c/zVgsKKuz/172: enabled reCaptcha for the Contact webform

[nsineok]

Checklist before requesting a review

• Subject includes ticket number as [#123] Verb in past tense.
• Ticket number #123 added to description
• Added context in Changed section
• Self-reviewed code and commented in commented complex areas.
• Added tests for fix/feature.
• Relevant tests run and passed locally.

https://trello.com/c/zVgsKKuz/172-reusable-contact-us-form

Changed

1. Installed the reCaptcha v3 contrib module.
2. Installed the Image Captcha submodule.
3. Added the web/sites/default/includes/modules/settings.captcha.php file where captcha is disabled for the Local and CI environments.
4. Added credentials to the Captcha settings.
5. Added Captcha settings for the Contact webform.
6. Modified the phpUnit test for accepting disabled captcha settings in the settings.*.php file
7. Added recaptcha URLs to the CSP setting (Security Kit module)

Screenshots

Summary by CodeRabbit

Summary by CodeRabbit

• New Features
  • Introduced CAPTCHA and reCAPTCHA v3 modules and configurations for enhanced form protection.
  • Enabled reCAPTCHA v3 on the contact webform.
  • Added environment variable support for reCAPTCHA v3 credentials.
• Configuration
  • Added default CAPTCHA settings for multiple forms, initially disabled.
  • Updated security settings to allow required Google reCAPTCHA domains.
• Chores
  • Updated Docker and environment settings for easier credential management.
• Tests
  • Improved test coverage for CAPTCHA disabling in local and CI environments.

[coderabbitai]

Walkthrough

The changes introduce reCAPTCHA v3 integration and CAPTCHA configuration to a Drupal-based project. This includes updating dependencies, enabling the necessary modules, and providing default configuration files for CAPTCHA and reCAPTCHA v3 on various forms. Environment-specific settings for CAPTCHA disabling and reCAPTCHA credentials are introduced, with corresponding updates to environment variables and automated tests. Security settings are adjusted to permit Google reCAPTCHA domains, and Docker Compose is updated to support the new environment variables. No changes are made to exported or public code entities; all changes are either configuration or test updates.

Changes

File(s)	Change Summary
composer.json	Added drupal/recaptcha_v3 dependency with version constraint ^2.0.
config/default/captcha.settings.yml	Added default CAPTCHA settings configuration file, globally disabling CAPTCHA by default and setting challenge type and messages.
config/default/captcha.captcha_point.*.yml (contact_message_personal_form, node_civictheme_alert_form, node_civictheme_event_form, node_civictheme_page_form, user_login_form, user_pass, user_register_form)	Added new CAPTCHA configuration files for various forms with default CAPTCHA type, all disabled by default.
config/default/captcha.captcha_point.webform_submission_contact_form.yml	Added CAPTCHA configuration enabling reCAPTCHA v3 on the webform contact form.
config/default/recaptcha_v3.recaptcha_v3_action.recaptcha3.yml	Added reCAPTCHA v3 action configuration with threshold and default challenge.
config/default/recaptcha_v3.settings.yml	Added default reCAPTCHA v3 settings including site key, secret key, badge visibility, hostname verification, and error messages.
config/default/core.extension.yml	Enabled captcha and recaptcha_v3 modules in the Drupal core extension configuration.
config/default/seckit.settings.yml	Updated Content Security Policy to allow scripts, frames, and connections from Google reCAPTCHA and Google domains.
web/sites/default/includes/modules/settings.captcha.php	Added settings file to disable CAPTCHA in CI/local environments and set reCAPTCHA v3 credentials from environment variables.
docker-compose.yml	Added DRUPAL_RECAPTCHA_SITE_KEY and DRUPAL_RECAPTCHA_SECRET_KEY environment variables to the default environment configuration.
tests/phpunit/Drupal/EnvironmentSettingsTest.php	Updated tests to assert that CAPTCHA is disabled in CI and local environments.
tests/behat/features/seckit.feature	Updated security header test to expect additional Google reCAPTCHA domains in Content-Security-Policy directives.
web/autoload.php	Updated docblock comments; no code or logic changes.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant Webform
    participant CAPTCHA Module
    participant reCAPTCHA v3 Module
    participant Drupal Config

