chg: usr: replace Google ReCaptcha with Cap instance #13

src/Controller/ApiAuthController.php

@@ -0,0 +1,106 @@
+<?php declare(strict_types=1);
+/*
+ * This file is part of the SplendidBear Websites' projects.
+ *
+ * Copyright (c) 2026 @ www.splendidbear.org
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace App\Controller;
+
+use App\Entity\User;
+use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
+use Symfony\Bundle\SecurityBundle\Security;
+use Symfony\Component\HttpFoundation\JsonResponse;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\HttpKernel\Attribute\AsController;
+use Symfony\Component\PasswordHasher\Hasher\UserPasswordHasherInterface;
+use Symfony\Component\Routing\Attribute\Route;
+
+/**
+ * Class ApiAuthController
+ *
+ * Provides a JSON login endpoint for native desktop clients.
+ * This endpoint is intentionally exempt from the CAPTCHA listener
+ * because desktop clients cannot display or solve the Cap widget.
+ *
+ * After a successful password login, if the user has TOTP enabled the response
+ * returns { requiresTwoFactor: true }. The client must then POST the 6-digit
+ * code to the standard /2fa_check endpoint (which is already exempt from
+ * the CAPTCHA listener via LoginCaptchaListener).
+ *
+ * @package  App\Controller
+ * @author   Lang <https://www.splendidbear.org>
+ * @category Class
+ * @license  https://www.gnu.org/licenses/lgpl-3.0.en.html GNU Lesser General Public License
+ * @link     www.splendidbear.org
+ * @since    2026. 04. 26.
+ */
+#[AsController]
+class ApiAuthController extends AbstractController
+{
+    public function __construct(
+        private readonly EntityManagerInterface      $em,
+        private readonly UserPasswordHasherInterface $passwordHasher,
+        private readonly Security                    $security,
+    ) {
+    }
+
+    /**
+     * POST /api/auth/login
+     *
+     * Request body (JSON): { "username": "...", "password": "..." }
+     *
+     * Responses:
+     *   200 { "success": true, "requiresTwoFactor": false }
+     *   200 { "success": true, "requiresTwoFactor": true }
+     *   400 { "success": false, "error": "..." }
+     *   401 { "success": false, "error": "..." }
+     */
+    #[Route('/api/auth/login', name: 'MineSeekerBundle_api_auth_login', methods: ['POST'])]
+    public function login(Request $request): JsonResponse
+    {
+        $data     = $request->toArray();
+        $username = trim($data['username'] ?? '');
+        $password = $data['password'] ?? '';
+
+        if ($username === '' || $password === '') {
+            return $this->json(
+                ['success' => false, 'error' => 'Username and password are required.'],
+                Response::HTTP_BAD_REQUEST
+            );
+        }
+
+        /** @var User|null $user */
+        $user = $this->em->getRepository(User::class)->findOneBy(['username' => $username]);
+
+        if ($user === null || !$this->passwordHasher->isPasswordValid($user, $password)) {
+            return $this->json(
+                ['success' => false, 'error' => 'Invalid username or password.'],
+                Response::HTTP_UNAUTHORIZED
+            );
+        }
+
+        if (!$user->isVerified) {
+            return $this->json(
+                ['success' => false, 'error' => 'Account not yet activated. Check your email.'],
+                Response::HTTP_UNAUTHORIZED
+            );
+        }
+
+        // Log the user in via the Symfony security system.
+        // If TOTP is enabled, scheb/2fa will place the session into
+        // IS_AUTHENTICATED_2FA_IN_PROGRESS state, and the client must
+        // complete 2FA by POSTing the code to /2fa_check.
+        $this->security->login($user, 'form_login');
+
+        return $this->json([
+            'success'           => true,
+            'requiresTwoFactor' => $user->isTotpAuthenticationEnabled(),
+        ]);
+    }
+}

src/EventListener/LoginCaptchaListener.php

@@ -19,7 +19,7 @@ use Symfony\Component\Security\Http\Event\CheckPassportEvent;
 /**
  * Class LoginCaptchaListener
  *
- * Validates the Google reCAPTCHA v3 token during form-login authentication.
+ * Validates the Cap CAPTCHA token during form-login authentication.
  * Fires on CheckPassportEvent, which is dispatched after credentials are
  * collected but before the user is authenticated.
  *
@@ -53,12 +53,12 @@ readonly class LoginCaptchaListener
             return;
         }
 
-        $token = $request->request->getString('g-recaptcha-response');
+        $token = $request->request->getString('cap-token');
 
-        if ($this->recaptcha->verify($token, $request->getClientIp())) {
+        if ($this->recaptcha->verify($token)) {
             return;
         }
 
