Page MenuHomePhabricator
Create Task
Maniphest T421041

hCaptcha challenge not shown when triggering AbuseFilter on Special:CreateAccount
Closed, DeclinedPublicBUG REPORT
Actions

Description

What is the problem?

When submitting Special:CreateAccount, if I trigger an AbuseFilter rule which has the showcaptcha consequence, I am not always shown the hCaptcha challenge. Happens on desktop view and MobileFrontend.

It should always show, possibly after a page reload, unless your user has the skipcaptcha right.

Examples on testwiki

Steps to reproduce problem
  1. As a user without skipcaptcha rights (or while logged out)
  2. https://test.wikipedia.org/wiki/Special:CreateAccount
  3. Create an account with Dwalden in the name (to trigger this AbuseFilter rule)

Expected behaviour: After a page reload(?), the hCaptcha visible challenge is shown.
Observed behaviour: hCaptcha challenge does not always show.

Environment

Browser: Chromium 146.
Wiki(s): https://test.wikipedia.org ConfirmEdit 1.6.0 (0d111fe) 08:41, 23 March 2026. Abuse Filter – (fa617a2) 08:40, 23 March 2026.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
hCaptcha: Provide always challenge sitekey for account creationoperations/mediawiki-configmaster+2 -0
hCaptcha: Resubmit the form if a captcha consequence is triggered on CreateAccountmediawiki/extensions/ConfirmEditmaster+17 -4
Customize query in gerrit

Related Objects

Event Timeline

dom_walden created this task.Mar 24 2026, 9:00 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 24 2026, 9:00 AM
dom_walden updated the task description. (Show Details)Mar 24 2026, 9:02 AM
Dreamy_Jazz edited projects, added Product Safety and Integrity (Sprint lily-of-the-valley (May 4 - May 22)); removed Product Safety and Integrity.Thu, May 14, 4:50 PM
Dreamy_Jazz moved this task from Backlog to Ready on the Product Safety and Integrity (Sprint lily-of-the-valley (May 4 - May 22)) board.Thu, May 14, 10:42 PM
OKryva-WMF edited projects, added Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)); removed Product Safety and Integrity (Sprint lily-of-the-valley (May 4 - May 22)).Mon, May 25, 12:42 PM
OKryva-WMF moved this task from Backlog to Ready on the Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)) board.Mon, May 25, 12:42 PM
hector.arroyo claimed this task.Wed, Jun 3, 8:50 AM
Dreamy_Jazz moved this task from Ready to In progress on the Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)) board.Wed, Jun 3, 10:43 PM
hector.arroyo added a comment.Thu, Jun 4, 10:07 AM

Locally,

  • ✅ Setting $wgCaptchaTriggers['createaccount']=true and having a filer with account_name contains 'AF' as the condition works as expected (it seems to just trigger the normal createaccount action)
  • ❌ Setting $wgCaptchaTriggers['createaccount']=false and having the previous filter fails (it goes back to the form with an "Incorrect or missing CAPTCHA" error). Trying to submit the form the second time shows the captcha, solving it creates the account correctly.

The solution may be to just set the wgHCaptchaTriggerFormSubmission global variable when the filter is triggered (which seems to be explicitly set to false when the page is reloaded due to the AF).

image.png (828×1 px, 490 KB)

Dreamy_Jazz subscribed.EditedThu, Jun 4, 10:12 AM
In T421041#11984534, @hector.arroyo wrote:
  • ❌ Setting $wgCaptchaTriggers['createaccount']=false and having the previous filter fails (it goes back to the form with an "Incorrect or missing CAPTCHA" error). Trying to submit the form the second time shows the captcha, solving it creates the account correctly.

The solution may be to just set the wgHCaptchaTriggerFormSubmission global variable when the filter is triggered (which seems to be explicitly set to false when the page is reloaded due to the AF).

image.png (828×1 px, 490 KB)

I don't see how it would fix testwiki? Testwiki already requires hCaptcha for account creation and the task says its inconsistent not that it never shows

That appears to be a separate issue that probably needs it own task

Dreamy_Jazz added a comment.Thu, Jun 4, 10:14 AM

I wonder if its worth testing whether this is reproducable on testwiki with some of the fixes for the similar issue in the editing interfaces?

hector.arroyo added a comment.Thu, Jun 4, 10:54 AM

Anyway, we can't just re-submit the CreateAccount form automatically since, on page reload, the password field and its confirmation come empty (unless we are ok with writing the user-provided password in the HTML we send back with the error -- probably we shouldn't since the current implementation explicitly avoids doing so; or unless we implement an additional mechanism to temporarily store the user-submitted password in the user session for retrieving it back in SpecialCreateAccount if the field comes empty (which still feels potentially dangerous)).

