[PR #1476] [MERGED] Feature/use hcaptcha if bot #51132

New Issue

Closed

opened 2026-05-01 14:44:07 -05:00 by GiteaMirror · 0 comments

GiteaMirror commented 2026-05-01 14:44:07 -05:00

Owner

Copy Link

📋 Pull Request Information

Original PR: https://github.com/bitwarden/android/pull/1476
Author: @MGibson1
Created: 7/23/2021
Status: ✅ Merged
Merged: 8/4/2021
Merged by: @MGibson1

Base: master ← Head: feature/use-hcaptcha-if-bot

---

📝 Commits (7)

• 3047073 Add captcha to login models and methods
• 152084e Add captcha web auth to login
• b1cac34 Extract captcha to abstract base class
• b0c38af Add Captcha to register
• 2d233d5 Null out captcha token after each successful challenge
• 45321fd Merge branch 'master' into feature/use-hcaptcha-if-bot
• bd55131 Cancel > close

📊 Changes

18 files changed (+334 additions, -54 deletions)

View changed files

📝 src/App/Pages/Accounts/LoginPage.xaml (+1 -1)
📝 src/App/Pages/Accounts/LoginPageViewModel.cs (+55 -5)
📝 src/App/Pages/Accounts/RegisterPage.xaml (+1 -1)
📝 src/App/Pages/Accounts/RegisterPageViewModel.cs (+45 -3)
➕ src/App/Pages/CaptchaProtectedViewModel.cs (+88 -0)
📝 src/App/Resources/AppResources.Designer.cs (+24 -12)
📝 src/App/Resources/AppResources.resx (+6 -0)
📝 src/Core/Abstractions/IApiService.cs (+1 -1)
📝 src/Core/Abstractions/IAuthService.cs (+1 -1)
📝 src/Core/Models/Domain/AuthResult.cs (+2 -0)
📝 src/Core/Models/Request/RegisterRequest.cs (+1 -0)
📝 src/Core/Models/Request/TokenRequest.cs (+8 -1)
📝 src/Core/Models/Response/ErrorResponse.cs (+6 -0)
➕ src/Core/Models/Response/IdentityCaptchaResponse.cs (+13 -0)
➕ src/Core/Models/Response/IdentityResponse.cs (+50 -0)
📝 src/Core/Models/Response/IdentityTwoFactorResponse.cs (+3 -0)
📝 src/Core/Services/ApiService.cs (+7 -17)
📝 src/Core/Services/AuthService.cs (+22 -12)

📄 Description

Overview

Adding captcha responses to Login and Registration failures due to suspected bot requests. The basic flow is to attempt the request, fail with a captcha siteKey in the response, use that site key to show a web auth and retrieve a captcha token, and finally reattempt the request with the acquired token.

I couldn't find a good example for DI to a parent ViewModel in the solution already. I chose abstract properties to pass required services to the parent CaptchaProtectedViewModel because I still want to have the dependencies gathered at the highest level and passed down. It didn't make sense to me to grab the dependencies multiple times, but this would be my second favorite approach.

Files Changed

• loginPage.xaml/registerPage.xaml: On my simulator I was getting long load times for the second request attempt post-captcha that was displaying the login or register page again. I'm disabling the submit buttons until the second attempt is completed.
• LoginPageViewModel: Inherits from CaptchaProtectedViewModel to get all the captcha handling goodies. Add loading binding to disable submit and handle captcha required by reattempting once the base class set _captchaToken.
• RegisterPageViewModel: Same as LoginPageViewModel, except the captcha requirement comes in as an ApiException. This is due to the differences in failure modes server-side. Indentity failures are just failed auth requests, whereas API failures are returned as Bad Requests and thrown.
• CaptchaProtectedViewModel: Initialize a WebAuthenticator when captcha is required and retrieve a token response on success. If we don't get a token, signal failure. The EncodeB64 method matches the... odd... way we're encoding iframe data in the web vault (https://github.com/bitwarden/jslib/blob/master/common/src/misc/iframe_component.ts#L30-L34 && https://stackoverflow.com/questions/30106476/using-javascripts-atob-to-decode-base64-doesnt-properly-decode-utf-8-strings)
• AppResources: Localize Captcha strings
• ApiService: Parse out IdentityCaptchaResponse as well as Token and Two Factor. This is primarily handled in the new return class.
• AuthService: Add Captcha to login. A two factor captcha bypass token is stored for subsequent calls

