feat(captcha): add invisible reCAPTCHA v2, hCaptcha and reCaptcha Enterprise support

Author: SteinGabriel

.changeset/add-captcha-enterprise-invisible.md

@@ -0,0 +1,11 @@
+---
+'@forgerock/login-widget': minor
+---
+
+Add invisible reCAPTCHA v2, invisible hCaptcha, and reCAPTCHA Enterprise support.
+
+- Support invisible mode for both Google reCAPTCHA v2 and hCaptcha via `configuration({ captcha: { mode: 'invisible' } })`.
+- Add `ReCaptchaEnterpriseCallback` handler for AM journeys using the Enterprise CAPTCHA node — renders visible checkbox or score-based invisible flow automatically from callback data.
+- Add `resolveGrecaptcha()` helper that prefers `window.grecaptcha.enterprise` and falls back to classic `window.grecaptcha`, keeping existing consumers with migrated keys working without changes.
+- Show inline `<Alert type="error">` on CAPTCHA failure or expiry for invisible modes.
+- Fix `renderCaptcha` to accept an optional `elementId` param to avoid DOM id collisions between classic and Enterprise components.

apps/login-app/src/app.html

@@ -19,6 +19,11 @@
         document.body.classList.add('tw_dark');
       }
     </script>
+    <!--
+      For CAPTCHA-enabled journeys, load the reCAPTCHA Enterprise script:
+      <script src="https://www.google.com/recaptcha/enterprise.js" async></script>
+      (Use enterprise.js, not api.js — new Google keys require the Enterprise namespace.)
+    -->
     <div id="svelte" class="root">%sveltekit.body%</div>
   </body>
 </html>

apps/login-app/src/routes/(app)/+layout.svelte

@@ -24,8 +24,9 @@
   <link rel="icon" href="/favicon.ico" />
   <meta name="viewport" content="width=device-width, initial-scale=1" />
   <script
-    src="https://www.google.com/recaptcha/api.js?render=6LdIqXMoAAAAAP4APBlw7_5WDeMTlAAQJf42rPWz"
+    src="https://www.google.com/recaptcha/enterprise.js"
     async
+    defer
   ></script>
 
   <style>

apps/login-app/src/routes/(app)/+page.svelte

@@ -1,10 +1,10 @@
 <!--
- 
+
  Copyright © 2025-2026 Ping Identity Corporation. All right reserved.
- 
+
  This software may be modified and distributed under the terms
  of the MIT license. See the LICENSE file for details.
- 
+
  -->
 
 <script lang="ts">
@@ -16,6 +16,7 @@
   import Journey from '$journey/journey.svelte';
   import { initialize as initializeJourney } from '$journey/journey.store';
   import { initialize as initializeContent } from '$core/locale.store';
+  import { initialize as initializeCaptcha } from '$core/captcha.store';
 
   import type { JourneyStore } from '$journey/journey.interfaces';
 
@@ -40,6 +41,7 @@
    * Sets up locale store with appropriate content
    */
   initializeContent(data.content);
+  initializeCaptcha({ mode: 'invisible' });
 
   // Use if not initializing journey in a "context module"
   onMount(async () => {

apps/login-app/src/routes/e2e/widget/modal/+page.svelte

@@ -20,6 +20,7 @@
   let authIndexValueParam = $page.url.searchParams.get('authIndexValue');
   let journeyParam = $page.url.searchParams.get('journey');
   let recaptchaParam = $page.url.searchParams.get('recaptchaAction');
+  let captchaModeParam = $page.url.searchParams.get('captchaMode') as 'normal' | 'invisible' | null;
   let suspendedIdParam = $page.url.searchParams.get('suspendedId');
   let showPasswordParam = $page.url.searchParams.get('showPassword') as
     | 'none'
@@ -139,6 +140,7 @@
           header: false,
         },
       },
+      captcha: captchaModeParam ? { mode: captchaModeParam } : undefined,
     });
     new Widget({ target: widgetEl });
     if (initializePingProtectEarly) {

core/captcha.store.test.ts

@@ -0,0 +1,45 @@
+/**
+ *
+ * Copyright © 2026 Ping Identity Corporation. All right reserved.
+ *
+ * This software may be modified and distributed under the terms
+ * of the MIT license. See the LICENSE file for details.
+ *
+ **/
+
+import { get } from 'svelte/store';
+import { describe, expect, it } from 'vitest';
+
+import { captchaStore, initialize } from './captcha.store';
+
+describe('captcha.store', () => {
+  describe('initialize()', () => {
+    it('should set mode to "normal" when no config is provided', () => {
+      initialize();
+      expect(get(captchaStore).mode).toBe('normal');
+    });
+
+    it('should set mode to "invisible" when configured', () => {
+      initialize({ mode: 'invisible' });
+      expect(get(captchaStore).mode).toBe('invisible');
+    });
+
+    it('should default to "normal" when mode is undefined', () => {
+      initialize({ mode: undefined });
+      expect(get(captchaStore).mode).toBe('normal');
+    });
+
+    it('should return the captcha store', () => {
+      const store = initialize({ mode: 'invisible' });
+      expect(store).toBe(captchaStore);
+    });
+
+    it('should update the store when called again with different config', () => {
+      initialize({ mode: 'invisible' });
+      expect(get(captchaStore).mode).toBe('invisible');
+
+      initialize({ mode: 'normal' });
+      expect(get(captchaStore).mode).toBe('normal');
+    });
+  });
+});

core/captcha.store.ts

@@ -0,0 +1,39 @@
+/**
+ *
+ * Copyright © 2025 Ping Identity Corporation. All right reserved.
+ *
+ * This software may be modified and distributed under the terms
+ * of the MIT license. See the LICENSE file for details.
+ *
+ **/
+
+import { writable, type Writable } from 'svelte/store';
+import { z } from 'zod';
+
+export const captchaSchema = z
+  .object({
+    mode: z.union([z.literal('normal'), z.literal('invisible')]).optional(),
+  })
+  .strict();
+
+export const partialCaptchaSchema = captchaSchema.partial();
+
+/** Convenience type alias for the resolved captcha config object. */
+export type CaptchaConfig = z.infer<typeof partialCaptchaSchema>;
+
+const fallbackCaptcha: CaptchaConfig = {
+  mode: 'normal',
+};
+
+export const captchaStore: Writable<CaptchaConfig> = writable(fallbackCaptcha);
+
+/**
+ * @function initialize - Initialize the captcha store
+ * @param {object} customCaptcha - Optional captcha configuration to apply
+ * @returns {object} - The captcha store
+ * @example initialize({ mode: 'invisible' });
+ */
+export function initialize(customCaptcha?: CaptchaConfig) {
+  captchaStore.set({ mode: customCaptcha?.mode ?? 'normal' });
+  return captchaStore;
+}

core/journey/_utilities/callback-mapper.svelte

@@ -41,6 +41,7 @@
   import ValidatedCreateUsername from '$journey/callbacks/username/validated-create-username.svelte';
   import DeviceProfile from '$journey/callbacks/device-profile/device-profile.svelte';
   import Recaptcha from '$journey/callbacks/recaptcha/recaptcha.svelte';
+  import RecaptchaEnterprise from '$journey/callbacks/recaptcha-enterprise/recaptcha-enterprise.svelte';
   import Metadata from '$journey/callbacks/metadata/metadata.svelte';
   import PingProtectEvaluation from '$journey/callbacks/ping-protect-evaluation/ping-protect-evaluation.svelte';
   import PingProtectInitialize from '$journey/callbacks/ping-protect-initialize/ping-protect-initialize.svelte';
@@ -66,6 +67,7 @@
     DeviceProfileCallback,
     MetadataCallback,
     ReCaptchaCallback,
+    ReCaptchaEnterpriseCallback,
     PingOneProtectEvaluationCallback,
     PingOneProtectInitializeCallback,
   } from '@forgerock/javascript-sdk';
@@ -112,6 +114,7 @@
   let _MetadataCallback: MetadataCallback;
   let _DeviceProfileCallback: DeviceProfileCallback;
   let _RecaptchaCallback: ReCaptchaCallback;
+  let _RecaptchaEnterpriseCallback: ReCaptchaEnterpriseCallback;
   let _PingProtectEvaluation: PingOneProtectEvaluationCallback;
   let _PingProtectInitialize: PingOneProtectInitializeCallback;
   let _FRCallback: FRCallback;
@@ -141,6 +144,9 @@
       case CallbackType.ReCaptchaCallback:
         _RecaptchaCallback = props.callback as ReCaptchaCallback;
         break;
+      case CallbackType.ReCaptchaEnterpriseCallback:
+        _RecaptchaEnterpriseCallback = props.callback as ReCaptchaEnterpriseCallback;
+        break;
       case CallbackType.PasswordCallback:
         _PasswordCallback = props.callback as PasswordCallback;
         break;
@@ -318,6 +324,12 @@
     callback: _RecaptchaCallback,
   }}
   <Recaptcha {...newProps} />
+{:else if cbType === CallbackType.ReCaptchaEnterpriseCallback}
+  {@const newProps = {
+    ...props,
+    callback: _RecaptchaEnterpriseCallback,
+  }}
+  <RecaptchaEnterprise {...newProps} />
 {:else if cbType === CallbackType.PingOneProtectEvaluationCallback}
   {@const newProps = {
     ...props,

