chore: Add PR's requested changes and Unit tests

- Validation failure when cf-turnstile-response is missing
- Login flow behaviour before/after CAPTCHA threshold
- Server-side login-attempt lookup behaviour when user exists vs does not exist
- Rendering of Turnstile on the thresholded login screen
- Auth form submission when Turnstile is expired or not solved

Author: matiasperrone-exo

phpunit.xml

@@ -25,5 +25,7 @@
   </testsuites>
   <php>
     <env name="APP_ENV" value="testing"/>
+    <env name="TEST_USER_EMAIL" value="sebastian@tipit.net"/>
+    <env name="TEST_USER_PASSWORD" value="1Qaz2wsx!"/>
   </php>
 </phpunit>

resources/js/login/login.js

@@ -183,7 +183,6 @@ const PasswordInputForm = ({
             <input type="hidden" value={userNameValue} id="username" name="username"/>
             <input type="hidden" value={csrfToken} id="_token" name="_token"/>
             <input type="hidden" value="password" id="flow" name="flow"/>
-            <input type="hidden" value={loginAttempts ?? 0} name="login_attempts"/>
             {shouldShowCaptcha() && captchaPublicKey &&
                 <Turnstile
                     className={styles.turnstile}
@@ -265,7 +264,6 @@ const OTPInputForm = ({
                 <input type="hidden" value="otp" id="flow" name="flow"/>
                 <input type="hidden" value={otpCode} id="password" name="password"/>
                 <input type="hidden" value="email" id="connection" name="connection"/>
-                <input type="hidden" value={loginAttempts ?? 0} name="login_attempts"/>
                 {shouldShowCaptcha() && captchaPublicKey &&
                     <Turnstile
                         className={styles.turnstile}

