From e4d6bbee14ea0bf9c5f68d9c9403370ca98472f1 Mon Sep 17 00:00:00 2001
From: Quentin Gliech <quenting@element.io>
Date: Tue, 14 May 2024 12:02:05 +0200
Subject: [PATCH] Disable hCaptcha compatibility with reCAPTCHA

---
 crates/handlers/src/captcha.rs    | 4 +---
 templates/components/captcha.html | 2 +-
 2 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/crates/handlers/src/captcha.rs b/crates/handlers/src/captcha.rs
index 6fe7c116..b4a3a439 100644
--- a/crates/handlers/src/captcha.rs
+++ b/crates/handlers/src/captcha.rs
@@ -212,9 +212,7 @@ impl Form {
             }
 
             // hCaptcha
-            // XXX: this is also allowing g-recaptcha-response, because apparently hCaptcha thought
-            // it was a good idea to send both
-            (CaptchaService::HCaptcha, _, Some(response), None) => {
+            (CaptchaService::HCaptcha, None, Some(response), None) => {
                 Request::post(HCAPTCHA_VERIFY_URL)
                     .body(VerificationRequest {
                         secret,
diff --git a/templates/components/captcha.html b/templates/components/captcha.html
index 14e15a2c..f7cf6716 100644
--- a/templates/components/captcha.html
+++ b/templates/components/captcha.html
@@ -41,7 +41,7 @@ limitations under the License.
     {%- elif captcha.service == "cloudflare_turnstile" -%}
       <script src="https://challenges.cloudflare.com/turnstile/v0/api.js" async defer></script>
     {%- elif captcha.service == "hcaptcha" -%}
-      <script src="https://js.hcaptcha.com/1/api.js" async defer></script>
+      <script src="https://js.hcaptcha.com/1/api.js?recaptchacompat=off" async defer></script>
     {%- else -%}
       {{ throw(message="Invalid captcha service setup") }}
     {%- endif %}