ArkoseLabs challenge: using password manager browser extension prevents the token input from being populated
When signing in with the ArkoseLabs challenge enabled, using a password manager might cause the ArkoseLabs token input to be populated after the POST request is triggered, causing the sign-in attempt to fail as the backend expects an input that isn't actually there.
Here's how to reproduce this on Google Chrome in the GDK:
- Make sure you have the 1Password Chrome extension installed.
- Checkout the `master` branch.
- Enable the `arkose_labs_login_challenge` feature flag: `echo "Feature.enable(:arkose_labs_login_challenge)" | rails c`
- Expose the `ARKOSE_LABS_PUBLIC_KEY` and restart the GDK in the same terminal:

```shell
export ARKOSE_LABS_PUBLIC_KEY="9F5BDFCD-E895-43B5-8D96-B24E0107B685"
gdk restart
```
- Apply the following patch to bypass the actual token verification step which is not relevant here:
diff --git a/ee/app/services/arkose/user_verification_service.rb b/ee/app/services/arkose/user_verification_service.rb index f531c630675..7a9f25a75bf 100644 --- a/ee/app/services/arkose/user_verification_service.rb +++ b/ee/app/services/arkose/user_verification_service.rb @@ -12,6 +12,7 @@ def initialize(session_token:, user:) end def execute + return true response = Gitlab::HTTP.perform_request(Net::HTTP::Post, arkose_verify_url, body: body).parsed_response logger.info(build_message(response))
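Review bot: the `return true` added at the top of `execute` makes every sign-in pass verification regardless of the token, and the rest of the method becomes unreachable, so this must stay a local reproduction aid and never reach a deployed branch. If a persistent development shortcut is wanted, guard the early return behind an explicit development-only setting instead of an unconditional return.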
  Alternatively, expose the `ARKOSE_LABS_PRIVATE_KEY` variable by using the private development key that can be found in GitLab's 1Password engineering vault.
- Sign out of your running GDK instance.
- Try signing in as your usual user with a wrong password at least twice for your account to be marked as needing a challenge.
- Load the sign-in page again and click on the 1Password icon in the toolbar (do not click on the credentials suggestions right in the form). In the pop-up, click on `Auto fill`.
- Click on the `Sign in` button (do not select any other element in the page before clicking on the button).
- You should see the following error message: `Login failed. Please retry from your primary device and network.`
This issue is due to the fact that we rely on the `onSuppress` callback to re-submit the form once we have initialized the ArkoseLabs challenge. This callback seems to be called too early for the ArkoseLabs token to be actually populated.

The solution is to rely solely on the `onCompleted` callback. At this point, we're guaranteed to have received a token back from ArkoseLabs. We can then wait one tick to make sure the DOM has been updated to populate the `arkose_labs_token` hidden input, and finally re-submit the form.
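The race and the fix described above, modelled as an added example (not GitLab's code): `onSuppress` and `onCompleted` are the Arkose Enforcement callbacks the issue names, while the form, the hidden input and the `nextTick` scheduler are stand-ins so the model runs without a browser.

```javascript
// Added illustration, not GitLab's code: `onSuppress`/`onCompleted` are the Arkose callbacks
// named in the issue; form, hidden input and `nextTick` are stand-ins so this runs in Node.

// Stand-in for the sign-in form and its `arkose_labs_token` hidden input.
function makeForm() {
  const tokenInput = { name: 'arkose_labs_token', value: '' };
  const form = {
    submissions: [],                       // every submit records the token value sent
    submit() { this.submissions.push(tokenInput.value); },
  };
  return { form, tokenInput };
}

// Behaviour the issue describes: re-submit from onSuppress, which fires before
// the hidden input has been populated, so the POST goes out without a token.
function buggyConfig(form, tokenInput) {
  return {
    onSuppress() { form.submit(); },
    onCompleted(response) { tokenInput.value = response.token; },
  };
}

// Fix: ignore onSuppress, populate the input from onCompleted, wait one tick for the
// DOM to reflect it, and only then re-submit (and only if the token is really there).
function fixedConfig(form, tokenInput, nextTick) {
  let submitted = false;
  return {
    onSuppress() { /* token not guaranteed yet: do nothing */ },
    onCompleted(response) {
      tokenInput.value = response.token;
      nextTick(() => {
        if (submitted || !tokenInput.value) return;
        submitted = true;
        form.submit();
      });
    },
  };
}

// Drive the callbacks in the order observed in the issue: onSuppress first, then
// onCompleted with the token. Returns the token values that were actually POSTed.
function simulateSignIn(makeConfig) {
  const { form, tokenInput } = makeForm();
  const nextTick = (fn) => fn();          // synchronous stand-in for Vue.nextTick / setTimeout(fn, 0)
  const config = makeConfig(form, tokenInput, nextTick);
  config.onSuppress();
  config.onCompleted({ token: 'constructed-token-abc123' });  // constructed sample token
  return form.submissions;
}
```

Running `simulateSignIn(buggyConfig)` yields a submission with an empty token, which is exactly the POST the backend rejects; `simulateSignIn(fixedConfig)` submits once, with the token present.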