Screenshots

Login PreCaptcha

Login/register captcha

Login/register captcha with images (pixel 3a)

Login back out of captcha

Register precaptcha

Register back out of captcha

---

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/bitwarden/android/pull/1476 **Author:** [@MGibson1](https://github.com/MGibson1) **Created:** 7/23/2021 **Status:** ✅ Merged **Merged:** 8/4/2021 **Merged by:** [@MGibson1](https://github.com/MGibson1) **Base:** `master` ← **Head:** `feature/use-hcaptcha-if-bot` --- ### 📝 Commits (7) - [`3047073`](https://github.com/bitwarden/android/commit/30470731a1ea5aa059242a3af8e093fab1b2f7bc) Add captcha to login models and methods - [`152084e`](https://github.com/bitwarden/android/commit/152084eebec0d95b812c2ca5c9b8bc1fee4586d1) Add captcha web auth to login - [`b1cac34`](https://github.com/bitwarden/android/commit/b1cac34e5aacb9a57663b9df4d8f2d18ac356323) Extract captcha to abstract base class - [`b0c38af`](https://github.com/bitwarden/android/commit/b0c38af7108e1c5d96691471bffff87f250b0412) Add Captcha to register - [`2d233d5`](https://github.com/bitwarden/android/commit/2d233d5471660069a43115b06dd11a6fc2bbdb5e) Null out captcha token after each successful challenge - [`45321fd`](https://github.com/bitwarden/android/commit/45321fddc93d3aaf7ea2fb5d4c4806d5d4aee17a) Merge branch 'master' into feature/use-hcaptcha-if-bot - [`bd55131`](https://github.com/bitwarden/android/commit/bd5513195ebbe5e4e8d8a2a8bf89ca92469e4752) Cancel > close ### 📊 Changes **18 files changed** (+334 additions, -54 deletions) <details> <summary>View changed files</summary> 📝 `src/App/Pages/Accounts/LoginPage.xaml` (+1 -1) 📝 `src/App/Pages/Accounts/LoginPageViewModel.cs` (+55 -5) 📝 `src/App/Pages/Accounts/RegisterPage.xaml` (+1 -1) 📝 `src/App/Pages/Accounts/RegisterPageViewModel.cs` (+45 -3) ➕ `src/App/Pages/CaptchaProtectedViewModel.cs` (+88 -0) 📝 `src/App/Resources/AppResources.Designer.cs` (+24 -12) 📝 `src/App/Resources/AppResources.resx` (+6 -0) 📝 `src/Core/Abstractions/IApiService.cs` (+1 -1) 📝 `src/Core/Abstractions/IAuthService.cs` (+1 -1) 📝 `src/Core/Models/Domain/AuthResult.cs` (+2 -0) 📝 `src/Core/Models/Request/RegisterRequest.cs` (+1 -0) 📝 `src/Core/Models/Request/TokenRequest.cs` (+8 -1) 📝 `src/Core/Models/Response/ErrorResponse.cs` (+6 -0) ➕ `src/Core/Models/Response/IdentityCaptchaResponse.cs` (+13 -0) ➕ `src/Core/Models/Response/IdentityResponse.cs` (+50 -0) 📝 `src/Core/Models/Response/IdentityTwoFactorResponse.cs` (+3 -0) 📝 `src/Core/Services/ApiService.cs` (+7 -17) 📝 `src/Core/Services/AuthService.cs` (+22 -12) </details> ### 📄 Description # Overview Adding captcha responses to Login and Registration failures due to suspected bot requests. The basic flow is to attempt the request, fail with a captcha siteKey in the response, use that site key to show a web auth and retrieve a captcha token, and finally reattempt the request with the acquired token. I couldn't find a good example for DI to a parent ViewModel in