-        throw new CustomUserMessageAuthenticationException('reCAPTCHA verification failed. Please try again.');
+        throw new CustomUserMessageAuthenticationException('CAPTCHA verification failed. Please try again.');
     }
 }

src/Form/RecaptchaType.php

@@ -22,8 +22,8 @@ use Symfony\Component\OptionsResolver\OptionsResolver;
 /**
  * Class RecaptchaType
  *
- * Reads the Google reCAPTCHA v3 token from the raw POST field
- * `g-recaptcha-response` (populated by JS before form submit) and injects
+ * Reads the Cap CAPTCHA token from the raw POST field
+ * `cap-token` (auto-injected by the cap-widget web component) and injects
  * it as this field's value before validation runs.
  *
  * @package  App\Form
@@ -41,9 +41,8 @@ class RecaptchaType extends AbstractType
     {
         $builder->addEventListener(FormEvents::PRE_SUBMIT, function (PreSubmitEvent $event): void {
             $request = $this->requestStack->getCurrentRequest();
-            $token   = $request?->request->getString('g-recaptcha-response') ?? '';
-            // For forms that set the token directly on the field (e.g. registration_form[recaptcha])
-            // rather than via a standalone g-recaptcha-response input, fall back to the submitted value.
+            $token   = $request?->request->getString('cap-token') ?? '';
+            // For forms that set the token directly on the field, fall back to the submitted value.
             if ($token === '') {
                 $token = (string) ($event->getData() ?? '');
             }

src/Service/RecaptchaService.php

@@ -26,50 +26,38 @@ use Symfony\Contracts\HttpClient\HttpClientInterface;
  */
 readonly final class RecaptchaService
 {
-    private const string SITEVERIFY_URL = 'https://www.google.com/recaptcha/api/siteverify';
-
-    /**
-     * Minimum score to accept a request (0.0 = bot, 1.0 = human).
-     * 0.5 is Google's recommended default threshold.
-     */
-    private const float SCORE_THRESHOLD = 0.5;
-
     public function __construct(
         private HttpClientInterface $httpClient,
         private LoggerInterface $logger,
-        #[Autowire(env: 'RECAPTCHA_SECRET_KEY')]
+        #[Autowire(env: 'CAP_API_ENDPOINT')]
+        private string $apiEndpoint,
+        #[Autowire(env: 'CAP_SECRET_KEY')]
         private string $secretKey,
     ) {}
 
-    public function verify(string $token, string $remoteIp = ''): bool
+    public function verify(string $token): bool
     {
         if ($token === '') {
             return false;
         }
 
         try {
-            $body = ['secret' => $this->secretKey, 'response' => $token];
-
-            if ($remoteIp !== '') {
-                $body['remoteip'] = $remoteIp;
-            }
+            $siteverifyUrl = rtrim($this->apiEndpoint, '/') . '/siteverify';
 
             $data = $this->httpClient
-                ->request('POST', self::SITEVERIFY_URL, ['body' => $body])
+                ->request('POST', $siteverifyUrl, [
+                    'body' => ['secret' => $this->secretKey, 'response' => $token],
+                ])
                 ->toArray();
 
-            $this->logger->info('reCAPTCHA verify response', [
-                'success'       => $data['success'] ?? null,
-                'score'         => $data['score'] ?? null,
-                'hostname'      => $data['hostname'] ?? null,
-                'error-codes'   => $data['error-codes'] ?? [],
-                'token_length'  => strlen($token),
+            $this->logger->info('Cap verify response', [
+                'success'      => $data['success'] ?? null,
+                'token_length' => strlen($token),
             ]);
 
-            return ($data['success'] ?? false) === true
-                && ($data['score'] ?? 0.0) >= self::SCORE_THRESHOLD;
+            return ($data['success'] ?? false) === true;
         } catch (\Throwable $e) {
-            $this->logger->error('reCAPTCHA verification failed: ' . $e->getMessage());
+            $this->logger->error('Cap verification failed: ' . $e->getMessage());
 
             return false;
         }

src/Validator/RecaptchaValidator.php

@@ -11,7 +11,6 @@
 namespace App\Validator;
 
 use App\Service\RecaptchaService;
-use Symfony\Component\HttpFoundation\RequestStack;
 use Symfony\Component\Validator\Constraint;
 use Symfony\Component\Validator\ConstraintValidator;
 use Symfony\Component\Validator\Exception\UnexpectedTypeException;
@@ -30,7 +29,6 @@ final class RecaptchaValidator extends ConstraintValidator
 {
     public function __construct(
         private readonly RecaptchaService $recaptcha,
-        private readonly RequestStack     $requestStack,
     ) {
     }
 
@@ -40,10 +38,7 @@ final class RecaptchaValidator extends ConstraintValidator
             throw new UnexpectedTypeException($constraint, Recaptcha::class);
         }
 
-        $request = $this->requestStack->getCurrentRequest();
-        $remoteIp = $request !== null ? ((string)$request->getClientIp()) : '';
-
-        if ($this->recaptcha->verify((string)$value, $remoteIp)) {
+        if ($this->recaptcha->verify((string)$value)) {
             return;
         }