[PM-15162] Remove captcha enforcement and issuing of bypass token

[trmartin4]

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-15162

📔 Objective

Removes captcha from the server codebase.

This work can be broken up into a few conceptual groups:

1. Remove the enforcement of captchas on incoming requests. We will no longer reject a request due to any captcha calculations or headers. The maximum login attempts had been set to an artificially high value in order to avoid triggering a captcha, so this will not affect existing behavior on the clients. (The new login components on the web clients do not support captcha either).
2. Remove the emails that were sent when the maximum login attempts had been achieved and users were presented with a captcha. There is no longer a concept of "maximum login attempts" enforced by the server (or client).
3. Remove the issuing and validation of captcha bypass tokens on requests.

See bitwarden/clients#14352 for corresponding clients PR.

⚠️ Backwards compatibility
The only client code that requires a bypass token is this code in the trial initiation registration flow. Since this is web-only, we just need to make sure that bitwarden/clients#14352 is in the same release. The normal registration flow just doesn't send up the captchaBypassToken if it doesn't exist.

📸 Screenshots

These screen recordings are on clients main, showing that the changes will not break existing client flows.

Registration

Screen.Recording.2025-04-27.at.4.01.10.PM.mov

Login

Screen.Recording.2025-04-27.at.4.00.11.PM.mov

⏰ Reminders before review

• Contributor guidelines followed
• All formatters and local linters executed and passed
• Written new unit and / or integration tests where applicable
• Protected functional changes with optionality (feature flags)
• Used internationalization (i18n) for all UI strings
• CI builds passed
• Communicated to DevOps any deployment requirements
• Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team

🦮 Reviewer guidelines

• 👍 (:+1:) or similar for great changes
• 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
• ❓ (:question:) for questions
• 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
• 🎨 (:art:) for suggestions / improvements
• ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
• 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
• ⛏ (:pick:) for minor or nitpick changes

[github-actions]

Checkmarx One – Scan Summary & Details – 59ee31d5-968f-40a5-9566-39021778a5b7

New Issues (7)

Checkmarx found the following issues in this Pull Request

Severity	Issue	Source File / Package	Checkmarx Insight
	CSRF	/src/Billing/Controllers/StripeController.cs: 176	details Method TryParseEventFromRequestBodyAsync at line 176 of /src/Billing/Controllers/StripeController.cs gets a parameter from a user request from Hea... ID: HcudPO6cAysD6859H7LdXczFvcI%3D Attack Vector
	CSRF	/src/Billing/Controllers/RecoveryController.cs: 38	details Method ProcessEventsAsync at line 38 of /src/Billing/Controllers/RecoveryController.cs gets a parameter from a user request from requestBody. Thi... ID: 9pAaHB%2FDbnf2te8jIisSn%2FxOlb4%3D Attack Vector
	CSRF	/src/Billing/Controllers/StripeController.cs: 164	details Method TryParseEventFromRequestBodyAsync at line 164 of /src/Billing/Controllers/StripeController.cs gets a parameter from a user request from Bod... ID: UBxm8FCXAkw%2BflJ%2FSypJLL4Gozs%3D Attack Vector
	CSRF	/src/Api/AdminConsole/Controllers/GroupsController.cs: 164	details Method Put at line 164 of /src/Api/AdminConsole/Controllers/GroupsController.cs gets a parameter from a user request from model. This parameter v... ID: O%2BHxUDVmhn4DDWQtZQFQAhiT9ZY%3D Attack Vector
	CSRF	/bitwarden_license/src/Scim/Controllers/v2/GroupsController.cs: 96	details Method Patch at line 96 of /bitwarden_license/src/Scim/Controllers/v2/GroupsController.cs gets a parameter from a user request from model. This ... ID: qOrS%2Bmn6Gg1L4tTtOw7xqc0462I%3D Attack Vector
	CSRF	/bitwarden_license/src/Scim/Controllers/v2/GroupsController.cs: 86	details Method Put at line 86 of /bitwarden_license/src/Scim/Controllers/v2/GroupsController.cs gets a parameter from a user request from model. This pa... ID: tdBhFufVwEv2BYlT6X8qz8sKXeo%3D Attack Vector
	CSRF	/src/Api/AdminConsole/Public/Controllers/GroupsController.cs: 133	details Method Put at line 133 of /src/Api/AdminConsole/Public/Controllers/GroupsController.cs gets a parameter from a user request from model. This para... ID: En5BEJJONHFvKUkaerwROu5tjB0%3D Attack Vector

Fixed Issues (6)

Great job! The following issues were fixed in this Pull Request

Severity	Issue	Source File / Package
	CSRF	/src/Api/Controllers/DevicesController.cs: 75
	CSRF	/src/Api/AdminConsole/Public/Controllers/MembersController.cs: 95
	CSRF	/src/Api/Controllers/DevicesController.cs: 62
	CSRF	/src/Api/Auth/Controllers/WebAuthnController.cs: 65
	CSRF	/src/Api/Billing/Controllers/OrganizationSponsorshipsController.cs: 202
	CSRF	/src/Api/Controllers/SelfHosted/SelfHostedOrganizationSponsorshipsController.cs: 73

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 47.26%. Comparing base (9a7fddd) to head (7d67f96).
Report is 47 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #5675      +/-   ##
==========================================
+ Coverage   47.20%   47.26%   +0.05%     
==========================================
  Files        1633     1628       -5     
  Lines       74165    73938     -227     
  Branches     6676     6646      -30     
==========================================
- Hits        35008    34945      -63     
+ Misses      37706    37549     -157     
+ Partials     1451     1444       -7     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[Patrick-Pimentel-Bitwarden]

Great work! Two small changes.

[sonarqubecloud]

Quality Gate passed

Issues
1 New issue
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[Patrick-Pimentel-Bitwarden]

👍 Great work. Thank you Todd