gerritbot added a comment.Thu, Jun 4, 11:37 AM

Change #1297652 had a related patch set uploaded (by Harroyo-wmf; author: Harroyo-wmf):

[mediawiki/extensions/ConfirmEdit@master] hCaptcha: Resubmit the form if a captcha consequence is triggered on CreateAccount

https://gerrit.wikimedia.org/r/1297652

gerritbot added a project: Patch-For-Review.Thu, Jun 4, 11:37 AM
hector.arroyo removed hector.arroyo as the assignee of this task.Thu, Jun 4, 11:41 AM
hector.arroyo moved this task from In progress to Ready on the Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)) board.
hector.arroyo subscribed.
Dreamy_Jazz added a comment.Thu, Jun 4, 11:42 AM

@hector.arroyo I don't think the bug is showing the challenge without an additional submission? Can we check with Dom what they mean?

dom_walden added a comment.Thu, Jun 4, 12:44 PM
In T421041#11984763, @Dreamy_Jazz wrote:

@hector.arroyo I don't think the bug is showing the challenge without an additional submission? Can we check with Dom what they mean?

Locally, I was able to create a new account which triggered the showcaptcha consequence but did not see an hCaptcha challenge.

I attempted to reproduce on testwiki. I did see a challenge when I first submitted the form, but I am guessing it would have done this anyway, regardless of whether AbuseFilter is triggered.

Dreamy_Jazz added a comment.Thu, Jun 4, 12:53 PM

I would note that production config currently does not have a different sitekey set for the AbuseFilter CAPTCHA

gerritbot added a comment.Thu, Jun 4, 1:28 PM

Change #1297692 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[operations/mediawiki-config@master] hCaptcha: Provide always challenge sitekey for account creation

https://gerrit.wikimedia.org/r/1297692

gerritbot added a comment.Thu, Jun 4, 1:32 PM

Change #1297692 merged by jenkins-bot:

[operations/mediawiki-config@master] hCaptcha: Provide always challenge sitekey for account creation

https://gerrit.wikimedia.org/r/1297692

Stashbot added a comment.Thu, Jun 4, 1:33 PM

Mentioned in SAL (#wikimedia-operations) [2026-06-04T13:33:10Z] <dreamyjazz@deploy1003> Started scap sync-world: Backport for [[gerrit:1297692|hCaptcha: Provide always challenge sitekey for account creation (T421041)]]

Stashbot added a comment.Thu, Jun 4, 1:35 PM

Mentioned in SAL (#wikimedia-operations) [2026-06-04T13:35:12Z] <dreamyjazz@deploy1003> dreamyjazz: Backport for [[gerrit:1297692|hCaptcha: Provide always challenge sitekey for account creation (T421041)]] synced to the testservers (see https://wikitech.wikimedia.org/wiki/Mwdebug). Changes can now be verified there.

Stashbot added a comment.Thu, Jun 4, 1:38 PM

Mentioned in SAL (#wikimedia-operations) [2026-06-04T13:38:36Z] <dreamyjazz@deploy1003> Finished scap sync-world: Backport for [[gerrit:1297692|hCaptcha: Provide always challenge sitekey for account creation (T421041)]] (duration: 05m 27s)

Dreamy_Jazz moved this task from Ready to Needs review on the Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)) board.Thu, Jun 4, 1:44 PM

During testing, I found that the account creation form does not have support for AbuseFilter CAPTCHAs. Additionally the issue raised by Hector above suggests that adding support for these could be counterproductive from a UI standpoint, as a user will need to retype their password when shown the challenge

I would recommend we do not implement the always challenge sitekey support to account creation, given the additional development work needed. The user will still be shown a hCaptcha widget and possibly a challenge if hCaptcha decides the user is risky enough

Dreamy_Jazz moved this task from Needs review to In progress on the Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)) board.Fri, Jun 5, 10:53 AM
Dreamy_Jazz closed this task as Declined.Fri, Jun 5, 11:40 AM

We discussed this internally and decided that we will intentionally not support a "always challenge" CAPTCHA if an account creation matches an AbuseFilter that asks for a CAPTCHA. This is because:

  1. As Hector notes above, this will require changing the form to populate the password for the user on these errors (so that we can automatically resubmit with no further user input to see the AbuseFilter CAPTCHA). However, doing this would likely go against the intended design approach of the form
  2. Before hCaptcha was enabled on WMF wikis all users saw a visual challenge, so there was not a need to have #abusefilters be configured to show a CAPTCHA for account creation
  3. This will likely cause similar issues for account creation on the Wikipedia apps and therefore require updates to support

Therefore, we will formalise not allowing AbuseFilter CAPTCHAs for account creation as the technical effort / design considerations are not worth the benefits

Dreamy_Jazz mentioned this in T428247: hCaptcha: Disallow AbuseFilter CAPTCHAs for account creation.Fri, Jun 5, 11:49 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits