feat(clerk-js): Adjust captcha parameter handling for sign ups with Google (#3806) (#3817)

hhsnopek · brkalow · web-flow · commit 9c499ea787af · 2024-07-24T23:51:49.000Z
Co-authored-by: Bryce Kalow &lt;bryce@clerk.dev&gt;
diff --git a/.changeset/rude-wasps-wonder.md b/.changeset/rude-wasps-wonder.md
@@ -0,0 +1,5 @@
+---
+"@clerk/clerk-js": patch
+---
+
+Adjust how we pass captcha tokens to the Clerk API when signing in with Google, Microsoft, and Apple
diff --git a/packages/clerk-js/src/core/resources/SignUp.ts b/packages/clerk-js/src/core/resources/SignUp.ts
@@ -74,7 +74,13 @@ export class SignUp extends BaseResource implements SignUpResource {
     const { captchaSiteKey, canUseCaptcha, captchaURL, captchaWidgetType, captchaProvider, captchaPublicKeyInvisible } =
       retrieveCaptchaInfo(SignUp.clerk);
 
-    if (canUseCaptcha && captchaSiteKey && captchaURL && captchaPublicKeyInvisible) {
+    if (
+      !this.shouldBypassCaptchaForAttempt(params) &&
+      canUseCaptcha &&
+      captchaSiteKey &&
+      captchaURL &&
+      captchaPublicKeyInvisible
+    ) {
       try {
         const { captchaToken, captchaWidgetTypeUsed } = await getCaptchaToken({
           siteKey: captchaSiteKey,
@@ -94,6 +100,10 @@ export class SignUp extends BaseResource implements SignUpResource {
       }
     }
 
+    if (params.transfer && this.shouldBypassCaptchaForAttempt(params)) {
+      paramsWithCaptcha.strategy = SignUp.clerk.client?.signIn.firstFactorVerification.strategy;
+    }
+
     return this._basePost({
       path: this.pathRoot,
       body: normalizeUnsafeMetadata(paramsWithCaptcha),
@@ -324,4 +334,27 @@ export class SignUp extends BaseResource implements SignUpResource {
     }
     return this;
   }
+
+  /**
+   * We delegate bot detection to the following providers, instead of relying on turnstile exclusively
+   */
+  protected shouldBypassCaptchaForAttempt(params: SignUpCreateParams) {
+    if (
+      params.strategy === 'oauth_google' ||
+      params.strategy === 'oauth_microsoft' ||
+      params.strategy === 'oauth_apple'
+    ) {
+      return true;
+    }
+    if (
+      params.transfer &&
+      (SignUp.clerk.client?.signIn.firstFactorVerification.strategy === 'oauth_google' ||
+        SignUp.clerk.client?.signIn.firstFactorVerification.strategy === 'oauth_microsoft' ||
+        SignUp.clerk.client?.signIn.firstFactorVerification.strategy === 'oauth_apple')
+    ) {
+      return true;
+    }
+
+    return false;
+  }
 }

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +"@clerk/clerk-js": patch
 +---
++
 +Adjust how we pass captcha tokens to the Clerk API when signing in with Google, Microsoft, and Apple