fix: address latest captcha review feedback

- Add bounded hCaptcha widget-ready wait (15s) to avoid indefinite pending
  chat requests when the third-party script is blocked or never loads
- Pass the request cancellation token into stream endpoint captcha error
  writes to stop writing to aborted responses on client disconnect
- Emit chat hCaptcha site key to the client only when both SecretKey and
  SiteKey are configured, keeping client/server captcha enablement aligned

Author: BenjaminMichaelis

EssentialCSharp.Web/Controllers/ChatController.cs

@@ -134,13 +134,13 @@ public async Task StreamMessage([FromBody] ChatMessageRequest request, Cancellat
         if (captchaValid is null)
         {
             Response.StatusCode = 503;
-            await Response.WriteAsJsonAsync(new { error = "Human verification is temporarily unavailable. Please try again later.", errorCode = "captcha_unavailable" }, CancellationToken.None);
+            await Response.WriteAsJsonAsync(new { error = "Human verification is temporarily unavailable. Please try again later.", errorCode = "captcha_unavailable" }, cancellationToken);
             return;
         }
         if (!captchaValid.Value)
         {
             Response.StatusCode = 403;
-            await Response.WriteAsJsonAsync(new { error = "Human verification required.", errorCode = "captcha_failed" }, CancellationToken.None);
+            await Response.WriteAsJsonAsync(new { error = "Human verification required.", errorCode = "captcha_failed" }, cancellationToken);
             return;
         }
 

EssentialCSharp.Web/Views/Shared/_Layout.cshtml

@@ -184,6 +184,10 @@
             var buildLabel = ReleaseDateAttribute.GetReleaseDate() is DateTime date
                 ? TimeZoneInfo.ConvertTimeFromUtc(date, TimeZoneInfo.FindSystemTimeZoneById("Pacific Standard Time")).ToString("d MMM, yyyy h:mm:ss tt", CultureInfo.InvariantCulture)
                 : null;
+            var chatCaptchaSiteKey = !string.IsNullOrWhiteSpace(_CaptchaOptions.Value.SecretKey)
+                && !string.IsNullOrWhiteSpace(_CaptchaOptions.Value.SiteKey)
+                ? _CaptchaOptions.Value.SiteKey
+                : null;
         }
         window.PERCENT_COMPLETE = @Json.Serialize(percentComplete);
         window.PREVIOUS_PAGE = @Json.Serialize(ViewBag.PreviousPage);
@@ -194,7 +198,7 @@
         window.TRYDOTNET_ORIGIN = @Json.Serialize(Configuration["TryDotNet:Origin"]);
         window.BUILD_LABEL = @Json.Serialize(buildLabel);
         window.ENABLE_CHAT_WIDGET = @Json.Serialize(!Context.Request.Path.StartsWithSegments("/Identity"));
-        window.HCAPTCHA_SITE_KEY = @Json.Serialize(_CaptchaOptions.Value.SiteKey);
+        window.HCAPTCHA_SITE_KEY = @Json.Serialize(chatCaptchaSiteKey);
     </script>
     <script src="~/dist/assets/site-shell.js" type="module" asp-append-version="true"></script>
 </body>

EssentialCSharp.Web/wwwroot/js/chat-module.js

@@ -20,14 +20,25 @@ let captchaTokenResolve = null;
 let captchaTokenReject = null;
 let captchaPending = false; // prevents concurrent token requests overwriting promise callbacks
 let captchaRequestGeneration = 0;
+const CAPTCHA_WIDGET_READY_TIMEOUT_MS = 15_000;
 
-// Resolves once the widget has rendered. getCaptchaToken() awaits this so a user who
-// submits before hCaptcha finishes loading waits (up to 15 s) rather than getting a 403.
+// Resolves once the widget has rendered.
 let captchaWidgetReadyResolve = null;
 const captchaWidgetReady = captchaSiteKey
     ? new Promise((resolve) => { captchaWidgetReadyResolve = resolve; })
     : Promise.resolve();
 
+function awaitCaptchaWidgetReady() {
+    if (!captchaSiteKey) return Promise.resolve();
+    if (captchaWidgetId !== null) return Promise.resolve();
+
+    const timeoutPromise = new Promise((_, reject) => {
+        setTimeout(() => reject(new Error('captcha-unavailable')), CAPTCHA_WIDGET_READY_TIMEOUT_MS);
+    });
+
+    return Promise.race([captchaWidgetReady, timeoutPromise]);
+}
+
 function initCaptchaWidget() {
     if (!captchaSiteKey) return;
     // Guard: only render once (widget lives outside the v-if dialog overlay)
@@ -67,6 +78,7 @@ function initCaptchaWidget() {
  * Returns a fresh hCaptcha token, or null if captcha is not configured.
  * Waits for the widget to finish rendering if it has not yet (handles slow script loads).
  * Rejects with 'captcha-concurrent' if a token request is already in-flight.
+ * Rejects with 'captcha-unavailable' if the widget never becomes ready.
  * Rejects with 'captcha-expired' or 'captcha-error' via hCaptcha's own callbacks.
  */
 function getCaptchaToken() {
@@ -77,7 +89,7 @@ function getCaptchaToken() {
 
     // Chain onto captchaWidgetReady so calls made before the widget finishes loading
     // wait rather than immediately returning null and causing a 403.
-    return captchaWidgetReady.then(() => {
+    return awaitCaptchaWidgetReady().then(() => {
         if (requestGeneration !== captchaRequestGeneration) {
             captchaPending = false;
             return Promise.reject(new Error('captcha-stale'));
@@ -94,6 +106,9 @@ function getCaptchaToken() {
             };
             window.hcaptcha.execute(captchaWidgetId);
         });
+    }).catch((error) => {
+        captchaPending = false;
+        throw error;
     });
 }