magento2: Unable to checkout via Braintree with ReCaptcha V2 or V3 Invisible

Preconditions and environment

Upon upgrading our production site from M2.4.5-p2 to M2.4.6 we discovered customers were unable to checkout via Credit Card using the Braintree Payments extension V4.5.0 bundled in to M2.4.6 The cause was found to be the ReCaptcha V3 security enabled on the Credit Card checkout.

See detailed steps below to reproduce the issue using a fresh unaltered M2.4.6 install with Luma Store sample data and Braintree sandbox credentials with ReCAPTCHA V3 Invisible security. If you wish you may repeat test using ReCAPTCHA V2 Invisible security, hung result is the same as with V3.

Only workaround to protecting checkout using Braintree Credit Card Payment method is reCAPTCHA V2 (I’m not a robot) challenge. According to Google this is the least secure of the three ReCAPTCHA options.

Building Magento 2.4.6
+ cat /etc/centos-release
CentOS Linux release 7.9.2009 (Core)
+ /usr/local/apache/bin/httpd -v
Server version: Apache/2.4.46 (Unix)
Server built:   Jun 16 2021 21:29:21
+ mysql -V
mysql  Ver 8.0.28 for Linux on x86_64 (MySQL Community Server - GPL)
+ php -v
PHP 8.1.17 (cli) (built: Mar 17 2023 09:39:39) (NTS)
Copyright (c) The PHP Group
Zend Engine v4.1.17, Copyright (c) Zend Technologies
    with Zend OPcache v8.1.17, Copyright (c), by Zend Technologies
+ php /usr/local/bin/composer -V
Composer version 2.3.5 2022-04-13 16:43:00

Steps to reproduce

Fresh Install of M2.4.6 in environment as above Login to backend

Nav to Admin>Stores>Configure>General>Web>Default Cookie Settings If necessary, set the Cookie Domain to the appropriate domain value (so you will be able to login on front end) Save Config Nav to Admin>Stores>Configure>Security>Google reCAPTCHA Storefront Enter known valid credentials for Google Recaptcha V2 (robot), V2 (invisible), and V3. On Storefront Enable Customer Login and Braintree payment form for reCAPTCHA V2 (I am not a robot) Save Config Nav to Admin>Stores>Configure>Sales>Payment Methods Select Merchant Country as United States and Save Config Configure Braintree Payments (by GENE Commerce v4.5.0) Enter known valid sandbox credentials for Merchant ID, Public Key, Private Key and Validate Credentials Enable Card Payments = Yes and Save Config Flush Magento Cache

On Frontend, successfully Sign In using Demo Customer Access credentials Answer ReCaptcha “I’m not a robot.” challenge Add Affirm Water Bottle to cart Proceed to Checkout Shipping Method select Fixed Flat Rate Payment Method select Credit Card Enter Card # 4111 1111 1111 1111 Expiration: 12/2023 Security Code: 123 Answer ReCaptcha “I’m not a robot.” challenge Click blue “Place Order” button Observe “spinner” appears for a moment and then automatically redirects to “Thank you for your purchase!” success page with order number Logout of Customer Account

Return to backend Nav to Admin>Stores>Configure>Security>Google reCAPTCHA Storefront> Storefront Change Enable Customer Login and Braintree payment form to reCAPTCHA V3 Invisible and Save Config Flush Magento Cache

On Frontend, successfully Sign In using Demo Customer Access credentials Verify “Protected by reCAPTCHA” badge appears next to “Sign In” button Add Affirm Water Bottle to cart Proceed to Checkout Shipping Method select Fixed Flat Rate Payment Method select Credit Card Enter Card # 4111 1111 1111 1111 Expiration: 12/2023 Security Code: 123 Verify “Protected by reCAPTCHA” badge appears to the left of “Place Order” button Click dark blue “Place Order” button Place Order button turns light blue and … Order Page is HUNG, UNABLE TO PLACE ORDER using ReCAPTCHA V3 Invisible security

Expected result

Upon clicking Place Order button, the order is placed successfully with ReCAPTCHA V3 Invisible security enabled on Braintree Credit Card payment method, customer is redirected to the success page.

Actual result

Upon clicking dark blue Place Order button, the button turns light blue and order page is HUNG, unable to place order with ReCAPTCHA V3 Invisible security enabled on Braintree Credit Card payment method, and Customer is NOT redirected to the success page

Additional information

The issue appears to only affect protecting Braintree Credit Card payment method with reCAPTCHA, in the limited testing of an frontend Customer Sign In using any version of reCAPTCHA does not appear to affect the login.

Checkout via Credit Card protected with ReCAPTCHA V3 Invisible security was working correctly for M2.4.5-p2 in both production and sandbox environments. I also tested M2.4.6 using our Braintree production credentials instead of sandbox, but there was no difference using either set of credentials - the Place Order hangs and attempting to place an order protected with either version of V2 or V3 Invisible ReCAPTCHA fails.

Release note

No response

Triage and priority

• Severity: S0 - Affects critical data or functionality and leaves users without workaround.
• Severity: S1 - Affects critical data or functionality and forces users to employ a workaround.
• Severity: S2 - Affects non-critical data or functionality and forces users to employ a workaround.
• Severity: S3 - Affects non-critical data or functionality and does not force users to employ a workaround.
• Severity: S4 - Affects aesthetics, professional look and feel, “quality” or “usability”.