SDKS-2810: Add Invisible reCAPTCHA, hCaptcha, and Enterprise

.changeset/add-captcha-enterprise-invisible.md

@@ -0,0 +1,11 @@
+---
+'@forgerock/login-widget': minor
+---
+
+Add invisible reCAPTCHA v2, invisible hCaptcha, and reCAPTCHA Enterprise support.
+
+- Support invisible mode for both Google reCAPTCHA v2 and hCaptcha via `configuration({ captcha: { mode: 'invisible' } })`.
+- Add `ReCaptchaEnterpriseCallback` handler for AM journeys using the Enterprise CAPTCHA node — renders visible checkbox or score-based invisible flow automatically from callback data.
+- Add `resolveGrecaptcha()` helper that prefers `window.grecaptcha.enterprise` and falls back to classic `window.grecaptcha`, keeping existing consumers with migrated keys working without changes.
+- Show inline `<Alert type="error">` on CAPTCHA failure or expiry for invisible modes.
+- Fix `renderCaptcha` to accept an optional `elementId` param to avoid DOM id collisions between classic and Enterprise components.

apps/login-app/src/routes/(app)/+layout.svelte

@@ -1,6 +1,6 @@
 <!--
 
- Copyright © 2025 Ping Identity Corporation. All right reserved.
+ Copyright © 2025 - 2026 Ping Identity Corporation. All right reserved.
 
  This software may be modified and distributed under the terms
  of the MIT license. See the LICENSE file for details.
@@ -23,11 +23,6 @@
   <title>Login Application</title>
   <link rel="icon" href="/favicon.ico" />
   <meta name="viewport" content="width=device-width, initial-scale=1" />
-  <script
-    src="https://www.google.com/recaptcha/api.js?render=6LdIqXMoAAAAAP4APBlw7_5WDeMTlAAQJf42rPWz"
-    async
-  ></script>
-
   <style>
     /**
      * Self-hosting Open Sans for better privacy, potential performance and control

apps/login-app/src/routes/(app)/+page.svelte

@@ -1,10 +1,10 @@
 <!--
- 
+
  Copyright © 2025-2026 Ping Identity Corporation. All right reserved.
- 
+
  This software may be modified and distributed under the terms
  of the MIT license. See the LICENSE file for details.
- 
+
  -->
 
 <script lang="ts">
@@ -28,12 +28,15 @@
   const formPostEntryParam = $page.url.searchParams.get('form_post_entry');
   const journeyParam = $page.url.searchParams.get('journey');
   const suspendedIdParam = $page.url.searchParams.get('suspendedId');
+  const captchaModeParam = $page.url.searchParams.get('captchaMode') as
+    | 'visible'
+    | 'invisible'
+    | null;
 
-  const journeyStore: JourneyStore = initializeJourney({
-    serverConfig: {
-      wellknown: data.wellknown,
-    },
-  });
+  const journeyStore: JourneyStore = initializeJourney(
+    { serverConfig: { wellknown: data.wellknown } },
+    captchaModeParam ? { captcha: { mode: captchaModeParam } } : null,
+  );
 
   let hasSubmitted = false;
   let redirectForm: HTMLFormElement | null = null;
@@ -67,7 +70,6 @@
       journeyStore.start({
         journey: journeyParam || authIndexValue || 'Login',
         query,
-        // recaptchaAction: 'MyTestAction',
       });
     }
   });

apps/login-app/src/routes/e2e/widget/inline/+page.svelte

@@ -24,6 +24,10 @@
   let authIndexValueParam = $page.url.searchParams.get('authIndexValue');
   let journeyParam = $page.url.searchParams.get('journey');
   let recaptchaParam = $page.url.searchParams.get('recaptchaAction');
+  let captchaModeParam = $page.url.searchParams.get('captchaMode') as
+    | 'visible'
+    | 'invisible'
+    | null;
   let suspendedIdParam = $page.url.searchParams.get('suspendedId');
   let formEl: HTMLDivElement;
   let userEvent: UserStoreValue | null;
@@ -52,6 +56,7 @@
             'https://openam-sdks.forgeblocks.com/am/oauth2/alpha/.well-known/openid-configuration',
         },
       },
+      captcha: captchaModeParam ? { mode: captchaModeParam } : undefined,
       forgerock: {
         clientId: 'WebOAuthClient',
         redirectUri: `${window.location.origin}/callback`,

