Add hCaptcha support

service/src/main/java/org/whispersystems/textsecuregcm/WhisperServerConfiguration.java

@@ -28,6 +28,7 @@ import org.whispersystems.textsecuregcm.configuration.DynamoDbClientConfiguratio
 import org.whispersystems.textsecuregcm.configuration.DynamoDbTables;
 import org.whispersystems.textsecuregcm.configuration.FcmConfiguration;
 import org.whispersystems.textsecuregcm.configuration.GcpAttachmentsConfiguration;
+import org.whispersystems.textsecuregcm.configuration.HCaptchaConfiguration;
 import org.whispersystems.textsecuregcm.configuration.MaxDeviceConfiguration;
 import org.whispersystems.textsecuregcm.configuration.MessageCacheConfiguration;
 import org.whispersystems.textsecuregcm.configuration.OneTimeDonationConfiguration;
@@ -193,6 +194,11 @@ public class WhisperServerConfiguration extends Configuration {
   @JsonProperty
   private RecaptchaConfiguration recaptcha;
 
+  @Valid
+  @NotNull
+  @JsonProperty
+  private HCaptchaConfiguration hCaptcha;
+
   @Valid
   @NotNull
   @JsonProperty
@@ -281,6 +287,10 @@ public class WhisperServerConfiguration extends Configuration {
     return recaptcha;
   }
 
+  public HCaptchaConfiguration getHCaptchaConfiguration() {
+    return hCaptcha;
+  }
+
   public VoiceVerificationConfiguration getVoiceVerificationConfiguration() {
     return voiceVerification;
   }

service/src/main/java/org/whispersystems/textsecuregcm/WhisperServerService.java

@@ -83,6 +83,8 @@ import org.whispersystems.textsecuregcm.auth.TurnTokenGenerator;
 import org.whispersystems.textsecuregcm.auth.WebsocketRefreshApplicationEventListener;
 import org.whispersystems.textsecuregcm.badges.ConfiguredProfileBadgeConverter;
 import org.whispersystems.textsecuregcm.badges.ResourceBundleLevelTranslator;
+import org.whispersystems.textsecuregcm.captcha.CaptchaChecker;
+import org.whispersystems.textsecuregcm.captcha.HCaptchaClient;
 import org.whispersystems.textsecuregcm.configuration.DirectoryServerConfiguration;
 import org.whispersystems.textsecuregcm.configuration.dynamic.DynamicConfiguration;
 import org.whispersystems.textsecuregcm.controllers.AccountController;
@@ -153,7 +155,7 @@ import org.whispersystems.textsecuregcm.push.ProvisioningManager;
 import org.whispersystems.textsecuregcm.push.PushLatencyManager;
 import org.whispersystems.textsecuregcm.push.PushNotificationManager;
 import org.whispersystems.textsecuregcm.push.ReceiptSender;
-import org.whispersystems.textsecuregcm.recaptcha.RecaptchaClient;
+import org.whispersystems.textsecuregcm.captcha.RecaptchaClient;
 import org.whispersystems.textsecuregcm.redis.ConnectionEventLogger;
 import org.whispersystems.textsecuregcm.redis.FaultTolerantRedisCluster;
 import org.whispersystems.textsecuregcm.redis.ReplicatedJedisPool;
@@ -518,13 +520,18 @@ public class WhisperServerService extends Application<WhisperServerConfiguration
     MessageSender            messageSender      = new MessageSender(clientPresenceManager, messagesManager, pushNotificationManager, pushLatencyManager);
     ReceiptSender            receiptSender      = new ReceiptSender(accountsManager, messageSender, receiptSenderExecutor);
     TurnTokenGenerator       turnTokenGenerator = new TurnTokenGenerator(dynamicConfigurationManager);
+
     RecaptchaClient recaptchaClient = new RecaptchaClient(
         config.getRecaptchaConfiguration().getProjectPath(),
         config.getRecaptchaConfiguration().getCredentialConfigurationJson(),
         dynamicConfigurationManager);
+    HttpClient hcaptchaHttpClient = HttpClient.newBuilder().version(HttpClient.Version.HTTP_2).connectTimeout(Duration.ofSeconds(10)).build();
+    HCaptchaClient hCaptchaClient = new HCaptchaClient(config.getHCaptchaConfiguration().apiKey(), hcaptchaHttpClient, dynamicConfigurationManager);
+    CaptchaChecker captchaChecker = new CaptchaChecker(List.of(recaptchaClient, hCaptchaClient));
+
     PushChallengeManager pushChallengeManager = new PushChallengeManager(pushNotificationManager, pushChallengeDynamoDb);
     RateLimitChallengeManager rateLimitChallengeManager = new RateLimitChallengeManager(pushChallengeManager,
-        recaptchaClient, dynamicRateLimiters);
+        captchaChecker, dynamicRateLimiters);
 
