Bypass reCAPTCHA for Gitlab QA

Eugie Limpin requested to merge qa-recaptcha-bypass into master

Resolves: https://gitlab.com/gitlab-org/quality/team-tasks/-/issues/1469

What does this MR do and why?

Update the condition that presents reCAPTCHA to check for the presence of an ENV['GITLAB_QA_USER_AGENT'] value. If it is present and the current request's user agent matches its value, the condition returns false. This enables QA tests to bypass reCAPTCHA.

This change affects the following features that use reCAPTCHA when recaptcha_enabled application setting is true:

  • Sign in
    • When the login_recaptcha_protection_enabled setting is true AND (exceeded_failed_login_attempts? || exceeded_anonymous_sessions?)
    • When 'X-GitLab-Show-Login-Captcha' header is set
  • Signup
  • Password reset
  • Resend email confirmation instructions
  • Top-level group creation
    • When recaptcha_on_top_level_group_creation ops feature flag is enabled
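The gate described above, written out as a stand-alone added example (not the MR's own code; GitLab's real helper and setting names differ, so the method names and the Settings struct here are assumptions). It shows the two things a reviewer wants to see checked: an unset or blank GITLAB_QA_USER_AGENT never bypasses, and the user-agent comparison is an exact match rather than a substring test.

```ruby
# Added example modelling the reCAPTCHA condition from this MR. Names are
# assumptions, not GitLab's actual code.

# Mirrors the two application settings named in the MR description.
Settings = Struct.new(:recaptcha_enabled, :login_recaptcha_protection_enabled,
                      keyword_init: true)

# True only when GITLAB_QA_USER_AGENT is set to a non-blank value and the
# request's user agent equals it exactly. `env` is injectable for testing.
def qa_user_agent_bypass?(request_user_agent, env: ENV)
  qa_agent = env['GITLAB_QA_USER_AGENT']
  return false if qa_agent.nil? || qa_agent.strip.empty?

  !request_user_agent.nil? && request_user_agent == qa_agent
end

# Sign-in gate: reCAPTCHA is shown when the setting is on and either the
# login-protection heuristics fire or the explicit header is present,
# unless the request carries the QA bypass user agent.
def show_login_recaptcha?(settings, request_user_agent:, headers: {},
                          exceeded_failed_logins: false,
                          exceeded_anonymous_sessions: false, env: ENV)
  return false unless settings.recaptcha_enabled
  return false if qa_user_agent_bypass?(request_user_agent, env: env)

  heuristic = settings.login_recaptcha_protection_enabled &&
              (exceeded_failed_logins || exceeded_anonymous_sessions)
  heuristic || headers.key?('X-GitLab-Show-Login-Captcha')
end

# Simpler gate for signup, password reset, resend-confirmation and
# top-level group creation: setting on and no QA bypass.
def show_recaptcha?(settings, request_user_agent:, env: ENV)
  settings.recaptcha_enabled &&
    !qa_user_agent_bypass?(request_user_agent, env: env)
end
```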

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

How to set up and validate locally

  1. Take note of your browser user agent

    In Firefox and Chrome you can do this by typing navigator.userAgent in the developer console

  2. Start GDK

  3. Enable recaptcha_enabled application setting and configure reCAPTCHA credentials

    $ rails console
    > ApplicationSetting.first.update(recaptcha_enabled: true)
    => true
    # These are test keys from Google. See https://developers.google.com/recaptcha/docs/faq#id-like-to-run-automated-tests-with-recaptcha.-what-should-i-do
    > ApplicationSetting.first.update(recaptcha_site_key: "6LeIxAcTAAAAAJcZVRqyHh71UMIEGNQ_MXjiZKhI")
    => true
    > ApplicationSetting.first.update(recaptcha_private_key: "6LeIxAcTAAAAAGG-vFI1TnRWxMZNFuojJ4WifJWe")
    => true
  4. Go to the registration page: http://localhost/users/sign_up

  5. Verify that reCAPTCHA is presented

    [Screenshot: Screen_Shot_2022-09-19_at_3.31.10_PM, reCAPTCHA shown on the registration page]
  6. Stop GDK, set GITLAB_QA_USER_AGENT environment variable with the value you took note of in (1), then restart GDK

    $ gdk stop
    # export (not echo) so the variable is in the environment GDK is restarted from
    $ export GITLAB_QA_USER_AGENT="<your browser's user agent>"
    $ gdk restart
  7. Go to the registration page: http://localhost/users/sign_up

  8. Verify that reCAPTCHA is NOT presented

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Eugie Limpin
