chg: usr: replace Google ReCaptcha with Cap instance #13

src/Controller/ApiAuthController.php

@@ -0,0 +1,106 @@
+<?php declare(strict_types=1);
+/*
+ * This file is part of the SplendidBear Websites' projects.
+ *
+ * Copyright (c) 2026 @ www.splendidbear.org
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace App\Controller;
+
+use App\Entity\User;
+use Doctrine\ORM\EntityManagerInterface;
+use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
+use Symfony\Bundle\SecurityBundle\Security;
+use Symfony\Component\HttpFoundation\JsonResponse;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\HttpKernel\Attribute\AsController;
+use Symfony\Component\PasswordHasher\Hasher\UserPasswordHasherInterface;
+use Symfony\Component\Routing\Attribute\Route;
+
+/**
+ * Class ApiAuthController
+ *
+ * Provides a JSON login endpoint for native desktop clients.
+ * This endpoint is intentionally exempt from the CAPTCHA listener
+ * because desktop clients cannot display or solve the Cap widget.
+ *
+ * After a successful password login, if the user has TOTP enabled the response
+ * returns { requiresTwoFactor: true }. The client must then POST the 6-digit
+ * code to the standard /2fa_check endpoint (which is already exempt from
+ * the CAPTCHA listener via LoginCaptchaListener).
+ *
+ * @package  App\Controller
+ * @author   Lang <https://www.splendidbear.org>
+ * @category Class
+ * @license  https://www.gnu.org/licenses/lgpl-3.0.en.html GNU Lesser General Public License
+ * @link     www.splendidbear.org
+ * @since    2026. 04. 26.
+ */
+#[AsController]
+class ApiAuthController extends AbstractController
+{
+    public function __construct(
+        private readonly EntityManagerInterface      $em,
+        private readonly UserPasswordHasherInterface $passwordHasher,
+        private readonly Security                    $security,
+    ) {
+    }
+
+    /**
+     * POST /api/auth/login
+     *
+     * Request body (JSON): { "username": "...", "password": "..." }
+     *
+     * Responses:
+     *   200 { "success": true, "requiresTwoFactor": false }
+     *   200 { "success": true, "requiresTwoFactor": true }
+     *   400 { "success": false, "error": "..." }
+     *   401 { "success": false, "error": "..." }
+     */
+    #[Route('/api/auth/login', name: 'MineSeekerBundle_api_auth_login', methods: ['POST'])]
+    public function login(Request $request): JsonResponse
+    {
+        $data     = $request->toArray();
+        $username = trim($data['username'] ?? '');
+        $password = $data['password'] ?? '';
+
+        if ($username === '' || $password === '') {
+            return $this->json(
+                ['success' => false, 'error' => 'Username and password are required.'],
+                Response::HTTP_BAD_REQUEST
+            );
+        }
+
+        /** @var User|null $user */
+        $user = $this->em->getRepository(User::class)->findOneBy(['username' => $username]);
+
+        if ($user === null || !$this->passwordHasher->isPasswordValid($user, $password)) {
+            return $this->json(
+                ['success' => false, 'error' => 'Invalid username or password.'],
+                Response::HTTP_UNAUTHORIZED
+            );
+        }
+
+        if (!$user->isVerified) {
+            return $this->json(
+                ['success' => false, 'error' => 'Account not yet activated. Check your email.'],
+                Response::HTTP_UNAUTHORIZED
+            );
+        }
+
+        // Log the user in via the Symfony security system.
+        // If TOTP is enabled, scheb/2fa will place the session into
+        // IS_AUTHENTICATED_2FA_IN_PROGRESS state, and the client must
+        // complete 2FA by POSTing the code to /2fa_check.
+        $this->security->login($user, 'form_login');
+
+        return $this->json([
+            'success'           => true,
+            'requiresTwoFactor' => $user->isTotpAuthenticationEnabled(),
+        ]);
+    }
+}