chore: Add PR's requested changes

Author: matiasperrone-exo

resources/js/email_verification/email_verification.js

@@ -127,6 +127,7 @@ const EmailVerificationPage = ({
                     siteKey={captchaPublicKey}
                     options={{ responseFieldName: "cf-turnstile-response" }}
                     onSuccess={onChangeCaptchaProvider}
+                    onExpire={() => { captcha.current?.reset(); }}
                   />
                   {captchaConfirmation && (
                     <div className={styles.error_label}>

resources/js/forgot_password/forgot_password.js

@@ -143,6 +143,7 @@ const ForgotPasswordPage = ({
                     siteKey={captchaPublicKey}
                     options={{ responseFieldName: "cf-turnstile-response" }}
                     onSuccess={onChangeCaptchaProvider}
+                    onExpire={() => { captcha.current?.reset(); }}
                   />
                   {captchaConfirmation && (
                     <div className={styles.error_label}>

resources/js/login/login.js

@@ -85,6 +85,7 @@ const PasswordInputForm = ({
                                shouldShowCaptcha,
                                captchaPublicKey,
                                onChangeCaptchaProvider,
+                               onExpireCaptchaProvider,
                                handleEmitOtpAction,
                                forgotPasswordAction,
                                loginAttempts,
@@ -183,12 +184,14 @@ const PasswordInputForm = ({
             <input type="hidden" value={userNameValue} id="username" name="username"/>
             <input type="hidden" value={csrfToken} id="_token" name="_token"/>
             <input type="hidden" value="password" id="flow" name="flow"/>
+            <input type="hidden" value={loginAttempts} id="login_attempts" name="login_attempts"/>
             {shouldShowCaptcha() && captchaPublicKey &&
                 <Turnstile
                     className={styles.turnstile}
                     siteKey={captchaPublicKey}
                     options={{ responseFieldName: "cf-turnstile-response" }}
                     onSuccess={onChangeCaptchaProvider}
+                    onExpire={onExpireCaptchaProvider}
                 />
             }
             <ExistingAccountActions
@@ -214,6 +217,7 @@ const OTPInputForm = ({
                           shouldShowCaptcha,
                           captchaPublicKey,
                           onChangeCaptchaProvider,
+                          onExpireCaptchaProvider,
                           onReset,
                           loginAttempts
                       }) => {
@@ -264,12 +268,14 @@ const OTPInputForm = ({
                 <input type="hidden" value="otp" id="flow" name="flow"/>
                 <input type="hidden" value={otpCode} id="password" name="password"/>
                 <input type="hidden" value="email" id="connection" name="connection"/>
+                <input type="hidden" value={loginAttempts} id="login_attempts" name="login_attempts"/>
                 {shouldShowCaptcha() && captchaPublicKey &&
                     <Turnstile
                         className={styles.turnstile}
                         siteKey={captchaPublicKey}
                         options={{ responseFieldName: "cf-turnstile-response" }}
                         onSuccess={onChangeCaptchaProvider}
+                        onExpire={onExpireCaptchaProvider}
                     />
                 }
             </form>
@@ -474,6 +480,7 @@ class LoginPage extends React.Component {
         this.handleDelete = this.handleDelete.bind(this);
         this.onAuthenticate = this.onAuthenticate.bind(this);
         this.onChangeCaptchaProvider = this.onChangeCaptchaProvider.bind(this);
+        this.onExpireCaptchaProvider = this.onExpireCaptchaProvider.bind(this);
         this.onUserPasswordChange = this.onUserPasswordChange.bind(this);
         this.onOTPCodeChange = this.onOTPCodeChange.bind(this);
         this.shouldShowCaptcha = this.shouldShowCaptcha.bind(this);
@@ -562,6 +569,10 @@ class LoginPage extends React.Component {
         this.setState({ ...this.state, captcha_value: value });
     }
 
