Page MenuHomePhabricator
Create Task
Maniphest T405595

hCaptcha: Create mechanism to allow the showcaptcha consequence in AbuseFilter to always challenge the user
Closed, ResolvedPublic1 Estimated Story Points
Actions

Description

Summary

WMF's hCaptcha instance is set up in 99.9% passive and invisible mode. But when an AbuseFilter defines showcaptcha as its consequence, it should display a challenge.

Technical notes

We can use a separate sitekey for this, and find a way to swap the sitekey in use when showcaptcha is used in AbuseFilter.

Acceptance criteria

  • showcaptcha in AbuseFilter always displays a challenge when hCaptcha is enabled

Details

Other Assignee
Dreamy_Jazz
Related Changes in Gerrit:
SubjectRepoBranchLines +/-
MakeGlobalVariablesScriptHookHandler: Fix hCaptcha site key handlingmediawiki/extensions/ConfirmEditwmf/1.46.0-wmf.2+47 -27
Show more helpful error message on edit page when hCaptcha forcedmediawiki/extensions/ConfirmEditmaster+103 -22
Create tests for SimpleCaptcha::confirmEditMergedmediawiki/extensions/ConfirmEditmaster+185 -0
Use FancyCaptcha for AbuseFilter consequencemediawiki/extensions/ConfirmEditmaster+589 -20
Support an "always challenge" SiteKey when shouldForceShowCaptcha is enabledmediawiki/extensions/ConfirmEditmaster+124 -7
MakeGlobalVariablesScriptHookHandler: Fix hCaptcha site key handlingmediawiki/extensions/ConfirmEditmaster+47 -27
Support an "always challenge" SiteKey when shouldForceShowCaptcha is enabledmediawiki/extensions/ConfirmEditwmf/1.46.0-wmf.2+124 -7
hCaptcha: Define configuration for "always challenge" modeoperations/mediawiki-configmaster+4 -0
hCaptcha: Use FancyCaptcha for API edits and page creationsoperations/mediawiki-configmaster+5 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

kostajh created this task.Sep 25 2025, 2:15 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 25 2025, 2:15 PM
XXBlackburnXx subscribed.Sep 28 2025, 6:26 PM
kostajh edited projects, added Product Safety and Integrity (Sprint Apfel Strudel (Sep 29 - Oct 17)); removed Trust and Safety Product Sprint (Sprint Dadar Gulung (September 8 - September 26)).Sep 29 2025, 7:57 AM
Dreamy_Jazz added projects: ConfirmEdit (CAPTCHA extension), AbuseFilter.Sep 29 2025, 1:25 PM
kostajh updated the task description. (Show Details)Sep 30 2025, 11:54 AM
kostajh set the point value for this task to 0.5.
kostajh added a comment.Sep 30 2025, 11:58 AM

We can use this site key (c0343ab6-480e-4d5c-abc0-f86255586384) for a configuration that will result in an "always challenge" mode when hCaptcha is loaded.

kostajh changed the point value for this task from 0.5 to 1.Sep 30 2025, 11:59 AM

For whoever picks this up: please check in with other engineers about the approach before starting on the work.

kostajh added a comment.Oct 14 2025, 2:16 PM

We're also discussing using FancyCaptcha for the showcaptcha consequence.

kostajh assigned this task to sguebo_WMF.Oct 14 2025, 2:16 PM
kostajh mentioned this in T406364: hCaptcha VisualEditor: Fix execution for captcha error handler when in invisible mode / secure enclave mode.
kostajh moved this task from Backlog to In progress on the WE4.2 Bot detection (WE4.2 hCaptcha editing trial) board.
gerritbot added a comment.Oct 15 2025, 3:06 AM

Change #1196204 had a related patch set uploaded (by Samuel (WMF); author: Samuel (WMF)):

[mediawiki/extensions/ConfirmEdit@master] WIP: Use FancyCaptcha for AbuseFilter consequence

