clerk · nikosdouvlis · Jan 16, 2025 · Jan 16, 2025
diff --git a/.changeset/healthy-bees-turn.md b/.changeset/healthy-bees-turn.md
@@ -0,0 +1,6 @@
+---
+'@clerk/clerk-js': patch
+'@clerk/types': patch
+---
+
+Skip fraud protection if client has bypass enabled
diff --git a/packages/clerk-js/src/core/auth/CaptchaHeartbeat.ts b/packages/clerk-js/src/core/auth/CaptchaHeartbeat.ts
@@ -22,7 +22,7 @@ export class CaptchaHeartbeat {
   }
 
   private async challengeAndSend() {
-    if (!this.clerk.client) {
+    if (!this.clerk.client || this.clientBypass()) {
       return;
     }
 
@@ -38,6 +38,10 @@ export class CaptchaHeartbeat {
     return !!this.clerk.__unstable__environment?.displayConfig.captchaHeartbeat;
   }
 
+  private clientBypass() {
+    return this.clerk.client?.captchaBypass;
+  }
+
   private intervalInMs() {
     return this.clerk.__unstable__environment?.displayConfig.captchaHeartbeatIntervalMs ?? 10 * 60 * 1000;
   }

diff --git a/packages/clerk-js/src/core/fraudProtection.test.ts b/packages/clerk-js/src/core/fraudProtection.test.ts
@@ -7,11 +7,11 @@ describe('FraudProtectionService', () => {
   let mockClerk: Clerk;
   let mockClient: typeof Client;
   let solveCaptcha: any;
-  let mockManaged: jest.Mock;
+  let mockManagedInModal: jest.Mock;
 
   function MockCaptchaChallenge() {
     // @ts-ignore - we don't need to implement the entire class
-    this.managed = mockManaged;
+    this.managedInModal = mockManagedInModal;
   }
 
   const createCaptchaError = () => {
@@ -22,7 +22,7 @@ describe('FraudProtectionService', () => {
   };
 
   beforeEach(() => {
-    mockManaged = jest.fn().mockResolvedValue(
+    mockManagedInModal = jest.fn().mockResolvedValue(
       new Promise(r => {
         solveCaptcha = r;
       }),
@@ -54,7 +54,7 @@ describe('FraudProtectionService', () => {
     await fn1res;
 
     // only one will need to call the captcha as the other will be blocked
-    expect(mockManaged).toHaveBeenCalledTimes(0);
+    expect(mockManagedInModal).toHaveBeenCalledTimes(0);
     expect(mockClient.getOrCreateInstance().sendCaptchaToken).toHaveBeenCalledTimes(0);
     expect(fn1).toHaveBeenCalledTimes(1);
   });
@@ -67,7 +67,7 @@ describe('FraudProtectionService', () => {
     const fn1 = jest.fn().mockRejectedValueOnce(unrelatedError);
     const fn1res = sut.execute(mockClerk, fn1);
     expect(fn1res).rejects.toEqual(unrelatedError);
-    expect(mockManaged).toHaveBeenCalledTimes(0);
+    expect(mockManagedInModal).toHaveBeenCalledTimes(0);
     expect(mockClient.getOrCreateInstance().sendCaptchaToken).toHaveBeenCalledTimes(0);
     expect(fn1).toHaveBeenCalledTimes(1);
   });
@@ -87,7 +87,7 @@ describe('FraudProtectionService', () => {
     await Promise.all([fn1res, fn2res]);
 
     // only one will need to call the captcha as the other will be blocked
-    expect(mockManaged).toHaveBeenCalledTimes(1);
+    expect(mockManagedInModal).toHaveBeenCalledTimes(1);
     expect(mockClient.getOrCreateInstance().sendCaptchaToken).toHaveBeenCalledTimes(1);
     expect(fn1).toHaveBeenCalledTimes(2);
   });
@@ -107,7 +107,7 @@ describe('FraudProtectionService', () => {
     await Promise.all([fn1res, fn2res]);
 
     // captcha will only be called once
-    expect(mockManaged).toHaveBeenCalledTimes(1);
+    expect(mockManagedInModal).toHaveBeenCalledTimes(1);
     expect(mockClient.getOrCreateInstance().sendCaptchaToken).toHaveBeenCalledTimes(1);
     // but all failed requests will be retried
     expect(fn1).toHaveBeenCalledTimes(2);
@@ -134,7 +134,7 @@ describe('FraudProtectionService', () => {
     solveCaptcha();
     await Promise.all([fn1res, fn2res]);
 
-    expect(mockManaged).toHaveBeenCalledTimes(1);
+    expect(mockManagedInModal).toHaveBeenCalledTimes(1);
     expect(mockClient.getOrCreateInstance().sendCaptchaToken).toHaveBeenCalledTimes(1);
     expect(fn1).toHaveBeenCalledTimes(2);
     expect(fn2).toHaveBeenCalledTimes(1);
@@ -167,7 +167,7 @@ describe('FraudProtectionService', () => {
     // but the other requests will be unblocked and retried
     await Promise.all([fn2res, fn3res]);
 