the solution already. I chose abstract properties to pass required services to the parent `CaptchaProtectedViewModel` because I still want to have the dependencies gathered at the highest level and passed down. It didn't make sense to me to grab the dependencies multiple times, but this would be my second favorite approach. # Files Changed * **loginPage.xaml/registerPage.xaml**: On my simulator I was getting long load times for the second request attempt post-captcha that was displaying the login or register page again. I'm disabling the submit buttons until the second attempt is completed. * **LoginPageViewModel**: Inherits from CaptchaProtectedViewModel to get all the captcha handling goodies. Add loading binding to disable submit and handle captcha required by reattempting once the base class set `_captchaToken`. * **RegisterPageViewModel**: Same as **`LoginPageViewModel`**, except the captcha requirement comes in as an ApiException. This is due to the differences in failure modes server-side. Indentity failures are just failed auth requests, whereas API failures are returned as Bad Requests and thrown. * **CaptchaProtectedViewModel**: Initialize a `WebAuthenticator` when captcha is required and retrieve a token response on success. If we don't get a token, signal failure. The `EncodeB64` method matches the... odd... way we're encoding iframe data in the web vault (https://github.com/bitwarden/jslib/blob/master/common/src/misc/iframe_component.ts#L30-L34 && https://stackoverflow.com/questions/30106476/using-javascripts-atob-to-decode-base64-doesnt-properly-decode-utf-8-strings) * **AppResources**: Localize Captcha strings * **ApiService**: Parse out IdentityCaptchaResponse as well as Token and Two Factor. This is primarily handled in the new return class. * **AuthService**: Add Captcha to login. A two factor captcha bypass token is stored for subsequent calls # Screenshots ## Login PreCaptcha <img width="326" alt="image" src="https://user-images.githubusercontent.com/18214891/126824419-14d7f45e-2bf7-4017-a903-037508ca8a99.png"> ## Login/register captcha <img width="326" alt="image" src="https://user-images.githubusercontent.com/18214891/126824451-d3d778fc-ceca-433a-8c6a-7e40ae1613a9.png"> ## Login/register captcha with images (pixel 3a) <img width="326" alt="image" src="https://user-images.githubusercontent.com/18214891/126824966-5fac18a3-3aae-4778-b5f9-5ce1281269d7.png"> ## Login back out of captcha <img width="326" alt="image" src="https://user-images.githubusercontent.com/18214891/126824514-bb811e5a-3e04-4a2c-a7ab-d70ad1d7bf2e.png"> ## Register precaptcha <img width="326" alt="image" src="https://user-images.githubusercontent.com/18214891/126824624-e2aea994-5b3a-4b8b-a99b-59e39ac49588.png"> ## Register back out of captcha <img width="326" alt="image" src="https://user-images.githubusercontent.com/18214891/126824670-48c21f6d-5e14-49de-a450-e835ce6519d2.png"> --- _{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

