hCaptcha: Improve support for SiteKey verification
Closed, ResolvedPublic
Actions

Description

Summary

In T410024: ConfirmEdit hCaptcha: Verify sitekey in `siteverify` response was the sitekey given to the client as part of validating the captcha, we implemented code to restrict which SiteKey can be used by a client as part of a request. In doing so, we missed that API creations are using SiteKeys that won't map back to a value returned from getSiteKeyForAction().

Acceptance criteria

Functionality from T410024 remains in place
API account creation and editing is supported in a way that also restricts with SiteKey a request can send

Details

Related Changes in Gerrit:

Subject	Repo	Branch	Lines +/-
hCaptcha: Persist the captcha consequence in the user session	mediawiki/extensions/ConfirmEdit	wmf/1.46.0-wmf.5	+236 -3
hCaptcha: Persist the captcha consequence in the user session	mediawiki/extensions/ConfirmEdit	master	+236 -3
hCaptcha: Clean up `getAllowedSiteKeysForCurrentAction`	mediawiki/extensions/ConfirmEdit	master	+5 -25
hCaptcha: Allow providing a set of valid keys for site verify per action	mediawiki/extensions/ConfirmEdit	wmf/1.46.0-wmf.3	+284 -35
hCaptcha: Define valid SiteKeys for account creation and edit triggers	operations/mediawiki-config	master	+20 -0
hCaptcha: Allow providing a set of valid keys for site verify per action	mediawiki/extensions/ConfirmEdit	master	+284 -35

Customize query in gerrit

Related Objects

Mentioned In: T410863: hCaptcha: SiteKey mismatch error on "always challenge" workflow
Mentioned Here: T410863: hCaptcha: SiteKey mismatch error on "always challenge" workflow
T410024: ConfirmEdit hCaptcha: Verify sitekey in `siteverify` response was the sitekey given to the client as part of validating the captcha

Event Timeline

kostajh created this task.Nov 20 2025, 4:11 PM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 20 2025, 4:11 PM

kostajh triaged this task as High priority.Nov 20 2025, 4:12 PM

kostajh added a project: ConfirmEdit (CAPTCHA extension).

kostajh added a project: Product Safety and Integrity (Crepes au Chocolat (Sprint Nov 10 - Nov 28)).

hector.arroyo changed the task status from Open to In Progress.Nov 21 2025, 1:33 PM

hector.arroyo claimed this task.

hector.arroyo moved this task from Backlog to In progress on the Product Safety and Integrity (Crepes au Chocolat (Sprint Nov 10 - Nov 28)) board.

Change #1208333 had a related patch set uploaded (by Harroyo-wmf; author: Harroyo-wmf):

[mediawiki/extensions/ConfirmEdit@master] hCaptcha: Make site keys specific to the requested action take precedence

https://gerrit.wikimedia.org/r/1208333

gerritbot added a project: Patch-For-Review.Nov 21 2025, 1:36 PM

kostajh moved this task from Backlog to Ready on the WE4.2 Bot detection (WE4.2 hCaptcha editing trial) board.Nov 24 2025, 10:50 AM

Change #1210627 had a related patch set uploaded (by Kosta Harlan; author: Kosta Harlan):

[operations/mediawiki-config@master] hCaptcha: Define list of valid SiteKeys for createaccount trigger

https://gerrit.wikimedia.org/r/1210627

Change #1208333 merged by jenkins-bot:

[mediawiki/extensions/ConfirmEdit@master] hCaptcha: Allow providing a set of valid keys for site verify per action

https://gerrit.wikimedia.org/r/1208333

Change #1210737 had a related patch set uploaded (by Kosta Harlan; author: Harroyo-wmf):

[mediawiki/extensions/ConfirmEdit@wmf/1.46.0-wmf.3] hCaptcha: Allow providing a set of valid keys for site verify per action

https://gerrit.wikimedia.org/r/1210737

Change #1210771 had a related patch set uploaded (by Samuel (WMF); author: Samuel (WMF)):

[mediawiki/extensions/ConfirmEdit@master] hCaptcha: Clean up `getAllowedSiteKeysForCurrentAction`

https://gerrit.wikimedia.org/r/1210771

The main patch (ConfirmEdit #1208333) was reviewed and merged yesterday, a backport (ConfirmEdit #1210737) is scheduled, a patch updating config (mediawiki-config #1210627) exists and a follow-up (ConfirmEdit #1210771) is being reviewed now, so moving this ticket to In Review.

hector.arroyo moved this task from Backlog to Awaiting Code Review on the ConfirmEdit (CAPTCHA extension) board.Nov 25 2025, 9:07 AM

