File: src/auth/auth.service.ts (verifyCaptcha)
Returns true and logs a warning when the secret isn't configured. NODE_ENV is not checked.
Impact: A misconfigured production deploy effectively disables bot protection on /auth/login.
Fix: Only bypass when process.env.NODE_ENV !== 'production'. Throw otherwise.
File:
src/auth/auth.service.ts(verifyCaptcha)Returns
trueand logs a warning when the secret isn't configured.NODE_ENVis not checked.Impact: A misconfigured production deploy effectively disables bot protection on
/auth/login.Fix: Only bypass when
process.env.NODE_ENV !== 'production'. Throw otherwise.