fix: require reCAPTCHA token when reCAPTCHA is enabled (#12409)

Co-authored-by: openhands <openhands@all-hands.dev>
Co-authored-by: hieptl <hieptl.developer@gmail.com>

enterprise/server/routes/auth.py

@@ -176,7 +176,18 @@ async def keycloak_callback(
     user_id = user_info['sub']
 
     # reCAPTCHA verification with Account Defender
-    if RECAPTCHA_SITE_KEY and recaptcha_token:
+    if RECAPTCHA_SITE_KEY:
+        if not recaptcha_token:
+            logger.warning(
+                'recaptcha_token_missing',
+                extra={
+                    'user_id': user_id,
+                    'email': email,
+                },
+            )
+            error_url = f'{request.base_url}login?recaptcha_blocked=true'
+            return RedirectResponse(error_url, status_code=302)
+
         user_ip = request.client.host if request.client else 'unknown'
         user_agent = request.headers.get('User-Agent', '')
 

frontend/src/components/features/auth/login-content.tsx

@@ -12,7 +12,6 @@ import { TermsAndPrivacyNotice } from "#/components/shared/terms-and-privacy-not
 import { useRecaptcha } from "#/hooks/use-recaptcha";
 import { useConfig } from "#/hooks/query/use-config";
 import { displayErrorToast } from "#/utils/custom-toast-handlers";
-import { ENABLE_RECAPTCHA } from "#/utils/feature-flags";
 
 export interface LoginContentProps {
   githubAuthUrl: string | null;
@@ -39,7 +38,7 @@ export function LoginContent({
 
   // reCAPTCHA - only need token generation, verification happens at backend callback
   const { isReady: recaptchaReady, executeRecaptcha } = useRecaptcha({
-    siteKey: ENABLE_RECAPTCHA() ? config?.RECAPTCHA_SITE_KEY : undefined,
+    siteKey: config?.RECAPTCHA_SITE_KEY,
   });
 
   const gitlabAuthUrl = useAuthUrl({

frontend/src/utils/feature-flags.ts

@@ -20,4 +20,3 @@ export const ENABLE_TRAJECTORY_REPLAY = () =>
 export const USE_PLANNING_AGENT = () => loadFeatureFlag("USE_PLANNING_AGENT");
 export const ENABLE_PUBLIC_CONVERSATION_SHARING = () =>
   loadFeatureFlag("PUBLIC_CONVERSATION_SHARING");
-export const ENABLE_RECAPTCHA = () => loadFeatureFlag("RECAPTCHA");