Change #1210627 merged by jenkins-bot:

[operations/mediawiki-config@master] hCaptcha: Define valid SiteKeys for account creation and edit triggers

https://gerrit.wikimedia.org/r/1210627

Change #1210737 merged by jenkins-bot:

[mediawiki/extensions/ConfirmEdit@wmf/1.46.0-wmf.3] hCaptcha: Allow providing a set of valid keys for site verify per action

https://gerrit.wikimedia.org/r/1210737

Mentioned in SAL (#wikimedia-operations) [2025-11-25T09:32:09Z] <kharlan@deploy2002> Started scap sync-world: Backport for [[gerrit:1210627|hCaptcha: Define valid SiteKeys for account creation and edit triggers (T410657)]], [[gerrit:1210737|hCaptcha: Allow providing a set of valid keys for site verify per action (T410657 T410863)]]

Stashbot mentioned this in T410863: hCaptcha: SiteKey mismatch error on "always challenge" workflow.Nov 25 2025, 9:32 AM

Mentioned in SAL (#wikimedia-operations) [2025-11-25T09:36:24Z] <kharlan@deploy2002> kharlan: Backport for [[gerrit:1210627|hCaptcha: Define valid SiteKeys for account creation and edit triggers (T410657)]], [[gerrit:1210737|hCaptcha: Allow providing a set of valid keys for site verify per action (T410657 T410863)]] synced to the testservers (see https://wikitech.wikimedia.org/wiki/Mwdebug). Changes can now be verified there.

Mentioned in SAL (#wikimedia-operations) [2025-11-25T09:43:12Z] <kharlan@deploy2002> Finished scap sync-world: Backport for [[gerrit:1210627|hCaptcha: Define valid SiteKeys for account creation and edit triggers (T410657)]], [[gerrit:1210737|hCaptcha: Allow providing a set of valid keys for site verify per action (T410657 T410863)]] (duration: 11m 03s)

Change #1210771 merged by jenkins-bot:

[mediawiki/extensions/ConfirmEdit@master] hCaptcha: Clean up `getAllowedSiteKeysForCurrentAction`

https://gerrit.wikimedia.org/r/1210771

Maintenance_bot removed a project: Patch-For-Review.Nov 25 2025, 11:31 AM

ReleaseTaggerBot added a project: MW-1.46-notes (1.46.0-wmf.5; 2025-12-02).Nov 25 2025, 12:00 PM

kostajh moved this task from Ready to In progress on the WE4.2 Bot detection (WE4.2 hCaptcha editing trial) board.Nov 25 2025, 12:48 PM

Dreamy_Jazz moved this task from Needs review to In progress on the Product Safety and Integrity (Crepes au Chocolat (Sprint Nov 10 - Nov 28)) board.Nov 26 2025, 12:50 PM

Change #1211668 had a related patch set uploaded (by Harroyo-wmf; author: Harroyo-wmf):

[mediawiki/extensions/ConfirmEdit@master] hcaptcha: Persist the captcha consequence in the user session

https://gerrit.wikimedia.org/r/1211668

gerritbot added a project: Patch-For-Review.Nov 26 2025, 1:13 PM

hector.arroyo moved this task from In progress to Needs review on the Product Safety and Integrity (Crepes au Chocolat (Sprint Nov 10 - Nov 28)) board.Nov 27 2025, 12:40 PM

OKryva-WMF edited projects, added Product Safety and Integrity (Sprint Mince Pie Dec 1 - Dec 12); removed Product Safety and Integrity (Crepes au Chocolat (Sprint Nov 10 - Nov 28)).Dec 1 2025, 9:05 AM

OKryva-WMF moved this task from Backlog to Needs review on the Product Safety and Integrity (Sprint Mince Pie Dec 1 - Dec 12) board.Dec 1 2025, 9:05 AM

As per this comment, we will be adding support for carrying the "always challenge" sitekey into other pages when it is first triggered as the consequence from another, so that if an AbuseFilter first triggers the captcha when editing page A and then the user edits page B wthout solving A's captcha, a new captcha is shown when trying to save page B (i.e. the "Always challenge" key is used on the first load of page B's edit form).

