feat(platform): Add captcha to login, signup and password reset pages

[Bentlybro]

This PR adds Cloudflare's Turnstile CAPTCHA to the login, signup, and password reset pages. it is setup to only show and work when behave as is set to CLOUD so it will not show for local hosted users.

Changes 🏗️

Backend Changes

• backend/server/v2/turnstile/routes.py: Created API endpoint at /api/turnstile/verify to proxy verification requests to Cloudflare
• backend/server/v2/turnstile/service.py: Implements service to verify CAPTCHA tokens with Cloudflare using server-side secret key

Frontend Changes

• frontend/src/lib/turnstile.ts: Client-side function to call the backend verification endpoint
• frontend/src/components/auth/Turnstile.tsx: Reusable Turnstile component that renders and manages the CAPTCHA widget
• frontend/src/hooks/useTurnstile.ts: Custom hook that manages Turnstile state and conditionally activates based on environment

Auth Flow Integration

• Modified server actions in login, signup, and reset_password to accept and verify Turnstile tokens
• Updated auth page components to integrate the CAPTCHA widget with form submissions

Configuration Changes

• Added two new environment variables:
  • NEXT_PUBLIC_CLOUDFLARE_TURNSTILE_SITE_KEY: Public site key for frontend
  • CLOUDFLARE_TURNSTILE_SECRET_KEY: Secret key for backend verification

Test Plan 📋

• Ask Bently for the keys to test locally!
• Test login, signup and password reset with Turnstile enabled (BEHAVE_AS=CLOUD)
  • Verify CAPTCHA appears and must be completed before form submission
  • Verify error message appears if CAPTCHA is not completed
  • Verify form submission works after completing CAPTCHA
• Test login, signup and password reset with Turnstile disabled (BEHAVE_AS=LOCAL)
  • Verify CAPTCHA does not appear
  • Verify form submission works without CAPTCHA
• Test with invalid site key to ensure proper error handling

[deepsource-io]

Here's the code health analysis summary for commits afb66f7..2da4bd5. View details on DeepSource ↗.

Analysis Summary

Analyzer	Status	Summary	Link
JavaScript	✅ Success	❗ 8 occurences introduced	View Check ↗
Python	✅ Success	❗ 7 occurences introduced 🎯 1 occurence resolved	View Check ↗

---

💡 If you’re a repository administrator, you can configure the quality gates from the settings.

[netlify]

✅ Deploy Preview for auto-gpt-docs-dev canceled.

Name	Link
🔨 Latest commit	2da4bd5
🔍 Latest deploy log	https://app.netlify.com/sites/auto-gpt-docs-dev/deploys/68160232c9ca820008d3d883

[netlify]

✅ Deploy Preview for auto-gpt-docs canceled.

Name	Link
🔨 Latest commit	2da4bd5
🔍 Latest deploy log	https://app.netlify.com/sites/auto-gpt-docs/deploys/6816023294428100083e5244

[github-actions]

This pull request has conflicts with the base branch, please resolve those so we can evaluate the pull request.

[github-actions]

Conflicts have been resolved! 🎉 A maintainer will review the pull request shortly.

[github-actions]

This pull request has conflicts with the base branch, please resolve those so we can evaluate the pull request.

[kcze]

Is Turnstile configured on Cloudflare already?

[github-actions]

Conflicts have been resolved! 🎉 A maintainer will review the pull request shortly.

[Bentlybro]

@kcze

Is Turnstile configured on Cloudflare already?

yes we have turnstile setup on cloudflare, I have been using it to set up this, if you would like the info to test it locally please let me know.

Thank you for the review, I have made the changes you suggested and replied to some comments.

[kcze]

Won't this break login/signup when hosting locally? Maybe bypass verification if there's no key on the backend?
Similarly with my recommendation to require verification on login but I don't think we can skip when there's no token on the frontend because token can be changed by the user?

[Bentlybro]

Won't this break login/signup when hosting locally? Maybe bypass verification if there's no key on the backend? Similarly with my recommendation to require verification on login but I don't think we can skip when there's no token on the frontend because this can be changed by the user?

@kcze im not sure i follow? i have been testing this locally and everything works perfectly fine with no of the turnstile keys set so it should not cause issues locally? if you have time could you test it locally to see if you have issues with signup/login? and if you want the keys to test with cloudflare let me know

[kcze]

I've tested and both signup and login work locally without keys!