feat(passkeys): add CAPTCHA to options endpoint for authentication

Author: fadymak

internal/api/api.go

@@ -313,7 +313,7 @@ func NewAPIWithVersion(globalConfig *conf.GlobalConfiguration, db *storage.Conne
 			r.Use(api.requirePasskeyEnabled)
 
 			r.Route("/authentication", func(r *router) {
-				r.Post("/options", api.PasskeyAuthenticationOptions)
+				r.With(api.verifyCaptcha).Post("/options", api.PasskeyAuthenticationOptions)
 				r.Post("/verify", api.PasskeyAuthenticationVerify)
 			})
 

internal/api/passkey_authentication_test.go

@@ -8,6 +8,7 @@ import (
 	"github.com/gofrs/uuid"
 	"github.com/stretchr/testify/require"
 	"github.com/supabase/auth/internal/models"
+	"github.com/supabase/auth/internal/security"
 )
 
 // TestDiscoverableAuthenticationHappyPath tests the full discoverable credential authentication flow.
@@ -201,6 +202,78 @@ func (ts *PasskeyTestSuite) TestAuthenticationPasskeyDisabled() {
 	ts.Equal(http.StatusNotFound, w.Code)
 }
 
+// TestAuthenticationOptionsCaptchaRequired tests that CAPTCHA enabled + no token → 400.
+func (ts *PasskeyTestSuite) TestAuthenticationOptionsCaptchaRequired() {
+	ts.Config.Security.Captcha.Enabled = true
+	ts.Config.Security.Captcha.Provider = "hcaptcha"
+	ts.Config.Security.Captcha.Secret = "test-secret"
+
+	// No captcha_token in request body
+	w := ts.makeRequest(http.MethodPost, "http://localhost/passkeys/authentication/options", map[string]any{})
+	ts.Equal(http.StatusBadRequest, w.Code)
+
+	var errResp map[string]any
+	require.NoError(ts.T(), json.NewDecoder(w.Body).Decode(&errResp))
+	ts.Equal("captcha_failed", errResp["error_code"])
+}
+
+// TestAuthenticationOptionsCaptchaValid tests that CAPTCHA enabled + valid token → 200.
+func (ts *PasskeyTestSuite) TestAuthenticationOptionsCaptchaValid() {
+	ts.Config.Security.Captcha.Enabled = true
+	ts.Config.Security.Captcha.Provider = "hcaptcha"
+	ts.Config.Security.Captcha.Secret = "test-secret"
+
+	ts.CaptchaVerifier.Result = &security.VerificationResponse{Success: true}
+	ts.CaptchaVerifier.Err = nil
+
+	w := ts.makeRequest(http.MethodPost, "http://localhost/passkeys/authentication/options", map[string]any{
+		"gotrue_meta_security": map[string]any{
+			"captcha_token": "valid-token",
+		},
+	})
+	ts.Equal(http.StatusOK, w.Code)
+
+	var optionsResp PasskeyAuthenticationOptionsResponse
+	require.NoError(ts.T(), json.NewDecoder(w.Body).Decode(&optionsResp))
+	ts.NotEmpty(optionsResp.ChallengeID)
+}
+
+// TestAuthenticationOptionsCaptchaInvalid tests that CAPTCHA enabled + mock failure → 400.
+func (ts *PasskeyTestSuite) TestAuthenticationOptionsCaptchaInvalid() {
+	ts.Config.Security.Captcha.Enabled = true
+	ts.Config.Security.Captcha.Provider = "hcaptcha"
+	ts.Config.Security.Captcha.Secret = "test-secret"
+
+	ts.CaptchaVerifier.Result = &security.VerificationResponse{
+		Success:    false,
+		ErrorCodes: []string{"invalid-input-response"},
+	}
+	ts.CaptchaVerifier.Err = nil
+
+	w := ts.makeRequest(http.MethodPost, "http://localhost/passkeys/authentication/options", map[string]any{
+		"gotrue_meta_security": map[string]any{
+			"captcha_token": "bad-token",
+		},
+	})
+	ts.Equal(http.StatusBadRequest, w.Code)
+
+	var errResp map[string]any
+	require.NoError(ts.T(), json.NewDecoder(w.Body).Decode(&errResp))
+	ts.Equal("captcha_failed", errResp["error_code"])
+}
+
+// TestAuthenticationOptionsCaptchaDisabled tests that CAPTCHA disabled → 200 without token.
+func (ts *PasskeyTestSuite) TestAuthenticationOptionsCaptchaDisabled() {
+	ts.Config.Security.Captcha.Enabled = false
+
+	w := ts.makeRequest(http.MethodPost, "http://localhost/passkeys/authentication/options", nil)
+	ts.Equal(http.StatusOK, w.Code)
+
+	var optionsResp PasskeyAuthenticationOptionsResponse
+	require.NoError(ts.T(), json.NewDecoder(w.Body).Decode(&optionsResp))
+	ts.NotEmpty(optionsResp.ChallengeID)
+}
+
 // registerPasskey is a test helper that registers a passkey for the test user
 // and returns the authenticator (with stored credential) for later assertion.
 func (ts *PasskeyTestSuite) registerPasskey() (*virtualAuthenticator, *PasskeyMetadataResponse) {

internal/api/passkey_test.go

@@ -22,18 +22,21 @@ import (
 // Flow-specific test methods live in their own files (passkey_register_test.go, etc.).
 type PasskeyTestSuite struct {
 	suite.Suite
-	API         *API
-	Config      *conf.GlobalConfiguration
-	TestUser    *models.User
-	TestSession *models.Session
+	API             *API
+	Config          *conf.GlobalConfiguration
+	TestUser        *models.User
+	TestSession     *models.Session
+	CaptchaVerifier *MockCaptchaVerifier
 }
 
 func TestPasskey(t *testing.T) {
-	api, config, err := setupAPIForTest()
+	mockCaptcha := &MockCaptchaVerifier{}
+	api, config, err := setupAPIForTest(WithCaptchaVerifier(mockCaptcha))
 	require.NoError(t, err)
 	ts := &PasskeyTestSuite{
-		API:    api,
-		Config: config,
+		API:             api,
+		Config:          config,
+		CaptchaVerifier: mockCaptcha,
 	}
 	defer api.db.Close()
 	suite.Run(t, ts)
@@ -42,6 +45,11 @@ func TestPasskey(t *testing.T) {
 func (ts *PasskeyTestSuite) SetupTest() {
 	models.TruncateAll(ts.API.db)
 
+	// Reset captcha state
+	ts.Config.Security.Captcha.Enabled = false
+	ts.CaptchaVerifier.Result = nil
+	ts.CaptchaVerifier.Err = nil
+
 	// Enable passkeys
 	ts.Config.Passkey.Enabled = true
 	ts.Config.Passkey.MaxPasskeysPerUser = 10