feat: Integrate reCAPTCHA into Login Form

Integrates Google reCAPTCHA v3 into the login form located at
`apps/web/app/(with-contexts)/(with-layout)/login/login-form.tsx`.

This change utilizes the existing reCAPTCHA framework:
- The `useRecaptcha` hook is used to generate a token for the 'login_code_request' action.
- The token is verified by the `/api/recaptcha` endpoint.
- If reCAPTCHA verification is successful and the score is adequate,
  the request to generate a login code proceeds.
- If verification fails or the score is too low, an error message is
  displayed to you via a toast notification, and the login code
  request is blocked.
- Loading states and error handling have been updated to incorporate
  the reCAPTCHA verification step.

Author: google-labs-jules[bot]

apps/web/RECAPTCHA_INTEGRATION_NOTES.md

@@ -0,0 +1,107 @@
+# Google reCAPTCHA v3 Integration Notes
+
+## 1. Overview
+
+This document outlines the integration of Google reCAPTCHA v3 into the web application. reCAPTCHA v3 works by returning a score for each request without user friction. This score can be used to take appropriate action, such as requiring additional verification steps or blocking suspected bot traffic. It helps protect user actions like form submissions from abuse.
+
+## 2. Environment Variables
+
+The following environment variables are required for the reCAPTCHA integration to function correctly:
+
+-   `NEXT_PUBLIC_RECAPTCHA_SITE_KEY`: This is the client-side site key obtained from the Google reCAPTCHA Admin Console. It's prefixed with `NEXT_PUBLIC_` because it needs to be accessible in the browser.
+-   `RECAPTCHA_SECRET_KEY`: This is the server-side secret key obtained from the Google reCAPTCHA Admin Console. **This key must be kept confidential and should only be used on the server.**
+
+Ensure these variables are set in your local development environment (e.g., in an `.env.local` file at the root of the `apps/web` project) and in your deployment environments.
+
+## 3. How it Works
+
+The integration consists of three main parts:
+
+### a. Client-side Script Loading (`app/layout.tsx`)
+
+-   The root layout file (`apps/web/app/layout.tsx`) includes a Next.js `Script` component to load the Google reCAPTCHA API script.
+-   The script source URL includes the `NEXT_PUBLIC_RECAPTCHA_SITE_KEY`.
+-   The script is loaded only if `NEXT_PUBLIC_RECAPTCHA_SITE_KEY` is present, preventing errors if the key is not configured.
+-   The `strategy="afterInteractive"` attribute is used to load the script after the page becomes interactive, minimizing impact on initial page load performance.
+
+### b. `useRecaptcha` Hook (`hooks/use-recaptcha.ts`)
+
+-   The custom React hook `useRecaptcha` (located in `apps/web/hooks/use-recaptcha.ts`) provides a convenient way to trigger reCAPTCHA verification.
+-   It exports an `executeRecaptcha` function that takes an `action` string as an argument. This `action` helps you identify which part of your site is being protected when viewing results in the Google reCAPTCHA Admin Console.
+-   When called, `executeRecaptcha`:
+    1.  Checks if `NEXT_PUBLIC_RECAPTCHA_SITE_KEY` is available. If not, it logs an error and returns `null`.
+    2.  Checks if `window.grecaptcha` and `window.grecaptcha.ready` are available (i.e., if the Google script has loaded).
+    3.  Calls `window.grecaptcha.ready()` to ensure the API is ready.
+    4.  Calls `window.grecaptcha.execute()` with the site key and the provided `action` to get a reCAPTCHA token.
+    5.  Returns a Promise that resolves with the token, or `null` if an error occurs.
+-   The `executeRecaptcha` function is wrapped in `useCallback` for performance optimization.
+
+### c. `/api/recaptcha` Server-side Endpoint (`app/api/recaptcha/route.ts`)
+
+-   This API route (located at `apps/web/app/api/recaptcha/route.ts`) handles the server-side verification of the reCAPTCHA token.
+-   It expects a `POST` request with a JSON body containing the `token` received from the client-side.
+-   **Verification Steps**:
+    1.  Retrieves the `RECAPTCHA_SECRET_KEY` from server environment variables. Returns a 500 error if not set.
+    2.  Checks if the `token` is present in the request body. Returns a 400 error if not.