     MessagePersister messagePersister = new MessagePersister(messagesCache, messagesManager, accountsManager, dynamicConfigurationManager, Duration.ofMinutes(config.getMessageCacheConfiguration().getPersistDelayMinutes()));
     ChangeNumberManager changeNumberManager = new ChangeNumberManager(messageSender, accountsManager);
@@ -661,7 +668,7 @@ public class WhisperServerService extends Application<WhisperServerConfiguration
     environment.jersey().register(
         new AccountController(pendingAccountsManager, accountsManager, rateLimiters,
             registrationServiceClient, dynamicConfigurationManager, turnTokenGenerator, config.getTestDevices(),
-            recaptchaClient, pushNotificationManager, changeNumberManager, backupCredentialsGenerator,
+            captchaChecker, pushNotificationManager, changeNumberManager, backupCredentialsGenerator,
             clientPresenceManager, clock));
 
     environment.jersey().register(new KeysController(rateLimiters, keys, accountsManager));

service/src/main/java/org/whispersystems/textsecuregcm/captcha/AssessmentResult.java

@@ -0,0 +1,27 @@
+/*
+ * Copyright 2022 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.captcha;
+
+/**
+ * A captcha assessment
+ *
+ * @param valid whether the captcha was passed
+ * @param score string representation of the risk level
+ */
+public record AssessmentResult(boolean valid, String score) {
+
+  public static AssessmentResult invalid() {
+    return new AssessmentResult(false, "");
+  }
+
+  /**
+   * Map a captcha score in [0.0, 1.0] to a low cardinality discrete space in [0, 100] suitable for use in metrics
+   */
+  static String scoreString(final float score) {
+    final int x = Math.round(score * 10); // [0, 10]
+    return Integer.toString(x * 10); // [0, 100] in increments of 10
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/captcha/CaptchaChecker.java

@@ -0,0 +1,76 @@
+/*
+ * Copyright 2022 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.captcha;
+
+import com.google.common.annotations.VisibleForTesting;
+import io.micrometer.core.instrument.Metrics;
+import java.io.IOException;
+import java.util.List;
+import java.util.Map;
+import java.util.function.Function;
+import java.util.stream.Collectors;
+import javax.ws.rs.BadRequestException;
+
+import static org.whispersystems.textsecuregcm.metrics.MetricsUtil.name;
+
+public class CaptchaChecker {
+  private static final String ASSESSMENTS_COUNTER_NAME = name(RecaptchaClient.class, "assessments");
+
+  @VisibleForTesting
+  static final String SEPARATOR = ".";
+
+  private final Map<String, CaptchaClient> captchaClientMap;
+
+  public CaptchaChecker(final List<CaptchaClient> captchaClients) {
+    this.captchaClientMap = captchaClients.stream()
+        .collect(Collectors.toMap(CaptchaClient::scheme, Function.identity()));
+  }
+
+  /**
+   * Check if a solved captcha should be accepted
+   * <p>
+   *
+   * @param input expected to contain a prefix indicating the captcha scheme, sitekey, token, and action. The expected
+   *              format is {@code version-prefix.sitekey.[action.]token}
+   * @param ip    IP of the solver
+   * @return An {@link AssessmentResult} indicating whether the solution should be accepted, and a score that can be
+   * used for metrics
+   * @throws IOException         if there is an error validating the captcha with the underlying service
+   * @throws BadRequestException if input is not in the expected format
+   */
+  public AssessmentResult verify(final String input, final String ip) throws IOException {
+    /*
+     * For action to be optional, there is a strong assumption that the token will never contain a {@value  SEPARATOR}.
+     * Observation suggests {@code token} is base-64 encoded. In practice, an action should always be present, but we
+     * don’t need to be strict.
+     */
+    final String[] parts = input.split("\\" + SEPARATOR, 4);
+
+    // we allow missing actions, if we're missing 1 part, assume it's the action
+    if (parts.length < 3) {
+      throw new BadRequestException("too few parts");
+    }
+
+    int idx = 0;
+    final String prefix = parts[idx++];
+    final String siteKey = parts[idx++];
+    final String action = parts.length == 3 ? null : parts[idx++];
+    final String token = parts[idx];
+
+    final CaptchaClient client = this.captchaClientMap.get(prefix);
+    if (client == null) {
+      throw new BadRequestException("invalid captcha scheme");
+    }
+    final AssessmentResult result = client.verify(siteKey, action, token, ip);
+    Metrics.counter(ASSESSMENTS_COUNTER_NAME,
+            "action", String.valueOf(action),
+            "valid", String.valueOf(result.valid()),
+            "score", result.score(),
+            "provider", prefix)
+        .increment();
+    return result;
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/captcha/CaptchaClient.java

