From 4720e476f8ecfaae2b6c6577b534a037b8bbbb76 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Joan=20Lled=C3=B3?= <jlledo@redhat.com>
Date: Mon, 15 Jul 2024 12:17:00 +0200
Subject: [PATCH 1/9] Migration, new setting: `:admin_bot_protection_level`

---
 app/models/settings.rb                                 |  9 +++++++--
 ...40715075900_add_admin_bot_protection_to_settings.rb | 10 ++++++++++
 db/oracle_schema.rb                                    |  1 +
 db/postgres_schema.rb                                  |  1 +
 db/schema.rb                                           |  1 +
 5 files changed, 20 insertions(+), 2 deletions(-)
 create mode 100644 db/migrate/20240715075900_add_admin_bot_protection_to_settings.rb

diff --git a/app/models/settings.rb b/app/models/settings.rb
index aa4dc06165..e5a3bbd014 100644
--- a/app/models/settings.rb
+++ b/app/models/settings.rb
@@ -12,9 +12,9 @@ class Settings < ApplicationRecord
             :content_bg_colour, :tracker_code, :favicon, :plans_tab_bg_colour, :plans_bg_colour, :content_border_colour,
             :cc_privacy_path, :cc_terms_path, :cc_refunds_path, :change_service_plan_permission, :spam_protection_level,
             :authentication_strategy, :janrain_api_key, :janrain_relying_party, :cms_token, :cas_server_url, :sso_key,
-            :sso_login_url, length: { maximum: 255 }
+            :admin_bot_protection_level, :sso_login_url, length: { maximum: 255 }
 
-  symbolize :spam_protection_level
+  symbolize :spam_protection_level, :admin_bot_protection_level
 
   include Switches
 
@@ -101,6 +101,11 @@ def spam_protection_level
     level == :auto ? :captcha : level
   end
 
+  # To avoid a dangerous DB migration, we allow empty values in the column and assume empty means `:none`
+  def admin_bot_protection_level
+    super&.to_sym || :none
+  end
+
   delegate :provider_id_for_audits, :to => :account, :allow_nil => true
 
   private
diff --git a/db/migrate/20240715075900_add_admin_bot_protection_to_settings.rb b/db/migrate/20240715075900_add_admin_bot_protection_to_settings.rb
new file mode 100644
index 0000000000..ac833645ed
--- /dev/null
+++ b/db/migrate/20240715075900_add_admin_bot_protection_to_settings.rb
@@ -0,0 +1,10 @@
+class AddAdminBotProtectionToSettings < ActiveRecord::Migration[6.1]
+  def up
+    add_column :settings, :admin_bot_protection_level, :string
+    change_column_default :settings, :admin_bot_protection_level, "none"
+  end
+
+  def down
+    remove_column :settings, :admin_bot_protection_level
+  end
+end
diff --git a/db/oracle_schema.rb b/db/oracle_schema.rb
index 5339807aed..22e698f471 100644
--- a/db/oracle_schema.rb
+++ b/db/oracle_schema.rb
@@ -1264,6 +1264,7 @@
     t.string "iam_tools_switch", default: "denied", null: false
     t.string "require_cc_on_signup_switch", default: "denied", null: false
     t.boolean "enforce_sso", default: false, null: false
+    t.string "admin_bot_protection_level", default: "none"
     t.index ["account_id"], name: "index_settings_on_account_id", unique: true
   end
 
diff --git a/db/postgres_schema.rb b/db/postgres_schema.rb
index 32677d0efb..395d5aacc2 100644
--- a/db/postgres_schema.rb
+++ b/db/postgres_schema.rb
@@ -1268,6 +1268,7 @@
     t.string "iam_tools_switch", limit: 255, default: "denied", null: false
     t.string "require_cc_on_signup_switch", limit: 255, default: "denied", null: false
     t.boolean "enforce_sso", default: false, null: false
+    t.string "admin_bot_protection_level", default: "none"
     t.index ["account_id"], name: "index_settings_on_account_id", unique: true
   end
 
diff --git a/db/schema.rb b/db/schema.rb
index 9802165ddc..adcd8c4e5c 100644
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -1268,6 +1268,7 @@
     t.string "iam_tools_switch", default: "denied", null: false
     t.string "require_cc_on_signup_switch", default: "denied", null: false
     t.boolean "enforce_sso", default: false, null: false
+    t.string "admin_bot_protection_level", default: "none"
     t.index ["account_id"], name: "index_settings_on_account_id", unique: true
   end
 

From a3d94706d5c41acb74e1899459f04ccf5ee646ae Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Joan=20Lled=C3=B3?= <jlledo@redhat.com>
Date: Mon, 1 Jul 2024 10:57:09 +0200
Subject: [PATCH 2/9] New React component to load external scripts

---
 app/javascript/src/utilities/useScript.ts | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 app/javascript/src/utilities/useScript.ts

diff --git a/app/javascript/src/utilities/useScript.ts b/app/javascript/src/utilities/useScript.ts
new file mode 100644
index 0000000000..63016ca217
--- /dev/null
+++ b/app/javascript/src/utilities/useScript.ts
@@ -0,0 +1,19 @@
+import { useEffect } from 'react'
+
+const useScript = (url: string, cb: (ev: Event) => void): void => {
+  useEffect(() => {
+    const script = document.createElement('script')
+
+    script.src = url
+    script.async = true
+    script.addEventListener('load', cb)
+
+    document.body.appendChild(script)
+
+    return () => {
+      document.body.removeChild(script)
+    }
+  }, [])
+}
+
+export { useScript }

From b1f0669753c69455b2d2ad370c69d887a0c1870a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Joan=20Lled=C3=B3?= <jlledo@redhat.com>
Date: Mon, 1 Jul 2024 10:58:49 +0200
Subject: [PATCH 3/9] New React component for Google Recaptcha V3

Based on:
- https://w11i.me/recaptcha-v3-react
- https://stackoverflow.com/questions/53832882/react-and-recaptcha-v3
- https://developers.google.com/recaptcha/docs/v3#programmatically_invoke_the_challenge
---
 app/javascript/src/Types/ReCaptcha.ts        | 10 +++++
 app/javascript/src/utilities/ReCaptchaV3.tsx | 39 ++++++++++++++++++++
 2 files changed, 49 insertions(+)
 create mode 100644 app/javascript/src/Types/ReCaptcha.ts
 create mode 100644 app/javascript/src/utilities/ReCaptchaV3.tsx

diff --git a/app/javascript/src/Types/ReCaptcha.ts b/app/javascript/src/Types/ReCaptcha.ts
new file mode 100644
index 0000000000..238b7c9abc
--- /dev/null
+++ b/app/javascript/src/Types/ReCaptcha.ts
@@ -0,0 +1,10 @@
+declare global {
+  interface Window {
+    grecaptcha: ReCaptchaInstance;
+  }
+}
+
+export interface ReCaptchaInstance {
+  ready: (cb: () => void) => void;
+  execute: (sitekey: string, options: { action: string }) => Promise<string>;
+}
diff --git a/app/javascript/src/utilities/ReCaptchaV3.tsx b/app/javascript/src/utilities/ReCaptchaV3.tsx
new file mode 100644
index 0000000000..32f494443f
--- /dev/null
+++ b/app/javascript/src/utilities/ReCaptchaV3.tsx
@@ -0,0 +1,39 @@
+import { useState } from 'react'
+
+import { useScript } from 'utilities/useScript'
+
+import type { FunctionComponent } from 'react'
+
+interface Props {
+  siteKey: string;
+  action: string;
+}
+
+const ReCaptchaV3: FunctionComponent<Props> = ({ siteKey, action }) => {
+  const inputId = `g-recaptcha-response-data-${action}`.replace(/\//g, '-')
+  const inputName = `g-recaptcha-response-data[${action}]`
+  const [token, setToken] = useState('')
+
+  useScript(`https://www.google.com/recaptcha/api.js?render=${siteKey}`, () => {
+    const { grecaptcha } = window
+    grecaptcha.ready(() => {
+      grecaptcha.execute(siteKey, { action: action })
+        .then((t: string) => {
+          setToken(t)
+        })
+        .catch((error: string) => { console.error(error) })
+    })
+  })
+
+  return (
+    <div>
+      <small>
+        This site is protected by reCAPTCHA and the Google <a href="https://policies.google.com/privacy">Privacy Policy</a> and <a href="https://policies.google.com/terms">Terms of Service</a> apply.
+      </small>
+      <input className="g-recaptcha g-recaptcha-response" data-sitekey={siteKey} id={inputId} name={inputName} type="hidden" value={token} />
+    </div>
+  )
+}
+
+export type { Props }
+export { ReCaptchaV3 }

From 76507a6e53f4006d3decdc6f47b67abcb1d45053 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Joan=20Lled=C3=B3?= <jlledo@redhat.com>
Date: Fri, 12 Jul 2024 08:59:24 +0200
Subject: [PATCH 4/9] New screen to set `:admin_bot_protection_level`

---
 .../admin/bot_protections_controller.rb       | 27 +++++++++++++++++++
 app/helpers/vertical_nav_helper.rb            |  1 +
 .../admin/bot_protections/edit.html.slim      | 14 ++++++++++
 config/routes.rb                              |  1 +
 4 files changed, 43 insertions(+)
 create mode 100644 app/controllers/provider/admin/bot_protections_controller.rb
 create mode 100644 app/views/provider/admin/bot_protections/edit.html.slim

diff --git a/app/controllers/provider/admin/bot_protections_controller.rb b/app/controllers/provider/admin/bot_protections_controller.rb
new file mode 100644
index 0000000000..58f5f906d5
--- /dev/null
+++ b/app/controllers/provider/admin/bot_protections_controller.rb
@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+class Provider::Admin::BotProtectionsController < Provider::Admin::BaseController
+
+  activate_menu! :account, :integrate, :bot_protection
+
+  before_action :find_settings
+
+  def edit; end
+
+  def update
+    if @settings.update(params[:settings])
+      flash[:notice] = 'Bot protection settings updated.'
+      redirect_to edit_provider_admin_bot_protection_url
+    else
+      flash[:error] = 'There were problems saving the settings.'
+      render :action => 'edit'
+    end
+  end
+
+  private
+
+  def find_settings
+    @settings = current_account.settings
+  end
+
+end
diff --git a/app/helpers/vertical_nav_helper.rb b/app/helpers/vertical_nav_helper.rb
index 0b48d0e37d..4e2dfea30d 100644
--- a/app/helpers/vertical_nav_helper.rb
+++ b/app/helpers/vertical_nav_helper.rb
@@ -77,6 +77,7 @@ def account_itegrate_items
     items = []
     items << {id: :webhooks,  title: 'Webhooks',        path: edit_provider_admin_webhooks_path} if can? :manage, :web_hooks
     items << {id: :apidocs,   title: '3scale API Docs', path: provider_admin_api_docs_path}
+    items << {id: :bot_protection,  title: 'Bot Protection',  path: edit_provider_admin_bot_protection_path}
   end
 
   # Audience
diff --git a/app/views/provider/admin/bot_protections/edit.html.slim b/app/views/provider/admin/bot_protections/edit.html.slim
new file mode 100644
index 0000000000..3ab687deb2
--- /dev/null
+++ b/app/views/provider/admin/bot_protections/edit.html.slim
@@ -0,0 +1,14 @@
+- content_for :title, 'Bot Protection'
+- content_for :page_header_title, 'Bot Protection'
+
+= semantic_form_for @settings, url: provider_admin_bot_protection_path, html: {:id => 'bot-protection-settings' } do |form|
+  = form.inputs 'Protection against bots' do
+    = form.input  :admin_bot_protection_level,
+      label: false,
+      hint: t("sites.spam_protections.edit.captcha_hint_#{Recaptcha.captcha_configured?.to_s}"),
+        as: :radio,
+        collection: ThreeScale::BotProtection::LEVELS,
+        input_html: { disabled: !Recaptcha.captcha_configured? }
+
+    = form.actions do
+      = form.commit_button 'Update Settings'
diff --git a/config/routes.rb b/config/routes.rb
index 8fc06eb566..05316b41c2 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -236,6 +236,7 @@
       resource :api_docs, :only => [:show]
       resource :liquid_docs, :only => [:show]
       resource :webhooks, :only => [ :new, :edit, :create, :update, :show ]
+      resource :bot_protection, :only => [ :edit, :update ]
 
       namespace :registry do
         constraints(id: /((?!\.json\Z)[^\/])+/) do

From 08a775265195d5bbaee3f948fd2238ec44b6dce6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Joan=20Lled=C3=B3?= <jlledo@redhat.com>
Date: Mon, 1 Jul 2024 10:59:33 +0200
Subject: [PATCH 5/9] Add a Recaptcha to the Admin portal login screen

---
 app/controllers/provider/sessions_controller.rb   | 15 ++++++++++-----
 app/javascript/packs/login.scss                   |  6 ++++++
 app/javascript/src/Login/components/LoginForm.tsx |  8 ++++++++
 app/javascript/src/Login/components/LoginPage.tsx |  7 +++++++
 app/views/provider/sessions/new.html.slim         |  7 ++++++-
 5 files changed, 37 insertions(+), 6 deletions(-)

diff --git a/app/controllers/provider/sessions_controller.rb b/app/controllers/provider/sessions_controller.rb
index de4bfd990e..f2690fc6f6 100644
--- a/app/controllers/provider/sessions_controller.rb
+++ b/app/controllers/provider/sessions_controller.rb
@@ -1,5 +1,6 @@
 # frozen_string_literal: true
 class Provider::SessionsController < FrontendController
+  include ThreeScale::BotProtection::Controller
 
   layout 'provider/login'
   skip_before_action :login_required
@@ -12,27 +13,27 @@ class Provider::SessionsController < FrontendController
   def new
     @session = Session.new
     @authentication_providers = published_authentication_providers
+    @bot_protection_enabled = bot_protection_enabled?
   end
 
   def create
     session_return_to
     logout_keeping_session!
 
-    @user, strategy = authenticate_user
+    @user, strategy = authenticate_user if bot_check
 
     if @user
       self.current_user = @user
       flash[:first_login] = true if current_user.user_sessions.empty?
-      create_user_session!(strategy.authentication_provider_id)
+      create_user_session!(strategy&.authentication_provider_id)
       flash[:notice] = 'Signed in successfully'
 
       AuditLogService.call("Signed in: #{current_user.id}/#{current_user.username} #{current_user.first_name} #{current_user.last_name}")
 
       redirect_back_or_default provider_admin_path
     else
-      @session = Session.new
-      flash.now[:error] = strategy.error_message
-      @authentication_providers = published_authentication_providers
+      new
+      flash.now[:error] ||= strategy&.error_message
       render :action => :new
     end
   end
@@ -107,4 +108,8 @@ def session_return_to
   def instantiate_sessions_presenter
     @presenter = Provider::SessionsPresenter.new(domain_account)
   end
+
+  def bot_protection_level
+    domain_account.settings.admin_bot_protection_level
+  end
 end
diff --git a/app/javascript/packs/login.scss b/app/javascript/packs/login.scss
index e5338dce9f..e96d8563be 100644
--- a/app/javascript/packs/login.scss
+++ b/app/javascript/packs/login.scss
@@ -7,3 +7,9 @@
 .pf-c-alert.invisible {
   visibility: hidden;
 }
+
+.login-layout {
+  .grecaptcha-badge {
+    visibility: hidden;
+  }
+}
diff --git a/app/javascript/src/Login/components/LoginForm.tsx b/app/javascript/src/Login/components/LoginForm.tsx
index 11a27fdf30..5f63daff6c 100644
--- a/app/javascript/src/Login/components/LoginForm.tsx
+++ b/app/javascript/src/Login/components/LoginForm.tsx
@@ -9,6 +9,7 @@ import {
 
 import { validateLogin } from 'Login/utils/validations'
 import { CSRFToken } from 'utilities/CSRFToken'
+import { ReCaptchaV3 } from 'utilities/ReCaptchaV3'
 import { LoginAlert } from 'Login/components/LoginAlert'
 
 import type { FlashMessage } from 'Types/FlashMessages'
@@ -17,6 +18,11 @@ import type { FunctionComponent } from 'react'
 interface Props {
   flashMessages: FlashMessage[];
   providerSessionsPath: string;
+  recaptcha: {
+    enabled: boolean;
+    siteKey: string;
+    action: string;
+  };
   session: {
     username: string | null;
   };
@@ -25,6 +31,7 @@ interface Props {
 const LoginForm: FunctionComponent<Props> = ({
   flashMessages,
   providerSessionsPath,
+  recaptcha,
   session
 }) => {
   const [state, setState] = useState({
@@ -114,6 +121,7 @@ const LoginForm: FunctionComponent<Props> = ({
           onChange={handleOnChange('password')}
         />
       </FormGroup>
+      {recaptcha.enabled && <ReCaptchaV3 action={recaptcha.action} siteKey={recaptcha.siteKey} /> }
 
       <ActionGroup>
         <Button
diff --git a/app/javascript/src/Login/components/LoginPage.tsx b/app/javascript/src/Login/components/LoginPage.tsx
index e47955b404..45b03bf478 100644
--- a/app/javascript/src/Login/components/LoginPage.tsx
+++ b/app/javascript/src/Login/components/LoginPage.tsx
@@ -17,6 +17,11 @@ interface Props {
   providerRequestPasswordResetPath: string;
   show3scaleLoginForm: boolean;
   disablePasswordReset: boolean;
+  recaptcha: {
+    enabled: boolean;
+    siteKey: string;
+    action: string;
+  };
   session: {
     username: string | null;
   };
@@ -28,6 +33,7 @@ const LoginPage: FunctionComponent<Props> = ({
   flashMessages,
   providerRequestPasswordResetPath,
   providerSessionsPath,
+  recaptcha,
   session,
   show3scaleLoginForm
 }) => (
@@ -53,6 +59,7 @@ const LoginPage: FunctionComponent<Props> = ({
       <LoginForm
         flashMessages={flashMessages}
         providerSessionsPath={providerSessionsPath}
+        recaptcha={recaptcha}
         session={session}
       />
     )}
diff --git a/app/views/provider/sessions/new.html.slim b/app/views/provider/sessions/new.html.slim
index cb4c1a10b9..2898b00122 100644
--- a/app/views/provider/sessions/new.html.slim
+++ b/app/views/provider/sessions/new.html.slim
@@ -2,6 +2,9 @@
 - authentication_providers = (@authentication_providers || []).map { |ap| {authorizeURL: ap.authorize_url, humanKind: ap.human_kind} }
 - flash_messages = (flash || []).map { |f| {type: f[0], message: f[1]}}
 - is_master_account = domain_account.master?
+- recaptcha_enabled = !!@bot_protection_enabled
+- recaptcha_site_key = Rails.configuration.three_scale.recaptcha_public_key
+- recaptcha_action = controller_path
 div#pf-login-page-container data-login-props={redirectUrl: (session[:return_to].nil? ? "null" : (request.protocol + request.host_with_port + session[:return_to])),
   authenticationProviders: authentication_providers,
   flashMessages: flash_messages,
@@ -11,4 +14,6 @@ div#pf-login-page-container data-login-props={redirectUrl: (session[:return_to].
   providerLoginPath: provider_login_path,
   providerAdminDashboardPath: provider_admin_dashboard_path,
   disablePasswordReset: is_master_account,
-  session: {username: params[:username]} }.to_json
+  recaptcha: { enabled: recaptcha_enabled, siteKey: recaptcha_site_key, action: recaptcha_action },
+  session: {username: params[:username]},
+}.to_json

From 77d54f9b3d140a835e412dd6855c3cc3bfa764fe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Joan=20Lled=C3=B3?= <jlledo@redhat.com>
Date: Mon, 22 Jul 2024 13:34:14 +0200
Subject: [PATCH 6/9] Move form to its own partial

---
 app/lib/three_scale/bot_protection.rb         |  2 +-
 .../admin/bot_protections/_form.html.slim     | 11 ++++++++++
 .../admin/bot_protections/edit.html.slim      | 13 ++----------
 .../sites/spam_protections/edit.html.erb      | 21 +++----------------
 config/locales/en.yml                         |  6 ++++++
 5 files changed, 23 insertions(+), 30 deletions(-)
 create mode 100644 app/views/provider/admin/bot_protections/_form.html.slim

diff --git a/app/lib/three_scale/bot_protection.rb b/app/lib/three_scale/bot_protection.rb
index 58b4ca4062..4596734b56 100644
--- a/app/lib/three_scale/bot_protection.rb
+++ b/app/lib/three_scale/bot_protection.rb
@@ -2,7 +2,7 @@
 
 module ThreeScale
   module BotProtection
-    LEVELS = [['None', :none], ['reCAPTCHA', :captcha]].freeze
+    LEVELS = [['None', :none], ['reCAPTCHA v3', :captcha]].freeze
   end
 end
 
diff --git a/app/views/provider/admin/bot_protections/_form.html.slim b/app/views/provider/admin/bot_protections/_form.html.slim
new file mode 100644
index 0000000000..99397e89a2
--- /dev/null
+++ b/app/views/provider/admin/bot_protections/_form.html.slim
@@ -0,0 +1,11 @@
+= semantic_form_for settings, url: url, html: {:id => 'bot-protection-settings' } do |form|
+  = form.inputs selector_label do
+    = form.input field,
+            label: false,
+            hint: t("sites.spam_protections.edit.captcha_hint_#{Recaptcha.captcha_configured?.to_s}"),
+            as: :radio,
+            collection: ThreeScale::BotProtection::LEVELS,
+            input_html: { disabled: !Recaptcha.captcha_configured? }
+
+    = form.actions do
+      = form.commit_button 'Update Settings'
diff --git a/app/views/provider/admin/bot_protections/edit.html.slim b/app/views/provider/admin/bot_protections/edit.html.slim
index 3ab687deb2..eb32212926 100644
--- a/app/views/provider/admin/bot_protections/edit.html.slim
+++ b/app/views/provider/admin/bot_protections/edit.html.slim
@@ -1,14 +1,5 @@
 - content_for :title, 'Bot Protection'
 - content_for :page_header_title, 'Bot Protection'
+- content_for :page_header_body, t('.description')
 
-= semantic_form_for @settings, url: provider_admin_bot_protection_path, html: {:id => 'bot-protection-settings' } do |form|
-  = form.inputs 'Protection against bots' do
-    = form.input  :admin_bot_protection_level,
-      label: false,
-      hint: t("sites.spam_protections.edit.captcha_hint_#{Recaptcha.captcha_configured?.to_s}"),
-        as: :radio,
-        collection: ThreeScale::BotProtection::LEVELS,
-        input_html: { disabled: !Recaptcha.captcha_configured? }
-
-    = form.actions do
-      = form.commit_button 'Update Settings'
+= render partial: 'form', locals: { url: provider_admin_bot_protection_path, settings: @settings, field: :admin_bot_protection_level, selector_label: t('.selector_label') }
diff --git a/app/views/sites/spam_protections/edit.html.erb b/app/views/sites/spam_protections/edit.html.erb
index dd29586015..7982ad61a6 100644
--- a/app/views/sites/spam_protections/edit.html.erb
+++ b/app/views/sites/spam_protections/edit.html.erb
@@ -1,20 +1,5 @@
-<% content_for(:title) do %>
-  Bot Protection
-<% end %>
-
+<% content_for :title, 'Bot Protection' %>
 <% content_for :page_header_title, 'Bot Protection' %>
+<% content_for :page_header_body, t('.description') %>
 
