reCAPTCHA #1647
reCAPTCHA #1647
Conversation
|
Well I haven't tested this yet at all, but maybe you can take a look. |
|
❌ Migration check failed. Check the workflow run for details. |
|
@mwvolo this should be ready for review, though there are still some flaky feature specs |
There was a problem hiding this comment.
Pull Request Overview
Adds Google reCAPTCHA to the new Sign-up flows and removes legacy signup controllers, views, and routes.
- Introduces
recaptchagem configuration, view helpers, and verification in signup controllers - Injects reCAPTCHA widgets into student and educator signup/change-email forms
- Cleans up legacy signup code and updates feature specs to use Capybara’s
have_current_pathmatcher
Reviewed Changes
Copilot reviewed 32 out of 34 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| config/secrets.yml | Adds recaptcha.site_key and secret_key entries |
| config/initializers/recaptcha.rb | Configures Recaptcha gem, stub behavior for non-prod |
| app/controllers/newflow/signup_controller.rb | Includes RecaptchaController helper |
| app/controllers/newflow/student_signup_controller.rb | Adds verify_recaptcha_with_fallback around signup |
| app/controllers/newflow/educator_signup_controller.rb | Adds verify_recaptcha_with_fallback around signup |
| app/views/newflow/**/*_signup_form.html.erb | Injects <%= recaptcha_with_disclaimer_and_fallback %> |
| app/views/newflow/signup/_change_signup_email_form_template… | Injects recaptcha into email-change form |
| config/routes.rb | Removes legacy signup routes |
| app/views/legacy/signup/** and app/controllers/legacy/**/* | Entire legacy signup flow removed |
| spec/**/*.rb | Replaces expect(page.current_path) with have_current_path and related matcher updates |
Comments suppressed due to low confidence (2)
config/initializers/recaptcha.rb:47
- No existing feature specs cover the fallback case when reCAPTCHA verification fails (i.e.
force_recaptcha_failureis true). Consider adding an integration test that injectsforce_recaptcha_failure: 'true'to verify that the form re-renders with the failure message.
force_recaptcha_failure = params[:force_recaptcha_failure] == 'true'
README.md:167
- [nitpick] It would be helpful to document how to configure the new reCAPTCHA keys (e.g.
RECAPTCHA_SITE_KEYandRECAPTCHA_SECRET_KEYenvironment variables) in the README under a new "reCAPTCHA Configuration" section.
The most straightforward way to sign up is by visiting the `newflow_signup_path` without any parameters in the URL and without any state in the session.
| render :student_signup_form | ||
| } | ||
| ) | ||
| if verify_recaptcha_with_fallback |
There was a problem hiding this comment.
[nitpick] The if verify_recaptcha_with_fallback ... else blocks in both StudentSignupController and EducatorSignupController duplicate the rendering logic. Consider extracting the recaptcha check into a shared before_action or method to DRY up these controllers.
| def student_signup | |
| handle_with( | |
| StudentSignup::SignupForm, | |
| contracts_required: !contracts_not_required, | |
| client_app: get_client_app, | |
| success: lambda { | |
| user = @handler_result.outputs.user | |
| save_unverified_user(user.id) | |
| security_log(:student_signed_up, { user: user }) | |
| log_posthog(user, "student_started_signup") | |
| redirect_to student_email_verification_form_path | |
| }, | |
| failure: lambda { | |
| email = @handler_result.outputs.email | |
| error_codes = @handler_result.errors.map(&:code) | |
| security_log(:student_sign_up_failed, { reason: error_codes, email: email }) | |
| render :student_signup_form | |
| } | |
| ) | |
| if verify_recaptcha_with_fallback | |
| private | |
| def handle_recaptcha_failure(failure_view) | |
| if verify_recaptcha_with_fallback | |
| yield | |
| else | |
| instance_variable_set(:@email, unverified_user.email_addresses.first.value) if failure_view == :student_change_signup_email_form | |
| render failure_view | |
| end | |
| end | |
| def student_signup | |
| handle_recaptcha_failure(:student_signup_form) do |
| def maybe_skip_to_sign_up | ||
| if %w{signup student_signup}.include?(params[:go]) | ||
| redirect_to signup_path(set_param_to_permit_legacy_flow) | ||
| redirect_to newflow_signup_path |
There was a problem hiding this comment.
do we still use this? I think this was a Tutor thing
There was a problem hiding this comment.
we can maybe remove this then
There was a problem hiding this comment.
I saw you message asking about this, but I'm going to go ahead and merge this to unblock Roy's PRs.
We can open another one to clean up remaining legacy stuff.
| def password; end | ||
| def social; end | ||
|
|
||
| def profile |
There was a problem hiding this comment.
is stuff staying here for specs / making migration easier? I don't think (hope) this profile method isn't called.
There was a problem hiding this comment.
It's called somewhere but all it does is redirect
There was a problem hiding this comment.
Nvm I got that wrong, it doesn't just redirect. It's called from here:
There was a problem hiding this comment.
also this newflow test expects to reach it: https://github.com/openstax/accounts/blob/main/spec/features/newflow/student_login_flow_spec.rb#L54
mwvolo
left a comment
mwvolo
left a comment
There was a problem hiding this comment.
looks good to me, asked a few questions, but not blocking merge
Uh oh!
There was an error while loading. Please reload this page.