@@ -0,0 +1,33 @@
+/*
+ * Copyright 2022 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.captcha;
+
+import javax.annotation.Nullable;
+import java.io.IOException;
+
+public interface CaptchaClient {
+
+  /**
+   * @return the identifying captcha scheme that this CaptchaClient handles
+   */
+  String scheme();
+
+  /**
+   * Verify a provided captcha solution
+   *
+   * @param siteKey identifying string for the captcha service
+   * @param action  an optional action indicating the purpose of the captcha
+   * @param token   the captcha solution that will be verified
+   * @param ip      the ip of the captcha solve
+   * @return An {@link AssessmentResult} indicating whether the solution should be accepted
+   * @throws IOException if the underlying captcha provider returns an error
+   */
+  AssessmentResult verify(
+      final String siteKey,
+      final @Nullable String action,
+      final String token,
+      final String ip) throws IOException;
+}

service/src/main/java/org/whispersystems/textsecuregcm/captcha/HCaptchaClient.java

@@ -0,0 +1,114 @@
+/*
+ * Copyright 2021-2022 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.captcha;
+
+import static org.whispersystems.textsecuregcm.metrics.MetricsUtil.name;
+
+import io.micrometer.core.instrument.Metrics;
+import java.io.IOException;
+import java.net.URI;
+import java.net.URLEncoder;
+import java.net.http.HttpClient;
+import java.net.http.HttpRequest;
+import java.net.http.HttpResponse;
+import java.nio.charset.StandardCharsets;
+import javax.annotation.Nullable;
+import javax.ws.rs.core.Response;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.whispersystems.textsecuregcm.configuration.dynamic.DynamicCaptchaConfiguration;
+import org.whispersystems.textsecuregcm.configuration.dynamic.DynamicConfiguration;
+import org.whispersystems.textsecuregcm.storage.DynamicConfigurationManager;
+import org.whispersystems.textsecuregcm.util.SystemMapper;
+
+public class HCaptchaClient implements CaptchaClient {
+
+  private static final Logger logger = LoggerFactory.getLogger(HCaptchaClient.class);
+  private static final String PREFIX = "signal-hcaptcha";
+  private static final String ASSESSMENT_REASON_COUNTER_NAME = name(HCaptchaClient.class, "assessmentReason");
+  private static final String INVALID_REASON_COUNTER_NAME = name(HCaptchaClient.class, "invalidReason");
+  private final String apiKey;
+  private final HttpClient client;
+  private final DynamicConfigurationManager<DynamicConfiguration> dynamicConfigurationManager;
+
+  public HCaptchaClient(
+      final String apiKey,
+      final HttpClient client,
+      final DynamicConfigurationManager<DynamicConfiguration> dynamicConfigurationManager) {
+    this.apiKey = apiKey;
+    this.client = client;
+    this.dynamicConfigurationManager = dynamicConfigurationManager;
+  }
+
+  @Override
+  public String scheme() {
+    return PREFIX;
+  }
+
+  @Override
+  public AssessmentResult verify(final String siteKey, final @Nullable String action, final String token,
+      final String ip)
+      throws IOException {
+
+    final DynamicCaptchaConfiguration config = dynamicConfigurationManager.getConfiguration().getCaptchaConfiguration();
+    if (!config.isAllowHCaptcha()) {
+      logger.warn("Received request to verify an hCaptcha, but hCaptcha is not enabled");
+      return AssessmentResult.invalid();
+    }
+
+    final String body = String.format("response=%s&secret=%s&remoteip=%s",
+        URLEncoder.encode(token, StandardCharsets.UTF_8),
+        URLEncoder.encode(this.apiKey, StandardCharsets.UTF_8),
+        ip);
+    HttpRequest request = HttpRequest.newBuilder()
+        .uri(URI.create("https://hcaptcha.com/siteverify"))
+        .header("Content-Type", "application/x-www-form-urlencoded")
+        .POST(HttpRequest.BodyPublishers.ofString(body))
+        .build();
+
+    HttpResponse<String> response;
+    try {
+      response = this.client.send(request, HttpResponse.BodyHandlers.ofString());
+    } catch (InterruptedException e) {
+      throw new IOException(e);
+    }
+
+    if (response.statusCode() != Response.Status.OK.getStatusCode()) {
+      logger.warn("failure submitting token to hCaptcha (code={}): {}", response.statusCode(), response);
+      throw new IOException("hCaptcha http failure : " + response.statusCode());
+    }
+
+    final HCaptchaResponse hCaptchaResponse = SystemMapper.getMapper()
+        .readValue(response.body(), HCaptchaResponse.class);
+
+    logger.debug("received hCaptcha response: {}", hCaptchaResponse);
+
+    if (!hCaptchaResponse.success) {
+      for (String errorCode : hCaptchaResponse.errorCodes) {
+        Metrics.counter(INVALID_REASON_COUNTER_NAME,
+            "action", String.valueOf(action),
+            "reason", errorCode).increment();
+      }
+      return AssessmentResult.invalid();
+    }
+
+    // hcaptcha uses the inverse scheme of recaptcha (for hcaptcha, a low score is less risky)
+    float score = 1.0f - hCaptchaResponse.score;
+    if (score < 0.0f || score > 1.0f) {
+      logger.error("Invalid score {} from hcaptcha response {}", hCaptchaResponse.score, hCaptchaResponse);
+      return AssessmentResult.invalid();
+    }
+    final String scoreString = AssessmentResult.scoreString(score);
+
+    for (String reason : hCaptchaResponse.scoreReasons) {
+      Metrics.counter(ASSESSMENT_REASON_COUNTER_NAME,
+          "action", String.valueOf(action),
+          "reason", reason,
+          "score", scoreString).increment();
+    }
+    return new AssessmentResult(score >= config.getScoreFloor().floatValue(), scoreString);
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/captcha/HCaptchaResponse.java

