From 17bbe01994beb9c5e53355cc692a5d71ddf4cc8c Mon Sep 17 00:00:00 2001
From: Bryce Kalow
Date: Wed, 24 Jul 2024 18:27:16 -0500
Subject: [PATCH] feat(clerk-js): Adjust captcha parameter handling for sign ups with Google (#3806)
Co-authored-by: Kevin Wang <26389321+thiskevinwang@users.noreply.github.com>
---
 .changeset/rude-wasps-wonder.md | 5 +++
 .../clerk-js/src/core/resources/SignUp.ts | 35 ++++++++++++++++++-
 2 files changed, 39 insertions(+), 1 deletion(-)
 create mode 100644 .changeset/rude-wasps-wonder.md
diff --git a/.changeset/rude-wasps-wonder.md b/.changeset/rude-wasps-wonder.md
new file mode 100644
index 0000000000..6f6874a522
--- /dev/null
+++ b/.changeset/rude-wasps-wonder.md
@@ -0,0 +1,5 @@
+---
+"@clerk/clerk-js": patch
+---
+
+Adjust how we pass captcha tokens to the Clerk API when signing in with Google, Microsoft, and Apple
diff --git a/packages/clerk-js/src/core/resources/SignUp.ts b/packages/clerk-js/src/core/resources/SignUp.ts
index d4348b4c30..6b610699b2 100644
--- a/packages/clerk-js/src/core/resources/SignUp.ts
+++ b/packages/clerk-js/src/core/resources/SignUp.ts
@@ -71,7 +71,13 @@ export class SignUp extends BaseResource implements SignUpResource {
 const { captchaSiteKey, canUseCaptcha, captchaURL, captchaWidgetType, captchaProvider, captchaPublicKeyInvisible } = retrieveCaptchaInfo(SignUp.clerk);
- if (canUseCaptcha && captchaSiteKey && captchaURL && captchaPublicKeyInvisible) {
+ if (
+ !this.shouldBypassCaptchaForAttempt(params) &&
+ canUseCaptcha &&
+ captchaSiteKey &&
+ captchaURL &&
+ captchaPublicKeyInvisible
+ ) {
 try {
 const { captchaToken, captchaWidgetTypeUsed } = await getCaptchaToken({
 siteKey: captchaSiteKey,
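Review bot: The new `!this.shouldBypassCaptchaForAttempt(params) &&` guard keys the captcha skip on `params.strategy`, which is supplied by the caller of this client-side method, so it cannot serve as the enforcement point for bot protection. Nothing in the hunk shows how the API treats a sign-up that arrives without a token, so a comment above the condition should state the assumption, for example `// Skipping the widget is a client-side optimisation only; the API must still decide per strategy whether a missing captcha token is acceptable.` The enclosing method starts before and continues past this hunk, so whether the request carries any other bot signal for these providers is not visible here.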
@@ -91,6 +97,10 @@ export class SignUp extends BaseResource implements SignUpResource {
 }
 }
+ if (params.transfer && this.shouldBypassCaptchaForAttempt(params)) {
+ paramsWithCaptcha.strategy = SignUp.clerk.client?.signIn.firstFactorVerification.strategy;
+ }
+
 return this._basePost({
 path: this.pathRoot,
 body: normalizeUnsafeMetadata(paramsWithCaptcha),
@@ -264,4 +274,27 @@ export class SignUp extends BaseResource implements SignUpResource {
 }
 return this;
 }
+
+ /**
+ * We delegate bot detection to the following providers, instead of relying on turnstile exclusively
+ */
+ protected shouldBypassCaptchaForAttempt(params: SignUpCreateParams) {
+ if (
+ params.strategy === 'oauth_google' ||
+ params.strategy === 'oauth_microsoft' ||
+ params.strategy === 'oauth_apple'
+ ) {
+ return true;
+ }
+ if (
+ params.transfer &&
+ (SignUp.clerk.client?.signIn.firstFactorVerification.strategy === 'oauth_google' ||
+ SignUp.clerk.client?.signIn.firstFactorVerification.strategy === 'oauth_microsoft' ||
+ SignUp.clerk.client?.signIn.firstFactorVerification.strategy === 'oauth_apple')
+ ) {
+ return true;
+ }
+
+ return false;
+ }
 }
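Review bot: The added assignment `paramsWithCaptcha.strategy = SignUp.clerk.client?.signIn.firstFactorVerification.strategy;` can replace the caller's strategy with `undefined` or with a different provider, because `shouldBypassCaptchaForAttempt` also returns true on `params.strategy` alone and the optional chain yields `undefined` when `client` is unset. The strategy field appears to be what tells the API that bot detection is delegated, so it should be written only when the sign-in value is actually present: read it once with `const transferStrategy = SignUp.clerk.client?.signIn.firstFactorVerification.strategy;` and guard with `if (params.transfer && transferStrategy && this.shouldBypassCaptchaForAttempt(params))`. The method body begins above this hunk and the `_basePost` call continues below it.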
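Review bot: In `shouldBypassCaptchaForAttempt` the three provider names are written out twice and the `SignUp.clerk.client?.signIn.firstFactorVerification.strategy` chain three times, so changing the set of delegated providers means editing several places that must stay in sync, and a missed edit silently changes which sign-ups skip the captcha step. Keeping the list in one constant, reading the sign-in strategy once and declaring the return type as `boolean` makes the exemption list auditable in a single place. The constant name below is constructed for illustration.

```typescript
// constructed name; would sit at module scope in SignUp.ts
const CAPTCHA_DELEGATED_STRATEGIES: readonly string[] = ['oauth_google', 'oauth_microsoft', 'oauth_apple'];

  // … unchanged: doc comment on the method …
  protected shouldBypassCaptchaForAttempt(params: SignUpCreateParams): boolean {
    const isDelegated = (strategy: string | null | undefined): boolean =>
      !!strategy && CAPTCHA_DELEGATED_STRATEGIES.includes(strategy);

    if (isDelegated(params.strategy)) {
      return true;
    }
    // Single read of the sign-in strategy used for the transfer case.
    const signInStrategy = SignUp.clerk.client?.signIn.firstFactorVerification.strategy;
    return Boolean(params.transfer) && isDelegated(signInStrategy);
  }
```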