feat(security): add Cloudflare Turnstile CAPTCHA to registration form

- Add Turnstile widget rendering in RegisterPage on step 2
- Implement programmatic widget initialization with callbacks
- Add token validation before form submission
- Update AuthContext and API service to pass turnstileToken
- Add backend verification via Cloudflare API in register controller
- Include client IP in verification request
- Add validation rule for turnstileToken
- Reset widget on registration error

backend/src/controllers/auth.js

@@ -16,7 +16,38 @@ const { getClientIP } = require('../utils/request');
 // Register new user (Phase 1.5 - with WSDC support and email verification)
 async function register(req, res, next) {
   try {
-    const { username, email, password, firstName, lastName, wsdcId } = req.body;
+    const { username, email, password, firstName, lastName, wsdcId, turnstileToken } = req.body;
+
+    // Verify Turnstile token
+    const turnstileSecret = process.env.TURNSTILE_SECRET_KEY;
+    const turnstileVerifyUrl = 'https://challenges.cloudflare.com/turnstile/v0/siteverify';
+
+    try {
+      const turnstileResponse = await fetch(turnstileVerifyUrl, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({
+          secret: turnstileSecret,
+          response: turnstileToken,
+          remoteip: getClientIP(req),
+        }),
+      });
+
+      const turnstileResult = await turnstileResponse.json();
+
+      if (!turnstileResult.success) {
+        return res.status(400).json({
+          success: false,
+          error: 'CAPTCHA verification failed. Please try again.',
+        });
+      }
+    } catch (turnstileError) {
+      console.error('Turnstile verification error:', turnstileError);
+      return res.status(500).json({
+        success: false,
+        error: 'CAPTCHA verification failed. Please try again.',
+      });
+    }
 
     // Check if user already exists
     const existingUser = await prisma.user.findFirst({