fix auth pending adoption and turnstile flow

frontend/src/components/auth/PendingOAuthCreateAccountForm.vue

@@ -16,6 +16,15 @@
       placeholder="Password"
       :disabled="isSubmitting"
     />
+    <div v-if="turnstileEnabled && turnstileSiteKey" class="space-y-2">
+      <TurnstileWidget
+        ref="turnstileRef"
+        :site-key="turnstileSiteKey"
+        @verify="onTurnstileVerify"
+        @expire="onTurnstileExpire"
+        @error="onTurnstileError"
+      />
+    </div>
     <div class="flex gap-3">
       <input
         v-model="verifyCode"
@@ -31,7 +40,7 @@
         :data-testid="`${testIdPrefix}-create-account-send-code`"
         type="button"
         class="btn btn-secondary shrink-0"
-        :disabled="isSubmitting || isSendingCode || countdown > 0 || !email.trim()"
+        :disabled="isSubmitting || isSendingCode || countdown > 0 || !email.trim() || (turnstileEnabled && !turnstileToken)"
         @click="handleSendCode"
       >
         {{
@@ -80,9 +89,10 @@
 </template>
 
 <script setup lang="ts">
-import { onUnmounted, ref, watch } from 'vue'
+import { onMounted, onUnmounted, ref, watch } from 'vue'
 import { useI18n } from 'vue-i18n'
-import { sendVerifyCode } from '@/api/auth'
+import TurnstileWidget from '@/components/TurnstileWidget.vue'
+import { getPublicSettings, sendVerifyCode } from '@/api/auth'
 
 export type PendingOAuthCreateAccountPayload = {
   email: string
@@ -111,6 +121,10 @@ const isSendingCode = ref(false)
 const sendCodeError = ref('')
 const sendCodeSuccess = ref(false)
 const countdown = ref(0)
+const turnstileEnabled = ref(false)
+const turnstileSiteKey = ref('')
+const turnstileToken = ref('')
+const turnstileRef = ref<InstanceType<typeof TurnstileWidget> | null>(null)
 
 let countdownTimer: ReturnType<typeof setInterval> | null = null
 
@@ -153,22 +167,51 @@ function getRequestErrorMessage(error: unknown, fallback: string): string {
   return err.response?.data?.detail || err.response?.data?.message || err.message || fallback
 }
 
+function resetTurnstile() {
+  turnstileToken.value = ''
+  turnstileRef.value?.reset()
+}
+
+function onTurnstileVerify(token: string) {
+  turnstileToken.value = token
+  sendCodeError.value = ''
+}
+
+function onTurnstileExpire() {
+  turnstileToken.value = ''
+  sendCodeError.value = t('auth.turnstileExpired')
+}
+
+function onTurnstileError() {
+  turnstileToken.value = ''
+  sendCodeError.value = t('auth.turnstileFailed')
+}
+
 async function handleSendCode() {
   const trimmedEmail = email.value.trim()
   if (!trimmedEmail) {
     return
   }
 
+  if (turnstileEnabled.value && !turnstileToken.value) {
+    sendCodeError.value = t('auth.completeVerification')
+    return
+  }
+
   isSendingCode.value = true
   sendCodeError.value = ''
   sendCodeSuccess.value = false
 
   try {
     const response = await sendVerifyCode({
-      email: trimmedEmail
+      email: trimmedEmail,
+      turnstile_token: turnstileEnabled.value ? turnstileToken.value : undefined
     })
     sendCodeSuccess.value = true
     startCountdown(response.countdown)
+    if (turnstileEnabled.value) {
+      resetTurnstile()
+    }
   } catch (error: unknown) {
     sendCodeError.value = getRequestErrorMessage(error, t('auth.sendCodeFailed'))
   } finally {
@@ -193,6 +236,17 @@ function emitSwitchToBind() {
   emit('switchToBind', email.value.trim())
 }
 
+onMounted(async () => {
+  try {
+    const settings = await getPublicSettings()
+    turnstileEnabled.value = settings.turnstile_enabled === true
+    turnstileSiteKey.value = settings.turnstile_site_key || ''
+  } catch {
+    turnstileEnabled.value = false
+    turnstileSiteKey.value = ''
+  }
+})
+
 onUnmounted(() => {
   clearCountdown()
 })

frontend/src/components/auth/__tests__/PendingOAuthCreateAccountForm.spec.ts

@@ -4,6 +4,7 @@ import { flushPromises, mount } from '@vue/test-utils'
 import PendingOAuthCreateAccountForm from '../PendingOAuthCreateAccountForm.vue'
 
 const sendVerifyCode = vi.fn()
+const getPublicSettings = vi.fn()
 
 vi.mock('vue-i18n', async () => {
   const actual = await vi.importActual<typeof import('vue-i18n')>('vue-i18n')
@@ -19,13 +20,19 @@ vi.mock('@/api/auth', async () => {
   const actual = await vi.importActual<typeof import('@/api/auth')>('@/api/auth')
   return {
     ...actual,
-    sendVerifyCode: (...args: any[]) => sendVerifyCode(...args)
+    sendVerifyCode: (...args: any[]) => sendVerifyCode(...args),
+    getPublicSettings: (...args: any[]) => getPublicSettings(...args)
   }
 })
 
 describe('PendingOAuthCreateAccountForm', () => {
   beforeEach(() => {
     sendVerifyCode.mockReset()
+    getPublicSettings.mockReset()
+    getPublicSettings.mockResolvedValue({
+      turnstile_enabled: false,
+      turnstile_site_key: ''
+    })
   })
 
   it('emits trimmed email, password, and verify code on submit', async () => {
@@ -77,4 +84,45 @@ describe('PendingOAuthCreateAccountForm', () => {
       email: 'user@example.com'
     })
   })
+
+  it('requires a turnstile token before sending a verify code when turnstile is enabled', async () => {
+    getPublicSettings.mockResolvedValue({
+      turnstile_enabled: true,
+      turnstile_site_key: 'site-key'
+    })
+    sendVerifyCode.mockResolvedValue({
+      message: 'sent',
+      countdown: 60
+    })
+
+    const wrapper = mount(PendingOAuthCreateAccountForm, {
+      props: {
+        providerName: 'LinuxDo',
+        testIdPrefix: 'linuxdo',
+        initialEmail: '',
+        isSubmitting: false
+      },
+      global: {
+        stubs: {
+          TurnstileWidget: {
+            template: '<button data-testid="turnstile-verify" @click="$emit(\'verify\', \'turnstile-token\')">verify</button>'
+          }
+        }
+      }
+    })
+
+    await flushPromises()
+    await wrapper.get('[data-testid="linuxdo-create-account-email"]').setValue('  user@example.com  ')
+
+    expect(wrapper.get('[data-testid="linuxdo-create-account-send-code"]').attributes('disabled')).toBeDefined()
+
+    await wrapper.get('[data-testid="turnstile-verify"]').trigger('click')
+    await wrapper.get('[data-testid="linuxdo-create-account-send-code"]').trigger('click')
+    await flushPromises()
+
+    expect(sendVerifyCode).toHaveBeenCalledWith({
+      email: 'user@example.com',
+      turnstile_token: 'turnstile-token'
+    })
+  })
 })