@@ -0,0 +1,57 @@
+/*
+ * Copyright 2022 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.captcha;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+import java.time.Duration;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * Verify response returned by hcaptcha
+ * <p>
+ * see <a href="https://docs.hcaptcha.com/#verify-the-user-response-server-side">...</a>
+ */
+public class HCaptchaResponse {
+
+  @JsonProperty
+  boolean success;
+
+  @JsonProperty(value = "challenge-ts")
+  Duration challengeTs;
+
+  @JsonProperty
+  String hostname;
+
+  @JsonProperty
+  boolean credit;
+
+  @JsonProperty(value = "error-codes")
+  List<String> errorCodes = Collections.emptyList();
+
+  @JsonProperty
+  float score;
+
+  @JsonProperty(value = "score-reasons")
+  List<String> scoreReasons = Collections.emptyList();
+
+  public HCaptchaResponse() {
+  }
+
+  @Override
+  public String toString() {
+    return "HCaptchaResponse{" +
+        "success=" + success +
+        ", challengeTs=" + challengeTs +
+        ", hostname='" + hostname + '\'' +
+        ", credit=" + credit +
+        ", errorCodes=" + errorCodes +
+        ", score=" + score +
+        ", scoreReasons=" + scoreReasons +
+        '}';
+  }
+}

service/src/main/java/org/whispersystems/textsecuregcm/captcha/RecaptchaClient.java

@@ -3,15 +3,15 @@
  * SPDX-License-Identifier: AGPL-3.0-only
  */
 
-package org.whispersystems.textsecuregcm.recaptcha;
+package org.whispersystems.textsecuregcm.captcha;
 
 import static org.whispersystems.textsecuregcm.metrics.MetricsUtil.name;
 
 import com.google.api.gax.core.FixedCredentialsProvider;
+import com.google.api.gax.rpc.ApiException;
 import com.google.auth.oauth2.GoogleCredentials;
 import com.google.cloud.recaptchaenterprise.v1.RecaptchaEnterpriseServiceClient;
 import com.google.cloud.recaptchaenterprise.v1.RecaptchaEnterpriseServiceSettings;
-import com.google.common.annotations.VisibleForTesting;
 import com.google.recaptchaenterprise.v1.Assessment;
 import com.google.recaptchaenterprise.v1.Event;
 import com.google.recaptchaenterprise.v1.RiskAnalysis;
@@ -21,22 +21,18 @@ import java.io.IOException;
 import java.nio.charset.StandardCharsets;
 import java.util.Objects;
 import javax.annotation.Nonnull;
-import javax.ws.rs.BadRequestException;
-import org.apache.commons.lang3.StringUtils;
+import javax.annotation.Nullable;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import org.whispersystems.textsecuregcm.configuration.dynamic.DynamicCaptchaConfiguration;
 import org.whispersystems.textsecuregcm.configuration.dynamic.DynamicConfiguration;
 import org.whispersystems.textsecuregcm.storage.DynamicConfigurationManager;
 