https://gerrit.wikimedia.org/r/1196204

gerritbot added a project: Patch-For-Review.Oct 15 2025, 3:06 AM
sguebo_WMF changed the task status from Open to In Progress.Oct 15 2025, 4:17 AM
kostajh moved this task from Priority backlog to In progress on the Product Safety and Integrity (Sprint Apfel Strudel (Sep 29 - Oct 17)) board.Oct 15 2025, 11:48 AM
Dreamy_Jazz moved this task from In progress to Needs review on the Product Safety and Integrity (Sprint Apfel Strudel (Sep 29 - Oct 17)) board.Oct 17 2025, 1:41 PM
OKryva-WMF edited projects, added Product Safety and Integrity (Sprint Mint Choc Chip Ice Cream (Oct 20 - Nov 7)); removed Product Safety and Integrity (Sprint Apfel Strudel (Sep 29 - Oct 17)).Oct 20 2025, 2:25 PM
OKryva-WMF moved this task from Backlog to Needs review on the Product Safety and Integrity (Sprint Mint Choc Chip Ice Cream (Oct 20 - Nov 7)) board.Oct 20 2025, 2:26 PM
sguebo_WMF mentioned this in T408358: Update ConfirmEditHandlerTest to use Config parameter in constructor.Oct 27 2025, 3:49 AM
sguebo_WMF added a subtask: T408358: Update ConfirmEditHandlerTest to use Config parameter in constructor.
kostajh claimed this task.Nov 7 2025, 2:54 PM
kostajh added a subscriber: sguebo_WMF.
gerritbot added a comment.Nov 7 2025, 3:05 PM

Change #1203037 had a related patch set uploaded (by Kosta Harlan; author: Kosta Harlan):

[mediawiki/extensions/ConfirmEdit@master] [WIP] Support an "always challenge" SiteKey when shouldForceShowCaptcha is enabled

https://gerrit.wikimedia.org/r/1203037

OKryva-WMF edited projects, added Product Safety and Integrity (Crepes au Chocolat (Sprint Nov 10 - Nov 28)); removed Product Safety and Integrity (Sprint Mint Choc Chip Ice Cream (Oct 20 - Nov 7)).Mon, Nov 10, 12:14 PM
OKryva-WMF moved this task from Backlog to Needs review on the Product Safety and Integrity (Crepes au Chocolat (Sprint Nov 10 - Nov 28)) board.Mon, Nov 10, 12:14 PM
gerritbot added a comment.Mon, Nov 10, 9:03 PM

Change #1203547 had a related patch set uploaded (by Kosta Harlan; author: Kosta Harlan):

[operations/mediawiki-config@master] hCaptcha: Use FancyCaptcha for API edits and page creations

https://gerrit.wikimedia.org/r/1203547

gerritbot added a comment.Tue, Nov 11, 2:51 PM

Change #1203547 merged by jenkins-bot:

[operations/mediawiki-config@master] hCaptcha: Use FancyCaptcha for API edits and page creations

https://gerrit.wikimedia.org/r/1203547

Stashbot mentioned this in T409822: hCaptcha: Disable addurl rule for the editing trial.Tue, Nov 11, 2:52 PM

Mentioned in SAL (#wikimedia-operations) [2025-11-11T14:52:03Z] <kharlan@deploy2002> Started scap sync-world: Backport for [[gerrit:1203547|hCaptcha: Use FancyCaptcha for API edits and page creations (T405595)]], [[gerrit:1203797|hCaptcha: Disable addurl trigger for hCaptcha edits (T409822)]]

Stashbot added a comment.Tue, Nov 11, 2:54 PM

Mentioned in SAL (#wikimedia-operations) [2025-11-11T14:54:47Z] <kharlan@deploy2002> kharlan: Backport for [[gerrit:1203547|hCaptcha: Use FancyCaptcha for API edits and page creations (T405595)]], [[gerrit:1203797|hCaptcha: Disable addurl trigger for hCaptcha edits (T409822)]] synced to the testservers (see https://wikitech.wikimedia.org/wiki/Mwdebug). Changes can now be verified there.

Stashbot added a comment.Tue, Nov 11, 3:04 PM

Mentioned in SAL (#wikimedia-operations) [2025-11-11T15:04:40Z] <kharlan@deploy2002> Finished scap sync-world: Backport for [[gerrit:1203547|hCaptcha: Use FancyCaptcha for API edits and page creations (T405595)]], [[gerrit:1203797|hCaptcha: Disable addurl trigger for hCaptcha edits (T409822)]] (duration: 12m 38s)

kostajh updated Other Assignee, added: Dreamy_Jazz.Wed, Nov 12, 12:50 PM
gerritbot added a comment.Wed, Nov 12, 1:06 PM

Change #1203037 merged by jenkins-bot:

[mediawiki/extensions/ConfirmEdit@master] Support an "always challenge" SiteKey when shouldForceShowCaptcha is enabled

https://gerrit.wikimedia.org/r/1203037

gerritbot added a comment.Wed, Nov 12, 1:41 PM

Change #1204576 had a related patch set uploaded (by Kosta Harlan; author: Kosta Harlan):

[mediawiki/extensions/ConfirmEdit@wmf/1.46.0-wmf.2] Support an "always challenge" SiteKey when shouldForceShowCaptcha is enabled

https://gerrit.wikimedia.org/r/1204576

gerritbot added a comment.Wed, Nov 12, 1:47 PM

Change #1204581 had a related patch set uploaded (by Kosta Harlan; author: Kosta Harlan):