apps/login-app/src/routes/e2e/widget/modal/+page.svelte

@@ -19,6 +19,10 @@
   let authIndexValueParam = $page.url.searchParams.get('authIndexValue');
   let journeyParam = $page.url.searchParams.get('journey');
   let recaptchaParam = $page.url.searchParams.get('recaptchaAction');
+  let captchaModeParam = $page.url.searchParams.get('captchaMode') as
+    | 'visible'
+    | 'invisible'
+    | null;
   let suspendedIdParam = $page.url.searchParams.get('suspendedId');
   let showPasswordParam = $page.url.searchParams.get('showPassword') as
     | 'none'
@@ -127,6 +131,7 @@
           header: false,
         },
       },
+      captcha: captchaModeParam ? { mode: captchaModeParam } : undefined,
     });
 
     componentEvents = component();

core/journey/_utilities/callback-mapper.svelte

@@ -32,6 +32,7 @@
   import PingProtectInitialize from '$journey/callbacks/ping-protect-initialize/ping-protect-initialize.svelte';
   import PollingWait from '$journey/callbacks/polling-wait/polling-wait.svelte';
   import Recaptcha from '$journey/callbacks/recaptcha/recaptcha.svelte';
+  import RecaptchaEnterprise from '$journey/callbacks/recaptcha-enterprise/recaptcha-enterprise.svelte';
   import Redirect from '$journey/callbacks/redirect/redirect.svelte';
   import SelectIdp from '$journey/callbacks/select-idp/select-idp.svelte';
   import StringAttributeInput from '$journey/callbacks/string-attribute/string-attribute-input.svelte';
@@ -58,6 +59,7 @@
     PingOneProtectInitializeCallback,
     PollingWaitCallback,
     ReCaptchaCallback,
+    ReCaptchaEnterpriseCallback,
     RedirectCallback,
     SelectIdPCallback,
     SuspendedTextOutputCallback,
@@ -113,6 +115,7 @@
   let _MetadataCallback: MetadataCallback;
   let _DeviceProfileCallback: DeviceProfileCallback;
   let _RecaptchaCallback: ReCaptchaCallback;
+  let _RecaptchaEnterpriseCallback: ReCaptchaEnterpriseCallback;
   let _PingProtectEvaluation: PingOneProtectEvaluationCallback;
   let _PingProtectInitialize: PingOneProtectInitializeCallback;
   let _BaseCallback: BaseCallback;
@@ -142,6 +145,9 @@
       case callbackType.ReCaptchaCallback:
         _RecaptchaCallback = props.callback as ReCaptchaCallback;
         break;
+      case callbackType.ReCaptchaEnterpriseCallback:
+        _RecaptchaEnterpriseCallback = props.callback as ReCaptchaEnterpriseCallback;
+        break;
       case callbackType.PasswordCallback:
         _PasswordCallback = props.callback as PasswordCallback;
         break;
@@ -319,6 +325,12 @@
     callback: _RecaptchaCallback,
   }}
   <Recaptcha {...newProps} />
+{:else if cbType === callbackType.ReCaptchaEnterpriseCallback}
+  {@const newProps = {
+    ...props,
+    callback: _RecaptchaEnterpriseCallback,
+  }}
+  <RecaptchaEnterprise {...newProps} />
 {:else if cbType === callbackType.PingOneProtectEvaluationCallback}
   {@const newProps = {
     ...props,