-public class RecaptchaClient {
+public class RecaptchaClient implements CaptchaClient {
+
   private static final Logger log = LoggerFactory.getLogger(RecaptchaClient.class);
 
-  @VisibleForTesting
-  static final String SEPARATOR = ".";
-  @VisibleForTesting
-  static final String V2_PREFIX = "signal-recaptcha-v2" + RecaptchaClient.SEPARATOR;
-  private static final String ASSESSMENTS_COUNTER_NAME = name(RecaptchaClient.class, "assessments");
-
+  private static final String V2_PREFIX = "signal-recaptcha-v2";
   private static final String INVALID_REASON_COUNTER_NAME = name(RecaptchaClient.class, "invalidReason");
   private static final String ASSESSMENT_REASON_COUNTER_NAME = name(RecaptchaClient.class, "assessmentReason");
 
@@ -61,57 +57,20 @@ public class RecaptchaClient {
     }
   }
 
-  /**
-   * Parses the sitekey, token, and action (if any) from {@code input}. The expected input format is: {@code [version
-   * prefix.]sitekey.[action.]token}.
-   * <p>
-   * For action to be optional, there is a strong assumption that the token will never contain a {@value  SEPARATOR}.
-   * Observation suggests {@code token} is base-64 encoded. In practice, an action should always be present, but we
-   * don’t need to be strict.
-   */
-  static String[] parseInputToken(final String input) {
-    String[] parts = StringUtils.removeStart(input, V2_PREFIX).split("\\" + SEPARATOR, 3);
-
-    if (parts.length == 1) {
-      throw new BadRequestException("too few parts");
-    }
-
-    if (parts.length == 2) {
-      // we got some parts, assume it is action that is missing
-      return new String[]{parts[0], null, parts[1]};
-    }
-
-    return parts;
+  @Override
+  public String scheme() {
+    return V2_PREFIX;
   }
 
-  /**
-   * A captcha assessment
-   *
-   * @param valid whether the captcha was passed
-   * @param score string representation of the risk level
-   */
-  public record AssessmentResult(boolean valid, String score) {
-    public static AssessmentResult invalid() {
-      return new AssessmentResult(false, "");
+  @Override
+  public org.whispersystems.textsecuregcm.captcha.AssessmentResult verify(final String sitekey,
+      final @Nullable String expectedAction,
+      final String token, final String ip) throws IOException {
+    final DynamicCaptchaConfiguration config = dynamicConfigurationManager.getConfiguration().getCaptchaConfiguration();
+    if (!config.isAllowRecaptcha()) {
+      log.warn("Received request to verify a recaptcha, but recaptcha is not enabled");
+      return AssessmentResult.invalid();
     }
-  }
-
-  /*
-   * recaptcha enterprise scores are from [0.0, 1.0] in increments of .1
-   * map to [0, 100] for easier interpretation
-   */
-  @VisibleForTesting
-  static String scoreString(final float score) {
-    return Integer.toString((int) (score * 100));
-  }
-
-
-  public AssessmentResult verify(final String input, final String ip) {
-    final String[] parts = parseInputToken(input);
-
-    final String sitekey = parts[0];
-    final String expectedAction = parts[1];
-    final String token = parts[2];
 
     Event.Builder eventBuilder = Event.newBuilder()
         .setSiteKey(sitekey)
@@ -123,32 +82,30 @@ public class RecaptchaClient {
     }
 
     final Event event = eventBuilder.build();
-    final Assessment assessment = client.createAssessment(projectPath, Assessment.newBuilder().setEvent(event).build());
-
-    Metrics.counter(ASSESSMENTS_COUNTER_NAME,
-            "action", String.valueOf(expectedAction),
-            "valid", String.valueOf(assessment.getTokenProperties().getValid()))
-        .increment();
-
+    final Assessment assessment;
+    try {
+      assessment = client.createAssessment(projectPath, Assessment.newBuilder().setEvent(event).build());
+    } catch (ApiException e) {
+      throw new IOException(e);
+    }
 
