IAMRISK-1790 Support captcha for Passwordless

[robinbijlani]

Changes

This adds support for captcha in Passwordless flows (Classic Universal Login).

For context, to allow this, the Authentication API has some changes:

• POST /passwordless/challenge can be hit to know if a captcha should be shown for Passwordless flows.
• POST /passwordless/start will now verify the captcha field if one is required.

Here are a few demo recordings of the behavior:

☝️ This recording shows the one clunky UX issue I found. When using restart() to go back to the first pane, I can't figure out how to clear out the captcha field from the model. (I tried several implementations of ('../../field/index').clearFields(m, ['captcha']); combined with swap() but I am think I'm somewhat foggy on how the model binding works here.)

References

https://auth0team.atlassian.net/browse/IAMRISK-1790

Testing

• This change adds unit test coverage
• This change adds integration test coverage
• This change has been tested on the latest version of the platform/language

Checklist

• I have read the Auth0 general contribution guidelines
• I have read the Auth0 Code of Conduct
• All code quality tools/guidelines have been run/followed
• All relevant assets have been compiled

[ktraff-auth0]

Do we need to think about recaptcha enterprise here too?

[robinbijlani]

Thank you for the callout. Since recaptcha_v2 and recaptcha_enterprise both offer the same UX, I've made the error messages match everywhere we are showing captcha. 👍

[ktraff-auth0]

Is this check necessary? Should get handle non-objects (just thinking of lodash)?

[robinbijlani]

I copied it from the captcha() function above, but it looks like this isn't needed for the current tests. 🤔 For now I removed it from both, but maybe @stevehobbsdev can double check this.

[stevehobbsdev]

I can't figure out how to clear out the captcha field from the model. (I tried several implementations of ('../../field/index').clearFields(m, ['captcha']); combined with swap() but I am think I'm somewhat foggy on how the model binding works here.)

@robinbijlani there is a reset helper on the captcha field that should allow you to reset it, did you try this one?

This is used on Captcha for non-passwordless when you click on the 'change captcha' button to get a new code, so I'm wondering if it can be re-used for your scenario when you hit the back button.

import * as captchaField from '../field/captcha';

// ....

export function setCaptcha(m, value, wasInvalid) {
  m = captchaField.reset(m, wasInvalid);
  return set(m, 'captcha', Immutable.fromJS(value));
}

I noticed in your first video that when you click on that button the field doesn't reset, whereas today it does (for non-Passwordless captcha), so wondering if there's some issue with passwordlessCaptchaField.reset (but it looks ok when compared to captchaField.reset) 🤔

[robinbijlani]

@stevehobbsdev Thank you for the guidance! I realized my mistake was that while we have a passwordlessCaptcha prop on the model (to store info about the captcha challenge we display), we have no separate field to enter the passwordless captcha, and are reusing the existing captcha one. Now things seem to be behaving like I would expect:

[robinbijlani]

Also, the Browserstack failure is expected, right? 🤔

No browserstack username!
No browserstack password!

[robinbijlani]

@stevehobbsdev Also, I know you're OOF until Monday, but when you get back, if this looks good I'd love for a new release of Lock to be cut. (I want to bump the default version used from auth0-server if it ends up being higher than 11.34.x, which is currently used.)

[stevehobbsdev]

Also, the Browserstack failure is expected, right?

@robinbijlani Yes, as these changes come from a fork, the Browserstack run does not get the secrets required to execute. I will check the E2E tests locally.