Fixing that a captcha is required on external login and registration - hotfix (Lombiq Technologies: GOV-44) (#17489)

Piedone · web-flow · commit b8016936eeb4 · 2025-02-18T03:23:26.000+01:00
diff --git a/src/OrchardCore.Modules/OrchardCore.ReCaptcha/Users/Handlers/LoginFormEventEventHandler.cs b/src/OrchardCore.Modules/OrchardCore.ReCaptcha/Users/Handlers/LoginFormEventEventHandler.cs
@@ -1,3 +1,4 @@
+using Microsoft.AspNetCore.Identity;
 using OrchardCore.ReCaptcha.Services;
 using OrchardCore.Users;
 using OrchardCore.Users.Events;
@@ -7,10 +8,12 @@ namespace OrchardCore.ReCaptcha.Users.Handlers;
 public class LoginFormEventEventHandler : ILoginFormEvent
 {
     private readonly ReCaptchaService _reCaptchaService;
+    private readonly SignInManager<IUser> _signInManager;
 
-    public LoginFormEventEventHandler(ReCaptchaService reCaptchaService)
+    public LoginFormEventEventHandler(ReCaptchaService reCaptchaService, SignInManager<IUser> signInManager)
     {
         _reCaptchaService = reCaptchaService;
+        _signInManager = signInManager;
     }
 
     public Task IsLockedOutAsync(IUser user)
@@ -23,14 +26,16 @@ public Task LoggedInAsync(IUser user)
         return Task.CompletedTask;
     }
 
-    public Task LoggingInAsync(string userName, Action<string, string> reportError)
+    public async Task LoggingInAsync(string userName, Action<string, string> reportError)
     {
-        if (_reCaptchaService.IsThisARobot())
+        // When logging in via an external provider, authentication security is already handled by the provider.
+        // Therefore, using a CAPTCHA is unnecessary and impractical, as users wouldn't be able to complete it anyway.
+        if (!_reCaptchaService.IsThisARobot() || await _signInManager.GetExternalLoginInfoAsync() != null)
         {
-            return _reCaptchaService.ValidateCaptchaAsync(reportError);
+            return;
         }
 
-        return Task.CompletedTask;
+        await _reCaptchaService.ValidateCaptchaAsync(reportError);
     }
 
     public Task LoggingInFailedAsync(string userName)
diff --git a/src/OrchardCore.Modules/OrchardCore.ReCaptcha/Users/Handlers/RegistrationFormEventHandler.cs b/src/OrchardCore.Modules/OrchardCore.ReCaptcha/Users/Handlers/RegistrationFormEventHandler.cs
@@ -1,3 +1,4 @@
+using Microsoft.AspNetCore.Identity;
 using OrchardCore.ReCaptcha.Services;
 using OrchardCore.Users;
 using OrchardCore.Users.Events;
@@ -7,19 +8,28 @@ namespace OrchardCore.ReCaptcha.Users.Handlers;
 public class RegistrationFormEventHandler : IRegistrationFormEvents
 {
     private readonly ReCaptchaService _reCaptchaService;
+    private readonly SignInManager<IUser> _signInManager;
 
-    public RegistrationFormEventHandler(ReCaptchaService recaptchaService)
+    public RegistrationFormEventHandler(ReCaptchaService reCaptchaService, SignInManager<IUser> signInManager)
     {
-        _reCaptchaService = recaptchaService;
+        _reCaptchaService = reCaptchaService;
+        _signInManager = signInManager;
     }
 
     public Task RegisteredAsync(IUser user)
     {
         return Task.CompletedTask;
     }
 
-    public Task RegistrationValidationAsync(Action<string, string> reportError)
+    public async Task RegistrationValidationAsync(Action<string, string> reportError)
     {
-        return _reCaptchaService.ValidateCaptchaAsync(reportError);
+        // When logging in via an external provider, authentication security is already handled by the provider.
+        // Therefore, using a CAPTCHA is unnecessary and impractical, as users wouldn't be able to complete it anyway.
+        if (await _signInManager.GetExternalLoginInfoAsync() != null)
+        {
+            return;
+        }
+
+        await _reCaptchaService.ValidateCaptchaAsync(reportError);
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,4 @@`
	`1`	`+using Microsoft.AspNetCore.Identity;`
`1`	`2`	`using OrchardCore.ReCaptcha.Services;`
`2`	`3`	`using OrchardCore.Users;`
`3`	`4`	`using OrchardCore.Users.Events;`
`@@ -7,10 +8,12 @@ namespace OrchardCore.ReCaptcha.Users.Handlers;`
`7`	`8`	`public class LoginFormEventEventHandler : ILoginFormEvent`
`8`	`9`	`{`
`9`	`10`	`private readonly ReCaptchaService _reCaptchaService;`
	`11`	`+ private readonly SignInManager<IUser> _signInManager;`
`10`	`12`
`11`		`- public LoginFormEventEventHandler(ReCaptchaService reCaptchaService)`
	`13`	`+ public LoginFormEventEventHandler(ReCaptchaService reCaptchaService, SignInManager<IUser> signInManager)`
`12`	`14`	`{`
`13`	`15`	`_reCaptchaService = reCaptchaService;`
	`16`	`+ _signInManager = signInManager;`
`14`	`17`	`}`
`15`	`18`
`16`	`19`	`public Task IsLockedOutAsync(IUser user)`
`@@ -23,14 +26,16 @@ public Task LoggedInAsync(IUser user)`
`23`	`26`	`return Task.CompletedTask;`
`24`	`27`	`}`
`25`	`28`
`26`		`- public Task LoggingInAsync(string userName, Action<string, string> reportError)`
	`29`	`+ public async Task LoggingInAsync(string userName, Action<string, string> reportError)`
`27`	`30`	`{`
`28`		`- if (_reCaptchaService.IsThisARobot())`
	`31`	`+ // When logging in via an external provider, authentication security is already handled by the provider.`
	`32`	`+ // Therefore, using a CAPTCHA is unnecessary and impractical, as users wouldn't be able to complete it anyway.`
	`33`	`+ if (!_reCaptchaService.IsThisARobot() \|\| await _signInManager.GetExternalLoginInfoAsync() != null)`
`29`	`34`	`{`
`30`		`- return _reCaptchaService.ValidateCaptchaAsync(reportError);`
	`35`	`+ return;`
`31`	`36`	`}`
`32`	`37`
`33`		`- return Task.CompletedTask;`
	`38`	`+ await _reCaptchaService.ValidateCaptchaAsync(reportError);`
`34`	`39`	`}`
`35`	`40`
`36`	`41`	`public Task LoggingInFailedAsync(string userName)`