     if (assessment.getTokenProperties().getValid()) {
       final float score = assessment.getRiskAnalysis().getScore();
       log.debug("assessment for {} was valid, score: {}", expectedAction, score);
       for (RiskAnalysis.ClassificationReason reason : assessment.getRiskAnalysis().getReasonsList()) {
         Metrics.counter(ASSESSMENT_REASON_COUNTER_NAME,
-            "action", String.valueOf(expectedAction),
-            "score", scoreString(score),
-            "reason", reason.name())
+                "action", String.valueOf(expectedAction),
+                "score", AssessmentResult.scoreString(score),
+                "reason", reason.name())
             .increment();
       }
       return new AssessmentResult(
-          score >=
-              dynamicConfigurationManager.getConfiguration().getCaptchaConfiguration().getScoreFloor().floatValue(),
-          scoreString(score));
+          score >= config.getScoreFloor().floatValue(),
+          AssessmentResult.scoreString(score));
     } else {
       Metrics.counter(INVALID_REASON_COUNTER_NAME,
-          "action", String.valueOf(expectedAction),
-          "reason", assessment.getTokenProperties().getInvalidReason().name())
+              "action", String.valueOf(expectedAction),
+              "reason", assessment.getTokenProperties().getInvalidReason().name())
           .increment();
       return AssessmentResult.invalid();
     }

service/src/main/java/org/whispersystems/textsecuregcm/configuration/HCaptchaConfiguration.java

@@ -0,0 +1,11 @@
+/*
+ * Copyright 2021-2022 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.configuration;
+
+import javax.validation.constraints.NotBlank;
+
+public record HCaptchaConfiguration(@NotBlank String apiKey) {
+}

service/src/main/java/org/whispersystems/textsecuregcm/configuration/dynamic/DynamicCaptchaConfiguration.java

@@ -1,3 +1,8 @@
+/*
+ * Copyright 2022 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
 package org.whispersystems.textsecuregcm.configuration.dynamic;
 
 import com.fasterxml.jackson.annotation.JsonProperty;
@@ -17,6 +22,12 @@ public class DynamicCaptchaConfiguration {
   @NotNull
   private BigDecimal scoreFloor;
 
+  @JsonProperty
+  private boolean allowHCaptcha = false;
+
+  @JsonProperty
+  private boolean allowRecaptcha = true;
+
   @JsonProperty
   @NotNull
   private Set<String> signupCountryCodes = Collections.emptySet();
@@ -46,4 +57,22 @@ public class DynamicCaptchaConfiguration {
   public Set<String> getSignupRegions() {
     return signupRegions;
   }
+
+  public boolean isAllowHCaptcha() {
+    return allowHCaptcha;
+  }
+
+  public boolean isAllowRecaptcha() {
+    return allowRecaptcha;
+  }
+
+  @VisibleForTesting
+  public void setAllowHCaptcha(final boolean allowHCaptcha) {
+    this.allowHCaptcha = allowHCaptcha;
+  }
+
+  @VisibleForTesting
+  public void setScoreFloor(final BigDecimal scoreFloor) {
+    this.scoreFloor = scoreFloor;
+  }
 }

service/src/main/java/org/whispersystems/textsecuregcm/controllers/AccountController.java

