Show bot protection modal when switching to OOB OTP branch

ref DEV-1798

authui/src/authflowv2/botprotection/botProtection.ts

@@ -1,5 +1,8 @@
 import { Controller } from "@hotwired/stimulus";
-import { dispatchBotProtectionDialogOpen } from "./botProtectionDialog";
+import {
+  dispatchBotProtectionDialogClose,
+  dispatchBotProtectionDialogOpen,
+} from "./botProtectionDialog";
 
 /**
  * Dispatch a custom event to set captcha verified with success token
@@ -77,7 +80,10 @@ export class BotProtectionController extends Controller {
     this.isVerified = true;
     // Wait for bot-protection-token-input to process "bot-protection:verify-success" event
     // so that the form submission will have bot protection token injected.
-    setTimeout(() => this.formSubmitTarget?.click(), 0);
+    setTimeout(() => {
+      this.formSubmitTarget?.click();
+      dispatchBotProtectionDialogClose();
+    }, 0);
   };
 
   onVerifyFailed = () => {

pkg/auth/handler/webapp/authflow_controller.go

@@ -747,7 +747,10 @@ func (c *AuthflowController) takeBranchRecursively(s *webapp.Session, screen *we
 		// Take the first branch, and first channel by default.
 		var zeroIndex int
 		var zeroChannel model.AuthenticatorOOBChannel
-		takeBranchResult := screen.TakeBranch(zeroIndex, zeroChannel, &webapp.TakeBranchOptions{})
+		takeBranchResult := screen.TakeBranch(&webapp.TakeBranchInput{
+			Index:   zeroIndex,
+			Channel: zeroChannel,
+		}, &webapp.TakeBranchOptions{})
 
 		switch takeBranchResult := takeBranchResult.(type) {
 		// This taken branch does not require an input to select.
@@ -935,8 +938,15 @@ func (c *AuthflowController) takeBranch(w http.ResponseWriter, r *http.Request,
 		return err
 	}
 	channel := r.Form.Get("x_channel")
-
-	takeBranchResult := screen.TakeBranch(index, model.AuthenticatorOOBChannel(channel), &webapp.TakeBranchOptions{
+	input := &webapp.TakeBranchInput{
+		Index:   index,
+		Channel: model.AuthenticatorOOBChannel(channel),
+	}
+	if hasBPInput := IsBotProtectionInputValid(r.Form); hasBPInput {
+		input.BotProtectionProviderType = r.Form.Get("x_bot_protection_provider_type")
+		input.BotProtectionProviderResponse = r.Form.Get("x_bot_protection_provider_response")
+	}
+	takeBranchResult := screen.TakeBranch(input, &webapp.TakeBranchOptions{
 		DisableFallbackToSMS: true,
 	})
 

pkg/auth/handler/webapp/bot_protection.go

@@ -24,6 +24,11 @@ func ValidateBotProtectionInput(formData url.Values) error {
 	return AuthflowBotProtectionSchema.Validator().ValidateValue(FormToJSON(formData))
 }
 
+func IsBotProtectionInputValid(formData url.Values) bool {
+	err := ValidateBotProtectionInput(formData)
+	return err == nil
+}
+
 func InsertBotProtection(formData url.Values, input map[string]interface{}) {
 	bpType := formData.Get("x_bot_protection_provider_type")
 	bpResp := formData.Get("x_bot_protection_provider_response")

pkg/auth/handler/webapp/viewmodels/authflow_branch.go

@@ -18,6 +18,7 @@ type AuthflowBranch struct {
 	MaskedClaimValue      string
 	OTPForm               otp.Form
 	VerificationSkippable bool
+	BotProtectionRequired bool
 }
 
 func isAuthflowBranchSame(a AuthflowBranch, b AuthflowBranch) bool {
@@ -114,6 +115,8 @@ func newAuthflowBranchViewModelStepAuthenticate(screen *webapp.AuthflowScreenWit
 				Channel:          channel,
 				MaskedClaimValue: o.MaskedDisplayName,
 				OTPForm:          o.OTPForm,
+				// only add bot protection for channel branch
+				BotProtectionRequired: o.BotProtection.IsRequired(),
 			}
 			if !isAuthflowBranchSame(branch, takenBranch) {
 				branches = append(branches, branch)