Any idea why does signInWithPassword bypass the captcha token challenge

[razonyang]

Hi, I turned on the captcha feature but it's not checking the captcha token. Is there a step I missed?

    const { data, error } = await client.auth.signInWithPassword({
      email,
      password,
      options: {
        captchaToken: 'faketoken', 
      },
    })

    console.log(data, error) // the error is null.

[GaryAustin1]

You don't say if you followed all the steps.
https://supabase.com/docs/guides/auth/auth-captcha

[razonyang]

Thank you for your response. I followed the 1-2 steps on that guide:

1. Sign up for Captcha (Cloudflare Turnstile)
2. Enable Captcha protection for your Supabase project, as the image shown above.

But I didn't follow the step 3 Add the Captcha frontend component, since I don't use React.

I'm handling it on the server side.

    const { data, error } = await client.auth.signInWithPassword({
      email,
      password,
      options: {
        captchaToken: 'faketoken', // for testing
      },
    })

Would signInWithPassword return an error if an invalid token was provided?

[razonyang]

For others ran into this, the captcha challenge will be bypassed when using a Supabase client instance with the service_role secret.