[operations/mediawiki-config@master] hCaptcha: Define configuration for "always challenge" mode

https://gerrit.wikimedia.org/r/1204581

gerritbot added a comment.Wed, Nov 12, 1:51 PM

Change #1204581 merged by jenkins-bot:

[operations/mediawiki-config@master] hCaptcha: Define configuration for "always challenge" mode

https://gerrit.wikimedia.org/r/1204581

gerritbot added a comment.Wed, Nov 12, 2:00 PM

Change #1204576 merged by jenkins-bot:

[mediawiki/extensions/ConfirmEdit@wmf/1.46.0-wmf.2] Support an "always challenge" SiteKey when shouldForceShowCaptcha is enabled

https://gerrit.wikimedia.org/r/1204576

Stashbot added a comment.Wed, Nov 12, 2:01 PM

Mentioned in SAL (#wikimedia-operations) [2025-11-12T14:01:28Z] <kharlan@deploy2002> Started scap sync-world: Backport for [[gerrit:1204367|hCaptcha instrumentation: Log editor_interface for editAttempStep (T409701)]], [[gerrit:1204576|Support an "always challenge" SiteKey when shouldForceShowCaptcha is enabled (T405595)]], [[gerrit:1204581|hCaptcha: Define configuration for "always challenge" mode (T405595)]]

ReleaseTaggerBot added a project: MW-1.46-notes (1.46.0-wmf.3; 2025-11-19).Wed, Nov 12, 2:01 PM
Stashbot mentioned this in T409701: hCaptcha: Log challenge event as "saveFailure" in EditAttemptStep.Wed, Nov 12, 2:01 PM
Stashbot added a comment.Wed, Nov 12, 2:27 PM

Mentioned in SAL (#wikimedia-operations) [2025-11-12T14:27:19Z] <kharlan@deploy2002> kharlan: Backport for [[gerrit:1204367|hCaptcha instrumentation: Log editor_interface for editAttempStep (T409701)]], [[gerrit:1204576|Support an "always challenge" SiteKey when shouldForceShowCaptcha is enabled (T405595)]], [[gerrit:1204581|hCaptcha: Define configuration for "always challenge" mode (T405595)]] synced to the testservers (see https://wikitech.wikimedia.org/wiki/Mwdebug). Changes can

gerritbot added a comment.Wed, Nov 12, 2:29 PM

Change #1204588 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/ConfirmEdit@master] MakeGlobalVariablesScriptHookHandler: Fix hCaptcha site key handling

https://gerrit.wikimedia.org/r/1204588

Stashbot added a comment.Wed, Nov 12, 2:48 PM

Mentioned in SAL (#wikimedia-operations) [2025-11-12T14:48:36Z] <kharlan@deploy2002> Finished scap sync-world: Backport for [[gerrit:1204367|hCaptcha instrumentation: Log editor_interface for editAttempStep (T409701)]], [[gerrit:1204576|Support an "always challenge" SiteKey when shouldForceShowCaptcha is enabled (T405595)]], [[gerrit:1204581|hCaptcha: Define configuration for "always challenge" mode (T405595)]] (duration: 47m 08s)

ReleaseTaggerBot edited projects, added MW-1.46-notes (1.46.0-wmf.2; 2025-11-12); removed MW-1.46-notes (1.46.0-wmf.3; 2025-11-19).Wed, Nov 12, 3:00 PM
gerritbot added a comment.Wed, Nov 12, 3:53 PM

Change #1204618 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/ConfirmEdit@master] Create tests for SimpleCaptcha::confirmEditMerged

https://gerrit.wikimedia.org/r/1204618

gerritbot added a comment.Wed, Nov 12, 4:08 PM

Change #1204588 merged by jenkins-bot:

[mediawiki/extensions/ConfirmEdit@master] MakeGlobalVariablesScriptHookHandler: Fix hCaptcha site key handling

https://gerrit.wikimedia.org/r/1204588

ReleaseTaggerBot edited projects, added MW-1.46-notes (1.46.0-wmf.3; 2025-11-19); removed MW-1.46-notes (1.46.0-wmf.2; 2025-11-12).Wed, Nov 12, 5:00 PM
gerritbot added a comment.Wed, Nov 12, 5:26 PM

Change #1204638 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/ConfirmEdit@master] Show more helpful error message on edit page when hCaptcha forced

https://gerrit.wikimedia.org/r/1204638

gerritbot added a comment.Wed, Nov 12, 6:00 PM

Change #1196204 abandoned by Dreamy Jazz:

[mediawiki/extensions/ConfirmEdit@master] Use FancyCaptcha for AbuseFilter consequence

Reason:

