Fixed captcha on login screen.

[AlexSkrypnyk]

Summary by CodeRabbit

• New Features

  • Added form submission protection for reCAPTCHA v3 to prevent premature submission until token validation completes.

• Bug Fixes

  • Adjusted reCAPTCHA v3 bot detection sensitivity threshold for more lenient verification.

[coderabbitai]

📝 Walkthrough

Walkthrough

Implements a reCAPTCHA v3 guard mechanism that prevents form submission until a token is available. Changes include threshold configuration adjustment, a new JavaScript library for token polling, a form alter hook to attach the guard behavior conditionally, and theme preprocessing updates for hidden inputs.

Changes

Cohort / File(s)	Summary
reCAPTCHA v3 Configuration config/default/recaptcha_v3.recaptcha_v3_action.recaptcha3.yml	Lowered recaptcha3 action threshold from 0.7 to 0.5.
Drupal Library Registration web/modules/custom/do_base/do_base.libraries.yml	Added new recaptcha_v3_guard library with JavaScript asset and dependencies (core/drupal, core/once). Updated highlight_js.gherkin library with highlight_js/highlight_js.js dependency.
JavaScript Guard Behavior web/modules/custom/do_base/js/do_base.recaptcha_v3_guard.js	Introduced Drupal behavior doBaseRecaptchaV3Guard that disables form submit buttons and polls for reCAPTCHA v3 token availability (200ms intervals, 5s timeout) before re-enabling submission.
Form Alter Hook web/modules/custom/do_base/src/Hook/FormAlterHook.php	Created FormAlterHook class implementing form_alter hook to conditionally attach do_base/recaptcha_v3_guard library for forms containing reCAPTCHA v3 captcha elements.
Theme Preprocessing web/themes/custom/drevops/drevops.theme	Added drevops_preprocess_input__hidden() function to set modifier_class to FALSE for hidden input elements while preserving existing classes for JavaScript usage.

Sequence Diagram

sequenceDiagram
    participant Client as Client/Browser
    participant FormHook as Form Alter Hook
    participant JS as JavaScript Behavior
    participant reCAPTCHA as reCAPTCHA v3
    participant Submit as Form Submission

    Client->>FormHook: Form render request
    FormHook->>FormHook: Check for recaptcha_v3 captcha
    FormHook->>Client: Attach recaptcha_v3_guard library
    Client->>JS: Execute guard behavior attach
    JS->>JS: Locate token input & form
    JS->>JS: Disable all submit buttons
    JS->>reCAPTCHA: Poll for token (every 200ms)
    alt Token received within 5s
        reCAPTCHA-->>JS: Token available
    else 5s timeout
        JS->>JS: Timeout reached
    end
    JS->>JS: Enable submit buttons
    Client->>Submit: User submits form

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

Possibly related PRs

• drevops/website#32: Modifies the same reCAPTCHA v3 action configuration file with threshold adjustments.
• drevops/website#110: Implements reCAPTCHA v3 functionality and alters the same recaptcha3 configuration settings.

Suggested labels

PR: Needs review

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Fixed captcha on login screen' clearly and concisely summarizes the primary change across all modified files, which collectively implement reCAPTCHA v3 form protection on the login screen.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feature/fix-captcha

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@web/themes/custom/drevops/drevops.theme`:
- Around line 28-36: The drevops_preprocess_input__hidden function currently
unconditionally sets $variables['modifier_class'] = FALSE which wipes any
existing modifier classes; change it so you only set it to FALSE when the key is
missing or empty (e.g., check isset() or empty() on
$variables['modifier_class']) and otherwise preserve the existing value so
contributed modules' classes remain intact.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Preserve existing modifier_class values instead of always overwriting (Line 35).
The comment says to allow existing classes, but Line 35 always forces modifier_class to FALSE, which can wipe module-provided modifier classes. Consider only forcing FALSE when no value is present.

🛠️ Suggested fix

 function drevops_preprocess_input__hidden(array &$variables): void {
   // Hidden inputs should not have classes as classes are used for presentation.
   // But some contributed modules use classes on hidden inputs and target them
   // with JavaScript, so we need to allow classes if they are already set.
-  $variables['modifier_class'] = FALSE;
+  if (empty($variables['modifier_class'])) {
+    $variables['modifier_class'] = FALSE;
+  }
 }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	/**
	* Implements hook_preprocess_HOOK() for hidden input templates.
	*/
	function drevops_preprocess_input__hidden(array &$variables): void {
	// Hidden inputs should not have classes as classes are used for presentation.
	// But some contributed modules use classes on hidden inputs and target them
	// with JavaScript, so we need to allow classes if they are already set.
	$variables['modifier_class'] = FALSE;
	}
	/**
	* Implements hook_preprocess_HOOK() for hidden input templates.
	*/
	function drevops_preprocess_input__hidden(array &$variables): void {
	// Hidden inputs should not have classes as classes are used for presentation.
	// But some contributed modules use classes on hidden inputs and target them
	// with JavaScript, so we need to allow classes if they are already set.
	if (empty($variables['modifier_class'])) {
	$variables['modifier_class'] = FALSE;
	}
	}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@web/themes/custom/drevops/drevops.theme` around lines 28 - 36, The
drevops_preprocess_input__hidden function currently unconditionally sets
$variables['modifier_class'] = FALSE which wipes any existing modifier classes;
change it so you only set it to FALSE when the key is missing or empty (e.g.,
check isset() or empty() on $variables['modifier_class']) and otherwise preserve
the existing value so contributed modules' classes remain intact.

[codecov-commenter]

Codecov Report

❌ Patch coverage is 0% with 5 lines in your changes missing coverage. Please review.
✅ Project coverage is 0.00%. Comparing base (67cf8fa) to head (5101afb).

Files with missing lines	Patch %	Lines
.../modules/custom/do_base/src/Hook/FormAlterHook.php	0.00%	5 Missing ⚠️

Additional details and impacted files

@@           Coverage Diff           @@
##           develop    #139   +/-   ##
=======================================
  Coverage     0.00%   0.00%           
=======================================
  Files            2       3    +1     
  Lines           10      15    +5     
=======================================
- Misses          10      15    +5     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.