    User ->> Webform: Submits contact form
    Webform ->> CAPTCHA Module: Request CAPTCHA challenge (per config)
    CAPTCHA Module ->> Drupal Config: Check form-specific CAPTCHA config
    alt reCAPTCHA v3 enabled
        CAPTCHA Module ->> reCAPTCHA v3 Module: Initiate reCAPTCHA v3 challenge
        reCAPTCHA v3 Module ->> User: Display reCAPTCHA v3 widget
        User ->> reCAPTCHA v3 Module: Complete challenge
        reCAPTCHA v3 Module ->> CAPTCHA Module: Return verification result
    else Default CAPTCHA
        CAPTCHA Module ->> User: Display default CAPTCHA challenge
        User ->> CAPTCHA Module: Submit response
        CAPTCHA Module ->> CAPTCHA Module: Validate response
    end
    CAPTCHA Module ->> Webform: Return validation result
    Webform ->> User: Show success or error message

Loading

sequenceDiagram
    participant CI/Local Environment
    participant Drupal Settings Loader
    participant CAPTCHA Module

    CI/Local Environment ->> Drupal Settings Loader: Load settings.captcha.php
    Drupal Settings Loader ->> CAPTCHA Module: Set disable_captcha = TRUE
    CAPTCHA Module -->> All Forms: CAPTCHA checks bypassed

Loading

---

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: ASSERTIVE
Plan: Lite

📥 Commits

Reviewing files that changed from the base of the PR and between 0ea881c and 9216b66.

📒 Files selected for processing (2)

• config/default/seckit.settings.yml (1 hunks)
• tests/behat/features/seckit.feature (1 hunks)

🔇 Additional comments (5)

tests/behat/features/seckit.feature (2)

11-11: Approve updated connect-src CSP test
The test assertion correctly includes the new reCaptcha domains and uses single spacing without extra whitespace.

---

17-17: Approve updated script-src CSP test
The test assertion now properly includes the reCaptcha domains and maintains consistent spacing.

config/default/seckit.settings.yml (3)

9-9: Approve addition of reCaptcha domains to script-src
The script-src directive has been updated to allow the required reCaptcha endpoints. Whitespace and quoting appear consistent.

---

14-14: Approve addition of reCaptcha domains to frame-src
The frame-src directive now whitelists https://www.recaptcha.net and https://www.google.com, aligning with the integration.

---

18-18: Approve addition of reCaptcha domains to connect-src
The connect-src directive correctly includes the new reCaptcha sources without any extra spacing.

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 10

📜 Review details

Configuration used: CodeRabbit UI
Review profile: ASSERTIVE
Plan: Lite

📥 Commits

Reviewing files that changed from the base of the PR and between 36a95d7 and 3221589.

⛔ Files ignored due to path filters (1)

• composer.lock is excluded by !**/*.lock

📒 Files selected for processing (15)

• composer.json (1 hunks)
• config/default/captcha.captcha_point.contact_message_personal_form.yml (1 hunks)
• config/default/captcha.captcha_point.node_civictheme_alert_form.yml (1 hunks)
• config/default/captcha.captcha_point.node_civictheme_event_form.yml (1 hunks)
• config/default/captcha.captcha_point.node_civictheme_page_form.yml (1 hunks)
• config/default/captcha.captcha_point.user_login_form.yml (1 hunks)
• config/default/captcha.captcha_point.user_pass.yml (1 hunks)
• config/default/captcha.captcha_point.user_register_form.yml (1 hunks)
• config/default/captcha.captcha_point.webform_submission_contact_add_form.yml (1 hunks)
• config/default/captcha.settings.yml (1 hunks)
• config/default/core.extension.yml (3 hunks)
• config/default/image_captcha.settings.yml (1 hunks)
• config/default/recaptcha_v3.settings.yml (1 hunks)
• web/autoload.php (1 hunks)
• web/sites/default/includes/modules/settings.captcha.php (1 hunks)

🔇 Additional comments (11)

composer.json (1)

26-26:

Details

❓ Verification inconclusive

Verify recaptcha_v3 version and compatibility.

The new requirement "drupal/recaptcha_v3": "^2.0" aligns with the integration of reCAPTCHA v3, but please confirm that version 2.x supports Drupal 11 and is available on Packagist.

