feat(captcha): add invisible reCAPTCHA v2, hCaptcha and reCaptcha Enterprise support

Author: SteinGabriel

.changeset/add-captcha-enterprise-invisible.md

@@ -0,0 +1,11 @@
+---
+'@forgerock/login-widget': minor
+---
+
+Add invisible reCAPTCHA v2, invisible hCaptcha, and reCAPTCHA Enterprise support.
+
+- Support invisible mode for both Google reCAPTCHA v2 and hCaptcha via `configuration({ captcha: { mode: 'invisible' } })`.
+- Add `ReCaptchaEnterpriseCallback` handler for AM journeys using the Enterprise CAPTCHA node — renders visible checkbox or score-based invisible flow automatically from callback data.
+- Add `resolveGrecaptcha()` helper that prefers `window.grecaptcha.enterprise` and falls back to classic `window.grecaptcha`, keeping existing consumers with migrated keys working without changes.
+- Show inline `<Alert type="error">` on CAPTCHA failure or expiry for invisible modes.
+- Fix `renderCaptcha` to accept an optional `elementId` param to avoid DOM id collisions between classic and Enterprise components.

.changeset/add-login-framework-cli.md

@@ -0,0 +1,13 @@
+---
+'@forgerock/login-framework-cli': minor
+---
+
+Add `ping-lf` CLI tool (`tools/cli/`) for bootstrapping and maintaining Login Framework projects.
+
+Three commands:
+
+- `init <directory>` — fetches a GitHub release and scaffolds a new project directory with all necessary configuration, dependencies, and an empty `experimental/custom/` structure ready for `pnpm install`.
+- `generate callback|stage <Name>` — scaffolds a new custom callback or stage component from templates, naming files correctly (PascalCase → kebab-case) and regenerating the component registry.
+- `update [--version <ver>]` — fetches the target framework release and overwrites core files while preserving `experimental/custom/`, then regenerates the registry and updates `.generator-version`.
+
+Installable via `npm install -g @forgerock/login-framework-cli`.

.github/workflows/ci.yml

@@ -40,7 +40,7 @@ jobs:
           node-version: 22.x
           cache: 'pnpm'
       - run: pnpm install --frozen-lockfile
-      - run: node scripts/generateCustomRegistry.mjs
+      - run: pnpm run generate:registry
         shell: bash
 
       # Cache Playwright browser binaries between runs (~200MB for Chromium)
@@ -130,10 +130,11 @@ jobs:
           node-version: 22.x
           cache: 'pnpm'
       - run: pnpm install --frozen-lockfile
-      - run: node scripts/generateCustomRegistry.mjs
+      - run: pnpm run generate:registry
         shell: bash
       - run: pnpm run check:lint
       - run: pnpm run test
+      - run: pnpm --filter @forgerock/login-framework-cli run test
       - name: Install Playwright for Storybook tests
         run: pnpm --filter @forgerock/login-widget exec playwright install --with-deps chromium
       - name: Build Storybook
@@ -156,7 +157,7 @@ jobs:
           node-version: 22.x
           cache: 'pnpm'
       - run: pnpm install --frozen-lockfile
-      - run: node scripts/generateCustomRegistry.mjs
+      - run: pnpm run generate:registry
         shell: bash
       - uses: chromaui/action@latest
         with:

.github/workflows/release.yml

@@ -50,21 +50,12 @@ jobs:
 
       - uses: actions/setup-node@v4
         with:
-          node-version: 22.x
+          node-version: 24.x
           cache: 'pnpm'
           # No registry-url — OIDC trusted publishing handles auth without NODE_AUTH_TOKEN.
           # Setting registry-url creates an .npmrc with _authToken=${NODE_AUTH_TOKEN},
           # which prevents OIDC fallback even when the env var is unset.
 
-      # Node 22.x ships npm 10.x; OIDC trusted publishing requires npm >= 11.6.
-      # Use corepack to install the required npm version instead of self-upgrading
-      # npm, which can fail on runners with corrupted pre-installed npm.
-      - name: Install npm for OIDC trusted publishing
-        run: |
-          corepack enable npm
-          corepack install -g npm@latest
-          npm --version
-
       - run: pnpm install --frozen-lockfile
 
       - name: Build release artifacts
@@ -161,15 +152,9 @@ jobs:
 
       - uses: actions/setup-node@v4
         with:
-          node-version: 22.x
+          node-version: 24.x
           cache: 'pnpm'
 
-      - name: Install npm for OIDC trusted publishing
-        run: |
-          corepack enable npm
-          corepack install -g npm@latest
-          npm --version
-
       - run: pnpm install --frozen-lockfile
 
