Page MenuHomePhabricator
Create Task
Maniphest T426056

hCaptcha: SiteVerify responses with 'already-seen-response' during standard editing flow
Open, Needs TriagePublic
Actions

Description

Summary

It seems that somehow a fresh hCaptcha response token is being considered by the siteverify API as already seen but only in reproducible situations. It seems there is some kind of race condition that causes the hCaptcha token to be verified twice

Background

  • All such logs are at https://logstash.wikimedia.org/goto/388a342650ad79d8087bad1e0fd94390
    • Some of these may be expected, which happens if a user makes more than one API request with the same hCaptcha token (as it can only be used once)
    • However, not all of these are that and I have seen this happen when triggering the AbuseFilter consequence while using DiscussionTools to edit
  • We should ensure that the siteverify API gets called once per request
    • It seems that currently this does not happen and multiple calls to HCaptcha::passCaptcha will make multiple calls to that API

Acceptance criteria

  • The siteverify API no longer returns already-seen-response for users using hCaptcha as expected (users who make two API requests with the same hCaptcha token are expected to still fail)

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
hCaptcha: cache siteverify resultmediawiki/extensions/ConfirmEditmaster+142 -27
hCaptcha: refactor passCaptcha()mediawiki/extensions/ConfirmEditmaster+50 -4
HCaptcha: Add test for force show CAPTCHA mid requestmediawiki/extensions/ConfirmEditmaster+67 -0
hCaptcha: cache siteverify resultmediawiki/extensions/ConfirmEditmaster+297 -46
Customize query in gerrit

Event Timeline

Dreamy_Jazz created this task.May 12 2026, 12:57 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 12 2026, 12:57 PM
MPostoronca-WMF claimed this task.May 12 2026, 2:47 PM
MPostoronca-WMF moved this task from Backlog to In progress on the Product Safety and Integrity (Sprint lily-of-the-valley (May 4 - May 22)) board.
gerritbot added a comment.May 13 2026, 7:32 AM

Change #1286753 had a related patch set uploaded (by Mpostoronca; author: Mpostoronca):

[mediawiki/extensions/ConfirmEdit@master] hCaptcha: cache siteverify result

https://gerrit.wikimedia.org/r/1286753

gerritbot added a project: Patch-For-Review.May 13 2026, 7:32 AM
gerritbot added a comment.May 13 2026, 8:14 AM

Change #1286807 had a related patch set uploaded (by Mpostoronca; author: Mpostoronca):

[mediawiki/extensions/ConfirmEdit@master] hCaptcha: refactor passCaptcha() function

https://gerrit.wikimedia.org/r/1286807

MPostoronca-WMF moved this task from In progress to Needs review on the Product Safety and Integrity (Sprint lily-of-the-valley (May 4 - May 22)) board.May 13 2026, 9:48 AM
OKryva-WMF added a project: Bot detection and mitigation (WE4.10 hCaptcha).May 13 2026, 11:52 AM
gerritbot added a comment.Fri, May 15, 9:26 PM

Change #1287948 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/ConfirmEdit@master] HCaptcha: Add test for force show CAPTCHA mid request

https://gerrit.wikimedia.org/r/1287948

gerritbot added a comment.Fri, May 15, 9:49 PM

Change #1286753 merged by jenkins-bot:

[mediawiki/extensions/ConfirmEdit@master] hCaptcha: cache siteverify result

https://gerrit.wikimedia.org/r/1286753

ReleaseTaggerBot added a project: MW-1.47-notes (1.47.0-wmf.3; 2026-05-19).Fri, May 15, 10:01 PM
gerritbot added a comment.Mon, May 18, 10:58 AM

Change #1288512 had a related patch set uploaded (by Mpostoronca; author: Mpostoronca):

[mediawiki/extensions/ConfirmEdit@master] hCaptcha: cache siteverify result

https://gerrit.wikimedia.org/r/1288512

gerritbot added a comment.Mon, May 18, 2:27 PM

Change #1288512 merged by jenkins-bot:

[mediawiki/extensions/ConfirmEdit@master] hCaptcha: cache siteverify result

https://gerrit.wikimedia.org/r/1288512

gerritbot added a comment.Mon, May 18, 2:36 PM

Change #1287948 merged by jenkins-bot:

[mediawiki/extensions/ConfirmEdit@master] HCaptcha: Add test for force show CAPTCHA mid request

https://gerrit.wikimedia.org/r/1287948

Dreamy_Jazz moved this task from Backlog to QA on the Bot detection and mitigation (WE4.10 hCaptcha) board.Mon, May 18, 2:41 PM
Dreamy_Jazz moved this task from Needs review to QA in Prod on the Product Safety and Integrity (Sprint lily-of-the-valley (May 4 - May 22)) board.
gerritbot added a comment.Wed, May 20, 4:48 PM

Change #1286807 merged by jenkins-bot:

[mediawiki/extensions/ConfirmEdit@master] hCaptcha: refactor passCaptcha()

https://gerrit.wikimedia.org/r/1286807

ReleaseTaggerBot edited projects, added: MW-1.47-notes (1.47.0-wmf.4; 2026-05-26); removed: MW-1.47-notes (1.47.0-wmf.3; 2026-05-19).Wed, May 20, 5:00 PM
Maintenance_bot removed a project: Patch-For-Review.Wed, May 20, 5:31 PM
OKryva-WMF edited projects, added: Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)); removed: Product Safety and Integrity (Sprint lily-of-the-valley (May 4 - May 22)).Mon, May 25, 12:38 PM
OKryva-WMF moved this task from Backlog to QA in Prod on the Product Safety and Integrity (Sprint Iris (May 25 - Jun 12)) board.Mon, May 25, 12:39 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits