From fc5363f07e16bfbbbb60ca9cca5734b647dd387e Mon Sep 17 00:00:00 2001
From: Sam Lord
Date: Tue, 11 Feb 2025 14:46:24 +0000
Subject: [PATCH] Fixed Captcha when on non-enterprise plans
ref BAE-396
---
 ghost/captcha-service/lib/CaptchaService.js | 6 ++-
 .../test/CaptchaService.test.js | 46 +++++++++++++++++++
 2 files changed, 51 insertions(+), 1 deletion(-)
diff --git a/ghost/captcha-service/lib/CaptchaService.js b/ghost/captcha-service/lib/CaptchaService.js
index 4b33d012e2..3829d6d6ec 100644
--- a/ghost/captcha-service/lib/CaptchaService.js
+++ b/ghost/captcha-service/lib/CaptchaService.js
@@ -45,7 +45,11 @@ class CaptchaService {
 captchaResponse = await hcaptcha.verify(secretKey, req.body.token, req.ip);
- if (captchaResponse.score < scoreThreshold) {
+ if ('score' in captchaResponse && captchaResponse.score < scoreThreshold) {
+ // Using hCaptcha enterprise, so score is present
+ next();
+ } else if (!('score' in captchaResponse) && captchaResponse.success) {
+ // Using regular hCaptcha, so challenge-based
 next();
 } else {
 logging.error(`Blocking request due to high score (${captchaResponse.score})`);
diff --git a/ghost/captcha-service/test/CaptchaService.test.js b/ghost/captcha-service/test/CaptchaService.test.js
index 145fafa684..585bf018bd 100644
--- a/ghost/captcha-service/test/CaptchaService.test.js
+++ b/ghost/captcha-service/test/CaptchaService.test.js
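Review bot: The enterprise branch of the new condition lets the request through on a low `score` without ever checking `captchaResponse.success`, so a response that hCaptcha marked unsuccessful but that still carries a score (whether the API can return that shape is not verifiable from this hunk) would be accepted, while the challenge-based branch does require `success`, so the two plans are not held to the same rule. Both accepting branches only call `next()`, so they can be folded into one guard that requires `success` on either plan: `const scoreOk = !('score' in captchaResponse) || captchaResponse.score < scoreThreshold;` followed by `if (captchaResponse.success && scoreOk) {`. The `else` branch now also covers the plain-hCaptcha failure, where `score` is undefined, so the message `Blocking request due to high score (undefined)` misreports why the request was blocked; logging both fields, e.g. `Blocking request (success=${captchaResponse.success}, score=${captchaResponse.score})`, keeps the log usable for triage. The test hunk in CaptchaService.test.js adds no case for a response carrying both `score` and `success: false`, so that behaviour stays unpinned. The enclosing middleware function starts before and continues past this hunk.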
@@ -91,6 +91,52 @@ describe('CaptchaService', function () {
 });
 });
+ it('Succeeds if no score present, but challenge was successful', function (done) {
+ hcaptcha.verify.resolves({success: true});
+
+ const captchaService = new CaptchaService({
+ enabled: true,
+ scoreThreshold: 0.8,
+ secretKey: 'test-secret'
+ });
+
+ const captchaMiddleware = captchaService.getMiddleware();
+
+ const req = {
+ body: {
+ token: 'test-token'
+ }
+ };
+
+ captchaMiddleware(req, null, (err) => {
+ assert.equal(err, undefined);
+ done();
+ });
+ });
+
+ it('Fails if no score is present and challenge unsuccessful', function (done) {
+ hcaptcha.verify.resolves({success: false});
+
+ const captchaService = new CaptchaService({
+ enabled: true,
+ scoreThreshold: 0.8,
+ secretKey: 'test-secret'
+ });
+
+ const captchaMiddleware = captchaService.getMiddleware();
+
+ const req = {
+ body: {
+ token: 'test-token'
+ }
+ };
+
+ captchaMiddleware(req, null, (err) => {
+ assert.equal(err.message, 'The server has encountered an error.');
+ done();
+ });
+ });
+
 it('Returns a 400 if no token provided', function (done) {
 const captchaService = new CaptchaService({
 enabled: true,