@@ -19,6 +19,7 @@ import io.dropwizard.auth.Auth;
 import io.micrometer.core.instrument.Metrics;
 import io.micrometer.core.instrument.Tag;
 import io.micrometer.core.instrument.Tags;
+import java.io.IOException;
 import java.security.SecureRandom;
 import java.time.Clock;
 import java.time.Duration;
@@ -63,6 +64,8 @@ import org.whispersystems.textsecuregcm.auth.StoredRegistrationLock;
 import org.whispersystems.textsecuregcm.auth.StoredVerificationCode;
 import org.whispersystems.textsecuregcm.auth.TurnToken;
 import org.whispersystems.textsecuregcm.auth.TurnTokenGenerator;
+import org.whispersystems.textsecuregcm.captcha.AssessmentResult;
+import org.whispersystems.textsecuregcm.captcha.CaptchaChecker;
 import org.whispersystems.textsecuregcm.configuration.dynamic.DynamicCaptchaConfiguration;
 import org.whispersystems.textsecuregcm.configuration.dynamic.DynamicConfiguration;
 import org.whispersystems.textsecuregcm.entities.AccountAttributes;
@@ -87,7 +90,6 @@ import org.whispersystems.textsecuregcm.metrics.UserAgentTagUtil;
 import org.whispersystems.textsecuregcm.push.ClientPresenceManager;
 import org.whispersystems.textsecuregcm.push.PushNotification;
 import org.whispersystems.textsecuregcm.push.PushNotificationManager;
-import org.whispersystems.textsecuregcm.recaptcha.RecaptchaClient;
 import org.whispersystems.textsecuregcm.registration.ClientType;
 import org.whispersystems.textsecuregcm.registration.MessageTransport;
 import org.whispersystems.textsecuregcm.registration.RegistrationServiceClient;
@@ -100,8 +102,8 @@ import org.whispersystems.textsecuregcm.storage.StoredVerificationCodeManager;
 import org.whispersystems.textsecuregcm.storage.UsernameNotAvailableException;
 import org.whispersystems.textsecuregcm.storage.UsernameReservationNotFoundException;
 import org.whispersystems.textsecuregcm.util.Constants;
-import org.whispersystems.textsecuregcm.util.Hex;
 import org.whispersystems.textsecuregcm.util.HeaderUtils;
+import org.whispersystems.textsecuregcm.util.Hex;
 import org.whispersystems.textsecuregcm.util.ImpossiblePhoneNumberException;
 import org.whispersystems.textsecuregcm.util.NonNormalizedPhoneNumberException;
 import org.whispersystems.textsecuregcm.util.Optionals;
@@ -152,7 +154,7 @@ public class AccountController {
   private final DynamicConfigurationManager<DynamicConfiguration> dynamicConfigurationManager;
   private final TurnTokenGenerator                 turnTokenGenerator;
   private final Map<String, Integer>               testDevices;
-  private final RecaptchaClient recaptchaClient;
+  private final CaptchaChecker                     captchaChecker;
   private final PushNotificationManager            pushNotificationManager;
   private final ExternalServiceCredentialGenerator backupServiceCredentialGenerator;
 
@@ -172,7 +174,7 @@ public class AccountController {
       DynamicConfigurationManager<DynamicConfiguration> dynamicConfigurationManager,
       TurnTokenGenerator turnTokenGenerator,
       Map<String, Integer> testDevices,
-      RecaptchaClient recaptchaClient,
+      CaptchaChecker captchaChecker,
       PushNotificationManager pushNotificationManager,
       ChangeNumberManager changeNumberManager,
       ExternalServiceCredentialGenerator backupServiceCredentialGenerator,
@@ -186,7 +188,7 @@ public class AccountController {
     this.dynamicConfigurationManager = dynamicConfigurationManager;
     this.testDevices = testDevices;
     this.turnTokenGenerator = turnTokenGenerator;
-    this.recaptchaClient = recaptchaClient;
+    this.captchaChecker = captchaChecker;
     this.pushNotificationManager = pushNotificationManager;
     this.backupServiceCredentialGenerator = backupServiceCredentialGenerator;
     this.changeNumberManager = changeNumberManager;
@@ -203,13 +205,13 @@ public class AccountController {
       DynamicConfigurationManager<DynamicConfiguration> dynamicConfigurationManager,
       TurnTokenGenerator turnTokenGenerator,
       Map<String, Integer> testDevices,
-      RecaptchaClient recaptchaClient,
+      CaptchaChecker captchaChecker,
       PushNotificationManager pushNotificationManager,
       ChangeNumberManager changeNumberManager,
       ExternalServiceCredentialGenerator backupServiceCredentialGenerator
   ) {
     this(pendingAccounts, accounts, rateLimiters,
-        registrationServiceClient, dynamicConfigurationManager, turnTokenGenerator, testDevices, recaptchaClient,
+        registrationServiceClient, dynamicConfigurationManager, turnTokenGenerator, testDevices, captchaChecker,
         pushNotificationManager, changeNumberManager,
         backupServiceCredentialGenerator, null, Clock.systemUTC());
   }
@@ -255,7 +257,7 @@ public class AccountController {
                                 @QueryParam("client")           Optional<String> client,
                                 @QueryParam("captcha")          Optional<String> captcha,
                                 @QueryParam("challenge")        Optional<String> pushChallenge)
-      throws RateLimitExceededException, ImpossiblePhoneNumberException, NonNormalizedPhoneNumberException {
+      throws RateLimitExceededException, ImpossiblePhoneNumberException, NonNormalizedPhoneNumberException, IOException {
 
     Util.requireNormalizedNumber(number);
 
