering' }));
+                await dbp.receivesInlineAction(createGetImageCaptchaInfoAction({ selector: '#svg-captcha-rendering' }));
 
                 await dbp.isCaptchaError();
             });
@@ -138,4 +140,50 @@ test.describe('Broker Protection Captcha', () => {
             });
         });
     });
+
+    test.describe('cloudflare turnstile', () => {
+        const cloudFlareCaptchaTargetPage = 'cloudflare-captcha.html';
+
+        test.describe('getCaptchaInfo', () => {
+            test('returns the expected response for the correct action data', async ({ createConfiguredDbp }) => {
+                const dbp = await createConfiguredDbp(BROKER_PROTECTION_CONFIGS.default);
+                await dbp.navigatesTo(cloudFlareCaptchaTargetPage);
+                await dbp.receivesInlineAction(createGetCloudFlareCaptchaInfoAction({ selector: '#captcha-widget' }));
+                const sucessResponse = await dbp.getSuccessResponse();
+
+                dbp.isCaptchaMatch(sucessResponse, {
+                    captchaType: 'cloudFlareTurnstile',
+                    targetPage: cloudFlareCaptchaTargetPage,
+                    siteKey: '0x4AAAAAAA34NY6rivjWMWoq',
+                });
+            });
+
+            test('returns an error if the sitekey attribute is missing', async ({ createConfiguredDbp }) => {
+                const dbp = await createConfiguredDbp(BROKER_PROTECTION_CONFIGS.default);
+                await dbp.navigatesTo(cloudFlareCaptchaTargetPage);
+                await dbp.receivesInlineAction(createGetCloudFlareCaptchaInfoAction({ selector: '#missing-sitekey' }));
+
+                await dbp.isCaptchaError();
+            });
+        });
+
+        test.describe('solveCaptchaInfo', () => {
+            test('returns an error if the callback attribute is missing', async ({ createConfiguredDbp }) => {
+                const dbp = await createConfiguredDbp(BROKER_PROTECTION_CONFIGS.default);
+                await dbp.navigatesTo(cloudFlareCaptchaTargetPage);
+                await dbp.receivesInlineAction(createSolveCloudFlareCaptchaAction({ selector: '#missing-callback' }));
+
+                await dbp.isCaptchaError();
+            });
+
+            test('solves the captcha for the correct action data', async ({ createConfiguredDbp }) => {
+                const dbp = await createConfiguredDbp(BROKER_PROTECTION_CONFIGS.default);
+                await dbp.navigatesTo(cloudFlareCaptchaTargetPage);
+                await dbp.receivesInlineAction(createSolveCloudFlareCaptchaAction({ selector: '#captcha-widget' }));
+                dbp.getSuccessResponse();
+
+                await dbp.isCaptchaTokenFilled("//input[@name='cf-turnstile-response']");
+            });
+        });
+    });
 });

injected/integration-test/mocks/broker-protection/captcha.js

@@ -46,6 +46,18 @@ export function createGetImageCaptchaInfoAction(actionOverrides = {}) {
     });
 }
 
+/**
+ * @param {Partial<PirAction>} [actionOverrides]
+ */
+export function createGetCloudFlareCaptchaInfoAction(actionOverrides = {}) {
+    return createGetCaptchaInfoAction({
+        action: {
+            captchaType: 'cloudFlareTurnstile',
+            ...actionOverrides,
+        },
+    });
+}
+
 /**
  * @param {object} params
  * @param {Omit<PirAction, 'id' | 'actionType'>} params.action
@@ -90,6 +102,18 @@ export function createSolveImageCaptchaAction(actionOverrides = {}) {
     });
 }
 
+/**
+ * @param {Partial<PirAction>} [actionOverrides]
+ */
+export function createSolveCloudFlareCaptchaAction(actionOverrides = {}) {
+    return createSolveCaptchaAction({
+        action: {
+            captchaType: 'cloudFlareTurnstile',
+            ...actionOverrides,
+        },
+    });
+}
+
 // Captcha responses
 
 /**

injected/integration-test/page-objects/broker-protection.js

@@ -94,11 +94,12 @@ export class BrokerProtectionPage {
      * @param {object} captchaParams
      * @param {string} captchaParams.captchaType
      * @param {string} captchaParams.targetPage
+     * @param {string} [captchaParams.siteKey]
      *
      * @return {void}
      */
-    isCaptchaMatch(response, { captchaType, targetPage }) {
-        const expectedResponse = createCaptchaResponse({ captchaType, targetPage });
+    isCaptchaMatch(response, { captchaType, targetPage, ...overrides }) {
+        const expectedResponse = createCaptchaResponse({ captchaType, targetPage, ...overrides });
 
         switch (captchaType) {
             case 'image':

injected/integration-test/test-pages/broker-protection/pages/cloudflare-captcha.html

@@ -0,0 +1,34 @@
+<html>
+
+<head>
+    <title>Beenverified</title>
+</head>
+
+<body>
+    <div id="root">
+        <div class="MuiBox-root css-0"><input type="hidden" name="captchaResponse">
+            <div id="captcha-widget" data-sitekey="0x4AAAAAAA34NY6rivjWMWoq"
+                data-callback="handleCaptchaCallback" style="margin-top: 20px; outline: currentcolor;">
+                <div><input type="hidden" name="cf-turnstile-response"
+                        id="cf-chl-widget-tzmlk_response"></div>
+            </div>
+        </div>
+        <div class="MuiBox-root css-0"><input type="hidden" name="captchaResponse">
+            <div id="missing-sitekey" data-callback="handleCaptchaCallback"
+                style="margin-top: 20px; outline: currentcolor;">
+                <div><input type="hidden" name="cf-turnstile-response-error"
+                        id="cf-chl-widget-tzmlk_response"></div>
+            </div>
+        </div>
+        <div class="MuiBox-root css-0"><input type="hidden" name="captchaResponse">
+            <div id="missing-callback" data-sitekey="0x4AAAAAAA34NY6rivjWMWoq"
+                style="margin-top: 20px; outline: currentcolor;">
+                <div><input type="hidden" name="cf-turnstile-response-error"
+                        id="cf-chl-widget-tzmlk_response"></div>
+            </div>
+        </div>
+    </div>
+    <script src="https://challenges.cloudflare.com/turnstile/v0/api.js" async="" data-testid="hcaptcha-script"></script>
+</body>
+
+</html>

injected/src/features/broker-protection/captcha-services/captcha.service.js

@@ -67,7 +67,7 @@ export async function getCaptchaInfo(action, root = document) {
         return createError(captchaContainer.error.message);
     }
 
-    const captchaProvider = getCaptchaProvider(captchaContainer, captchaType);
+    const captchaProvider = getCaptchaProvider(root, captchaContainer, captchaType);
     if (PirError.isError(captchaProvider)) {
         return createError(captchaProvider.error.message);
     }
@@ -77,6 +77,10 @@ export async function getCaptchaInfo(action, root = document) {
         return createError(`could not extract captcha identifier from the container with selector ${selector}`);
     }
 
+    if (PirError.isError(captchaIdentifier)) {
+        return createError(captchaIdentifier.error.message);
+    }
+
     const response = {
         url: removeUrlQueryParams(window.location.href), // query params (which may include PII)
         siteKey: captchaIdentifier,

injected/src/features/broker-protection/captcha-services/factory.js

@@ -25,11 +25,12 @@ export class CaptchaFactory {
 
     /**
      * Detect the captcha provider based on the element
+     * @param {Document | HTMLElement} root
      * @param {HTMLElement} element - The element to check
      * @returns {import('./providers/provider.interface').CaptchaProvider|null}
      */
-    detectProvider(element) {
-        return this._getAllProviders().find((provider) => provider.isSupportedForElement(element)) || null;
+    detectProvider(root, element) {
+        return this._getAllProviders().find((provider) => provider.isSupportedForElement(root, element)) || null;
     }
 