-<%= semantic_form_for @settings, :url => admin_site_spam_protection_path, :html => {:id => 'spam-protection-settings' } do |form| %>
-  <%= form.inputs 'Protection against bots' do %>
-    <%= form.input  :spam_protection_level,
-                :label => false,
-                hint: t(".captcha_hint_#{Recaptcha.captcha_configured?.to_s}"),
-                :as => :radio,
-                :collection => ThreeScale::BotProtection::LEVELS,
-                input_html: { disabled: !Recaptcha.captcha_configured? } %>
-    <% end %>
-
-  <%= form.actions do %>
-    <%= form.commit_button 'Update Settings' %>
-  <% end %>
-<% end %>
+<%= render partial: 'provider/admin/bot_protections/form', locals: { url: admin_site_spam_protection_path, settings: @settings, field: :spam_protection_level, selector_label: t('.selector_label')   } %>
diff --git a/config/locales/en.yml b/config/locales/en.yml
index 57fa7e5606..f3aae5f1fe 100644
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@@ -450,6 +450,10 @@ en:
         edit:
           delete_link: I understand the consequences, proceed to delete '%{name}' backend
           delete_confirmation: Are you sure you want to delete the backend '%{name}'?
+      bot_protections:
+        edit:
+          selector_label: Protection against bots on the admin portal
+          description: Bot protection uses Google reCAPTCHA to detect bots and prevent malicious attacks on the admin portal.
       keys:
         create:
           success: A new key has been added.
@@ -609,6 +613,8 @@ en:
   sites:
     spam_protections:
       edit:
+        selector_label: Protection against bots on the developer portal
+        description: Bot protection uses Google reCAPTCHA to detect bots and prevent malicious attacks on the developer portal.
         captcha_hint_false: 'reCAPTCHA has not been configured correctly, bot protection cannot be enabled.'
         captcha_hint_true: "reCAPTCHA v3 will invisibly verify interactions to detect bots."
     usage_rules:

From f350d2fff339c734d4546c4fd3d2400cb7fcba3c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Joan=20Lled=C3=B3?= <jlledo@redhat.com>
Date: Mon, 1 Jul 2024 11:00:21 +0200
Subject: [PATCH 7/9] Fix recaptcha flash errors

It showed errors twice in the admin login screen.
---
 app/lib/three_scale/bot_protection/controller.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/lib/three_scale/bot_protection/controller.rb b/app/lib/three_scale/bot_protection/controller.rb
index d14d8c82b1..e9b0c7b153 100644
--- a/app/lib/three_scale/bot_protection/controller.rb
+++ b/app/lib/three_scale/bot_protection/controller.rb
@@ -19,7 +19,7 @@ def bot_check(options = { flash: true })
       def verify_captcha(options)
         success = verify_recaptcha(action: controller_path, minimum_score: Rails.configuration.three_scale.recaptcha_min_bot_score)
 
-        flash[:error] = flash[:recaptcha_error] if options[:flash] && flash.key?(:recaptcha_error)
+        flash.now[:error] = flash[:recaptcha_error] if options[:flash] && flash.key?(:recaptcha_error)
         flash.delete(:recaptcha_error)
 
         success

From 2c2a50be463aa0a0c27bed000fd5e6c1be8d41ec Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Joan=20Lled=C3=B3?= <jlledo@redhat.com>
Date: Mon, 1 Jul 2024 13:18:36 +0200
Subject: [PATCH 8/9] Add/Update/Fix tests

---
 .../Login/components/LoginForm.spec.tsx       |  5 ++
 .../Login/components/LoginPage.spec.tsx       |  5 ++
 .../__snapshots__/LoginPage.spec.tsx.snap     | 56 +++++++++++++++++++
 .../utilities/ReCaptchaV3.spec.tsx            | 21 +++++++
 .../sites/admin_bot_protection_test.rb        | 26 +++++++++
 ...tection_test.rb => bot_protection_test.rb} |  2 +-
 6 files changed, 114 insertions(+), 1 deletion(-)
 create mode 100644 spec/javascripts/utilities/ReCaptchaV3.spec.tsx
 create mode 100644 test/integration/sites/admin_bot_protection_test.rb
 rename test/integration/sites/{spam_protection_test.rb => bot_protection_test.rb} (91%)

diff --git a/spec/javascripts/Login/components/LoginForm.spec.tsx b/spec/javascripts/Login/components/LoginForm.spec.tsx
index dc4f1df7b3..40d9f21b11 100644
--- a/spec/javascripts/Login/components/LoginForm.spec.tsx
+++ b/spec/javascripts/Login/components/LoginForm.spec.tsx
@@ -10,6 +10,11 @@ import type { Props } from 'Login/components/LoginForm'
 const defaultProps: Props = {
   flashMessages: [],
   providerSessionsPath: 'sessions-path',
+  recaptcha: {
+    enabled: false,
+    siteKey: '',
+    action: ''
+  },
   session: { username: null }
 }
 
diff --git a/spec/javascripts/Login/components/LoginPage.spec.tsx b/spec/javascripts/Login/components/LoginPage.spec.tsx
index 873106141e..04cd514794 100644
--- a/spec/javascripts/Login/components/LoginPage.spec.tsx
+++ b/spec/javascripts/Login/components/LoginPage.spec.tsx
@@ -11,6 +11,11 @@ const defaultProps: Props = {
   providerSessionsPath: 'sessions-path',
   show3scaleLoginForm: true,
   disablePasswordReset: false,
+  recaptcha: {
+    enabled: false,
+    siteKey: '',
+    action: ''
+  },
   session: { username: '' }
 }
 