Given that the AbuseFilter hCaptcha consequence patch has been merged, I think we can abandon this now

https://gerrit.wikimedia.org/r/1196204

gerritbot added a comment.Wed, Nov 12, 7:18 PM

Change #1204618 merged by jenkins-bot:

[mediawiki/extensions/ConfirmEdit@master] Create tests for SimpleCaptcha::confirmEditMerged

https://gerrit.wikimedia.org/r/1204618

gerritbot added a comment.Wed, Nov 12, 7:32 PM

Change #1204638 merged by jenkins-bot:

[mediawiki/extensions/ConfirmEdit@master] Show more helpful error message on edit page when hCaptcha forced

https://gerrit.wikimedia.org/r/1204638

Dreamy_Jazz moved this task from Needs review to Needs QA on the Product Safety and Integrity (Crepes au Chocolat (Sprint Nov 10 - Nov 28)) board.Wed, Nov 12, 7:42 PM
Maintenance_bot removed a project: Patch-For-Review.Wed, Nov 12, 8:31 PM
kostajh moved this task from In progress to QA on the WE4.2 Bot detection (WE4.2 hCaptcha editing trial) board.Thu, Nov 13, 9:22 AM
gerritbot added a comment.Thu, Nov 13, 4:39 PM

Change #1204927 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/ConfirmEdit@wmf/1.46.0-wmf.2] MakeGlobalVariablesScriptHookHandler: Fix hCaptcha site key handling

https://gerrit.wikimedia.org/r/1204927

gerritbot added a project: Patch-For-Review.Thu, Nov 13, 4:39 PM
gerritbot added a comment.Thu, Nov 13, 5:08 PM

Change #1204927 merged by jenkins-bot:

[mediawiki/extensions/ConfirmEdit@wmf/1.46.0-wmf.2] MakeGlobalVariablesScriptHookHandler: Fix hCaptcha site key handling

https://gerrit.wikimedia.org/r/1204927

Stashbot added a comment.Thu, Nov 13, 5:16 PM

Mentioned in SAL (#wikimedia-operations) [2025-11-13T17:16:48Z] <dreamyjazz@deploy2002> Started scap sync-world: Backport for [[gerrit:1204927|MakeGlobalVariablesScriptHookHandler: Fix hCaptcha site key handling (T405595)]], [[gerrit:1204855|VisualEditor hCaptcha: Add config to disable onload handling (T409962)]]

Stashbot mentioned this in T409962: hCaptcha VisualEditor: Don't render or load hCaptcha if hCaptcha is not yet enabled for that mode.Thu, Nov 13, 5:16 PM

Mentioned in SAL (#wikimedia-operations) [2025-11-13T17:18:50Z] <dreamyjazz@deploy2002> dreamyjazz, kharlan: Backport for [[gerrit:1204927|MakeGlobalVariablesScriptHookHandler: Fix hCaptcha site key handling (T405595)]], [[gerrit:1204855|VisualEditor hCaptcha: Add config to disable onload handling (T409962)]] synced to the testservers (see https://wikitech.wikimedia.org/wiki/Mwdebug). Changes can now be verified there.

Stashbot added a comment.Thu, Nov 13, 5:25 PM

Mentioned in SAL (#wikimedia-operations) [2025-11-13T17:25:36Z] <dreamyjazz@deploy2002> Finished scap sync-world: Backport for [[gerrit:1204927|MakeGlobalVariablesScriptHookHandler: Fix hCaptcha site key handling (T405595)]], [[gerrit:1204855|VisualEditor hCaptcha: Add config to disable onload handling (T409962)]] (duration: 08m 48s)

Maintenance_bot removed a project: Patch-For-Review.Thu, Nov 13, 5:30 PM
ReleaseTaggerBot edited projects, added MW-1.46-notes (1.46.0-wmf.2; 2025-11-12); removed MW-1.46-notes (1.46.0-wmf.3; 2025-11-19).Thu, Nov 13, 6:00 PM
dom_walden moved this task from Needs QA to Done on the Product Safety and Integrity (Crepes au Chocolat (Sprint Nov 10 - Nov 28)) board.Fri, Nov 14, 2:47 PM
dom_walden subscribed.

I can confirm this happens on testwiki and test2wiki. On submitting an edit which triggers a filter, I see the edit page and submitting again shows the hCaptcha challenge.

kostajh closed this task as Resolved.Fri, Nov 14, 3:37 PM
sguebo_WMF closed subtask T408358: Update ConfirmEditHandlerTest to use Config parameter in constructor as Invalid.Sun, Nov 16, 7:56 AM
hector.arroyo moved this task from QA to Done on the WE4.2 Bot detection (WE4.2 hCaptcha editing trial) board.Thu, Nov 20, 10:14 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits