
Feature/auth rate limiting#144

Open
MohitBareja16 wants to merge 3 commits into ThePlator:main from MohitBareja16:feature/auth-rate-limiting

Conversation

@MohitBareja16 (Collaborator)

Description

This PR patches a critical security vulnerability where the authentication endpoints were unprotected against bot spam and automated attacks. Specifically, this implements the missing sendOTP and forgotPassword controllers while ensuring that all entry points rigorously validate a captchaToken before proceeding.

🛡️ Security & Authentication Updates

  • Implemented verifyRecaptcha Utility: Added a secure server-side utility in backend/lib/utils.js that integrates with Google's reCAPTCHA API (/recaptcha/api/siteverify) to validate incoming captchaTokens.
  • Created sendOTP Endpoint: Built the /api/v1/auth/send-otp controller with strict CAPTCHA verification to prevent automated scripts from bypassing limits and exhausting our email service (Nodemailer) quotas.
  • Created forgotPassword Endpoint: Built the /api/v1/auth/forgot-password controller, securing the password reset flow from malicious spam requests.
  • Hardened Existing Endpoints: Updated both the login and signup controllers to strictly extract and validate the captchaToken. All invalid requests are now immediately rejected with a 403 Forbidden response.

🚏 Routing Updates

  • Registered POST /send-otp and POST /forgot-password in backend/routes/user.routes.js.

Impact

  • Security: Mitigates the risk of bot-driven Denial of Service (DoS) attacks on our email infrastructure.
  • Cost: Prevents infrastructure cost spikes and Nodemailer quota exhaustion caused by fake email spam.
  • Deliverability: Protects the server's IP/domain from being blacklisted for sending massive quantities of unsolicited spam emails.

Testing

  • Verified that requests missing the captchaToken are rejected with a 400 Bad Request.
  • Verified that requests with an invalid/fake captchaToken are blocked with a 403 Forbidden.
  • Ensured normal authentication flows work as expected for genuine human requests.
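The description above names a server-side verifyRecaptcha utility plus per-controller captchaToken checks (400 when the token is missing, 403 when siteverify rejects it). The following is one way to write that gate as reusable middleware so login, signup, send-otp and forgot-password share a single code path. It is an added example, not the PR's or the project's code: it assumes Node 18+ (global fetch), the secret in a RECAPTCHA_SECRET environment variable, reCAPTCHA v3-style siteverify responses, and hypothetical names (buildSiteverifyRequest, decideCaptcha, requireCaptcha, SAMPLE_RESPONSES). It goes a step beyond the description by also checking the v3 action and score, because siteverify can return success:true for a token minted on a different form or with a bot-like score.

```javascript
// Added example (not the PR's own code): an Express-style CAPTCHA gate for the
// login / signup / send-otp / forgot-password controllers described above.
// Assumptions: Node 18+ (global fetch), the secret in RECAPTCHA_SECRET, and a
// reCAPTCHA v3-style siteverify response. All function names are hypothetical.

const SITEVERIFY_URL = 'https://www.google.com/recaptcha/api/siteverify';

// Builds the siteverify request: a form-encoded POST with secret, response and
// (optionally) remoteip. Kept separate so the request shape can be unit-tested.
function buildSiteverifyRequest(token, secret, remoteip) {
  const body = new URLSearchParams({ secret, response: token });
  if (remoteip) body.set('remoteip', remoteip);
  return {
    url: SITEVERIFY_URL,
    init: { method: 'POST', headers: { 'Content-Type': 'application/x-www-form-urlencoded' }, body },
  };
}

// Server-side verification. fetchImpl is injectable so tests can run offline.
async function verifyRecaptcha(token, secret, remoteip, fetchImpl = globalThis.fetch) {
  const { url, init } = buildSiteverifyRequest(token, secret, remoteip);
  const res = await fetchImpl(url, init);
  if (!res.ok) throw new Error(`siteverify returned HTTP ${res.status}`);
  return res.json(); // { success, challenge_ts, hostname, score?, action?, 'error-codes'? }
}

// Pure policy: given the submitted token and the siteverify result, return an
// HTTP rejection { status, error } or null to let the request proceed.
// 400 = client omitted the token; 403 = token present but not acceptable.
function decideCaptcha(token, result, { expectedAction, minScore = 0.5, expectedHostname } = {}) {
  if (typeof token !== 'string' || token.length === 0) {
    return { status: 400, error: 'captchaToken is required' };
  }
  if (!result || result.success !== true) {
    return { status: 403, error: 'CAPTCHA verification failed' };
  }
  // A v3 token is minted for one action; do not let a "signup" token unlock "login".
  if (expectedAction && result.action !== expectedAction) {
    return { status: 403, error: 'CAPTCHA action mismatch' };
  }
  // success:true with a low score is still a bot signal under v3.
  if (typeof result.score === 'number' && result.score < minScore) {
    return { status: 403, error: 'CAPTCHA score too low' };
  }
  if (expectedHostname && result.hostname !== expectedHostname) {
    return { status: 403, error: 'CAPTCHA hostname mismatch' };
  }
  return null;
}

// Express-style middleware factory. options.verify is injectable: (token, ip) => result.
function requireCaptcha(options = {}) {
  const verify = options.verify
    || ((token, ip) => verifyRecaptcha(token, process.env.RECAPTCHA_SECRET, ip));
  return async function captchaGate(req, res, next) {
    const token = req.body && req.body.captchaToken;
    let result = null;
    if (typeof token === 'string' && token.length > 0) {
      try {
        result = await verify(token, req.ip);
      } catch (err) {
        // Fail closed: if Google cannot be reached, do not let the request through.
        return res.status(503).json({ error: 'CAPTCHA service unavailable' });
      }
    }
    const rejection = decideCaptcha(token, result, options);
    if (rejection) return res.status(rejection.status).json({ error: rejection.error });
    return next();
  };
}

// Constructed siteverify responses (not real API output) used by the demo below.
const SAMPLE_RESPONSES = {
  'good-login-token': { success: true, score: 0.9, action: 'login', hostname: 'example.test' },
  'reused-token': { success: false, 'error-codes': ['timeout-or-duplicate'] },
};

// Demo: drives the middleware with a fake verifier and a minimal res object.
// Returns the three outcomes: missing token, rejected token, accepted token.
async function demo() {
  const gate = requireCaptcha({
    expectedAction: 'login',
    verify: async (t) => SAMPLE_RESPONSES[t] || { success: false },
  });
  const run = (body) => new Promise((resolve) => {
    const res = {
      status(code) { this.code = code; return this; },
      json(payload) { resolve({ code: this.code, payload }); },
    };
    gate({ body, ip: '203.0.113.7' }, res, () => resolve({ code: 200, payload: 'next()' }));
  });
  return [
    await run({}),                                    // 400
    await run({ captchaToken: 'reused-token' }),      // 403
    await run({ captchaToken: 'good-login-token' }),  // 200 / next()
  ];
}
```

Mount it per route, e.g. `router.post('/send-otp', requireCaptcha({ expectedAction: 'send_otp' }), sendOTP)`, so each controller no longer has to extract and validate the token itself. Two caveats worth keeping in mind: siteverify accepts a given token once (a replay comes back with `timeout-or-duplicate`), so the client must mint a fresh token for every request, and a CAPTCHA check is not a rate limit; it stops unattended scripts but does not cap how many OTP or reset emails one verified client can trigger, so the rate-limiting middleware the PR title refers to is still needed alongside it.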

@vercel (Contributor) commented May 26, 2026

@MohitBareja16 is attempting to deploy a commit to the Sameer's projects Team on Vercel.

A member of the Team first needs to authorize it.

@ThePlator (Owner)

Hi @MohitBareja16! Thank you for the contribution. Adding CAPTCHA verification to the Send OTP and Forgot Password routes is a great security addition.

However, there is a major technical blocker: this PR contains a version of the backend that is severely outdated. We have recently merged Dual-Token Auth, Multi-tab support, Swagger Docs, and Message Ticks.

Your current PR would accidentally delete/revert all of those features.

Please rebase your branch on the latest 'main' one last time. You should focus strictly on:

  1. Updating the new sendOTP and forgotPassword controllers (which are already in main now) to include your CAPTCHA verification logic.
  2. Ensuring your Rate Limiting middleware integrates with the current server.js.

We really want this security layer, but it must be applied to the current version of the project!