       - name: Build release artifacts

.gitignore

@@ -11,6 +11,9 @@ apps/login-app/build/
 packages/login-widget/dist/
 packages/login-widget/svelte-package/
 
+# CLI build output
+tools/cli/dist/
+
 # Environment
 .env
 .env.*
@@ -44,3 +47,5 @@ experimental/custom/callbacks/*/
 # Misc
 .syncthing*
 .eslintcache
+tools/cli/tmp/
+packages/login-widget/tmp/

apps/login-app/package.json

@@ -6,7 +6,8 @@
     "dev": "vite dev",
     "build": "vite build",
     "preview": "vite preview",
-    "check:svelte": "svelte-check --tsconfig ./tsconfig.json --threshold=warning"
+    "check:svelte": "svelte-check --tsconfig ./tsconfig.json --threshold=warning",
+    "test": "vitest run"
   },
   "dependencies": {
     "@forgerock/login-widget": "workspace:*"
@@ -22,14 +23,15 @@
     "autoprefixer": "^10.4.17",
     "dotenv": "^16.4.1",
     "mdsvex": "0.12.6",
-    "postcss": "^8.5.8",
+    "postcss": "^8.5.10",
     "remark-autolink-headings": "^7.0.1",
     "remark-slug": "^7.0.1",
     "svelte": "^5.53.7",
     "svelte-check": "^4.4.5",
     "svelte-preprocess": "^6.0.3",
     "tailwindcss": "^3.3.3",
     "uuid": "9.0.1",
-    "vite": "^5.4.21"
+    "vite": "^5.4.21",
+    "vitest": "^3.2.4"
   }
 }

apps/login-app/src/app.html

@@ -19,6 +19,11 @@
         document.body.classList.add('tw_dark');
       }
     </script>
+    <!--
+      For CAPTCHA-enabled journeys, load the reCAPTCHA Enterprise script:
+      <script src="https://www.google.com/recaptcha/enterprise.js" async></script>
+      (Use enterprise.js, not api.js — new Google keys require the Enterprise namespace.)
+    -->
     <div id="svelte" class="root">%sveltekit.body%</div>
   </body>
 </html>

apps/login-app/src/lib/server/_utilities.ts

@@ -1,12 +1,24 @@
 /**
  *
- * Copyright © 2025 Ping Identity Corporation. All right reserved.
+ * Copyright © 2025-2026 Ping Identity Corporation. All right reserved.
  *
  * This software may be modified and distributed under the terms
  * of the MIT license. See the LICENSE file for details.
  *
  **/
 
+interface RewriteCookieParams {
+  cookie: string;
+  amDomain: string;
+  appDomain: string;
+}
+
+/**
+ * @function extractDomainFromUrl - extracts the domain from a given URL string
+ * @param {unknown} url - The URL to extract the domain from
+ * @returns {string} The extracted domain
+ * @throws {Error} If the input is not a string or not a valid URL
+ */
 export function extractDomainFromUrl(url: unknown) {
   if (typeof url !== 'string') {
     throw new Error('AM_DOMAIN_PATH is not a string');
@@ -25,16 +37,26 @@ export function extractDomainFromUrl(url: unknown) {
   return arr[1];
 }
 
-interface RewriteCookieParams {
-  cookie: string;
-  amDomain: string;
-  appDomain: string;
-}
-
+/**
+ * @function rewriteCookieForClient - rewrites a cookie's domain from AM domain to app domain
+ * @param {object} params - The parameters object
+ * @param {string} params.cookie - The cookie string
+ * @param {string} params.amDomain - The AM domain to replace
+ * @param {string} params.appDomain - The app domain to use
+ * @returns {string} The rewritten cookie string
+ */
 export function rewriteCookieForClient({ cookie, amDomain, appDomain }: RewriteCookieParams) {
   return cookie.replace(amDomain, appDomain);
 }
 