@@ -266,8 +268,9 @@ public class AccountController {
     final String region = Util.getRegion(number);
 
     // if there's a captcha, assess it, otherwise check if we need a captcha
-    final Optional<RecaptchaClient.AssessmentResult> assessmentResult = captcha
-        .map(captchaToken -> recaptchaClient.verify(captchaToken, sourceHost));
+    final Optional<AssessmentResult> assessmentResult = captcha.isPresent()
+        ? Optional.of(captchaChecker.verify(captcha.get(), sourceHost))
+        : Optional.empty();
 
     assessmentResult.ifPresent(result ->
         Metrics.counter(CAPTCHA_ATTEMPT_COUNTER_NAME, Tags.of(

service/src/main/java/org/whispersystems/textsecuregcm/controllers/ChallengeController.java

@@ -12,6 +12,7 @@ import com.google.common.net.HttpHeaders;
 import io.dropwizard.auth.Auth;
 import io.micrometer.core.instrument.Metrics;
 import io.micrometer.core.instrument.Tags;
+import java.io.IOException;
 import java.util.NoSuchElementException;
 import javax.validation.Valid;
 import javax.ws.rs.Consumes;
@@ -50,7 +51,7 @@ public class ChallengeController {
   public Response handleChallengeResponse(@Auth final AuthenticatedAccount auth,
       @Valid final AnswerChallengeRequest answerRequest,
       @HeaderParam(HttpHeaders.X_FORWARDED_FOR) final String forwardedFor,
-      @HeaderParam(HttpHeaders.USER_AGENT) final String userAgent) throws RateLimitExceededException {
+      @HeaderParam(HttpHeaders.USER_AGENT) final String userAgent) throws RateLimitExceededException, IOException {
 
     Tags tags = Tags.of(UserAgentTagUtil.getPlatformTag(userAgent));
 

service/src/main/java/org/whispersystems/textsecuregcm/limits/RateLimitChallengeManager.java

@@ -5,22 +5,22 @@ import static com.codahale.metrics.MetricRegistry.name;
 import io.micrometer.core.instrument.Metrics;
 import io.micrometer.core.instrument.Tag;
 import io.micrometer.core.instrument.Tags;
+import java.io.IOException;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;
 import org.whispersystems.textsecuregcm.abuse.RateLimitChallengeListener;
+import org.whispersystems.textsecuregcm.captcha.CaptchaChecker;
 import org.whispersystems.textsecuregcm.controllers.RateLimitExceededException;
 import org.whispersystems.textsecuregcm.metrics.UserAgentTagUtil;
 import org.whispersystems.textsecuregcm.push.NotPushRegisteredException;
-import org.whispersystems.textsecuregcm.recaptcha.RecaptchaClient;
 import org.whispersystems.textsecuregcm.storage.Account;
 import org.whispersystems.textsecuregcm.util.Util;
 
 public class RateLimitChallengeManager {
 
   private final PushChallengeManager pushChallengeManager;
-  private final RecaptchaClient recaptchaClient;
-
+  private final CaptchaChecker captchaChecker;
   private final DynamicRateLimiters rateLimiters;
 
   private final List<RateLimitChallengeListener> rateLimitChallengeListeners =
@@ -34,11 +34,11 @@ public class RateLimitChallengeManager {
 
   public RateLimitChallengeManager(
       final PushChallengeManager pushChallengeManager,
-      final RecaptchaClient recaptchaClient,
+      final CaptchaChecker captchaChecker,
       final DynamicRateLimiters rateLimiters) {
 
     this.pushChallengeManager = pushChallengeManager;
-    this.recaptchaClient = recaptchaClient;
+    this.captchaChecker = captchaChecker;
     this.rateLimiters = rateLimiters;
   }
 
@@ -58,11 +58,11 @@ public class RateLimitChallengeManager {
   }
 
   public void answerRecaptchaChallenge(final Account account, final String captcha, final String mostRecentProxyIp, final String userAgent)
-      throws RateLimitExceededException {
+      throws RateLimitExceededException, IOException {
 
     rateLimiters.getRecaptchaChallengeAttemptLimiter().validate(account.getUuid());
 
-    final boolean challengeSuccess = recaptchaClient.verify(captcha, mostRecentProxyIp).valid();
+    final boolean challengeSuccess = captchaChecker.verify(captcha, mostRecentProxyIp).valid();
 
     final Tags tags = Tags.of(
         Tag.of(SOURCE_COUNTRY_TAG_NAME, Util.getCountryCode(account.getNumber())),