[IAMRISK-3010] Added support for auth0_v2 captcha failOpen

[alexkoumarianos-okta]

Changes

Made changes to allow auth0_v2 to handle failOpen by passing a distinct dummy token.

References

https://auth0team.atlassian.net/browse/IAMRISK-3010

Testing

• This change adds unit test coverage
• This change adds integration test coverage
• This change has been tested on the latest version of the platform/language

[frederikprijck]

Can we reuse the code we already have for this, as it seems to be identical apart from two things:

• onerror vs error-callback
• arkose is not doing delete window[callbackName]. Why is that different here?

[alexkoumarianos-okta]

The naming comes directly from the APIs so we can't align them directly. I didn't work on the arkose changes but aside from skipping the delete they also send in the arkose script and I know they handle the callback a bit differently further up in the tree. I will look into it to get some more insight and get back to you!

[frederikprijck]

I didnt mean to align the names. I just mean that it may be possible to reuse the same code. Along the lines of:

if (provider === ARKOSE_PROVIDER || provider === AUTH0_V2_CAPTCHA_PROVIDER) {
  const errorCallbackName = provider === ARKOSE_PROVIDER ? 'onerror' : 'error-callback';
  attributes[errorCallbackName] = () => {
        if (this.state.retryCount < MAX_RETRY) {
          removeScript(scriptUrl);
          loadScript(scriptUrl, attributes);
          this.setState(prevState => ({
            retryCount: prevState.retryCount + 1
          }));
          return;
        }
        removeScript(scriptUrl);
        this.changeHandler('BYPASS_CAPTCHA');
      };
    window[callbackName] = callback;
}

Anyway, not saying you have to make this change. But it felt like it was doing the exact same thing so maybe worth considering but can approve if you believe it makes no sense.

[frederikprijck]

The above doesnt do the delete window[callbackName], so maybe it needs to be added again. But anyway, I just wanted to show what I meant.

[srijonsaha]

See my other comment but we can definitely combine the Arkose & Auth0 V2 error handling here. The attributes here refers to the attributes of the script tag and we're trying to add error handling in the case the script fails to load to the DOM and this is not the same as error-callback param from the provider API which is after the script is loaded and when there are provider API related errors.

[srijonsaha]

Same thing as auth0.js PR (https://github.com/auth0/auth0.js/pull/1382/files#r1433514962). It should be attached to the onerror attribute of the script tag.

[codecov]

Codecov Report

Attention: 1 lines in your changes are missing coverage. Please review.

Comparison is base (51db442) 42.19% compared to head (f6efcd9) 42.35%.

❗ Current head f6efcd9 differs from pull request most recent head 4048dc1. Consider uploading reports for the commit 4048dc1 to get more accurate results

Files	Patch %	Lines
src/field/captcha/third_party_captcha.jsx	87.50%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #2507      +/-   ##
==========================================
+ Coverage   42.19%   42.35%   +0.15%     
==========================================
  Files         120      120              
  Lines        3076     3081       +5     
  Branches      334      335       +1     
==========================================
+ Hits         1298     1305       +7     
+ Misses       1684     1682       -2     
  Partials       94       94              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[TSLarson]

LGTM