fix: require reCAPTCHA token when reCAPTCHA is enabled (#12409)

Co-authored-by: openhands <openhands@all-hands.dev> Co-authored-by: hieptl <hieptl.developer@gmail.com>
2026-03-22 05:37:20 +08:00 · 2026-01-14 12:34:09 -07:00
parent 6ccd42bb29
commit f28ab56cc3
3 changed files with 13 additions and 4 deletions
--- a/enterprise/server/routes/auth.py
+++ b/enterprise/server/routes/auth.py
@@ -176,7 +176,18 @@ async def keycloak_callback(
    user_id = user_info['sub']

    # reCAPTCHA verification with Account Defender
-    if RECAPTCHA_SITE_KEY and recaptcha_token:
+    if RECAPTCHA_SITE_KEY:
+        if not recaptcha_token:
+            logger.warning(
+                'recaptcha_token_missing',
+                extra={
+                    'user_id': user_id,
+                    'email': email,
+                },
+            )
+            error_url = f'{request.base_url}login?recaptcha_blocked=true'
+            return RedirectResponse(error_url, status_code=302)
+
        user_ip = request.client.host if request.client else 'unknown'
        user_agent = request.headers.get('User-Agent', '')