feat: add captcha-backed forum security hardening

app/Http/Middleware/ForumBotProtectionMiddleware.php

@@ -0,0 +1,96 @@
+<?php
+
+namespace App\Http\Middleware;
+
+use App\Services\Security\CaptchaVerifier;
+use cPad\Plugins\Forum\Services\Security\BotProtectionService;
+use Closure;
+use Illuminate\Http\JsonResponse;
+use Illuminate\Http\RedirectResponse;
+use Illuminate\Http\Request;
+use Illuminate\Validation\ValidationException;
+use Symfony\Component\HttpFoundation\Response;
+
+class ForumBotProtectionMiddleware
+{
+    public function __construct(
+        private readonly BotProtectionService $botProtectionService,
+        private readonly CaptchaVerifier $captchaVerifier,
+    ) {
+    }
+
+    public function handle(Request $request, Closure $next, string $action = 'generic'): Response|RedirectResponse|JsonResponse
+    {
+        $assessment = $this->botProtectionService->assess($request, $action);
+        $request->attributes->set('forum_bot_assessment', $assessment);
+
+        if ($this->requiresCaptcha($assessment, $action)) {
+            $captcha = $this->captchaVerifier->frontendConfig();
+            $tokenInput = (string) ($captcha['inputName'] ?? $this->captchaVerifier->inputName());
+            $token = (string) (
+                $request->input($tokenInput)
+                ?: $request->header('X-Captcha-Token', '')
+                ?: $request->header('X-Turnstile-Token', '')
+            );
+
+            if (! $this->captchaVerifier->verify($token, $request->ip())) {
+                $message = (string) config('forum_bot_protection.captcha.message', 'Complete the captcha challenge to continue.');
+
+                if ($request->expectsJson()) {
+                    return response()->json([
+                        'message' => $message,
+                        'errors' => [
+                            'captcha' => [$message],
+                        ],
+                        'requires_captcha' => true,
+                        'captcha' => $captcha,
+                        'captcha_provider' => (string) ($captcha['provider'] ?? $this->captchaVerifier->provider()),
+                        'captcha_site_key' => (string) ($captcha['siteKey'] ?? ''),
+                        'captcha_input' => (string) ($captcha['inputName'] ?? $tokenInput),
+                        'captcha_script_url' => (string) ($captcha['scriptUrl'] ?? ''),
+                    ], 422);
+                }
+
+                return redirect()->back()
+                    ->withInput($request->except(['password', 'current_password', 'new_password', 'new_password_confirmation', $tokenInput]))
+                    ->withErrors(['captcha' => $message])
+                    ->with('bot_captcha_required', true)
+                    ->with('bot_turnstile_required', true);
+            }
+
+            $request->attributes->set('forum_bot_captcha_verified', true);
+        }
+
+        if ((bool) ($assessment['blocked'] ?? false)) {
+            $message = 'Suspicious activity detected.';
+
+            if ($request->expectsJson()) {
+                return response()->json([
+                    'message' => $message,
+                    'errors' => [
+                        'bot' => [$message],
+                    ],
+                ], 429);
+            }
+
+            throw ValidationException::withMessages([
+                'bot' => [$message],
+            ]);
+        }
+
+        return $next($request);
+    }
+
+    private function requiresCaptcha(array $assessment, string $action): bool
+    {
+        if (! $this->captchaVerifier->isEnabled()) {
+            return false;
+        }
+
+        if ((int) ($assessment['risk_score'] ?? 0) < (int) config('forum_bot_protection.thresholds.captcha', 60)) {
+            return false;
+        }
+
+        return in_array($action, (array) config('forum_bot_protection.captcha.actions', []), true);
+    }
+}