You can run a quick check against Packagist:

---

🏁 Script executed:

curl -s https://repo.packagist.org/p2/drupal/recaptcha_v3.json | jq '.[].versions | keys'

Length of output: 161

---

🏁 Script executed:

#!/bin/bash
# Check for composer repositories block
grep -R '"repositories"' -n composer.json || echo "No 'repositories' key found in composer.json"
# Check for Drupal packages repository entry
grep -R 'packages\.drupal\.org' -n composer.json || echo "No Drupal repository (packages.drupal.org) found in composer.json"

Length of output: 173

---

Verify drupal/recaptcha_v3 v2.x availability & Drupal 11 compatibility
The drupal/recaptcha_v3 package is hosted on the Drupal composer repository (https://packages.drupal.org/8), not packagist.org, so your Packagist API check returned 404. Please confirm that version 2.x of this module is published there and supports Drupal 11.

• Location: composer.json, line 26
• Verification options:

composer show drupal/recaptcha_v3 --all | grep versions

or

curl -s https://updates.drupal.org/release-history/recaptcha_v3/8.x-2.x

or review the release list at:
https://www.drupal.org/project/recaptcha_v3/releases

web/autoload.php (1)

7-7: Confirm updated scaffold attribution.

The docblock line was simplified to “This file was generated by drupal-scaffold.”. The change is purely cosmetic, and core autoload behavior remains unchanged.

config/default/core.extension.yml (3)

11-11: Enable Captcha module
The captcha module has been correctly added to the core.extension.yml under module: with weight 0, following alphabetical ordering.

---

42-42: Enable Image Captcha submodule
The image_captcha module is correctly listed alphabetically and enabled to support image-based CAPTCHA.

---

66-66:

Details

✅ Verification successful

Enable reCAPTCHA v3 module and verify Composer dependency
The recaptcha_v3 module has been added with weight 0. Ensure that the corresponding Composer dependency (drupal/recaptcha_v3) is declared so the module is available.

---

🏁 Script executed:

#!/bin/bash
# Verify that drupal/recaptcha_v3 is present in composer.json
rg -n '"drupal/recaptcha_v3"' composer.json

Length of output: 87

---

Composer dependency for reCAPTCHA v3 verified
Found "drupal/recaptcha_v3": "^2.0" in composer.json (line 26). No further action required.

config/default/captcha.captcha_point.contact_message_personal_form.yml (1)

1-10: Correct default Captcha point configuration
The file properly defines the CAPTCHA point for contact_message_personal_form with a unique UUID, English language, default type, and disabled status, including the _core block.

config/default/captcha.captcha_point.user_pass.yml (1)

1-10: Correct default Captcha point for user_pass form
This configuration is consistent with other CAPTCHA point files: it includes a unique UUID, _core default_config_hash, English language, default captcha type, and is disabled by default.

config/default/captcha.captcha_point.user_register_form.yml (1)

1-9: Approve new CAPTCHA point for user registration form
The configuration correctly adds a disabled (status: false) CAPTCHA point for user_register_form, aligning with the plan to enable only the contact form by default.

config/default/captcha.captcha_point.user_login_form.yml (1)

1-9: Approve new CAPTCHA point for user login form
This adds a disabled (status: false) CAPTCHA for the user_login_form, consistent with the intended rollout of CAPTCHA only on selected forms initially.

config/default/captcha.settings.yml (1)

11-11: Verify whitelist_ips type
The whitelist_ips key is set to an empty string. If the schema expects a list of IP addresses, this should be an empty array ([]). Please confirm the expected type and adjust accordingly to avoid runtime errors.

config/default/image_captcha.settings.yml (1)

5-15: Verify font URI paths
The uri fields use relative paths under modules/contrib. Consider using a Drupal stream wrapper (e.g., module://image_captcha/fonts/...) or validate that these paths remain correct in all environments.

[coderabbitai]

⚠️ Potential issue

Missing _core default_config_hash section
The _core section containing default_config_hash is absent. Add it to ensure Drupal can track and import this configuration correctly.

Include:

_core:
  default_config_hash: <generated_hash>

[coderabbitai]

🧹 Nitpick (assertive)

Unify boolean/integer settings
Flags like image_captcha_rtl_support, image_captcha_bilinear_interpolation, image_captcha_dot_noise, and image_captcha_line_noise use integer values (0). For clarity, consider using boolean (false) if supported, or document that these fields accept numeric levels.