+    3.  Makes a `POST` request to Google's `https://www.google.com/recaptcha/api/siteverify` endpoint.
+    4.  The request to Google includes the `secret` (your `RECAPTCHA_SECRET_KEY`) and `response` (the client's `token`).
+    5.  Parses the JSON response from Google.
+    6.  Returns relevant information from Google's response to the client, including `success`, `score`, `action`, `challenge_ts`, `hostname`, and `error-codes`.
+-   Includes error handling for the fetch request to Google and other potential issues.
+
+## 4. Using the `recaptcha-example-form.tsx`
+
+-   An example component `RecaptchaExampleForm` (located in `apps/web/components/recaptcha-example-form.tsx`) demonstrates the end-to-end reCAPTCHA flow.
+-   It renders a simple form. On submission:
+    1.  It calls `executeRecaptcha` from the `useRecaptcha` hook.
+    2.  If a token is received, it sends this token to the `/api/recaptcha` endpoint.
+    3.  It then logs the verification response from the API and displays a status message to the user, indicating whether the action would be allowed based on the `success` status and `score` (e.g., score > 0.5).
+-   **To test the integration**: Temporarily import and render this component on any page within the `apps/web` application.
+
+## 5. Testing Steps
+
+1.  **Set Environment Variables**:
+    *   Ensure `NEXT_PUBLIC_RECAPTCHA_SITE_KEY` and `RECAPTCHA_SECRET_KEY` are correctly set in your local environment (e.g., in an `.env.local` file at the root of `apps/web`). Use valid keys from your Google reCAPTCHA admin console for a specific domain (localhost can be registered for testing).
+
+2.  **Render the Example Form**:
+    *   Modify an existing page (e.g., the homepage) in `apps/web` to import and render the `RecaptchaExampleForm` component.
+    ```tsx
+    // Example: in apps/web/app/page.tsx
+    import { RecaptchaExampleForm } from "@/components/recaptcha-example-form";
+
+    export default function HomePage() {
+        return (
+            <div>
+                {/* ... other page content ... */}
+                <RecaptchaExampleForm />
+            </div>
+        );
+    }
+    ```
+
+3.  **Open Browser Developer Tools**:
+    *   Access the page where `RecaptchaExampleForm` is rendered.
+    *   Open your browser's developer tools (usually by pressing F12).
+
+4.  **Monitor Console**:
+    *   Check the **Console** tab for logs:
+        *   From `useRecaptcha` if the site key is missing or reCAPTCHA isn't ready.
+        *   From `RecaptchaExampleForm` showing the token received (if any), the call to `/api/recaptcha`, the verification response, and status messages.
+
+5.  **Check Network Tab**:
+    *   Switch to the **Network** tab in developer tools.
+    *   Submit the example form.
+    *   Look for the `POST` request to `/api/recaptcha`. Inspect its payload (the token) and response (Google's verification result).
+    *   Note: The call to Google's `siteverify` endpoint happens server-to-server, so you won't see it directly in the browser's network tab, but its outcome is returned by your `/api/recaptcha` endpoint.
+
+6.  **Google reCAPTCHA Admin Console (Post-Deployment)**:
+    *   After deploying the application to a staging or test environment with valid production/test reCAPTCHA keys:
+        *   Visit your Google reCAPTCHA Admin Console.
+        *   Select the site key you configured.
+        *   You should see traffic data, including the number of requests, scores, and the distribution of actions (e.g., 'example_form_submit'). This helps verify that reCAPTCHA is actively processing requests for your site.
+
+7.  **Test Missing Keys**:
+    *   Temporarily unset or comment out `NEXT_PUBLIC_RECAPTCHA_SITE_KEY` in your `.env.local` and restart the development server. The reCAPTCHA script should not load, and `executeRecaptcha` should return `null` or handle it gracefully.
+    *   Temporarily unset `RECAPTCHA_SECRET_KEY`. The `/api/recaptcha` endpoint should return a 500 error, which the example form should handle.
+
+By following these steps, you can thoroughly test the reCAPTCHA v3 integration. Remember to remove the `RecaptchaExampleForm` from any public pages after testing.