core/journey/callbacks/recaptcha-enterprise/recaptcha-enterprise.mock.ts

@@ -0,0 +1,36 @@
+/**
+ *
+ * Copyright © 2026 Ping Identity Corporation. All right reserved.
+ *
+ * This software may be modified and distributed under the terms
+ * of the MIT license. See the LICENSE file for details.
+ *
+ **/
+
+import { CallbackType } from '@forgerock/javascript-sdk';
+
+export const visibleGrecaptchaEnterprise = {
+  authId: 'test-auth-id',
+  callbacks: [
+    {
+      type: CallbackType.ReCaptchaEnterpriseCallback,
+      output: [
+        { name: 'recaptchaSiteKey', value: 'enterprise-site-key' },
+        { name: 'captchaApiUri', value: 'https://www.google.com/recaptcha/enterprise.js' },
+        { name: 'captchaDivClass', value: 'g-recaptcha' },
+      ],
+      input: [
+        { name: 'IDToken1token', value: '' },
+        { name: 'IDToken1action', value: '' },
+        { name: 'IDToken1clientError', value: '' },
+        { name: 'IDToken1payload', value: '' },
+      ],
+      _id: 0,
+    },
+  ],
+  stage: 'DefaultLogin',
+};
+
+export const invisibleGrecaptchaEnterprise = visibleGrecaptchaEnterprise;
+
+export default visibleGrecaptchaEnterprise;

core/journey/callbacks/recaptcha-enterprise/recaptcha-enterprise.stories.js

@@ -0,0 +1,78 @@
+/**
+ *
+ * Copyright © 2026 Ping Identity Corporation. All right reserved.
+ *
+ * This software may be modified and distributed under the terms
+ * of the MIT license. See the LICENSE file for details.
+ *
+ **/
+
+import { FRStep, CallbackType } from '@forgerock/javascript-sdk';
+import { expect, within } from 'storybook/test';
+
+import {
+  visibleGrecaptchaEnterprise,
+  invisibleGrecaptchaEnterprise,
+} from './recaptcha-enterprise.mock';
+import RecaptchaEnterprise from './recaptcha-enterprise.story.svelte';
+import { captchaStore } from '$core/captcha.store';
+import { journeyStore } from '$journey/journey.store';
+
+function mockGrecaptchaEnterprise() {
+  window.grecaptcha = {
+    enterprise: {
+      ready: (cb) => cb(),
+      render: () => 'widget-id',
+      execute: async () => 'enterprise-token',
+      reset: () => undefined,
+      getResponse: () => 'enterprise-token',
+    },
+  };
+}
+
+export default {
+  argTypes: {
+    callback: { control: false },
+  },
+  component: RecaptchaEnterprise,
+  parameters: {
+    layout: 'fullscreen',
+  },
+  title: 'Callbacks/ReCaptchaEnterprise',
+};
+
+export const VisibleEnterprise = {
+  args: {
+    callback: new FRStep(visibleGrecaptchaEnterprise).getCallbackOfType(
+      CallbackType.ReCaptchaEnterpriseCallback,
+    ),
+  },
+  play: async () => {
+    mockGrecaptchaEnterprise();
+    captchaStore.set({ mode: 'normal' });
+  },
+};
+
+export const InvisibleEnterprise = {
+  args: {
+    callback: new FRStep(invisibleGrecaptchaEnterprise).getCallbackOfType(
+      CallbackType.ReCaptchaEnterpriseCallback,
+    ),
+  },
+  play: async () => {
+    mockGrecaptchaEnterprise();
+    captchaStore.set({ mode: 'invisible' });
+    journeyStore.update((v) => ({ ...v, recaptchaAction: 'LOGIN' }));
+  },
+};
+
+export const InvisibleEnterpriseError = {
+  args: { ...InvisibleEnterprise.args },
+  play: async ({ canvasElement }) => {
+    mockGrecaptchaEnterprise();
+    captchaStore.set({ mode: 'invisible' });
+    window.frHandleCaptchaInvisibleError?.();
+    const canvas = within(canvasElement);
+    await expect(canvas.findByText(/CAPTCHA verification failed/i)).resolves.toBeInTheDocument();
+  },
+};