core/journey/_utilities/captcha.utilities.test.ts

@@ -0,0 +1,106 @@
+/**
+ *
+ * Copyright © 2026 Ping Identity Corporation. All right reserved.
+ *
+ * This software may be modified and distributed under the terms
+ * of the MIT license. See the LICENSE file for details.
+ *
+ **/
+
+import { beforeEach, describe, expect, it, vi } from 'vitest';
+
+import { loadCaptchaScript, resolveGrecaptcha } from './captcha.utilities';
+
+vi.stubGlobal('window', globalThis);
+
+describe('resolveGrecaptcha', () => {
+  beforeEach(() => {
+    vi.stubGlobal('grecaptcha', undefined);
+  });
+
+  it('returns grecaptcha.enterprise when enterprise namespace is present', () => {
+    const enterprise = { ready: vi.fn(), render: vi.fn(), execute: vi.fn() };
+    vi.stubGlobal('grecaptcha', { enterprise });
+    expect(resolveGrecaptcha()).toBe(enterprise);
+  });
+
+  it('falls back to window.grecaptcha when enterprise namespace is absent', () => {
+    const classic = { ready: vi.fn(), render: vi.fn(), execute: vi.fn() };
+    vi.stubGlobal('grecaptcha', classic);
+    expect(resolveGrecaptcha()).toBe(classic);
+  });
+});
+
+describe('loadCaptchaScript', () => {
+  let appendedScript: {
+    src: string;
+    async: boolean;
+    onload: (() => void) | null;
+    onerror: (() => void) | null;
+  };
+  let mockQuerySelector: ReturnType<typeof vi.fn>;
+  let mockAppendChild: ReturnType<typeof vi.fn>;
+
+  beforeEach(() => {
+    vi.stubGlobal('grecaptcha', undefined);
+    appendedScript = { src: '', async: false, onload: null, onerror: null };
+    mockAppendChild = vi.fn();
+    mockQuerySelector = vi.fn().mockReturnValue(null);
+    vi.stubGlobal('document', {
+      querySelector: mockQuerySelector,
+      createElement: () => appendedScript,
+      head: { appendChild: mockAppendChild },
+    });
+  });
+
+  it('injects a new script tag and resolves on load for hcaptcha', async () => {
+    const promise = loadCaptchaScript({
+      src: 'https://js.hcaptcha.com/1/api.js',
+      provider: 'hcaptcha',
+    });
+    expect(appendedScript.src).toBe('https://js.hcaptcha.com/1/api.js');
+    expect(mockAppendChild).toHaveBeenCalledOnce();
+    appendedScript.onload?.();
+    await promise;
+  });
+
+  it('injects a new script tag and waits for grecaptcha.ready on load', async () => {
+    const mockReady = vi.fn((fn: () => void) => fn());
+    const promise = loadCaptchaScript({
+      src: 'https://www.google.com/recaptcha/api.js',
+      provider: 'grecaptcha',
+    });
+    expect(appendedScript.src).toBe('https://www.google.com/recaptcha/api.js');
+    vi.stubGlobal('grecaptcha', { ready: mockReady });
+    appendedScript.onload?.();
+    await promise;
+    expect(mockReady).toHaveBeenCalledOnce();
+  });
+
+  it('reuses existing script and resolves immediately for hcaptcha', async () => {
+    mockQuerySelector.mockReturnValue({ addEventListener: vi.fn() });
+    await loadCaptchaScript({ src: 'https://js.hcaptcha.com/1/api.js', provider: 'hcaptcha' });
+    expect(mockAppendChild).not.toHaveBeenCalled();
+  });
+
+  it('reuses existing script and calls grecaptcha.ready when already present', async () => {
+    const mockReady = vi.fn((fn: () => void) => fn());
+    vi.stubGlobal('grecaptcha', { ready: mockReady });
+    mockQuerySelector.mockReturnValue({ addEventListener: vi.fn() });
+    await loadCaptchaScript({
+      src: 'https://www.google.com/recaptcha/api.js',
+      provider: 'grecaptcha',
+    });
+    expect(mockAppendChild).not.toHaveBeenCalled();
+    expect(mockReady).toHaveBeenCalledOnce();
+  });
+
+  it('rejects when the script fails to load', async () => {
+    const promise = loadCaptchaScript({
+      src: 'https://bad.example.com/api.js',
+      provider: 'hcaptcha',
+    });
+    appendedScript.onerror?.();
+    await expect(promise).rejects.toThrow('Failed to load CAPTCHA script');
+  });
+});

