test: update class docblock to reflect session-driven captcha approach

matiasperrone-exo · claude · matiasperrone-exo · commit b4787a5a3e12 · 2026-05-18T22:39:19.000Z
Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/tests/UserLoginTurnstileTest.php b/tests/UserLoginTurnstileTest.php
@@ -23,12 +23,15 @@
  * Class UserLoginTurnstileTest
  *
  * Covers Cloudflare Turnstile integration in UserController::postLogin():
- *  - cf-turnstile-response required when login_attempts (from request body) >= threshold
+ *  - cf-turnstile-response required when captcha_failed_attempts (session) >= threshold
  *  - threshold gating (before / at boundary / above boundary)
- *  - omitted login_attempts field defaults to zero (no captcha required)
- *  - captcha is gated on the request-body counter
+ *  - absent captcha_failed_attempts in session defaults to 0 (no captcha required)
+ *  - captcha gate is driven by the server-side session counter, not the request body
+ *  - request-body login_attempts is ignored (attacker cannot bypass by posting 0)
+ *  - enumeration safety: captcha fires for non-existent users too
  *  - login screen emits Turnstile JS config after a failed attempt
  *  - expired or unsolved token is rejected
+ *  - successful login clears the session counter
  */
 final class UserLoginTurnstileTest extends BrowserKitTestCase
 {
@@ -285,4 +288,4 @@ public function testSuccessfulLoginClearsSessionCounter(): void
             'captcha_failed_attempts must be removed from session after a successful login'
         );
     }
-}
+}