+/**
+ * @function rewriteCookieForServer - rewrites a cookie's domain from app domain to AM domain
+ * @param {object} params - The parameters object
+ * @param {string} params.cookie - The cookie string
+ * @param {string} params.amDomain - The AM domain to use
+ * @param {string} params.appDomain - The app domain to replace
+ * @returns {string} The rewritten cookie string
+ */
 export function rewriteCookieForServer({ cookie, amDomain, appDomain }: RewriteCookieParams) {
   return cookie.replace(appDomain, amDomain);
 }

apps/login-app/src/lib/server/redirect/README.md

@@ -0,0 +1,89 @@
+# Redirects in Login App
+
+This document explains how post-authentication redirect is determined on success and failure, and explains various redirect flows
+
+## Reference:
+
+- https://docs.pingidentity.com/pingoneaic/am-authentication/redirection-url-precedence.html
+- https://github.com/ping-rocks/platform-ui/blob/master/packages/platform-login/src/views/Login/index.vue
+- https://github.com/ping-rocks/platform-ui/blob/master/packages/platform-shared/src/mixins/LoginMixin/index.vue
+
+## Functionality
+
+- Redirect users to the correct target after login success or failure
+- Prevent open-redirect issues by validating URL against `validateGoto` endpoint
+- Handle common edge cases: default console paths, SAML endpoints, admin vs end user redirects
+
+## Redirect inputs
+
+Redirect URLs can come from multiple places:
+
+- Query parameters:
+  - `goto` (success)
+  - `gotoOnFail` (failure)
+- Journey outcome:
+  - Success URL from the journey step (for example `step.getSuccessUrl()`)
+  - Failure URL from the journey payload (for example `step.payload.detail.failureUrl`)
+- AM defaults (applied by AM when validating):
+  - User profile success/failure URL attributes
+  - Realm default success/failure login URL attributes
+
+## Success and Failure redirection flow (`goto` and `gotoOnFail`)
+
+### 1) Initial request (client)
+
+- When the authentication journey completes on the client, a hidden form is submitted to the server to initiate the redirect flow. This form contains the necessary redirect information (such as success/failure state and URLs).
+
+### 2) Storing redirect params (server)
+
+- Read `goto` / `gotoOnFail` from the incoming URL or from the submitted form.
+- Store values in a short-lived **HTTP-only** cookie.
+
+### 3) Redirect function performs the final redirect (server)
+
+1. Read and parse the HTTP-only cookie (`goto` / `gotoOnFail`). This cookie is cleared after it’s read to avoid stale redirects.
+2. Select a possible `gotoUrl`:
+   - If `isGotoOnFail=true`: prefer cookie `gotoOnFail`.
+   - If `isGotoOnFail=false`: prefer cookie `goto`, otherwise use the client-provided URL (typically from the journey success step).
+3. Call `validateGoto(authorization, gotoUrl)` in AM. AM may return a `successUrl` even when the input is invalid. It will fall back to the default success URL.
+4. If there is no usable `gotoUrl`, compute a default redirect, which redirects to either admin or end user.
+5. Final fallback:
+
+- If all redirect logic fails (no valid URL can be determined), the server will redirect to static fallback files:
+  - `/success-redirect` for success cases
+  - `/failure-redirect` for failure cases
+- These files provide a guaranteed fallback destination for both success and failure scenarios.
+
+## Other flows
+
+### Default path
+
+- detect destinations whose last path segment is `console` (for example `/am/console` or `/auth/console`).
+- If `validateGoto` return a non-console URL, use it.
+- If `validateGoto` return a console URL:
+  - Failure flow: return an empty redirect so the client can redirect to the journey `failureUrl` or the global fallback.
+  - Success flow: if the client provided a non-console URL from the journey, prefer that.
+
+### SAML URLs
+
+If `validateGoto` falls back to a console URL but the original `goto` looks like SAML, return the original `goto`.
+For example, when `validateGoto` endpoint returns '/am/console' as successUrl and the corresponding `goto` query param is 'https://default.iam.example.com/am/Consumer/metaAlias/avsp', SAML condition becomes true and the `goto` URL is returned
+
+### Admin vs end user default
+
+When there is no usable `goto` (or redirect selection must fall back), the server computes a default destination:
+
+- Fetch the user record and determine whether the user is an admin (based on roles/groups).
+- Admin users go to an admin landing page; non-admin users go to an end user landing page.
+
+### suspendedIdParam
+
+Some journeys like email verification / magic links / text and sms temporarily **suspend** the authentication session.
+
+In these flows:
+
+1. Customer app is where the flow begins.
+2. Customer is redirected to authorization server and then to the Login App for authentication.
+3. Login app passes the `goto` and `gotoOnFail` params to AM and AM links this parameter with the active auth session in memory. This happens through the SDK options (`StepOptions.query.goto` and `StepOptions.query.gotoOnFail`).
+4. AM stores all of these relevant state params in the `suspendedId`, so the magic link sent to the user contains the `goto` param within this `suspendedId` in the URL.
+5. AM then restores the goto URL, and AM is able to send the user to this URL upon completion of the journey (turned into the successUrl).