Steps to reproduce:

Make an edit that triggers the AbuseFilter
Navigate to another page, and attempt to make an edit

Ideal behavior: Pressing submit shows the challenge
Actual behavior: The user sees "Please resubmit the form and complete the challenge to save your edit", and after resubmitting, sees the challenge

kostajh moved this task from In progress to Needs review on the Product Safety and Integrity (Sprint Mince Pie Dec 1 - Dec 12) board.Dec 2 2025, 12:50 PM

Dreamy_Jazz moved this task from Needs review to In progress on the Product Safety and Integrity (Sprint Mince Pie Dec 1 - Dec 12) board.Dec 2 2025, 11:48 PM

hector.arroyo moved this task from In progress to Needs review on the Product Safety and Integrity (Sprint Mince Pie Dec 1 - Dec 12) board.Dec 3 2025, 11:57 AM

After recent changes introduced during the code review this is not working anymore: I've been able to send an edit, get redirected to the edit form, and then resubmit the form without actually being asked to solve a captcha (i.e. the "always challenge" key was not there the second time).

hector.arroyo moved this task from Awaiting Code Review to Backlog on the ConfirmEdit (CAPTCHA extension) board.Dec 3 2025, 12:25 PM

In T410657#11427982, @hector.arroyo wrote:

After recent changes introduced during the code review this is not working anymore: I've been able to send an edit, get redirected to the edit form, and then resubmit the form without actually being asked to solve a captcha (i.e. the "always challenge" key was not there the second time).

This was due to a misconfiguration in my local environment, moving back to Review.

(patch is currently in work in progress, so moving back to in progress)

The patch was marked as WiP while addressing things raised during the code review.

Right now, all threads there have been solved, and tests are passing again in Jenkins. Therefore, moving this back to Review.

Change #1211668 merged by jenkins-bot:

[mediawiki/extensions/ConfirmEdit@master] hCaptcha: Persist the captcha consequence in the user session

https://gerrit.wikimedia.org/r/1211668

hector.arroyo moved this task from In progress to QA on the WE4.2 Bot detection (WE4.2 hCaptcha editing trial) board.Dec 4 2025, 5:53 PM

hector.arroyo moved this task from Awaiting Code Review to Feature Requests/Improvements on the ConfirmEdit (CAPTCHA extension) board.

hector.arroyo moved this task from Needs review to Needs QA on the Product Safety and Integrity (Sprint Mince Pie Dec 1 - Dec 12) board.Dec 4 2025, 5:56 PM

ReleaseTaggerBot edited projects, added MW-1.46-notes (1.46.0-wmf.7; 2025-12-16); removed MW-1.46-notes (1.46.0-wmf.5; 2025-12-02).Dec 4 2025, 6:00 PM

Maintenance_bot removed a project: Patch-For-Review.Dec 4 2025, 6:30 PM

Change #1215234 had a related patch set uploaded (by Kosta Harlan; author: Harroyo-wmf):

[mediawiki/extensions/ConfirmEdit@wmf/1.46.0-wmf.5] hCaptcha: Persist the captcha consequence in the user session

https://gerrit.wikimedia.org/r/1215234

gerritbot added a project: Patch-For-Review.Dec 4 2025, 7:02 PM

Change #1215234 merged by jenkins-bot:

[mediawiki/extensions/ConfirmEdit@wmf/1.46.0-wmf.5] hCaptcha: Persist the captcha consequence in the user session

https://gerrit.wikimedia.org/r/1215234

Mentioned in SAL (#wikimedia-operations) [2025-12-04T19:19:00Z] <kharlan@deploy2002> Started scap sync-world: Backport for [[gerrit:1215234|hCaptcha: Persist the captcha consequence in the user session (T410657)]]

Mentioned in SAL (#wikimedia-operations) [2025-12-04T19:21:02Z] <kharlan@deploy2002> kharlan: Backport for [[gerrit:1215234|hCaptcha: Persist the captcha consequence in the user session (T410657)]] synced to the testservers (see https://wikitech.wikimedia.org/wiki/Mwdebug). Changes can now be verified there.

Mentioned in SAL (#wikimedia-operations) [2025-12-04T19:30:15Z] <kharlan@deploy2002> Finished scap sync-world: Backport for [[gerrit:1215234|hCaptcha: Persist the captcha consequence in the user session (T410657)]] (duration: 11m 16s)

Maintenance_bot removed a project: Patch-For-Review.Dec 4 2025, 7:30 PM

ReleaseTaggerBot edited projects, added MW-1.46-notes (1.46.0-wmf.5; 2025-12-02); removed MW-1.46-notes (1.46.0-wmf.7; 2025-12-16).Dec 4 2025, 8:00 PM

EAkinloose moved this task from QA to Done on the WE4.2 Bot detection (WE4.2 hCaptcha editing trial) board.Dec 5 2025, 3:57 PM

hector.arroyo closed this task as Resolved.Dec 5 2025, 6:00 PM

hector.arroyo moved this task from Needs QA to Done on the Product Safety and Integrity (Sprint Mince Pie Dec 1 - Dec 12) board.