feat: Refine captcha configuration and drivers

Introduce a configurable captcha manager with drivers for image,
Cloudflare Turnstile, and Google reCAPTCHA, including fallback
behaviour.

Refactor login, signup, complain, and related flows to use the new
abstraction while simplifying the legacy image endpoint.

Document captcha environment options and restore classic defaults in
.env.example.

Signed-off-by: Qi HU <github@spcsky.com>

public/complains.php

@@ -18,7 +18,7 @@ if($_SERVER['REQUEST_METHOD'] === 'POST'){
     switch($action = filter_input(INPUT_POST, 'action', FILTER_SANITIZE_FULL_SPECIAL_CHARS)){
         case 'new':
             cur_user_check();
-            check_code ($_POST['imagehash'], $_POST['imagestring'],'complains.php');
+            check_code ($_POST['imagehash'] ?? null, $_POST['imagestring'] ?? null,'complains.php');
             \Nexus\Database\NexusLock::lockOrFail("complains:lock:" . getip(), 10);
             $email = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);
             \Nexus\Database\NexusLock::lockOrFail("complains:lock:" . $email, 600);

public/confirm_resend.php

@@ -29,7 +29,7 @@ bark($lang_confirm_resend['std_need_admin_verification']);
 if ($_SERVER["REQUEST_METHOD"] == "POST")
 {
 	if ($iv == "yes")
-	check_code ($_POST['imagehash'], $_POST['imagestring'],"confirm_resend.php",true);
+	check_code ($_POST['imagehash'] ?? null, $_POST['imagestring'] ?? null,"confirm_resend.php",true);
 	$email = unesc(htmlspecialchars(trim($_POST["email"] ?? '')));
 	$wantpassword = unesc(htmlspecialchars(trim($_POST["wantpassword"])));
 	$passagain = unesc(htmlspecialchars(trim($_POST["passagain"])));

public/image.php

@@ -1,60 +1,22 @@
 <?php
 require_once("../include/bittorrent.php");
 dbconn();
-$action = $_GET['action'];
-$imagehash = $_GET['imagehash'];
-if($action == "regimage")
-{
-		$query = "SELECT * FROM regimages WHERE imagehash= ".sqlesc($imagehash);
-		$sql = sql_query($query);
-		$regimage = mysql_fetch_array($sql);
-		$imagestring = $regimage['imagestring'];
-		$space = $newstring = '';
-		for($i=0;$i<strlen($imagestring);$i++)
-		{
-			$newstring .= $space.$imagestring[$i];
-			$space = " ";
-		}
-		$imagestring = $newstring;
 
-	if(function_exists("imagecreatefrompng"))
-	{
-		$fontwidth = imageFontWidth(5);
-		$fontheight = imageFontHeight(5);
-		$textwidth = $fontwidth*strlen($imagestring);
-		$textheight = $fontheight;
+$action = $_GET['action'] ?? '';
+$imagehash = $_GET['imagehash'] ?? '';
 
-		$randimg = rand(1, 5);
-		$im = imagecreatefrompng("pic/regimages/reg".$randimg.".png");
-
-		$imgheight = 40;
-		$imgwidth = 150;
-		$textposh = floor(($imgwidth-$textwidth)/2);
-		$textposv = floor(($imgheight-$textheight)/2);
-
-			$dots = $imgheight*$imgwidth/35;
-			$gd = imagecreatetruecolor($imgwidth, $imgheight);
-			for($i=1;$i<=$dots;$i++)
-			{
-				imagesetpixel($im, rand(0, $imgwidth), rand(0, $imgheight), imagecolorallocate($gd, rand(0, 255), rand(0, 255), rand(0, 255)));
-			}
-
-		$textcolor = imagecolorallocate($im, 0, 0, 0);
-		imagestring($im, 5, $textposh, $textposv, $imagestring, $textcolor);
-
-		// output the image
-		header("Content-type: image/png");
-		imagepng($im);
-		imagedestroy($im);
-		exit;
-	}
-	else
-	{
-		header("Location: pic/clear.gif");
-	}
+if ($action !== 'regimage') {
+    http_response_code(404);
+    exit('Invalid captcha action');
 }
-else
-{
-	die('invalid action');
+
+$driver = captcha_manager()->driver('image');
+
+if (!method_exists($driver, 'outputImage')) {
+    http_response_code(404);
+    exit('Captcha driver does not support image rendering');
 }
+
+$driver->outputImage($imagehash);
+
 ?>

public/recover.php

@@ -28,7 +28,7 @@ $mailTwoFour = sprintf($lang_recover['mail_two_four'], $siteName);
 if ($_SERVER["REQUEST_METHOD"] == "POST")
 {
 	if ($iv == "yes")
-	check_code ($_POST['imagehash'], $_POST['imagestring'],"recover.php",true);
+	check_code ($_POST['imagehash'] ?? null, $_POST['imagestring'] ?? null,"recover.php",true);
 	$email = unesc(htmlspecialchars(trim($_POST["email"] ?? '')));
 	$email = safe_email($email);
 	if (!$email)

public/takelogin.php

@@ -15,7 +15,7 @@ function bark($text = "")
   stderr($lang_takelogin['std_login_fail'], $text,false);
 }
 if ($iv == "yes") {
-    check_code ($_POST['imagehash'], $_POST['imagestring'],'login.php',true);
+    check_code($_POST['imagehash'] ?? null, $_POST['imagestring'] ?? null, 'login.php', true);
 }
 //同时支持新旧两种登录方式
 $useChallengeResponse = \App\Models\Setting::getIsUseChallengeResponseAuthentication();

public/takesignup.php

@@ -21,13 +21,13 @@ if ($type == 'invite'){
 registration_check();
 failedloginscheck ("Invite Signup");
 if ($iv == "yes")
-	check_code ($_POST['imagehash'], $_POST['imagestring'],'signup.php?type=invite&invitenumber='.htmlspecialchars($_POST['hash']));
+	check_code ($_POST['imagehash'] ?? null, $_POST['imagestring'] ?? null,'signup.php?type=invite&invitenumber='.htmlspecialchars($_POST['hash']));
 }
 else{
 registration_check("normal");
 failedloginscheck ("Signup");
 if ($iv == "yes")
-	check_code ($_POST['imagehash'], $_POST['imagestring']);
+	check_code ($_POST['imagehash'] ?? null, $_POST['imagestring'] ?? null);
 }
 function isportopen($port)
 {