feat(auth): complete registration anti-spam and quota hardening

app/Services/Security/TurnstileVerifier.php

@@ -0,0 +1,51 @@
+<?php
+
+namespace App\Services\Security;
+
+use Illuminate\Support\Facades\Http;
+use Illuminate\Support\Facades\Log;
+
+class TurnstileVerifier
+{
+    public function isEnabled(): bool
+    {
+        return (bool) config('registration.enable_turnstile', true)
+            && (string) config('services.turnstile.site_key', '') !== ''
+            && (string) config('services.turnstile.secret_key', '') !== '';
+    }
+
+    public function verify(string $token, ?string $ip = null): bool
+    {
+        if (! $this->isEnabled()) {
+            return true;
+        }
+
+        if (trim($token) === '') {
+            return false;
+        }
+
+        try {
+            $response = Http::asForm()
+                ->timeout((int) config('services.turnstile.timeout', 5))
+                ->post((string) config('services.turnstile.verify_url', 'https://challenges.cloudflare.com/turnstile/v0/siteverify'), [
+                    'secret' => (string) config('services.turnstile.secret_key', ''),
+                    'response' => $token,
+                    'remoteip' => $ip,
+                ]);
+
+            if ($response->failed()) {
+                return false;
+            }
+
+            $payload = $response->json();
+
+            return (bool) data_get($payload, 'success', false);
+        } catch (\Throwable $exception) {
+            Log::warning('turnstile verification request failed', [
+                'message' => $exception->getMessage(),
+            ]);
+
+            return false;
+        }
+    }
+}