
security-package's Introduction

Magento Security Package

Welcome to the Magento Security Package community project!

Overview

Magento security package provides a set of security-related features including two-factor authentication for admins, Google ReCAPTCHA support for various forms, and Security.txt to support vulnerability disclosure practices.

Documentation

Community Engineering Slack

To connect with the Magento team and the Community, join us on the Magento Community Engineering Slack. If you are interested in joining Slack, or a specific channel, use our self-signup link.

Magento security Slack channel: #security

security-package's People

Contributors

abukatar, admanesachin, andimov, bubasuma, dvoskoboinikov, engcom-foxtrot, engcom-kilo, faizan-shk, fredden, glo05363, glo17680, glo71317, ishakhsuvarov, jilu1, krissyhiserote, lenaorobei, magento-devops-queue-mgr-svc, nathanjosiah, naydav, nishant04412, o-iegorov, olgavasyltsun, phoenix128, rizwankhgl, sidolov, victor-v-rad, viktym, xmav, ysapiga, zakdma


security-package's Issues

Remove dependency `magento/module-notifier-admin-ui` on `magento/module-notifier`

Current dependency:

<virtualType name="Magento\NotifierAdminUi\Model\ResourceModel\UI\Channel\Collection"
             type="Magento\Framework\View\Element\UiComponent\DataProvider\SearchResult">
    <arguments>
        <argument name="mainTable" xsi:type="string">notifier_channel</argument>
        <argument name="resourceModel"
                  xsi:type="string">Magento\Notifier\Model\ResourceModel\Channel\Collection</argument>
    </arguments>
</virtualType>

Need to replace the Magento\Notifier\Model\ResourceModel\Channel\Collection dependency with \Magento\NotifierApi\Api\ChannelRepositoryInterface

Example of how to reflect the current code:
https://github.com/naydav/Magento2Samples/blob/2.3/app/code/Engine/Location/view/adminhtml/ui_component/engine_location_city_form.xml#L36
https://github.com/naydav/Magento2Samples/blob/2.3/app/code/Engine/Location/Ui/DataProvider/CityDataProvider.php#L22

Outdated endroid/qr-code dependency

This package requires a very old and outdated version of endroid/qr-code, v2.5 (from 2017).
endroid/qr-code v2.5 depends on some old symfony modules (like symfony/options-resolver).
This prevents using other packages which also require symfony components, but with higher versions, in Magento2 projects.

For example, requiring phpro/grumphp will fail on a fresh magento 2 project:
composer require --dev phpro/grumphp
because of the conflicting symfony bundle versions.

[reCaptcha] reCaptcha is NOT shown and blocks functionality if enabled for a specific page on 1st website but disabled for 2nd website

Additional information

  • it seems it can be reproduced with all reCaptcha types (v2, v3, ReCaptcha)
  • The main conditions are:
    -- there are 2 websites with enabled reCaptcha
    -- 1st website has enabled reCaptcha for specific page e.g. 'Use in login' (can be any page)
    -- 2nd website has Disabled reCaptcha for specific page e.g. 'Use in login' (can be any page)

Preconditions

  • reCaptcha module version: 2.1.3, 2.2.2 (tested on these versions only, probably issue was even before)

Steps to reproduce

Configure two websites e.g. using next flow:

  1. In Admin Panel go to Stores > All Stores
  2. Fill the form with data
    -- Name = United Kingdom
    -- Code = uk_website
  3. Click Save Web Site button
  4. Click Create Store
  5. Fill form with next data:
    -- Web Site = United Kingdom
    -- Name = UK
    -- Code = uk_store
    -- Root Category = Default Category
  6. Click Save Store
  7. Click Create Store View
  8. Fill fields:
    -- Store = UK
    -- Name = UNITED KINGDOM - ENGLISH
    -- Code = uk_en
    -- Status = Enabled
  9. Go to Stores > Configuration > GENERAL > Web > Url Options and set
  10. Add Store Code to Urls = YES
  11. Click Save Config button and flush required caches
    -- Note: use http://{MagentoBaseUrl.com}/uk-en to open created website

Configure reCaptcha v2 or v3 with different settings for websites

  1. In Admin Panel go to SYSTEM > Configuration > SECURITY > Google reCaptcha
    -- Select 'Scope' = Main Website (default website)
  2. Set next settings only for Main Website scope:
    -- Enable = YES
    -- Use in Create user = No
    -- Use in Contact = No
  3. In Admin Panel go to SYSTEM > Configuration > SECURITY > Google reCaptcha
    -- Select 'Scope' = United Kingdom (additional website)
  4. Set next settings only for United Kingdom scope:
    -- Enable = YES
    -- Use in Create user = Yes
    -- Use in Contact = Yes

Flow on Storefront

  1. Go to Storefront on Main Website (default website)
  2. Open 'Create New Customer Account' or 'Contact Us' page
    -- (!) reCaptcha badge is not shown - because it is disabled for this website on these pages
  3. Fill all required fields and click SUBMIT button

Expected result

  • reCaptcha badge is not shown and not applied for these pages
  • New Customer successfully created/'Contact Us' form successfully submitted

Actual result

  • Customer is NOT created/ Form is not submitted
  • reCaptcha error message is shown: "Incorrect reCAPTCHA" or "You cannot proceed with such operation, your reCaptcha reputation is too low."

[Arch] Review of API/extension points of NotifierApi module

I have concerns about such methods as
\Magento\NotifierApi\Api\AdapterInterface::validateMessage
\Magento\NotifierApi\Api\AdapterInterface::sendMessage

Looks like the current service has some state; we need to separate "DTO" and "Service/Operation" logic into different concepts

This site key is not enabled for the invisible captcha error

The use of recaptcha as the reCaptcha Type results in the error "This site key is not enabled for the invisible captcha." if Yes is selected to use recaptcha for the newsletter. This is because the newsletter uses the invisible type by default in https://github.com/magento/magespecialist_ReCaptcha/blob/2.3-develop/view/frontend/layout/default.xml#L60. It is not documented in the admin panel that, by using the recaptcha for the newsletter, the invisible type should be selected.

Preconditions

  1. Magento 2.3.2

Steps to reproduce

  1. Select recaptcha for the reCaptcha Type
  2. Select Yes to use recaptcha for newsletter as default

Expected result

  1. Should work as normal as earlier version without errors

Actual result

  1. An error message appears on the frontend This site key is not enabled for the invisible captcha.

Fix alignment for 2FA in User selection tab

Preconditions

  1. 1 or more 2FA methods enabled
  2. 2FA is globally enabled
  3. No methods that are forced

Steps to reproduce

  1. Navigate to 2FA tab of some User in Stores->Settings->All Users

Expected result

  1. Checkboxes and labels are properly aligned

Actual result

  1. Checkboxes and labels aren't properly aligned
    (screenshot attached)

reCaptcha is added multiple times to head

The link to the recaptcha js is added several times to head, which slightly delays the loading time of the captcha on required pages.

Preconditions

  1. Magento 2.3.2 vanilla install with sample data
  2. Google reCaptcha v2 keys created on google

Steps to reproduce

Expected result

  1. Recaptcha should only be loaded once.

Actual result

(screenshot attached)

Remove trust this device option from login page when it is disabled

Preconditions

  1. Google Authenticator, Authy and U2F Devices are enabled as 2FA methods
  2. 2FA is globally enabled
  3. No methods are forced

Steps to reproduce

  1. Switch Enable "trust this device" option to No
  2. Save configuration
  3. Perform setup
  4. Try to log in with "trust this device" checked using Google Authenticator

Expected result

  1. People are not confused that the device will be saved

Actual result

  1. The device is not saved as expected for Merchant who performed setup but is not expected for other Merchants

contact-form widget doesn't inject recaptcha code

The recaptcha code is not used with the contact form widget in custom cms pages.

Preconditions

  1. 2.3.1
  2. all composer modules up-to-date

Steps to reproduce

  1. create cms page
  2. include the contact-form widget:
     {{block class="Magento\Contact\Block\ContactForm" name="contactForm" template="Magento_Contact::form.phtml"}}
  3. in the frontend, visit the page and submit the form

Expected result

  1. recaptcha should be injected and the form properly submitted

Actual result

  1. recaptcha code is missing
  2. form is submitted to /contact/index/index
  3. error "Incorrect reCAPTCHA" is shown
  4. all data entered is lost

Remove redundant SerializerInterface

  1. Need to remove \Magento\NotifierApi\Model\SerializerInterface and \Magento\Notifier\Model\Serializer
  2. Replace all occurrences with an \Magento\Framework\Serialize\SerializerInterface

Allow users to choose one method instead of all when 2FA is enforced

Preconditions

  1. Magento Version 2.3.2
  2. Module Version 3.0.0

Steps to reproduce

  1. Activate two 2FA methods
  2. Set both methods as forced

Expected result

  1. A user can choose which method he wants to use for authenticating

Actual result

  1. Both methods must be configured

A customer wants to enforce usage of 2FA but let the users decide which method to use (in our case either Google or U2F Key). Since the module does not currently support this scenario, we must manually make sure that each user has at least one 2FA method configured.

Broken on 2.3.3 after 2.3.1 upgrade

Our 2fa broke after 2.3.1 upgrade and we have spent countless hours trying to fix it.

When you enable 2fa the login page is blank.

2fa module also does not write to the table msp_tfa_user_config and it remains empty after enabling 2fa.

Also no error logs anywhere. yay.

Please advise.

Preconditions

  1. Magento 2.3.3

Steps to reproduce

  1. Upgrade from 2.3.1 to 2.3.3
  2. Enable 2fa
  3. Everything breaks

Expected result

(screenshot attached)

Actual result

(screenshot attached)

Empty msp_tfa_user_config table.

[reCaptcha] "Invisible reCaptcha v2" popups appears first before validating page fields on Login page

Preconditions

  • Magento 2.3.x(CE,EE)
  • reCaptcha module version: 2.1.3, 2.2.2

Steps to reproduce

  1. Create Google keys for reCAPTCHA v2 (Invisible badge) and add your domain. (screenshot attached)
  2. In Admin enable reCaptcha "Invisible reCaptcha" (in module v.2.2.2 "Invisible reCaptcha v2") for Storefront with default settings. (screenshot attached)
  3. Save Config and flush caches
  4. Go to Storefront and click 'Sign In' link to open "Customer Login" page
  5. REFRESH PAGE (F5)
  6. Do not fill Email/Password fields and click "Sign In" button

Expected result

  1. There should be validation on the fields. ReCaptcha should not initiate at this stage.
    (screenshot attached)

Actual result

  1. ReCaptcha popup appears instead of empty fields validation
    (screenshot attached)

Additional Information

Merge ReCaptcha into new security package

  • Namespaces should be changed
  • Copyrights should be updated
  • Tech debt should be resolved

AC: ReCaptcha moved from MageSpecialist to Magento namespace and refactor for 2.4

JS Error - TypeError: this.settings is undefined in FF && Uncaught TypeError: Cannot read property 'lang' of undefined in Chrome

When not configured/enabled.
JS Error - TypeError: this.settings is undefined in FF && Uncaught TypeError: Cannot read property 'lang' of undefined in Chrome on every product page.

Preconditions

  1. Magento 2.3.2

Steps to reproduce

  1. Any Product Page

Expected result

  1. No JS errors

Actual result

  1. FireFox
    TypeError: this.settings is undefined

  2. Chrome
    VM2267:72 Uncaught TypeError: Cannot read property 'lang' of undefined

Display Input When Entering 2FA Code

The input to enter the 2FA code (at least with the Google Authenticator provider, for sure) obscures the input. This is generally considered security theatre at the cost of usability. At minimum a "show code" checkbox to toggle visibility would be nice, although I think there's no reason to obscure the input at all.

Preconditions

  1. Configure 2FA with Google Authenticator provider

Steps to reproduce

  1. Authenticate successfully with a password

Expected result

  1. I can see the 2FA input while I type it

Actual result

  1. The 2FA input is obscured

Magento rest API can still be accessed without 2FA even after enabling 2FA.

Preconditions

  1. Magento version 2.3.2

Steps to reproduce

  1. Enable 2FA.
  2. Obtain an admin access token.
  3. Use any of the admin rest API calls with the access token.

Expected result

  1. I would expect you to have to fill in a 2FA access token somewhere before being allowed to use any admin API calls, since a large portion of critical admin-only functionality can be accessed through the API. For instance, an optional two-factor code field could be added to the admin token API. Then, when 2FA is enabled, the code would have to be validated and the API would refuse to grant an access token unless a valid authentication code is provided.

Actual result

  1. The rest API calls can be used without requiring 2FA.
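As an added illustration of the gate the reporter proposes above (example code, not part of the issue and not Magento's own code): a stand-alone PHP script that verifies an RFC 6238 TOTP code and refuses to issue an admin access token when 2FA is enabled for the account and no valid code accompanies the password. The function names, the in-memory admin record and the token format are constructed for the example; the secret and timestamp in the usage call are the SHA-1 test vector from RFC 6238 Appendix B, so the emitted code can be checked against the RFC.

```php
<?php
declare(strict_types=1);

// Added example, not Magento code: an RFC 6238 TOTP check that gates admin
// token issuance once 2FA is enabled for the account. The admin record,
// token format and function names are constructed for illustration.

function totpCode(string $secret, int $unixTime, int $step = 30, int $digits = 6): string
{
    // Time-based counter, packed as a 64-bit big-endian integer (RFC 4226 / RFC 6238)
    $msg  = pack('J', intdiv($unixTime, $step));
    $hmac = hash_hmac('sha1', $msg, $secret, true);
    // Dynamic truncation: the low nibble of the last byte selects a 4-byte window
    $offset = ord($hmac[19]) & 0x0f;
    $binary = ((ord($hmac[$offset]) & 0x7f) << 24)
            | (ord($hmac[$offset + 1]) << 16)
            | (ord($hmac[$offset + 2]) << 8)
            | ord($hmac[$offset + 3]);
    return str_pad((string) ($binary % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

function totpValid(string $secret, string $code, int $unixTime, int $window = 1): bool
{
    if (!preg_match('/^[0-9]{6}\z/', $code)) {
        return false;
    }
    $ok = false;
    // Accept the current step plus/minus $window steps for clock drift. No early
    // return: every candidate is compared with hash_equals, which is constant-time.
    for ($i = -$window; $i <= $window; $i++) {
        if (hash_equals(totpCode($secret, $unixTime + $i * 30), $code)) {
            $ok = true;
        }
    }
    return $ok;
}

/**
 * Hypothetical replacement for a password-only token endpoint: returns an
 * opaque bearer token, or null when the password is wrong or, with 2FA
 * enabled, the one-time code is missing or wrong.
 */
function createAdminAccessToken(array $admins, string $user, string $pass, ?string $otp, int $now): ?string
{
    $account = $admins[$user] ?? null;
    if ($account === null || !password_verify($pass, $account['password_hash'])) {
        return null;
    }
    if ($account['tfa_enabled'] && ($otp === null || !totpValid($account['tfa_secret'], $otp, $now))) {
        return null; // refuse: a valid password alone must not yield an API token
    }
    return bin2hex(random_bytes(16)); // constructed opaque token
}

// Constructed admin store; in a real system the secret is read from the
// per-user 2FA configuration and is never supplied by the caller.
$admins = [
    'alice' => [
        'password_hash' => password_hash('correct-horse', PASSWORD_DEFAULT),
        'tfa_enabled'   => true,
        'tfa_secret'    => '12345678901234567890', // RFC 6238 Appendix B SHA-1 test secret
    ],
];

// Usage at T = 59, the first RFC 6238 test time.
$withoutCode = createAdminAccessToken($admins, 'alice', 'correct-horse', null, 59);
$withCode    = createAdminAccessToken($admins, 'alice', 'correct-horse', totpCode('12345678901234567890', 59), 59);
$wrongCode   = createAdminAccessToken($admins, 'alice', 'correct-horse', '000000', 59);
var_dump($withoutCode === null, $withCode !== null, $wrongCode === null);
```

The check deliberately keeps the password step and the TOTP step inside the same function so that a missing or invalid code is indistinguishable from a wrong password to the caller; `pack('J', ...)` needs PHP 5.6.3 or later on a 64-bit build, and the one-step drift window is the usual trade-off between tolerating client clock skew and widening the set of codes accepted at any moment.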

[reCaptcha v2.2.2] "Theme" and "Size" SysConfig settings are shown for "Invisible reCaptcha v3" on WEBSITE but NOT shown on GLOBAL scope

Preconditions

  1. "msp/recaptcha" version 2.2.2

Steps to reproduce

  1. Go to System > Configuration > SECURITY > Google reCaptcha
  2. Select Scope = "Default Config" (Selected by default)
  3. set "reCaptcha" type = "Invisible reCaptcha v3"
  4. Click to open 'Frontend' section
  5. Select Scope = "Main Website"

Expected result

  1. it seems "Theme" and "Size" are not applicable for Invisible v3 and should not be shown

Actual result

(screenshot attached)

[reCaptcha v2.2.2] "reCaptcha type" SysConfig setting should be on the same scope as "API website key"/"API secret key" e.g. website

Preconditions

  1. "msp/recaptcha" version 2.2.2

Steps to reproduce

  1. Go to System > Configuration > SECURITY > Google reCaptcha
  2. Open General tab

Expected result

  1. "Google API website key" and "Google API secret key" and "reCaptcha type" should be on the same scope level

Actual result

  1. "Google API website key" = [website]
  2. "Google API secret key" = [website]
  3. "reCaptcha type" = [global]
    (screenshot attached)

Note: Not 100% sure whether it is expected or not. Possibly the idea is to have different statistics/logs/data in google/recaptcha/admin for different websites.
But I am sure that different types of reCaptcha could require different API keys to work correctly on Storefront

"It's time to change your password." message on 2FA - Google Auth page

Preconditions

  1. Magento 2.3.2
  2. Bundled 2 factor auth module
  3. Emulate that admin user has outdated password
  4. Enable for admin user 2 factor auth

Steps to reproduce

  1. Login to the admin panel

Expected result

  1. Message "It's time to change your password." should NOT appear on 2FA - Google Auth page
  2. The same message should not be showing while redirecting to magento
  3. This message should be shown on "edit password" page, when customer already passed 2 factor auth check

Actual result

  1. Message "It's time to change your password." appears on 2FA - Google Auth page
    (screenshot attached)
  2. The same message showing while redirecting to magento

Merge 2FA into new security package

  • Namespaces should be changed
  • Copyrights should be updated
  • Tech debt should be resolved

AC: 2FA moved from MageSpecialist to Magento namespace and refactor for 2.4

Data not saved on failed attempts

Preconditions

  1. Magento 2.2.5
  2. msp/recaptcha 2.0.2

Steps to reproduce

  1. Enable module with key on contact page
  2. Fill form without click on google captcha
  3. Send it

Expected result

  1. I got an error
  2. I got my data pre-filled

Actual result

  1. I got an error
  2. I lose my data

On Magento captcha code, it's here: https://github.com/magento/magento2/blob/2.3-develop/app/code/Magento/Captcha/Observer/CheckContactUsFormObserver.php#L80

We should have the same behavior on that class: https://github.com/magento/magespecialist_ReCaptcha/blob/2.3-develop/Observer/ReCaptchaObserver.php#L94

I don't understand where MSP\ReCaptcha\Observer\Frontend\ContactFormObserver is generated so I can't make the pull request by myself :(

Remove dependency `magento/module-notifier-admin-ui` on `magento/module-cms` and `magento/module-catalog`

Current dependencies:
Magento\Cms\Block\Adminhtml\Page\Edit\GenericButton
Magento\Catalog\Block\Adminhtml\Product\Edit\Button\Generic

Declaration:

<buttons>
    <button name="back" class="Magento\NotifierAdminUi\Ui\Component\Form\Channel\BackButton"/>
    <button name="save" class="Magento\NotifierAdminUi\Ui\Component\Form\Channel\SaveButton"/>
</buttons>

Could be resolved in two ways:

  1. Example https://github.com/naydav/Magento2Samples/blob/2.3/app/code/Engine/Location/etc/adminhtml/di.xml#L35
  2. Create own buttons which will be located in the same module

Magento 2.3.1 ReCaptcha error on checkout with virtual products

I'm working on Magento 2.3.1 version, and enabled Google ReCaptcha v2.

The error you can see in the attachment file happens when a "not logged in" user with only virtual products in his cart goes to checkout.

In this situation the checkout appears a little bit different, because the virtual product doesn't need the first checkout step (shipping step) info.

If user fills email field with an already registered customer email, Magento "knows" the user is a registered customer email and adds the password field for login.
But ReCaptcha field doesn't appear. So when the customer clicks on Login button Magento shows the error message: Incorrect reCaptcha.

This is a serious problem for merchants that have only virtual products.

Can you fix it?
Thanks

(screenshot attached)
