Guard ArkoseLabs challenge behind a header check

This replicates reCAPTCHA's header check so that ArkoseLabs only shows up when the `X-GitLab-Show-Login-Captcha` header is set. This should ensure that we don't challenge automated QA users.

Guard ArkoseLabs challenge behind a header check
This replicates reCAPTCHA's header check so that ArkoseLabs only shows up when the `X-GitLab-Show-Login-Captcha` header is set. This should ensure that we don't challenge automated QA users.
09c4a2b9 · Paul Gascou-Vaillancourt · Paul Gascou-Vaillancourt · ffcd1d69 · 09c4a2b9 · 09c4a2b9
Commit 09c4a2b9 authored Mar 29, 2022 by Paul Gascou-Vaillancourt Committed by Paul Gascou-Vaillancourt Mar 30, 2022
4 changed files
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -39,7 +39,7 @@ class SessionsController < Devise::SessionsController
  after_action :log_failed_login, if: :action_new_and_failed_login?
  after_action :verify_known_sign_in, only: [:create]

-  helper_method :captcha_enabled?, :captcha_on_login_required?
+  helper_method :captcha_enabled?, :captcha_on_login_required?, :arkose_labs_enabled?

  # protect_from_forgery is already prepended in ApplicationController but
  # authenticate_with_two_factor which signs in the user is prepended before
@@ -111,6 +111,10 @@ class SessionsController < Devise::SessionsController
    Gitlab::Recaptcha.enabled_on_login? && unverified_anonymous_user?
  end

+  def arkose_labs_enabled?
+    false
+  end
+
  # From https://github.com/plataformatec/devise/wiki/How-To:-Use-Recaptcha-with-Devise#devisepasswordscontroller
  def check_captcha
    return unless user_params[:password].present?

--- a/app/views/devise/sessions/_new_base.html.haml
+++ b/app/views/devise/sessions/_new_base.html.haml
@@ -16,7 +16,7 @@
        - else
          = link_to _('Forgot your password?'), new_password_path(:user)
    %div
-    - if Feature.enabled?(:arkose_labs_login_challenge)
+    - if arkose_labs_enabled?
      = render_if_exists 'devise/sessions/arkose_labs'
    - elsif captcha_enabled? || captcha_on_login_required?
      = recaptcha_tags nonce: content_security_policy_nonce

--- a/ee/app/controllers/ee/sessions_controller.rb
+++ b/ee/app/controllers/ee/sessions_controller.rb
@@ -79,6 +79,11 @@ module EE
      super
    end

+    override :arkose_labs_enabled?
+    def arkose_labs_enabled?
+      ::Feature.enabled?(:arkose_labs_login_challenge, default_enabled: :yaml) && request.headers[::SessionsController::CAPTCHA_HEADER]
+    end
+
    override :check_captcha
    def check_captcha
      if ::Feature.enabled?(:arkose_labs_login_challenge, default_enabled: :yaml)

--- a/spec/frontend/fixtures/sessions.rb
+++ b/spec/frontend/fixtures/sessions.rb
@@ -12,6 +12,7 @@ RSpec.describe 'Sessions (JavaScript fixtures)' do

    before do
      set_devise_mapping(context: @request)
+      allow(controller).to receive(:arkose_labs_enabled?).and_return(true)
    end

    it 'sessions/new.html' do