Gate Continuwuity ReCAPTCHA config on both keys being configured

Continuwuity has no native enable-captcha toggle; it enables the ReCAPTCHA registration flow based on the presence of a private site key. The playbook previously always rendered empty `recaptcha_site_key`/`recaptcha_private_site_key` values, which made Continuwuity enable a broken captcha flow and break registration in some clients. The keys are now only rendered when both are configured, gated by a derived `matrix_continuwuity_recaptcha_enabled` flag in the role's `vars/main.yml`. A consistency check fails the play when exactly one of the two keys is set. Fixes #5329 Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Update actions/checkout action to v7
2026-06-19 06:50:05 +03:00 · 2026-06-19 06:24:06 +03:00 · 2026-06-19 05:51:12 +03:00
6 changed files with 25 additions and 4 deletions
@@ -26,7 +26,7 @@ jobs:
        run: pacman -Sy --noconfirm git

      - name: Check out
-        uses: actions/checkout@v6
+        uses: actions/checkout@v7

      - name: Restore prek cache
        uses: actions/cache@v5
@@ -24,7 +24,7 @@ jobs:
    name: Update translations
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v7

      - uses: actions/setup-python@v6
        with:
@@ -1,5 +1,6 @@
 # SPDX-FileCopyrightText: 2025 MDAD project contributors
 # SPDX-FileCopyrightText: 2025 Slavi Pantaleev
+# SPDX-FileCopyrightText: 2026 Catalan Lover <catalanlover@protonmail.com>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later

@@ -13,7 +14,7 @@ matrix_continuwuity_enabled: true
 matrix_continuwuity_hostname: ''

 # renovate: datasource=docker depName=forgejo.ellis.link/continuwuation/continuwuity
-matrix_continuwuity_version: v1.1.1
+matrix_continuwuity_version: v0.5.9

 matrix_continuwuity_container_image: "{{ matrix_continuwuity_container_image_registry_prefix }}/continuwuation/continuwuity:{{ matrix_continuwuity_container_image_tag }}"
 matrix_continuwuity_container_image_tag: "{{ matrix_continuwuity_version }}"
@@ -190,7 +191,9 @@ matrix_continuwuity_config_turn_password: ''
 # Controls whether the self-check feature should validate SSL certificates.
 matrix_continuwuity_self_check_validate_certificates: true

-# If set, registration will require Google ReCAPTCHA verification.
+# Configuring both of these settings makes registration require Google ReCAPTCHA verification.
+# Both must be set together (or both left empty). Setting only one of them is a configuration error.
+# When both are set, ReCAPTCHA gets enabled automatically (see `matrix_continuwuity_recaptcha_enabled` in `vars/main.yml`).
 matrix_continuwuity_config_recaptcha_site_key: ''
 matrix_continuwuity_config_recaptcha_private_site_key: ''

@@ -1,4 +1,5 @@
 # SPDX-FileCopyrightText: 2025 MDAD project contributors
+# SPDX-FileCopyrightText: 2026 Catalan Lover <catalanlover@protonmail.com>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later

@@ -36,3 +37,11 @@
    - {'old': 'matrix_continuwuity_docker_image_registry_prefix_upstream', 'new': 'matrix_continuwuity_container_image_registry_prefix_upstream'}
    - {'old': 'matrix_continuwuity_docker_image_registry_prefix_upstream_default', 'new': 'matrix_continuwuity_container_image_registry_prefix_upstream_default'}
    - {'old': 'matrix_continuwuity_container_image_force_pull', 'new': '<removed> (the new community.docker.docker_image_pull module handles this natively)'}
+
+- name: Fail if Continuwuity ReCAPTCHA is only partially configured
+  ansible.builtin.fail:
+    msg: >-
+      You have configured only one of `matrix_continuwuity_config_recaptcha_site_key` and
+      `matrix_continuwuity_config_recaptcha_private_site_key`. Configure both to enable ReCAPTCHA
+      registration, or leave both empty to disable it.
+  when: "(matrix_continuwuity_config_recaptcha_site_key | string | length > 0) != (matrix_continuwuity_config_recaptcha_private_site_key | string | length > 0)"
@@ -2,6 +2,7 @@
 SPDX-FileCopyrightText: 2025 MDAD project contributors
 SPDX-FileCopyrightText: 2025 Slavi Pantaleev
 SPDX-FileCopyrightText: 2025 Suguru Hirahara
+SPDX-FileCopyrightText: 2026 Catalan Lover <catalanlover@protonmail.com>

 SPDX-License-Identifier: AGPL-3.0-or-later
 #}
@@ -490,6 +491,7 @@ registration_token = {{ matrix_continuwuity_config_registration_token | to_json
 #
 #registration_token_file =

+{% if matrix_continuwuity_recaptcha_enabled %}
 # The public site key for reCaptcha. If this is provided, reCaptcha
 # becomes required during registration. If both captcha *and*
 # registration token are enabled, both will be required during
@@ -509,6 +511,7 @@ recaptcha_site_key = {{ matrix_continuwuity_config_recaptcha_site_key | to_json
 # even if `recaptcha_site_key` is set.
 #
 recaptcha_private_site_key = {{ matrix_continuwuity_config_recaptcha_private_site_key | to_json }}
+{% endif %}

 # Controls whether encrypted rooms and events are allowed.
 #
@@ -1,9 +1,15 @@
 # SPDX-FileCopyrightText: 2025 MDAD project contributors
 # SPDX-FileCopyrightText: 2025 Slavi Pantaleev
+# SPDX-FileCopyrightText: 2026 Catalan Lover <catalanlover@protonmail.com>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later

 ---

+# Continuwuity has no dedicated "enable ReCAPTCHA" setting. It enables ReCAPTCHA registration based on the
+# presence of a recaptcha private site key, so we only render the keys when both have been configured.
+# This avoids rendering empty keys, which would otherwise enable a broken ReCAPTCHA flow.
+matrix_continuwuity_recaptcha_enabled: "{{ matrix_continuwuity_config_recaptcha_site_key | string | length > 0 and matrix_continuwuity_config_recaptcha_private_site_key | string | length > 0 }}"
+
 matrix_continuwuity_client_api_url_endpoint_public: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}://{{ matrix_continuwuity_hostname }}/_matrix/client/versions"
 matrix_continuwuity_federation_api_url_endpoint_public: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}://{{ matrix_continuwuity_hostname }}:{{ matrix_federation_public_port }}/_matrix/federation/v1/version"