core/journey/_utilities/captcha.utilities.ts

@@ -0,0 +1,74 @@
+/**
+ *
+ * Copyright © 2026 Ping Identity Corporation. All right reserved.
+ *
+ * This software may be modified and distributed under the terms
+ * of the MIT license. See the LICENSE file for details.
+ *
+ **/
+
+/**
+ * Resolves the active reCAPTCHA namespace. Prefers `grecaptcha.enterprise`
+ * (loaded by enterprise.js) and falls back to the classic `grecaptcha` global
+ * (loaded by api.js or auto-migrated keys). This makes all call sites
+ * transparent to which script the consumer loaded.
+ */
+export function resolveGrecaptcha(): ReCaptchaV2.ReCaptcha {
+  const grecaptcha = window.grecaptcha as ReCaptchaV2.ReCaptcha & {
+    enterprise?: ReCaptchaV2.ReCaptcha;
+  };
+  return grecaptcha?.enterprise ?? window.grecaptcha;
+}
+
+/**
+ * Injects a CAPTCHA script tag into <head> and resolves when the provider API
+ * is ready to use. No-ops if the provider API is already present on window (e.g.
+ * pre-loaded by consumer or stubbed in tests), or if a script with the same src
+ * is already in the document. For grecaptcha, waits for grecaptcha.ready().
+ */
+export function loadCaptchaScript({
+  src,
+  provider,
+}: {
+  src: string;
+  provider: 'grecaptcha' | 'hcaptcha';
+}): Promise<void> {
+  if (provider === 'hcaptcha') {
+    const hc = (window as Window & { hcaptcha?: unknown }).hcaptcha;
+    if (hc) return Promise.resolve();
+  } else {
+    const grc = resolveGrecaptcha();
+    if (grc) return new Promise((resolve) => grc.ready(() => resolve()));
+  }
+
+  const existing = document.querySelector<HTMLScriptElement>(`script[src="${src}"]`);
+  if (existing) {
+    return new Promise((resolve) => {
+      if (provider === 'hcaptcha') {
+        resolve();
+      } else {
+        const grc = resolveGrecaptcha();
+        if (grc) {
+          grc.ready(() => resolve());
+        } else {
+          existing.addEventListener('load', () => resolve(), { once: true });
+        }
+      }
+    });
+  }
+  return new Promise((resolve, reject) => {
+    const script = document.createElement('script');
+    script.src = src;
+    script.async = true;
+    script.onerror = () => reject(new Error(`Failed to load CAPTCHA script: ${src}`));
+    script.onload = () => {
+      if (provider === 'hcaptcha') {
+        resolve();
+      } else {
+        const grc = resolveGrecaptcha();
+        grc ? grc.ready(() => resolve()) : resolve();
+      }
+    };
+    document.head.appendChild(script);
+  });
+}

core/journey/_utilities/metadata.utilities.ts

@@ -21,25 +21,30 @@ import type { BaseCallback, JourneyStep } from '@forgerock/journey-client/types'
 
 import type { CallbackMetadata } from '$journey/journey.interfaces';
 
+const captchaCallbackTypes = new Set(['ReCaptchaCallback', 'ReCaptchaEnterpriseCallback']);
+
 /**
  * @function buildCallbackMetadata - Constructs an array of callback metadata that matches to original callback array
  * @param {object} step - The modified Widget step object
  * @param {function} checkValidation - function that checks if current callback is the first invalid callback
+ * @param {object} stageJson - Optional stage JSON from AM
+ * @param {object} initializationOptions - Optional widget-level initialization options (e.g. captcha config)
  * @returns {array}
  */
 export function buildCallbackMetadata(
   step: JourneyStep,
   checkValidation: (callback: BaseCallback) => boolean,
   stageJson?: Record<string, unknown> | null,
+  initializationOptions?: Record<string, unknown> | null,
 ) {
   const callbackCount: Record<string, number> = {};
   const isPasskeyAutofillEligible = isMixedLoginWebAuthnStep(step);
 
   return step?.callbacks.map((callback, idx) => {
-    const cb = callback;
-    const callbackType = cb.getType();
+    const callbackType = callback.getType();
 
     let stageCbMetadata;
+    let initOptions;
 
     if (callbackCount[callbackType]) {
       callbackCount[callbackType] = callbackCount[callbackType] + 1;
@@ -52,6 +57,14 @@ export function buildCallbackMetadata(
       stageCbMetadata = stageCbArray[callbackCount[callbackType] - 1];
     }
 
+    if (captchaCallbackTypes.has(callbackType)) {
+      const captchaConfig = initializationOptions?.captcha as Record<string, unknown> | undefined;
+      const recaptchaAction = initializationOptions?.recaptchaAction as string | null | undefined;
+      if (captchaConfig || recaptchaAction) {
+        initOptions = { ...captchaConfig, ...(recaptchaAction && { recaptchaAction }) };
+      }
+    }
+
     return {
       derived: {
         canForceUserInputOptionality: canForceUserInputOptionality(callback),
@@ -68,6 +81,7 @@ export function buildCallbackMetadata(
           ...stageCbMetadata,
         },
       }),
+      ...(initOptions && { initOptions }),
     };
   });
 }