fix(tests): make Turnstile CAPTCHA optional for tests

- Turnstile validation only required when TURNSTILE_SECRET_KEY is set
- Allows tests to run without CAPTCHA in test environment
- Fixes matching-runs-audit test failures caused by missing turnstileToken
- Update validators.js to conditionally require turnstileToken
- Update auth.js controller to skip verification when not configured

backend/src/controllers/auth.js

@@ -18,8 +18,9 @@ async function register(req, res, next) {
   try {
     const { username, email, password, firstName, lastName, wsdcId, turnstileToken } = req.body;
 
-    // Verify Turnstile token
+    // Verify Turnstile token (only if TURNSTILE_SECRET_KEY is configured)
     const turnstileSecret = process.env.TURNSTILE_SECRET_KEY;
+    if (turnstileSecret && turnstileToken) {
       const turnstileVerifyUrl = 'https://challenges.cloudflare.com/turnstile/v0/siteverify';
 
       try {
@@ -48,6 +49,7 @@ async function register(req, res, next) {
           error: 'CAPTCHA verification failed. Please try again.',
         });
       }
+    }
 
     // Check if user already exists
     const existingUser = await prisma.user.findFirst({

backend/src/middleware/validators.js

@@ -74,9 +74,10 @@ const registerValidation = [
     .trim()
     .matches(/^\d{1,10}$/)
     .withMessage('WSDC ID must be numeric (max 10 digits)'),
-  body('turnstileToken')
-    .notEmpty()
-    .withMessage('CAPTCHA verification is required'),
+  // Turnstile CAPTCHA (only required if TURNSTILE_SECRET_KEY is set)
+  ...(process.env.TURNSTILE_SECRET_KEY
+    ? [body('turnstileToken').notEmpty().withMessage('CAPTCHA verification is required')]
+    : []),
   handleValidationErrors,
 ];