     /**

injected/src/features/broker-protection/captcha-services/get-captcha-provider.js

@@ -3,21 +3,21 @@ import { captchaFactory } from './providers/registry';
 
 /**
  * Gets the captcha provider for the getCaptchaInfo action
- *
+ * @param {Document | HTMLElement} root
  * @param {HTMLElement} captchaContainer
  * @param {string} captchaType
  */
-export function getCaptchaProvider(captchaContainer, captchaType) {
+export function getCaptchaProvider(root, captchaContainer, captchaType) {
     const captchaProvider = captchaFactory.getProviderByType(captchaType);
     if (!captchaProvider) {
         return PirError.create(`[getCaptchaProvider] could not find captcha provider with type ${captchaType}`);
     }
 
-    if (captchaProvider.isSupportedForElement(captchaContainer)) {
+    if (captchaProvider.isSupportedForElement(root, captchaContainer)) {
         return captchaProvider;
     }
 
-    const detectedProvider = captchaFactory.detectProvider(captchaContainer);
+    const detectedProvider = captchaFactory.detectProvider(root, captchaContainer);
     if (!detectedProvider) {
         return PirError.create(
             `[getCaptchaProvider] could not detect captcha provider for ${captchaType} captcha and element ${captchaContainer}`,

injected/src/features/broker-protection/captcha-services/providers/cloudflare-turnstile.js

@@ -1,57 +1,136 @@
+import { getElementByTagName, getElementWithSrcStart } from '../../utils/utils';
+import { safeCallWithError } from '../../utils/safe-call';
+import { getAttributeValue } from '../utils/attribute';
+import { injectTokenIntoElement } from '../utils/token';
+import { stringifyFunction } from '../utils/stringify-function';
 import { PirError } from '../../types';
 
+/**
+ * @typedef {Object} CloudFlareTurnstileProviderConfig
+ * @property {string} providerUrl - The captcha provider URL
+ * @property {string} responseElementName - The name of the captcha response element
+ */
+
 /**
  * @import { CaptchaProvider } from './provider.interface';
  * @implements {CaptchaProvider}
  */
 export class CloudFlareTurnstileProvider {
+    /**
+     * @type {CloudFlareTurnstileProviderConfig}
+     */
+    #config;
+
+    constructor() {
+        this.#config = {
+            providerUrl: 'https://challenges.cloudflare.com/turnstile/v0',
+            responseElementName: 'cf-turnstile-response',
+        };
+    }
+
     getType() {
-        return 'cloudflareTurnstile';
+        return 'cloudFlareTurnstile';
     }
 
     /**
+     * @param {Document | HTMLElement} root
      * @param {HTMLElement} _captchaContainerElement
+     * @returns {boolean} Whether the captcha is supported for the element
      */
-    isSupportedForElement(_captchaContainerElement) {
-        // TODO: Implement
-        return false;
+    isSupportedForElement(root, _captchaContainerElement) {
+        // Typically we look within captcha container for isSupportedForElement, but CloudFlare puts the iFrame into the shadow DOM,
+        // so we need to look at the script tags on the page instead
+        return !!this._getCaptchaScript(root);
     }
 
     /**
-     * @param {HTMLElement} _captchaContainerElement - The element containing the captcha
+     * @param {HTMLElement} captchaContainerElement - The element containing the captcha
      */
-    getCaptchaIdentifier(_captchaContainerElement) {
-        // TODO: Implement
-        return Promise.resolve(null);
+    getCaptchaIdentifier(captchaContainerElement) {
+        const sitekeyAttribute = 'data-sitekey';
+
+        return Promise.resolve(
+            safeCallWithError(() => getAttributeValue({ element: captchaContainerElement, attrName: sitekeyAttribute }), {
+                errorMessage: `[CloudFlareTurnstileProvider.getCaptchaIdentifier] could not extract site key from attribute: ${sitekeyAttribute}`,
+            }),
+        );
     }
 
     getSupportingCodeToInject() {
-        // TODO: Implement
         return null;
     }
 