GiteaMirror added the pull-request label 2026-05-01 14:44:07 -05:00

GiteaMirror closed this issue 2026-05-01 14:44:09 -05:00

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

crowdin-pull

cron-sync-privileged-browsers/60-sync

agalles/fdroid-only

sdlc/sdk-update

remove-retrofit-dependency

release/hotfix-v2026.4.1-bwpm

beta-for-qa

target-sdk-37

PM-33982/build-device-screen

new-item-types/PM-32806_passport

new-item-types/PM-32808_drivers-license

BWA-99/show-next-totp

BWA-99/add-preview-next-totp-code-setting

renovate/glidecompose

sync-min-sdk

release/2026.4-rc51

fix/security-sast-22741894-bvwj

related-origin-passkey-creation

release/2026.4-rc50

platform/android-breaking-change-detection

innovation-sprint-2026-send-folder

release/2026.3-rc49

PM-34193-vault-lockout

android-collections

llm/add-resolving-sdk-updates-skill

QA-1523/sanity-test-saucelabs

release/2026.3-rc48

PM-26577-app-links-support

PM-26896-autofill-fix

release/2026.2-rc47

pr-6572

release/2026.2-rc46

release/2026.1-rc45

PM-30644/added-logs-for-debug

PM-30644/quicktile-nav-not-showing-migration

minor-gradle-updates

release/2026.1-rc42

release/2026.1-rc44

release/2026.1-rc43

PM-28834/set-landscape-on-horizonos-devices

PM-28468/validate-and-navigate-to-vault-migration

PM-20026/force-ltr-passwords-and-codes

release/2025.12-rc41

cmcg/testCoverage

PM-29014/talkback-support-for-passwords

release/2025.12-rc40

BRE-1305/publish_test

accept-user-certs

autofill-permissions

release/2025.11-rc39

PM-22479/check-all-certificates-validate-asset-links

release/2025.10-rc38

agalles/android-latest

retro-agent

PM-27001/skip-account-selection-only-one-exists-cxp

release/2025.10-rc37

agalles/test-1118

release/2025.10-rc36

PM-20593-token-refresh

QA-1126b/adding-native-sanity-test

release/2025.9-rc35

pm-25933/sdk-update-password

release/2025.9-rc34

release/2025.8-rc33

agalles/20250821-release

debug-release-issues

pm-24249-allow-automated-prs-for-sdk-updates

release/2025.8-rc32

release/WORKFLOW-TEST-2025.8-rc28

agalles/20250807release

release/2025.07-rc25

release/hotfix-v2025.7.0-bwa

pm-23311/export-vault-policy-bypass

release/2025.07-rc24

authenticator-pm-sync-flags-issue

release/hotfix-v2025.6.0-bwpm

release/2025.06-rc21

agalles/automate-android-fastlane-patch

release/2025.05-rc20

release/2025.04-rc19

languages/basque

release/2025.03-rc19

update-readme

qrcode/feature

innovation/archive/pm-19153-archive-items

qrcode/2-ui-fields

qrcode/1-page

hold-on-biometric-prompt-alternative

release-notes-process

release/2025.02-rc16

bwa-monorepo

PM-8223/new-device-verification-ux-improvements

pm-18451/exempt-from-policies

test-bwa

release/2025.01-rc15

release/2025.01-rc14

release/2024.12-rc13

pm-16670/sync-leave-notice

821

PM-16695/backport-lean-more-new-device-verification

release/hotfix-v2024.11.7

release/2024.11-rc1

pm-11304/collection-add-item-button

PM-14241/disabling-logs-app-crash

poc/offline-editing

new-version-calc

