Merge pull request #15906 from overleaf/jdt-disable-staging-captchas-if-trusted

allow for list of trusted users to skip captchas

GitOrigin-RevId: d398e98f63e4dc800a5b4ac59c8c9b672a200a15

services/web/app/src/Features/Captcha/CaptchaMiddleware.js

@@ -26,6 +26,11 @@ async function initializeDeviceHistory(req) {
 }
 
 async function canSkipCaptcha(req, res) {
+  const trustedUser =
+    req.body?.email && Settings.recaptcha.trustedUsers.includes(req.body.email)
+  if (trustedUser) {
+    return res.json(true)
+  }
   await initializeDeviceHistory(req)
   const canSkip = req.deviceHistory.has(req.body?.email)
   Metrics.inc('captcha_pre_flight', 1, {
@@ -36,6 +41,9 @@ async function canSkipCaptcha(req, res) {
 
 function validateCaptcha(action) {
   return expressify(async function (req, res, next) {
+    const trustedUser =
+      req.body?.email &&
+      Settings.recaptcha.trustedUsers.includes(req.body.email)
     if (!Settings.recaptcha?.siteKey || Settings.recaptcha.disabled[action]) {
       if (action === 'login') {
         AuthenticationController.setAuditInfo(req, { captcha: 'disabled' })
@@ -43,6 +51,11 @@ function validateCaptcha(action) {
       Metrics.inc('captcha', 1, { path: action, status: 'disabled' })
       return next()
     }
+    if (trustedUser && action === 'login') {
+      AuthenticationController.setAuditInfo(req, { captcha: 'trusted' })
+      Metrics.inc('captcha', 1, { path: action, status: 'trusted' })
+      return next()
+    }
     const reCaptchaResponse = req.body['g-recaptcha-response']
     if (action === 'login') {
       await initializeDeviceHistory(req)

services/web/config/settings.defaults.js

@@ -680,6 +680,10 @@ module.exports = {
     endpoint:
       process.env.RECAPTCHA_ENDPOINT ||
       'https://www.google.com/recaptcha/api/siteverify',
+    trustedUsers: (process.env.CAPTCHA_TRUSTED_USERS || '')
+      .split(',')
+      .map(x => x.trim())
+      .filter(x => x !== ''),
     disabled: {
       invite: true,
       login: true,