apps/web/app/(with-contexts)/(with-layout)/login/login-form.tsx

@@ -32,6 +32,7 @@ import {
 } from "@/ui-config/strings";
 import Link from "next/link";
 import { TriangleAlert } from "lucide-react";
+import { useRecaptcha } from "@/hooks/use-recaptcha";
 import { useRouter } from "next/navigation";
 
 export default function LoginForm({ redirectTo }: { redirectTo?: string }) {
@@ -42,27 +43,78 @@ export default function LoginForm({ redirectTo }: { redirectTo?: string }) {
     const [error, setError] = useState("");
     const [loading, setLoading] = useState(false);
     const { toast } = useToast();
+    const { executeRecaptcha } = useRecaptcha();
     const router = useRouter();
 
     const requestCode = async function (e: FormEvent) {
         e.preventDefault();
-        const url = `/api/auth/code/generate?email=${encodeURIComponent(
-            email,
-        )}`;
+        setLoading(true);
+        setError("");
+
+        if (!executeRecaptcha) {
+            toast({
+                title: TOAST_TITLE_ERROR,
+                description: "reCAPTCHA service not available. Please try again later.",
+                variant: "destructive",
+            });
+            setLoading(false);
+            return;
+        }
+
+        const recaptchaToken = await executeRecaptcha("login_code_request");
+        if (!recaptchaToken) {
+            toast({
+                title: TOAST_TITLE_ERROR,
+                description: "reCAPTCHA validation failed. Please try again.",
+                variant: "destructive",
+            });
+            setLoading(false);
+            return;
+        }
+
         try {
-            setLoading(true);
+            const recaptchaVerificationResponse = await fetch("/api/recaptcha", {
+                method: "POST",
+                headers: { "Content-Type": "application/json" },
+                body: JSON.stringify({ token: recaptchaToken }),
+            });
+
+            const recaptchaData = await recaptchaVerificationResponse.json();
+
+            if (!recaptchaVerificationResponse.ok || !recaptchaData.success || (recaptchaData.score && recaptchaData.score < 0.5)) {
+                toast({
+                    title: TOAST_TITLE_ERROR,
+                    description: `reCAPTCHA verification failed. ${recaptchaData.score ? `Score: ${recaptchaData.score.toFixed(2)}.` : ''} Please try again.`,
+                    variant: "destructive",
+                });
+                setLoading(false);
+                return;
+            }
+
+            // Proceed with code generation if reCAPTCHA is successful
+            const url = `/api/auth/code/generate?email=${encodeURIComponent(
+                email,
+            )}`;
             const response = await fetch(url);
             const resp = await response.json();
             if (response.ok) {
                 setShowCode(true);
             } else {
                 toast({
                     title: TOAST_TITLE_ERROR,
-                    description: resp.error,
+                    description: resp.error || "Failed to request code.",
                     variant: "destructive",
                 });
             }
-        } finally {
+        } catch (err) {
+            console.error("Error during requestCode:", err);
+            toast({
+                title: TOAST_TITLE_ERROR,
+                description: "An unexpected error occurred. Please try again.",
+                variant: "destructive",
+            });
+        }
+        finally {
             setLoading(false);
         }
     };