pm-11649/expired-link-services

pm-6702/add-feature-flag

pm-6702/email-verification-feature

pm-9933/marketing-copy-update

pm-6702/registration-flows

update-templates

pm-6701/email-verification-selfhost-registration

v2026.4.1-bwa

v2026.4.1-bwpm

v2026.4.0-bwa

v2026.4.0-bwpm

v2026.3.1-bwa

v2026.3.1-bwpm

v2026.3.0-bwpm

v2026.3.0-bwa

v2026.2.1-bwpm

v2026.2.1-bwa

v2026.2.0-bwpm

v2026.2.0-bwa

v2026.1.1-bwa

v2026.1.1-bwpm

temp-test

v2026.1.0-bwpm

v2026.1.0-bwa

v2025.12.1-bwa

v2025.12.1-bwpm

v2025.12.0-bwa

v2025.12.0-bwpm

v2025.11.1-bwpm

v2025.11.1-bwa

v2025.11.0-bwpm

v2025.11.0-bwa

v2025.10.1-bwa

v2025.10.1-bwpm

v2025.10.0-bwa

v2025.10.0-bwpm

v2025.9.1-bwa

v2025.9.1-bwpm

v2025.9.0-bwa

v2025.9.0-bwpm

v2025.8.1-bwa

v2025.8.1-bwpm

v2025.8.0-bwa

v2025.8.0-bwpm

v2025.7.2-bwa

v2025.7.2-bwpm

v2025.7.1-bwa

v2025.7.1-bwpm

v2025.7.0-bwa

v2025.7.0-bwpm

v2025.6.1-bwpm

v2025.6.0-bwa

v2025.6.0-bwpm

v2025.1.0-bwa

v2025.5.0-bwa

v2025.5.0-bwpm

v2025.5.999

2025.4.0

v2025.4.0

untagged-4731eaadac73f3dfbbb8

v2025.3.0

v2025.2.0

untagged-815a165c5d70ffe75bc7

v2025.1.2

v2025.1.1

v2025.1.0

v2024.12.0

untagged-5a76b6392a4c8998c63a

v2024.11.7

v2024.11.6

v2024.11.5

v2024.11.4

v2024.11.3

v2024.11.2

v2024.11.1

v2024.11.0

v2024.10.2

v2024.10.1

v2024.10.0

v2024.9.0

v2024.8.1

v2024.8.0

v2024.7.3

v2024.7.2

v2024.7.1

v2024.7.0

v2024.6.1

v2024.6.0

v2024.5.1

v2024.4.1

v2024.4.2

v2024.4.0

v2024.3.3

v2024.3.1

v2024.3.0

v2024.2.1

v2024.2.0

v2024.1.1

v2024.1.0

v2023.12.0

v2023.10.0

v2023.9.2

maui-single-project-android

v2023.9.1

v2023.9.0

v2023.8.0

v2023.7.0

v2023.5.0

v2023.4.0

v2023.3.2

v2023.3.1

v2023.3.0

v2023.2.0

v2023.1.0

v2022.11.0

v2022.10.0

v2022.9.1

v2022.9.0

v2022.8.0

v2022.6.2

v2022.6.1

v2022.6.0

v2022.05.0

v2.18.0

v2.17.0

v2.16.4

v2.16.3

v2.16.2

v2.16.1

v2.15.0

v2.14.2

v2.14.1

v2.14.0

v2.13.0

v2.12.0

v2.11.3

v2.11.2

v2.11.1

v2.11.0

v2.10.0

v2.9.1

v2.9.0

v2.8.2

v2.8.1

v2.8.0

v2.7.2

v2.7.0

v2.6.1

v2.6.0

v2.5.6

v.2.5.5

v2.5.5

v2.5.4

v2.5.3

v2.5.2

v2.5.1

v2.5.0

v2.4.3

v2.4.2

v2.4.1

v2.4.0

v2.3.1

v2.3.0

v2.2.8

v2.2.7

v2.2.6

v2.2.2

v2.2.1

v2.2.0

v2.1.2

v2.1.0

v2.0.6

v2.0.5

v2.0.4

v2.0.3

v2.0.2

v2.0.1

v2.0.0

v1.22.1

v1.22.0

v1.21.0

v1.20.0

v1.19.0

v1.18.1

v1.18.0

v1.17.0

v1.16.0

v1.15.2

v1.15.1

v1.15.0

v1.14.4

v1.14.1

v1.14.0

v1.13.0

v1.12.2

v1.12.1

v1.12.0

v1.11.1

v1.11.0

v1.10.0

v1.9.0

v1.8.1

v1.8.0

v1.7.0

v1.6.5

v1.6.1

v1.6.0

v1.5.1

v1.5.0

v1.4.4

v1.4.3

v1.4.0

v1.3.0

v1.2.1

v1.2.0

v1.1.0

v1.0.0

v0.0.6

v0.0.5

v0.0.4

v0.0.3

v0.0.2

v0.0.1

Labels

Clear labels

app:authenticator

app:password-manager

bug

bug-passkey

customer-support

duplicate

enhancement

good first issue

help wanted

needs-reply

needs-response

pull-request

Mirrored from GitHub Pull Request

question

No Label pull-request

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/android#51132