Security: Add Bot Protection (Turnstile / reCAPTCHA) to Auth Routes

[jpdevhub]

Description

The Idea
As our app grows, we need to protect our authentication and registration endpoints from automated bot spam.

What needs to be done

• Integrate Cloudflare Turnstile (preferred) or Google reCAPTCHA v3 on the frontend sign-in/sign-up forms.
• Validate the token on the FastAPI backend before creating a user session or inserting a new user into the database.
• Keep the UI extremely clean so it doesn't ruin the brutalist aesthetic.

[pranavshankar1221]

Hi @jpdevhub I like to work on this issue under SSOC'26
/assign

[jpdevhub]

give the approach and this is security issue so handle it correctly !

[pranavshankar1221]

APPROACH 1 (CLOUDFLARE TURNSTILE)
To protect the authentication system from automated bot attacks, we will integrate Cloudflare Turnstile into the sign-in and sign-up flows. When a user submits either form, Turnstile will generate a verification token on the frontend. This token will be sent along with the authentication request to the FastAPI backend. Before creating a new account or establishing a user session, the backend will validate the token using Cloudflare's verification API. Requests with invalid or missing tokens will be rejected, ensuring that only legitimate users can access authentication endpoints.

APPROACH 2 (RATE LIMITING AND EMAIL VERIFICATION)
Implemented authentication protection using rate limiting and email verification. Registration requests are throttled to prevent automated abuse, while newly created accounts remain inactive until the user verifies ownership of their email address. This approach significantly reduces spam registrations and bot-driven account creation without introducing intrusive CAPTCHA challenges, preserving the application's clean and minimal user experience.

Hi @jpdevhub !, I have provided two approaches to implement the BOT protection you can choose any one of the approach to implement it or if there any other approach other than this feel free to say.........
Thank you !!

[jpdevhub]

Hi! Thank you for detailing these two excellent approaches.

Let's go with Approach 1 (Cloudflare Turnstile), but combined with the Rate Limiting aspect of Approach 2.

Why Turnstile? FreshScan AI is designed to be a frictionless, on-the-go tool used in fast-paced environments (like fish markets). Forcing users to leave the app to check their email for a verification link adds too much UX friction. Turnstile gives us robust bot protection while remaining entirely invisible to legitimate users, perfectly preserving our minimal design.

The Implementation Plan
Frontend: Integrate the Cloudflare Turnstile React component into the Auth forms (sign-in/sign-up).
Backend: Have the FastAPI backend verify the Turnstile token with Cloudflare's API before issuing the session.
Bonus (Rate Limiting): While we are skipping email verification, adding basic rate-limiting (e.g., via slowapi in FastAPI) to the auth endpoints would be a fantastic defense-in-depth addition to complement Turnstile.

Please proceed with Approach 1! Let me know if you need any help setting up the Cloudflare site keys or testing the backend verification