+    onExpireCaptchaProvider() {
+        this.setState({ ...this.state, captcha_value: '' });
+    }
+
     onHandleUserNameChange(ev) {
         let { value, id } = ev.target;
         this.setState({ ...this.state, user_name: value });
@@ -833,6 +844,7 @@ class LoginPage extends React.Component {
                                     shouldShowCaptcha={this.shouldShowCaptcha}
                                     captchaPublicKey={this.props.captchaPublicKey}
                                     onChangeCaptchaProvider={this.onChangeCaptchaProvider}
+                                    onExpireCaptchaProvider={this.onExpireCaptchaProvider}
                                     handleEmitOtpAction={this.handleEmitOtpAction}
                                     forgotPasswordAction={this.props.forgotPasswordAction}
                                     loginAttempts={this.props?.loginAttempts}
@@ -870,6 +882,7 @@ class LoginPage extends React.Component {
                                     shouldShowCaptcha={this.shouldShowCaptcha}
                                     captchaPublicKey={this.props.captchaPublicKey}
                                     onChangeCaptchaProvider={this.onChangeCaptchaProvider}
+                                    onExpireCaptchaProvider={this.onExpireCaptchaProvider}
                                     onReset={this.handleDelete}
                                     loginAttempts={this.props?.loginAttempts}
                                 />

resources/js/reset_password/reset_password.js

@@ -178,6 +178,7 @@ const ResetPasswordPage = ({
                     siteKey={captchaPublicKey}
                     options={{ responseFieldName: "cf-turnstile-response" }}
                     onSuccess={onChangeCaptchaProvider}
+                    onExpire={() => { captcha.current?.reset(); }}
                   />
                   {captchaConfirmation && (
                       <div className={styles.error_label}>

resources/js/set_password/set_password.js

@@ -287,6 +287,7 @@ const SetPasswordPage = ({
                     siteKey={captchaPublicKey}
                     options={{ responseFieldName: "cf-turnstile-response" }}
                     onSuccess={onChangeCaptchaProvider}
+                    onExpire={() => { captcha.current?.reset(); }}
                   />
                   {captchaConfirmation && (
                     <div className={styles.error_label}>

resources/js/signup/signup.js

@@ -281,6 +281,7 @@ const SignUpPage = ({
                     siteKey={captchaPublicKey}
                     options={{ responseFieldName: "cf-turnstile-response" }}
                     onSuccess={onChangeCaptchaProvider}
+                    onExpire={() => { captcha.current?.reset(); }}
                   />
                   {captchaConfirmation && (
                     <div className={styles.error_label}>