[coderabbitai]

Actionable comments posted: 4

♻️ Duplicate comments (1)

web/sites/default/includes/modules/settings.captcha.php (1)

10-12: Guard against undefined environment setting and simplify condition.

Accessing $settings['environment'] without checking may trigger notices if the key is missing. Consider updating to:

-if ($settings['environment'] == ENVIRONMENT_CI || $settings['environment'] == ENVIRONMENT_LOCAL) {
-  $settings['disable_captcha'] = TRUE;
-}
+if (!empty($settings['environment']) && in_array($settings['environment'], [ENVIRONMENT_CI, ENVIRONMENT_LOCAL], true)) {
+  $settings['disable_captcha'] = TRUE;
+}

This avoids undefined index notices and uses strict comparison.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: ASSERTIVE
Plan: Lite

📥 Commits

Reviewing files that changed from the base of the PR and between 06a3018 and b4ab3df.

📒 Files selected for processing (8)

• config/default/captcha.captcha_point.webform_submission_contact_form.yml (1 hunks)
• config/default/captcha.settings.yml (1 hunks)
• config/default/core.extension.yml (2 hunks)
• config/default/recaptcha_v3.recaptcha_v3_action.recaptcha3.yml (1 hunks)
• config/default/recaptcha_v3.settings.yml (1 hunks)
• config/default/seckit.settings.yml (1 hunks)
• docker-compose.yml (1 hunks)
• web/sites/default/includes/modules/settings.captcha.php (1 hunks)

🔇 Additional comments (5)

config/default/core.extension.yml (1)

11-11: Module additions look good!

The addition of captcha and recaptcha_v3 modules with weight 0 properly enables the required functionality for the Contact webform reCaptcha integration.

Also applies to: 65-65

docker-compose.yml (1)

68-70: reCaptcha environment variables look good!

The environment variables for reCaptcha v3 credentials are correctly added with sensible defaults (empty strings). This supports the credentials configuration in settings.captcha.php.

config/default/recaptcha_v3.recaptcha_v3_action.recaptcha3.yml (1)

1-8:

Details

✅ Verification successful

Verify reCaptcha v3 threshold value.

The configuration looks good overall. The threshold value is set to 0.5, which is a middle ground for the reCaptcha v3 score (0.0 to 1.0). Depending on your security needs, you might want to adjust this:

• Higher values (e.g., 0.7) create stricter checks but may increase false positives
• Lower values (e.g., 0.3) are more lenient but may allow more spam

Consider whether 0.5 is appropriate for your use case and security requirements.

---

🌐 Web query:

What is the recommended threshold value for reCaptcha v3?

💡 Result:

The recommended threshold value for reCAPTCHA v3 is 0.5, which is the default setting established by Google for this verification system[1][4]. This threshold represents a middle ground on the scoring scale that ranges from 0.0 (most likely a bot) to 1.0 (definitely human)[3][5].

Understanding reCAPTCHA v3 Thresholds

reCAPTCHA v3 works by analyzing user interactions with your site and assigning a score that reflects the probability of the user being human versus an automated bot. The system operates invisibly in the background without interrupting the user experience[3].

Score Interpretation

• Higher scores (closer to 1.0): Indicate a high probability of genuine human interaction. These users are typically considered legitimate and can proceed without additional verification[5].
• Lower scores (closer to 0.0): Suggest possible bot activity. These users might require additional verification steps to confirm their legitimacy[5][6].

Finding the Right Threshold

While 0.5 is the recommended starting point, the ideal threshold may vary depending on your specific needs:

• Google officially states that "by default, you can use a threshold of 0.5" as a safe starting value[1].
• Over time, you can adjust this threshold based on reviewing traffic patterns in your reCAPTCHA logs or the Google reCAPTCHA admin console.
• Some website owners report needing to lower the threshold (to values like 0.2 or 0.3) to prevent legitimate users from being blocked, while others may need to raise it to better filter out spam[2].

Practical Considerations

Setting the threshold involves balancing security against user experience:

• Too high a threshold may block legitimate users, causing frustration and potentially lost customers[2].
• Too low a threshold may allow spam and bot traffic to pass through your protections[2].

