Add Captcha to Necessary Secure Account Areas

[Copilot]

This PR adds HCaptcha protection to three critical authentication pages that were missing captcha validation, enhancing security against automated attacks.

Changes Made

✅ Login Page (Areas/Identity/Pages/Account/Login.cshtml)

• Added HCaptcha widget to login form
• Implemented backend validation before login attempts
• Prevents automated brute force attacks

✅ Resend Email Confirmation Page (Areas/Identity/Pages/Account/ResendEmailConfirmation.cshtml)

• Added HCaptcha widget before email sending
• Added validation to prevent email spam abuse
• Protects against automated confirmation email requests

✅ Reset Password Page (Areas/Identity/Pages/Account/ResetPassword.cshtml)

• Added HCaptcha widget before password reset
• Implemented validation to block automated reset attempts
• Secures password recovery flow

✅ Register Page

• Already had captcha implementation (used as reference pattern)

Technical Implementation

Frontend Changes:

<div class="form-group">
    <div class="h-captcha" data-sitekey=@Model.CaptchaOptions.SiteKey></div>
</div>

<script src="https://js.hcaptcha.com/1/api.js" async defer></script>

Backend Changes:

• Injected existing ICaptchaService and IOptions<CaptchaOptions> into page models
• Added captcha response validation using proven error handling patterns
• Leveraged existing HCaptchaErrorDetails system for comprehensive error management

Security Benefits:

• Prevents automated bot attacks on login attempts
• Protects email systems from spam abuse
• Secures password reset functionality against automated attacks
• Maintains consistent user experience across all authentication flows

All implementations follow the same proven pattern as the existing Register page captcha, ensuring consistency and reliability.

Fixes #253.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

• esm.ubuntu.com
  • Triggering command: /usr/lib/apt/methods/https (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to my firewall allow list

---

💬 Share your feedback on Copilot coding agent for the chance to win a $200 gift card! Click here to start the survey.

[BenjaminMichaelis]

Does this fix #254?

[BenjaminMichaelis]

@copilot Does this fix #254?

[Copilot]

@copilot Does this fix #254?

No, this PR only addresses issue #253 (adding captcha to secure account areas like login/register/password reset). Issue #254 is about preventing content scraping by adding captcha after users browse multiple pages, which is a different use case and would require a separate implementation.