tests/TurnstileProtectedControllersTest.php

@@ -0,0 +1,140 @@
+<?php namespace Tests;
+/**
+ * Copyright 2026 OpenStack Foundation
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ **/
+
+use Illuminate\Support\Facades\Session;
+
+/**
+ * Class TurnstileProtectedControllersTest
+ *
+ * Smoke tests verifying that cf-turnstile-response is always required on the
+ * five auth endpoints that gate every submission behind Turnstile (unlike
+ * UserController::postLogin, which only activates the rule above a threshold).
+ */
+final class TurnstileProtectedControllersTest extends BrowserKitTestCase
+{
+    protected function prepareForTests(): void
+    {
+        parent::prepareForTests();
+        Session::start();
+    }
+
+    private function sessionHasValidationError(string $field): bool
+    {
+        $errors = $this->app['session']->driver()->get('errors');
+        return $errors !== null && $errors->has($field);
+    }
+
+    private function postWithSession(string $url, array $data = []): void
+    {
+        $this->call('GET', $url);
+        $this->call('POST', $url, array_merge(['_token' => Session::token()], $data));
+    }
+
+    // -------------------------------------------------------------------------
+    // RegisterController
+    // -------------------------------------------------------------------------
+
+    public function testRegisterRequiresTurnstileToken(): void
+    {
+        $this->postWithSession('/auth/register', [
+            'first_name'      => 'Test',
+            'last_name'       => 'User',
+            'email'           => 'turnstile-test@example.com',
+            'country_iso_code'=> 'US',
+            'password'        => 'Abcd1234!',
+            'password_confirmation' => 'Abcd1234!',
+            // cf-turnstile-response intentionally omitted
+        ]);
+
+        $this->assertTrue(
+            $this->sessionHasValidationError('cf-turnstile-response'),
+            'RegisterController must require cf-turnstile-response'
+        );
+    }
+
+    // -------------------------------------------------------------------------
+    // ForgotPasswordController
+    // -------------------------------------------------------------------------
+
+    public function testForgotPasswordRequiresTurnstileToken(): void
+    {
+        $this->postWithSession('/auth/password/email', [
+            'email' => 'anyone@example.com',
+            // cf-turnstile-response intentionally omitted
+        ]);
+
+        $this->assertTrue(
+            $this->sessionHasValidationError('cf-turnstile-response'),
+            'ForgotPasswordController must require cf-turnstile-response'
+        );
+    }
+
+    // -------------------------------------------------------------------------
+    // ResetPasswordController
+    // -------------------------------------------------------------------------
+
+    public function testResetPasswordRequiresTurnstileToken(): void
+    {
+        $this->postWithSession('/auth/password/reset', [
+            'token'                 => 'any-reset-token',
+            'password'              => 'Abcd1234!',
+            'password_confirmation' => 'Abcd1234!',
+            // cf-turnstile-response intentionally omitted
+        ]);
+
+        $this->assertTrue(
+            $this->sessionHasValidationError('cf-turnstile-response'),
+            'ResetPasswordController must require cf-turnstile-response'
+        );
+    }
+
+    // -------------------------------------------------------------------------
+    // PasswordSetController
+    // -------------------------------------------------------------------------
+
+    public function testPasswordSetRequiresTurnstileToken(): void
+    {
+        $this->postWithSession('/auth/password/set', [
+            'token'                 => 'any-set-token',
+            'first_name'            => 'Test',
+            'last_name'             => 'User',
+            'country_iso_code'      => 'US',
+            'password'              => 'Abcd1234!',
+            'password_confirmation' => 'Abcd1234!',
+            // cf-turnstile-response intentionally omitted
+        ]);
+
+        $this->assertTrue(
+            $this->sessionHasValidationError('cf-turnstile-response'),
+            'PasswordSetController must require cf-turnstile-response'
+        );
+    }
+
+    // -------------------------------------------------------------------------
+    // EmailVerificationController
+    // -------------------------------------------------------------------------
+
+    public function testEmailVerificationResendRequiresTurnstileToken(): void
+    {
+        $this->postWithSession('/auth/verification', [
+            'email' => 'anyone@example.com',
+            // cf-turnstile-response intentionally omitted
+        ]);
+
+        $this->assertTrue(
+            $this->sessionHasValidationError('cf-turnstile-response'),
+            'EmailVerificationController must require cf-turnstile-response'
+        );
+    }
+}

tests/UserLoginTurnstileTest.php

@@ -21,9 +21,9 @@
  * Class UserLoginTurnstileTest
  *
  * Covers Cloudflare Turnstile integration in UserController::postLogin():
- *  - cf-turnstile-response required when login_failed_attempt >= threshold
+ *  - cf-turnstile-response required when login_attempts (from request body) >= threshold
  *  - threshold gating (before / at boundary)
- *  - server-side attempt lookup for existing vs. unknown users
+ *  - unknown username defaults to zero attempts (no captcha required)
  *  - login screen emits Turnstile JS config after a failed attempt
  *  - expired or unsolved token is rejected
  */
@@ -41,6 +41,9 @@ protected function prepareForTests(): void
         parent::prepareForTests();
         $this->testEmail    = env('TEST_USER_EMAIL');
         $this->testPassword = env('TEST_USER_PASSWORD');
+        if (empty($this->testEmail) || empty($this->testPassword)) {
+            $this->markTestSkipped('TEST_USER_EMAIL and TEST_USER_PASSWORD env vars are required.');
+        }
         Session::start();
     }
 

webpack.common.js

@@ -87,7 +87,7 @@ module.exports = {
             {
                 // Fix for webpack 5 + ESM packages (e.g. @marsidev/react-turnstile) that import
                 // react/jsx-runtime without the .js extension, which webpack 5 requires in strict ESM mode.
-                test: /\.m?js/,
+                test: /\.m?js$/,
                 include: /node_modules/,
                 resolve: { fullySpecified: false }
             },