-    expect(mockManaged).toHaveBeenCalledTimes(1);
+    expect(mockManagedInModal).toHaveBeenCalledTimes(1);
     expect(mockClient.getOrCreateInstance().sendCaptchaToken).toHaveBeenCalledTimes(1);
 
     expect(fn1).toHaveBeenCalledTimes(2);

diff --git a/packages/clerk-js/src/core/fraudProtection.ts b/packages/clerk-js/src/core/fraudProtection.ts
@@ -62,6 +62,6 @@ export class FraudProtection {
   }
 
   public managedChallenge(clerk: Clerk) {
-    return new this.CaptchaChallengeImpl(clerk).managed();
+    return new this.CaptchaChallengeImpl(clerk).managedInModal();
   }
 }
diff --git a/packages/clerk-js/src/core/resources/Client.ts b/packages/clerk-js/src/core/resources/Client.ts
@@ -20,6 +20,7 @@ export class Client extends BaseResource implements ClientResource {
   signUp: SignUpResource = new SignUp();
   signIn: SignInResource = new SignIn();
   lastActiveSessionId: string | null = null;
+  captchaBypass = false;
   cookieExpiresAt: Date | null = null;
   createdAt: Date | null = null;
   updatedAt: Date | null = null;
@@ -116,6 +117,7 @@ export class Client extends BaseResource implements ClientResource {
       this.signUp = new SignUp(data.sign_up);
       this.signIn = new SignIn(data.sign_in);
       this.lastActiveSessionId = data.last_active_session_id;
+      this.captchaBypass = data.captcha_bypass || false;
       this.cookieExpiresAt = data.cookie_expires_at ? unixEpochToDate(data.cookie_expires_at) : null;
       this.createdAt = unixEpochToDate(data.created_at || undefined);
       this.updatedAt = unixEpochToDate(data.updated_at || undefined);
@@ -133,6 +135,7 @@ export class Client extends BaseResource implements ClientResource {
       sign_up: this.signUp.__internal_toSnapshot(),
       sign_in: this.signIn.__internal_toSnapshot(),
       last_active_session_id: this.lastActiveSessionId,
+      captcha_bypass: this.captchaBypass,
       cookie_expires_at: this.cookieExpiresAt ? this.cookieExpiresAt.getTime() : null,
       created_at: this.createdAt?.getTime() ?? null,
       updated_at: this.updatedAt?.getTime() ?? null,

diff --git a/packages/clerk-js/src/core/resources/SignUp.ts b/packages/clerk-js/src/core/resources/SignUp.ts
@@ -34,7 +34,7 @@ import {
   getOKXWalletIdentifier,
   windowNavigate,
 } from '../../utils';
-import { getCaptchaToken, retrieveCaptchaInfo } from '../../utils/captcha';
+import { CaptchaChallenge } from '../../utils/captcha/CaptchaChallenge';
 import { createValidatePassword } from '../../utils/passwords/password';
 import { normalizeUnsafeMetadata } from '../../utils/resourceParams';
 import {
@@ -81,54 +81,25 @@ export class SignUp extends BaseResource implements SignUpResource {
     this.fromJSON(data);
   }
 
-  create = async (params: SignUpCreateParams): Promise<SignUpResource> => {
-    const paramsWithCaptcha: Record<string, unknown> = params;
-
-    if (!__BUILD_DISABLE_RHC__) {
-      const {
-        captchaSiteKey,
-        canUseCaptcha,
-        captchaURL,
-        captchaWidgetType,
-        captchaProvider,
-        captchaPublicKeyInvisible,
-      } = retrieveCaptchaInfo(SignUp.clerk);
-
-      if (
-        !this.shouldBypassCaptchaForAttempt(params) &&
-        canUseCaptcha &&
-        captchaSiteKey &&
-        captchaURL &&
-        captchaPublicKeyInvisible
-      ) {
-        try {
-          const captchaParams = await getCaptchaToken({
-            siteKey: captchaSiteKey,
-            widgetType: captchaWidgetType,
-            invisibleSiteKey: captchaPublicKeyInvisible,
-            scriptUrl: captchaURL,
-            captchaProvider,
-          });
-
-          paramsWithCaptcha.captchaToken = captchaParams.captchaToken;
-          paramsWithCaptcha.captchaWidgetType = captchaParams.captchaWidgetType;
-        } catch (e) {
-          if (e.captchaError) {
-            paramsWithCaptcha.captchaError = e.captchaError;
-          } else {
-            throw new ClerkRuntimeError(e.message, { code: 'captcha_unavailable' });
-          }
-        }
+  create = async (_params: SignUpCreateParams): Promise<SignUpResource> => {
+    let params: Record<string, unknown> = _params;
+
+    if (!__BUILD_DISABLE_RHC__ && !this.clientBypass() && !this.shouldBypassCaptchaForAttempt(params)) {
+      const captchaChallenge = new CaptchaChallenge(SignUp.clerk);
+      const captchaParams = await captchaChallenge.managedOrInvisible();
+      if (!captchaParams) {
+        throw new ClerkRuntimeError('', { code: 'captcha_unavailable' });
       }
+      params = { ...params, ...captchaParams };
     }
 
     if (params.transfer && this.shouldBypassCaptchaForAttempt(params)) {
-      paramsWithCaptcha.strategy = SignUp.clerk.client?.signIn.firstFactorVerification.strategy;
+      params.strategy = SignUp.clerk.client?.signIn.firstFactorVerification.strategy;
     }
 
     return this._basePost({
       path: this.pathRoot,
-      body: normalizeUnsafeMetadata(paramsWithCaptcha),
+      body: normalizeUnsafeMetadata(params),
     });
   };
 
@@ -429,6 +400,10 @@ export class SignUp extends BaseResource implements SignUpResource {
     };
   }
 
+  private clientBypass() {
+    return SignUp.clerk.client?.captchaBypass;
+  }
+
   /**
    * We delegate bot detection to the following providers, instead of relying on turnstile exclusively
    */