apps/web/app/api/recaptcha/route.ts

@@ -0,0 +1,77 @@
+import { NextRequest, NextResponse } from "next/server";
+
+/**
+ * API route handler for verifying a Google reCAPTCHA v3 token.
+ * Expects a POST request with a JSON body containing a `token` property.
+ *
+ * @param {NextRequest} request - The incoming Next.js API request object.
+ * @returns {Promise<NextResponse>} A Next.js API response object.
+ */
+export async function POST(request: NextRequest) {
+    const secretKey = process.env.RECAPTCHA_SECRET_KEY;
+    if (!secretKey) {
+        console.error("reCAPTCHA secret key not found.");
+        return NextResponse.json(
+            { error: "Internal server error" },
+            { status: 500 }
+        );
+    }
+
+    let requestBody;
+    try {
+        requestBody = await request.json();
+    } catch (error) {
+        return NextResponse.json(
+            { error: "Invalid request body" },
+            { status: 400 }
+        );
+    }
+
+    const { token } = requestBody;
+
+    if (!token) {
+        return NextResponse.json(
+            { error: "reCAPTCHA token not found" },
+            { status: 400 }
+        );
+    }
+
+    const formData = `secret=${secretKey}&response=${token}`;
+
+    try {
+        const response = await fetch(
+            "https://www.google.com/recaptcha/api/siteverify",
+            {
+                method: "POST",
+                headers: {
+                    "Content-Type": "application/x-www-form-urlencoded",
+                },
+                body: formData,
+            }
+        );
+
+        if (!response.ok) {
+            console.error("Failed to verify reCAPTCHA token with Google");
+            return NextResponse.json(
+                { error: "Failed to verify reCAPTCHA token" },
+                { status: 500 }
+            );
+        }
+
+        const googleResponse = await response.json();
+        return NextResponse.json({
+            success: googleResponse.success,
+            score: googleResponse.score,
+            action: googleResponse.action,
+            challenge_ts: googleResponse.challenge_ts,
+            hostname: googleResponse.hostname,
+            "error-codes": googleResponse["error-codes"],
+        });
+    } catch (error) {
+        console.error("Error verifying reCAPTCHA token:", error);
+        return NextResponse.json(
+            { error: "Error verifying reCAPTCHA token" },
+            { status: 500 }
+        );
+    }
+}

apps/web/app/layout.tsx

@@ -3,6 +3,7 @@ import "@courselit/page-blocks/styles.css";
 import "@courselit/components-library/styles.css";
 import "@courselit/page-primitives/styles.css";
 import "../styles/globals.css";
+import Script from "next/script";
 import type { Metadata } from "next";
 import { headers } from "next/headers";
 import {
@@ -69,6 +70,13 @@ export default async function RootLayout({ children }: RootLayoutProps) {
                 className={`${fonts.openSans.variable} ${fonts.montserrat.variable} ${fonts.lato.variable} ${fonts.poppins.variable} ${fonts.sourceSans3.variable} ${fonts.raleway.variable} ${fonts.notoSans.variable} ${fonts.merriweather.variable} ${fonts.inter.variable} ${fonts.alegreya.variable} ${fonts.roboto.variable} ${fonts.mulish.variable} ${fonts.nunito.variable} ${fonts.rubik.variable} ${fonts.playfairDisplay.variable} ${fonts.oswald.variable} ${fonts.ptSans.variable} ${fonts.workSans.variable} ${fonts.robotoSlab.variable} ${fonts.sourceSerif4.variable} ${fonts.bebasNeue.variable} ${fonts.quicksand.variable} font-sans ${inter.className}`}
             >
                 {children}
+                {/* Conditionally load the Google reCAPTCHA v3 script. Only loads if the site key is set in environment variables. */}
+                {process.env.NEXT_PUBLIC_RECAPTCHA_SITE_KEY && (
+                    <Script
+                        src={`https://www.google.com/recaptcha/api.js?render=${process.env.NEXT_PUBLIC_RECAPTCHA_SITE_KEY}`}
+                        strategy="afterInteractive" // Load after the page becomes interactive to avoid blocking initial render.
+                    />
+                )}
             </body>
         </html>
     );