diff --git a/spec/javascripts/Login/components/__snapshots__/LoginPage.spec.tsx.snap b/spec/javascripts/Login/components/__snapshots__/LoginPage.spec.tsx.snap
index b721055deb..33a4388c3f 100644
--- a/spec/javascripts/Login/components/__snapshots__/LoginPage.spec.tsx.snap
+++ b/spec/javascripts/Login/components/__snapshots__/LoginPage.spec.tsx.snap
@@ -7,6 +7,13 @@ exports[`should not render reset password button when disablePasswordReset is tr
   flashMessages={[]}
   providerRequestPasswordResetPath="password-path"
   providerSessionsPath="sessions-path"
+  recaptcha={
+    {
+      "action": "",
+      "enabled": false,
+      "siteKey": "",
+    }
+  }
   session={
     {
       "username": "",
@@ -107,6 +114,13 @@ exports[`should not render reset password button when disablePasswordReset is tr
                 <LoginForm
                   flashMessages={[]}
                   providerSessionsPath="sessions-path"
+                  recaptcha={
+                    {
+                      "action": "",
+                      "enabled": false,
+                      "siteKey": "",
+                    }
+                  }
                   session={
                     {
                       "username": "",
@@ -485,6 +499,13 @@ exports[`should render Login form and Authentication providers when available 1`
   flashMessages={[]}
   providerRequestPasswordResetPath="password-path"
   providerSessionsPath="sessions-path"
+  recaptcha={
+    {
+      "action": "",
+      "enabled": false,
+      "siteKey": "",
+    }
+  }
   session={
     {
       "username": "",
@@ -594,6 +615,13 @@ exports[`should render Login form and Authentication providers when available 1`
                 <LoginForm
                   flashMessages={[]}
                   providerSessionsPath="sessions-path"
+                  recaptcha={
+                    {
+                      "action": "",
+                      "enabled": false,
+                      "siteKey": "",
+                    }
+                  }
                   session={
                     {
                       "username": "",
@@ -1197,6 +1225,13 @@ exports[`should render itself 1`] = `
   flashMessages={[]}
   providerRequestPasswordResetPath="password-path"
   providerSessionsPath="sessions-path"
+  recaptcha={
+    {
+      "action": "",
+      "enabled": false,
+      "siteKey": "",
+    }
+  }
   session={
     {
       "username": "",
@@ -1306,6 +1341,13 @@ exports[`should render itself 1`] = `
                 <LoginForm
                   flashMessages={[]}
                   providerSessionsPath="sessions-path"
+                  recaptcha={
+                    {
+                      "action": "",
+                      "enabled": false,
+                      "siteKey": "",
+                    }
+                  }
                   session={
                     {
                       "username": "",
@@ -1708,6 +1750,13 @@ exports[`should render reset password button when disablePasswordReset is false
   flashMessages={[]}
   providerRequestPasswordResetPath="password-path"
   providerSessionsPath="sessions-path"
+  recaptcha={
+    {
+      "action": "",
+      "enabled": false,
+      "siteKey": "",
+    }
+  }
   session={
     {
       "username": "",
@@ -1817,6 +1866,13 @@ exports[`should render reset password button when disablePasswordReset is false
                 <LoginForm
                   flashMessages={[]}
                   providerSessionsPath="sessions-path"
+                  recaptcha={
+                    {
+                      "action": "",
+                      "enabled": false,
+                      "siteKey": "",
+                    }
+                  }
                   session={
                     {
                       "username": "",
diff --git a/spec/javascripts/utilities/ReCaptchaV3.spec.tsx b/spec/javascripts/utilities/ReCaptchaV3.spec.tsx
new file mode 100644
index 0000000000..e9158a888b
--- /dev/null
+++ b/spec/javascripts/utilities/ReCaptchaV3.spec.tsx
@@ -0,0 +1,21 @@
+import { mount } from 'enzyme'
+
+import type { Props } from 'utilities/ReCaptchaV3'
+
+import type { FunctionComponent } from 'react'
+
+const ReCaptchaV3 = jest.requireActual('utilities/ReCaptchaV3').ReCaptchaV3 as FunctionComponent<Props>
+
+it('should render the ReCaptcha input', () => {
+  const wrapper = mount(<ReCaptchaV3 action="test/action" siteKey="fakeKey" />)
+
+  expect(wrapper.exists(ReCaptchaV3)).toEqual(true)
+  expect(wrapper.find('input').prop('className')).toMatch('g-recaptcha')
+})
+
+it('should give the proper name to the input', () => {
+  const action = 'test/action'
+  const wrapper = mount(<ReCaptchaV3 action={action} siteKey="fakeKey" />)
+
+  expect(wrapper.find('input').prop('name')).toBe(`g-recaptcha-response-data[${action}]`)
+})
diff --git a/test/integration/sites/admin_bot_protection_test.rb b/test/integration/sites/admin_bot_protection_test.rb
new file mode 100644
index 0000000000..b6b004884d
--- /dev/null
+++ b/test/integration/sites/admin_bot_protection_test.rb
@@ -0,0 +1,26 @@
+require 'test_helper'
+
+class Sites::AdminBotProtectionTest < ActionDispatch::IntegrationTest
+
+  setup do
+    provider = FactoryBot.create(:provider_account)
+
+    login_provider provider
+
+    host! provider.external_admin_domain
+  end
+
+  test 'edit without captcha' do
+    Recaptcha.expects(:captcha_configured?).returns(false).twice
+    get edit_provider_admin_bot_protection_path
+    assert_response :success
+    assert_match 'reCAPTCHA has not been configured correctly', response.body
+  end
+
+  test 'edit with captcha' do
+    Recaptcha.expects(:captcha_configured?).returns(true).twice
+    get edit_provider_admin_bot_protection_path
+    assert_response :success
+    assert_not_match 'reCAPTCHA has not been configured correctly', response.body
+  end
+end
diff --git a/test/integration/sites/spam_protection_test.rb b/test/integration/sites/bot_protection_test.rb
similarity index 91%
rename from test/integration/sites/spam_protection_test.rb
rename to test/integration/sites/bot_protection_test.rb
index 53cccf1374..c3de04429e 100644
--- a/test/integration/sites/spam_protection_test.rb
+++ b/test/integration/sites/bot_protection_test.rb
@@ -1,6 +1,6 @@
 require 'test_helper'
 
-class Sites::SpamProtectionTest < ActionDispatch::IntegrationTest
+class Sites::BotProtectionTest < ActionDispatch::IntegrationTest
 
   setup do
     provider = FactoryBot.create(:provider_account)

From e9d88d9a3202612c6f99235f22225bba4ba898f5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Joan=20Lled=C3=B3?= <jlledo@redhat.com>
Date: Tue, 2 Jul 2024 10:38:17 +0200
Subject: [PATCH 9/9] Add/Update/Fix cucumbers
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

🥒
---
 .../buyer_password_reset.feature              | 14 +++----
 features/developer_portal/login.feature       | 25 +++++++++--
 features/developer_portal/signup.feature      |  2 +-
 features/old/login.feature                    | 42 -------------------
 .../provider/sessions/bot_protection.feature  | 31 ++++++++++++++
 features/provider/sessions/new.feature        | 21 ++++++++++
 .../step_definitions/bot_protection_steps.rb  | 16 +++++--
 features/step_definitions/provider_steps.rb   |  8 ----
 features/step_definitions/session_steps.rb    |  6 +--
 9 files changed, 97 insertions(+), 68 deletions(-)
 delete mode 100644 features/old/login.feature
 create mode 100644 features/provider/sessions/bot_protection.feature
 create mode 100644 features/provider/sessions/new.feature

diff --git a/features/developer_portal/buyer_password_reset.feature b/features/developer_portal/buyer_password_reset.feature
index ccb9d8570c..678053c960 100644
--- a/features/developer_portal/buyer_password_reset.feature
+++ b/features/developer_portal/buyer_password_reset.feature
@@ -6,7 +6,7 @@ Feature: Buyer password reset
 