Some site owners report that a significant percentage of valid users might receive scores as low as 0.0, which would require them to complete additional verification steps if the threshold is set too high[7].

If you're experiencing frequent false positives (legitimate users being identified as bots), you might need to adjust your threshold downward. Conversely, if you're seeing increased spam activity, you might need to increase the threshold[2][6].

Citations:

• 1: https://developers.google.com/recaptcha/docs/v3
• 2: https://www.nopcommerce.com/en/boards/topic/96121/recaptcha-v3-score-threshold-issue
• 3: https://www.capsolver.com/blog/reCAPTCHA/recaptcha-v3-solver-human-score
• 4: https://www.tendenci.com/help-files/how-use-google-recaptcha-tendenci-site/
• 5: https://formspree.io/blog/recaptcha-3/
• 6: https://friendlycaptcha.com/insights/recaptcha-v3/
• 7: https://wordpress.org/support/topic/many-valid-users-get-recaptcha-score-of-0-0/
• 8: https://www.drupal.org/project/recaptcha_v3/issues/3132056

---

Threshold value confirmed: 0.5 is the recommended default

The reCAPTCHA v3 threshold is correctly set to 0.5, which aligns with Google’s official recommendation. No changes are required at this time. Continue to monitor your reCAPTCHA traffic in the admin console and adjust the threshold as needed to balance security and user experience.

File requiring no changes:

• config/default/recaptcha_v3.recaptcha_v3_action.recaptcha3.yml (Lines 1–8)

config/default/captcha.captcha_point.webform_submission_contact_form.yml (1)

1-8: Enable reCAPTCHA v3 on Contact webform
The configuration correctly sets captchaType: recaptcha_v3/recaptcha3 with status: true for webform_submission_contact_form.
Please verify that the formId (webform_submission_contact_form) exactly matches the machine name of your Contact webform to avoid import/runtime mismatches.

config/default/recaptcha_v3.settings.yml (1)

3-4: Document environment-based credential injection
site_key and secret_key are intentionally left blank here. Ensure these are populated via your environment-specific settings (e.g., settings.captcha.php or Drupal’s config override) prior to deploying to production.

[coderabbitai]

🧹 Nitpick (assertive)

Consider setting default values for empty credentials.

The implementation correctly checks if environment variables exist before setting the credentials, but the module might expect these keys to always be present in the configuration. Consider setting default empty values even when environment variables are not defined:

 if (!empty(getenv('DRUPAL_RECAPTCHA_SITE_KEY')) && !empty(getenv('DRUPAL_RECAPTCHA_SECRET_KEY'))) {
   $config['recaptcha_v3.settings']['site_key'] = getenv('DRUPAL_RECAPTCHA_SITE_KEY');
   $config['recaptcha_v3.settings']['secret_key'] = getenv('DRUPAL_RECAPTCHA_SECRET_KEY');
+} else {
+  $config['recaptcha_v3.settings']['site_key'] = '';
+  $config['recaptcha_v3.settings']['secret_key'] = '';
 }

This ensures the settings are always present in the configuration.

[coderabbitai]

🛠️ Refactor suggestion

⚠️ Potential issue

Fix default_challenge path separator
The default_challenge notation should use a forward slash (/) instead of a backslash.

Apply this patch:

-default_challenge: captcha\Math
+default_challenge: captcha/Math

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	default_challenge: captcha\Math
	default_challenge: captcha/Math

[coderabbitai]

🧹 Nitpick (assertive)

Unify boolean and integer representations
Fields like enable_globally, default_validation, and persistence mix integers (0/1) with booleans (false/true). For consistency, convert them to boolean literals:

-enable_globally: 0
+enable_globally: false

-default_validation: 1
+default_validation: true

-persistence: 1
+persistence: true

Also applies to: 13-14

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI
Review profile: ASSERTIVE
Plan: Lite

📥 Commits

Reviewing files that changed from the base of the PR and between b4ab3df and 58ed87d.

📒 Files selected for processing (1)

• tests/behat/features/seckit.feature (1 hunks)

🔇 Additional comments (1)

tests/behat/features/seckit.feature (1)

11-11: Extend connect-src to include reCAPTCHA domains
The updated test now correctly asserts that the connect-src directive contains both https://www.recaptcha.net and https://www.google.com. This aligns with your CSP configuration changes.