From 068711e7a9aea5671cd48c3f5ac3ba8980580372 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alejandro=20Gonz=C3=A1lez?=
 <7822554+AlexTMjugador@users.noreply.github.com>
Date: Mon, 21 Apr 2025 17:42:17 +0200
Subject: [PATCH] enh(labrinth): disable hCaptcha verification when secret is
 unset (#3544)

---
 apps/labrinth/src/util/captcha.rs | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/apps/labrinth/src/util/captcha.rs b/apps/labrinth/src/util/captcha.rs
index 8527e94b..e59d5ae5 100644
--- a/apps/labrinth/src/util/captcha.rs
+++ b/apps/labrinth/src/util/captcha.rs
@@ -8,6 +8,13 @@ pub async fn check_hcaptcha(
     req: &HttpRequest,
     challenge: &str,
 ) -> Result<bool, ApiError> {
+    let secret = dotenvy::var("HCAPTCHA_SECRET")?;
+
+    if secret.is_empty() || secret == "none" {
+        tracing::info!("hCaptcha secret not set, skipping check");
+        return Ok(true);
+    }
+
     let conn_info = req.connection_info().clone();
     let ip_addr = if parse_var("CLOUDFLARE_INTEGRATION").unwrap_or(false) {
         if let Some(header) = req.headers().get("CF-Connecting-IP") {
@@ -30,7 +37,6 @@ pub async fn check_hcaptcha(
 
     let mut form = HashMap::new();
 
-    let secret = dotenvy::var("HCAPTCHA_SECRET")?;
     form.insert("response", challenge);
     form.insert("secret", &*secret);
     form.insert("remoteip", ip_addr);