   Rule: ReCAPTCHA protects from bots
     Background:
-      Given the provider has bot protection enabled
+      Given the provider has bot protection enabled for its buyers
 
     @recaptcha
     Scenario: Bot protection doesn't detect the client as a bot
@@ -39,13 +39,13 @@ Feature: Buyer password reset
       And they fill in "Password confirmation" with "monkey"
       And they press "Change Password"
       Then they should see "The password has been changed"
-  
+
       When they go to the login page
       And they fill in "Username" with "zed@3scale.localhost"
       And they fill in "Password" with "monkey"
       And they press "Sign in"
       Then they should be logged in as "zed"
-  
+
     Scenario: Invalid email
       Given no user exists with an email of "bob@3scale.localhost"
       And they follow "Forgot password?"
@@ -53,7 +53,7 @@ Feature: Buyer password reset
       And they press "Send instructions"
       Then they should see "A password reset link will be sent to bob@3scale.localhost if a user exists with this email."
       And "bob@3scale.localhost" should receive no emails
-  
+
     Scenario: Wrong confirmation
       Given they follow "Forgot password?"
       And they fill in "Email" with "zed@3scale.localhost"
@@ -64,7 +64,7 @@ Feature: Buyer password reset
       And they press "Change Password"
       Then they should see the password confirmation error
       And the password of user "zed" should not be "monkey"
-  
+
     Scenario: Blank passwords
       When they follow "Forgot password?"
       And they fill in "Email" with "zed@3scale.localhost"
@@ -72,11 +72,11 @@ Feature: Buyer password reset
       And they follow the link found in the password reset email send to "zed@3scale.localhost"
       And they press "Change Password"
       Then they should see "The password is invalid"
-  
+
     Scenario: Invalid token
       When they go to the password page with invalid password reset token
       Then they should see "The password reset token is invalid"
-  
+
     Scenario: Attempt to login with invalid credentials, then reset password
       Given they fill in "Username" with "zed@3scale.localhost"
       And they fill in "Password" with "ihavenoclue"
diff --git a/features/developer_portal/login.feature b/features/developer_portal/login.feature
index 7a22f49efb..d3a222232d 100644
--- a/features/developer_portal/login.feature
+++ b/features/developer_portal/login.feature
@@ -7,6 +7,23 @@ Feature: Login feature
       And provider "foo.3scale.localhost" has multiple applications enabled
       And a buyer "bob" signed up to provider "foo.3scale.localhost"
 
+  Scenario: Buyer lands on the homepage when in enterprise mode
+    When I log in as "bob" on foo.3scale.localhost
+    Then I should be on the homepage
+
+  Scenario: Buyer lands in dashboard when he requests login page
+    Given the current domain is foo.3scale.localhost
+    And I log in as "bob" on foo.3scale.localhost
+    And I go to the login page
+    Then I should be on the dashboard
+
+  @security
+  Scenario: Provider cannot login in buyer domain
+    Given the current domain is foo.3scale.localhost
+    When I try to log in as "foo.3scale.localhost" with password "supersecret"
+    Then I should not be logged in
+    And I should see "Incorrect email or password. Please try again."
+
   @security
   Scenario: Buyer can log in with csrf protection enabled
     Given the current domain is foo.3scale.localhost
@@ -16,26 +33,26 @@ Feature: Login feature
 
   @recaptcha
   Scenario: Captcha is disabled
-    Given the provider has bot protection disabled
+    Given the provider has bot protection disabled for its buyers
      When the buyer wants to log in
      Then the captcha is not present
 
   @recaptcha
   Scenario: Captcha is enabled
-    Given the provider has bot protection enabled
+    Given the provider has bot protection enabled for its buyers
      When the buyer wants to log in
      Then the captcha is present
 
   @recaptcha
   Scenario: Developer can log in with Captcha enabled
-    Given the provider has bot protection enabled
+    Given the provider has bot protection enabled for its buyers
     And the client will not be marked as a bot
     When the developer tries to log in
     Then the page should contain "Signed in successfully"
 
   @recaptcha
   Scenario: Captcha rejects a bot attempt also when it sends the correct credentials
-    Given the provider has bot protection enabled
+    Given the provider has bot protection enabled for its buyers
     And the client will be marked as a bot
     When the developer tries to log in
     Then the developer login attempt fails
diff --git a/features/developer_portal/signup.feature b/features/developer_portal/signup.feature
index 61022d2af8..b596e5dcae 100644
--- a/features/developer_portal/signup.feature
+++ b/features/developer_portal/signup.feature
@@ -85,6 +85,6 @@ Feature: Buyer signup
 