tests/UserLoginTurnstileTest.php

@@ -0,0 +1,248 @@
+<?php namespace Tests;
+/**
+ * Copyright 2026 OpenStack Foundation
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ **/
+
+use Auth\User;
+use Illuminate\Support\Facades\Http;
+use Illuminate\Support\Facades\Session;
+use LaravelDoctrine\ORM\Facades\EntityManager;
+
+/**
+ * Class UserLoginTurnstileTest
+ *
+ * Covers Cloudflare Turnstile integration in UserController::postLogin():
+ *  - cf-turnstile-response required when login_failed_attempt >= threshold
+ *  - threshold gating (before / at boundary)
+ *  - server-side attempt lookup for existing vs. unknown users
+ *  - login screen emits Turnstile JS config after a failed attempt
+ *  - expired or unsolved token is rejected
+ */
+final class UserLoginTurnstileTest extends BrowserKitTestCase
+{
+    private const TURNSTILE_SITEVERIFY_URL = 'https://challenges.cloudflare.com/turnstile/v0/siteverify';
+    private const LOGIN_URL                = '/auth/login';
+    // Matches ServerConfigurationService::DefaultMaxFailedLoginAttempts2ShowCaptcha
+    private const CAPTCHA_THRESHOLD        = 3;
+
+    private string $testEmail;
+    private string $testPassword;
+
+    protected function prepareForTests(): void
+    {
+        parent::prepareForTests();
+        $this->testEmail    = env('TEST_USER_EMAIL');
+        $this->testPassword = env('TEST_USER_PASSWORD');
+        Session::start();
+    }
+
+    // -------------------------------------------------------------------------
+    // Helpers
+    // -------------------------------------------------------------------------
+
+    private function getTestUser(): User
+    {
+        return EntityManager::getRepository(User::class)
+            ->findOneBy(['identifier' => 'sebastian.marcet']);
+    }
+
+    private function setLoginAttempts(User $user, int $attempts): void
+    {
+        $user->setLoginFailedAttempt($attempts);
+        EntityManager::persist($user);
+        EntityManager::flush();
+    }
+
+    private function postLogin(array $overrides = [])
+    {
+        // GET the login page first so the session (and its CSRF token) is established,
+        // mirroring how a real browser submits the form.
+        $this->call('GET', self::LOGIN_URL);
+
+        return $this->call('POST', self::LOGIN_URL, array_merge([
+            'username' => $this->testEmail,
+            'password' => $this->testPassword,
+            'flow'     => 'password',
+            '_token'   => Session::token(),
+        ], $overrides));
+    }
+
+    private function fakeTurnstilePass(): void
+    {
+        Http::fake([
+            self::TURNSTILE_SITEVERIFY_URL => Http::response(['success' => true], 200),
+        ]);
+    }
+
+    private function fakeTurnstileFail(): void
+    {
+        Http::fake([
+            self::TURNSTILE_SITEVERIFY_URL => Http::response(
+                ['success' => false, 'error-codes' => ['timeout-or-duplicate']],
+                200
+            ),
+        ]);
+    }
+
+    /**
+     * BrowserKitTesting's assertSessionHasErrors/assertSessionMissing target
+     * $app['session.store'], which is a fresh Store singleton never populated by
+     * the request's StartSession middleware ($app['session']->driver()). Use the
+     * live session driver instead.
+     */
+    private function sessionHasValidationError(string $field): bool
+    {
+        $errors = $this->app['session']->driver()->get('errors');
+        return $errors !== null && $errors->has($field);
+    }
+
+    // -------------------------------------------------------------------------
+    // 1. Validation failure when cf-turnstile-response is missing
+    // -------------------------------------------------------------------------
+
+    public function testMissingTurnstileResponseFailsValidationWhenAtThreshold(): void
+    {
+        $user = $this->getTestUser();
+        $this->setLoginAttempts($user, self::CAPTCHA_THRESHOLD);
+
+        $this->postLogin(); // no cf-turnstile-response
+
+        $this->assertTrue(
+            $this->sessionHasValidationError('cf-turnstile-response'),
+            'Expected a validation error for cf-turnstile-response when user is at threshold'
+        );
+    }
+
+    // -------------------------------------------------------------------------
+    // 2. Login flow behaviour before / after CAPTCHA threshold
+    // -------------------------------------------------------------------------
+
+    public function testLoginBelowThresholdDoesNotRequireTurnstile(): void
+    {
+        $user = $this->getTestUser();
+        $this->setLoginAttempts($user, self::CAPTCHA_THRESHOLD - 1);
+
+        $this->postLogin(); // correct credentials, no captcha token
+
+        $this->assertFalse(
+            $this->sessionHasValidationError('cf-turnstile-response'),
+            'Turnstile must not be required when login attempts are below threshold'
+        );
+    }
+
+    public function testLoginAtThresholdWithValidTokenPassesValidation(): void
+    {
+        $user = $this->getTestUser();
+        $this->setLoginAttempts($user, self::CAPTCHA_THRESHOLD);
+
+        $this->fakeTurnstilePass();
+
+        $this->postLogin(['cf-turnstile-response' => 'dummy-token-accepted-by-mock']);
+
+        $this->assertFalse(
+            $this->sessionHasValidationError('cf-turnstile-response'),
+            'A valid Turnstile token must clear the captcha validation rule'
+        );
+    }
+
+    // -------------------------------------------------------------------------
+    // 3. Server-side login-attempt lookup: user exists vs. does not exist
+    // -------------------------------------------------------------------------
+
+    public function testLoginAttemptsLoadedFromExistingUserRecord(): void
+    {
+        $user = $this->getTestUser();
+        $this->setLoginAttempts($user, self::CAPTCHA_THRESHOLD);
+
+        // Omit cf-turnstile-response. If the controller had NOT read the DB value it
+        // would see login_attempts = 0 and skip the captcha rule. The error proves
+        // the persisted attempt count was used.
+        $this->postLogin();
+
+        $this->assertTrue(
+            $this->sessionHasValidationError('cf-turnstile-response'),
+            'Expected captcha required error, which proves login_failed_attempt was read from DB'
+        );
+    }
+
+    public function testLoginAttemptsDefaultToZeroForUnknownUsername(): void
+    {
+        // No user with this email → auth_service->getUserByUsername() returns null
+        // login_attempts stays 0 → captcha rule is never added to the validator
+        $this->postLogin([
+            'username' => 'nobody@doesnotexist.example',
+            'password' => 'irrelevant',
+        ]);
+
+        $this->assertFalse(
+            $this->sessionHasValidationError('cf-turnstile-response'),
+            'Turnstile must not be required when the username does not exist in the DB'
+        );
+    }
+
+    // -------------------------------------------------------------------------
+    // 4. Rendering of Turnstile on the thresholded login screen
+    // -------------------------------------------------------------------------
+
+    public function testLoginScreenIncludesTurnstileConfigWhenAboveThreshold(): void
+    {
+        $user = $this->getTestUser();
+        // Place user one below threshold; the wrong-password attempt crosses it.
+        $this->setLoginAttempts($user, self::CAPTCHA_THRESHOLD - 1);
+
+        $this->postLogin(['password' => 'wrong-password']);
+
+        // errorLogin() flashes max_login_attempts_2_show_captcha into the session;
+        // following the redirect renders login.blade.php which emits those values.
+        $html = $this->call('GET', self::LOGIN_URL)->getContent();
+
+        // captchaPublicKey is always rendered (login.blade.php, not conditional)
+        $this->assertStringContainsString('captchaPublicKey', $html);
+
+        // maxLoginAttempts2ShowCaptcha is emitted when the session key is set
+        $this->assertStringContainsString('maxLoginAttempts2ShowCaptcha', $html);
+    }
+
+    // -------------------------------------------------------------------------
+    // 5. Auth form submission when Turnstile is expired or not solved
+    // -------------------------------------------------------------------------
+
+    public function testExpiredTurnstileTokenFailsValidation(): void
+    {
+        $user = $this->getTestUser();
+        $this->setLoginAttempts($user, self::CAPTCHA_THRESHOLD);
+
+        // Cloudflare API returns success=false (expired / already-used token)
+        $this->fakeTurnstileFail();
+
+        $this->postLogin(['cf-turnstile-response' => 'expired-or-invalid-token']);
+
+        $this->assertTrue(
+            $this->sessionHasValidationError('cf-turnstile-response'),
+            'An expired or invalid Turnstile token must produce a validation error'
+        );
+    }
+
+    public function testUnsolvedCaptchaEmptyTokenFailsValidation(): void
+    {
+        $user = $this->getTestUser();
+        $this->setLoginAttempts($user, self::CAPTCHA_THRESHOLD);
+
+        // Empty string triggers the 'required' rule before any Cloudflare call
+        $this->postLogin(['cf-turnstile-response' => '']);
+
+        $this->assertTrue(
+            $this->sessionHasValidationError('cf-turnstile-response'),
+            'An empty Turnstile response must be rejected by the required rule'
+        );
+    }
+}