     /**
-     * @param {HTMLElement} _captchaContainerElement - The element containing the captcha
+     * @param {HTMLElement} captchaContainerElement - The element containing the captcha
+     * @returns {boolean} Whether the captcha can be solved
+     */
+    canSolve(captchaContainerElement) {
+        const callbackAttribute = 'data-callback';
+
+        const hasCallback = safeCallWithError(() => getAttributeValue({ element: captchaContainerElement, attrName: callbackAttribute }), {
+            errorMessage: `[CloudFlareTurnstileProvider.canSolve] could not extract callback function name from attribute: ${callbackAttribute}`,
+        });
+
+        if (PirError.isError(hasCallback)) {
+            return false;
+        }
+
+        const hasResponseElement = safeCallWithError(() => getElementByTagName(captchaContainerElement, this.#config.responseElementName), {
+            errorMessage: `[CloudFlareTurnstileProvider.canSolve] could not find response element: ${this.#config.responseElementName}`,
+        });
+
+        if (PirError.isError(hasResponseElement)) {
+            return false;
+        }
+
+        return true;
+    }
+
+    /**
+     * @param {HTMLElement} captchaContainerElement - The element containing the captcha
+     * @param {string} token - The solved captcha token
      */
-    canSolve(_captchaContainerElement) {
-        // TODO: Implement
-        return false;
+    injectToken(captchaContainerElement, token) {
+        return injectTokenIntoElement({ captchaContainerElement, elementName: this.#config.responseElementName, token });
     }
 
     /**
-     * @param {HTMLElement} _captchaContainerElement - The element containing the captcha
-     * @param {string} _token - The solved captcha token
+     * @param {HTMLElement} captchaContainerElement - The element containing the captcha
+     * @param {string} token - The solved captcha token
      */
-    injectToken(_captchaContainerElement, _token) {
-        // TODO: Implement
-        return PirError.create('Not implemented');
+    getSolveCallback(captchaContainerElement, token) {
+        const callbackAttribute = 'data-callback';
+
+        const callbackFunctionName = safeCallWithError(
+            () => getAttributeValue({ element: captchaContainerElement, attrName: callbackAttribute }),
+            {
+                errorMessage: `[CloudFlareTurnstileProvider.getSolveCallback] could not extract callback function name from attribute: ${callbackAttribute}`,
+            },
+        );
+
+        if (PirError.isError(callbackFunctionName)) {
+            return callbackFunctionName;
+        }
+
+        return stringifyFunction({
+            /**
+             * @param {Object} args - The arguments passed to the function
+             * @param {string} args.callbackFunctionName - The callback function name
+             * @param {string} args.token - The solved captcha token
+             */
+            functionBody: function cloudflareCaptchaCallback(args) {
+                window[args.callbackFunctionName](args.token);
+            },
+            functionName: 'cloudflareCaptchaCallback',
+            args: { callbackFunctionName, token },
+        });
     }
 
     /**
-     * @param {HTMLElement} _captchaContainerElement - The element containing the captcha
-     * @param {string} _token - The solved captcha token
+     * @private
+     * @param {Document | HTMLElement} root - The root element to search in
      */
-    getSolveCallback(_captchaContainerElement, _token) {
-        return null;
+    _getCaptchaScript(root) {
+        return getElementWithSrcStart(root, this.#config.providerUrl);
     }
 }

injected/src/features/broker-protection/captcha-services/providers/hcaptcha.js

@@ -10,9 +10,10 @@ export class HCaptchaProvider {
     }
 
     /**
+     * @param {Document | HTMLElement} _root
      * @param {HTMLElement} _captchaContainerElement - The element to check
      */
-    isSupportedForElement(_captchaContainerElement) {
+    isSupportedForElement(_root, _captchaContainerElement) {
         // TODO: Implement
         return false;
     }