   @recaptcha
   Scenario: Captcha is enabled
-    Given the provider has bot protection enabled
+    Given the provider has bot protection enabled for its buyers
     When the buyer wants to sign up
     Then the captcha is present
diff --git a/features/old/login.feature b/features/old/login.feature
deleted file mode 100644
index fdf0b8cdb5..0000000000
--- a/features/old/login.feature
+++ /dev/null
@@ -1,42 +0,0 @@
-Feature: Login feature
-  In order to have a better site experience
-  I want to have a cool login behaviour
-
-  Background:
-    Given a provider
-    And the provider has multiple applications enabled
-    And a buyer "bob" signed up to provider "foo.3scale.localhost"
-
-  Scenario: Buyer lands on the homepage when in enterprise mode
-    When I log in as "bob" on foo.3scale.localhost
-    Then I should be on the homepage
-
-  @javascript
-  Scenario: Provider lands in dashboard when login in master domain
-    When I log in as "foo.3scale.localhost" on the admin domain of provider "foo.3scale.localhost"
-    Then I should be on the provider dashboard
-
-  @javascript
-  Scenario: Provider lands in admin dashboard when he requests public login page
-    And I am logged in as provider "foo.3scale.localhost"
-    When I go to the provider login page
-    Then I should be on the provider dashboard
-
-  Scenario: Buyer lands in dashboard when he requests login page
-    Given the current domain is foo.3scale.localhost
-    And I log in as "bob" on foo.3scale.localhost
-    And I go to the login page
-    Then I should be on the dashboard
-
-  @security @javascript
-  Scenario: Buyer cannot login in admin domain
-    When I try to log in as provider "bob" with password "supersecret"
-    Then I should not be logged in
-    And I should see "Incorrect email or password. Please try again."
-
-  @security
-  Scenario: Provider cannot login in buyer domain
-    Given the current domain is foo.3scale.localhost
-    When I try to log in as "foo.3scale.localhost" with password "supersecret"
-    Then I should not be logged in
-    And I should see "Incorrect email or password. Please try again."
diff --git a/features/provider/sessions/bot_protection.feature b/features/provider/sessions/bot_protection.feature
new file mode 100644
index 0000000000..c9e1af03c6
--- /dev/null
+++ b/features/provider/sessions/bot_protection.feature
@@ -0,0 +1,31 @@
+@javascript
+@recaptcha
+Feature: Login page
+
+  In order to protect the admin login screen from brute force attacks
+  I want to detect bots with ReCaptcha V3
+
+  Background:
+    Given a provider
+
+  Scenario: Captcha is disabled
+    Given the provider has bot protection disabled
+    When they go to the provider login page
+    Then the captcha is not present
+
+  Scenario: Captcha is enabled
+    Given the provider has bot protection enabled
+    When they go to the provider login page
+    Then the captcha is present
+
+  Scenario: Provider can log in with Captcha enabled
+    Given the provider has bot protection enabled
+    And the client will not be marked as a bot
+    When the provider logs in
+    Then the current page is the provider dashboard
+
+  Scenario: Captcha rejects a bot attempt also when it sends the correct credentials
+    Given the provider has bot protection enabled
+    And the client will be marked as a bot
+    When the provider logs in
+    Then they should not be logged in
diff --git a/features/provider/sessions/new.feature b/features/provider/sessions/new.feature
new file mode 100644
index 0000000000..f2ef6f628b
--- /dev/null
+++ b/features/provider/sessions/new.feature
@@ -0,0 +1,21 @@
+@javascript
+Feature: Provider login page
+
+  Background:
+    Given a provider
+
+  Scenario: Provider lands in dashboard when login in master domain
+    When the provider logs in
+    Then the current page is the provider dashboard
+
+  Scenario: Provider lands in admin dashboard when he requests public login page
+    Given the provider logs in
+    When they go to the provider login page
+    Then the current page is the provider dashboard
+
+  @security
+  Scenario: Buyer cannot login in admin domain
+    Given a buyer "buyer"
+    When they try to log in as provider "buyer"
+    Then they should see "Incorrect email or password. Please try again."
+    And should not be logged in
diff --git a/features/step_definitions/bot_protection_steps.rb b/features/step_definitions/bot_protection_steps.rb
index 2900f857c1..6b0bdd9153 100644
--- a/features/step_definitions/bot_protection_steps.rb
+++ b/features/step_definitions/bot_protection_steps.rb
@@ -1,12 +1,22 @@
 # frozen_string_literal: true
 
-RECAPTCHA_SCRIPT = 'script[src^="https://www.recaptcha.net/recaptcha/api.js"]'
+RECAPTCHA_INPUT = 'input[name^="g-recaptcha-response-data"]'
 
 Given "the client {will} be marked as a bot" do |bot|
   ApplicationController.any_instance.stubs(:verify_recaptcha).returns(!bot)
 end
 
 Then "the captcha {is} present" do |present|
-  page.should have_selector(RECAPTCHA_SCRIPT, visible: false) if present
-  page.should_not have_selector(RECAPTCHA_SCRIPT, visible: false) unless present
+  assert_equal present, has_selector?(RECAPTCHA_INPUT, visible: false)
 end
+
+Given "{provider} has bot protection {enabled}" do |provider, enabled|
+  level = enabled ? :captcha : :none
+  provider.settings.update_attribute(:admin_bot_protection_level, level)
+end
+
+Given "{provider} has bot protection {enabled} for its buyers" do |provider, enabled|
+  level = enabled ? :captcha : :none
+  provider.settings.update_attribute(:spam_protection_level, level)
+end
+
diff --git a/features/step_definitions/provider_steps.rb b/features/step_definitions/provider_steps.rb
index a548188d52..212b29fae3 100644
--- a/features/step_definitions/provider_steps.rb
+++ b/features/step_definitions/provider_steps.rb
@@ -262,14 +262,6 @@ def create_provider_with_plan(name, plan) # TODO: RENAME THIS NOWWW
   try_provider_login(admin.username, 'supersecret') if login
 end
 
-Given "the provider has bot protection enabled" do
-  @provider.settings.update_attribute(:spam_protection_level, :captcha)
-end
-
-Given "the provider has bot protection disabled" do
-  @provider.settings.update_attribute(:spam_protection_level, :none)
-end
-
 When(/^I have opened edit page for the active member$/) do
   visit provider_admin_account_users_path
   user = User.find_by!(username: 'alex')
diff --git a/features/step_definitions/session_steps.rb b/features/step_definitions/session_steps.rb
index e2932e53fc..5c0e5026ba 100644
--- a/features/step_definitions/session_steps.rb
+++ b/features/step_definitions/session_steps.rb
@@ -92,7 +92,7 @@
   try_provider_login(username, 'supersecret')
 end
 
-When "I try to log in as {string}" do |username|
+When "(I )(they )try to log in as (buyer ){string}" do |username|
   try_buyer_login_internal(username, 'supersecret')
 end
 
@@ -100,7 +100,7 @@
   try_buyer_login_internal(username, password)
 end
 
-When "I try to log in as provider {string}" do |username|
+When "(I )(they )try to log in as provider {string}" do |username|
   try_provider_login(username, 'supersecret')
 end
 
@@ -145,7 +145,7 @@
   assert has_no_css?('#user_widget .username', :text => username)
 end
 
-Then /^I should not be logged in$/ do
+Then "(I )(they )should not be logged in" do
   assert_includes [provider_sessions_path, session_path], current_path
 end