
Velka-DEV
Contributor

No description provided.

@AlexProgrammerDE
Contributor

AlexProgrammerDE commented Aug 10, 2025

By default, Better Auth doesn't enforce captchas on anything except `["/sign-up/email", "/sign-in/email", "/forget-password",]`.
Source: https://www.better-auth.com/docs/plugins/captcha#plugin-options
So maybe make this a toggleable feature? By default this wouldn't be a needed captcha and would make devs incorrectly think the email OTP endpoint is protected.

@Velka-DEV
Contributor Author

Hey @AlexProgrammerDE,

I think this check is already in place here:

    if (action) {
        const endpoints = captcha.endpoints || DEFAULT_CAPTCHA_ENDPOINTS
        if (!endpoints.includes(action)) {
            return null
        }
    }

The endpoint needs to be enabled in the configuration to display the captcha.

@AlexProgrammerDE
Contributor

AlexProgrammerDE commented Aug 13, 2025

Yes, you are showing me the relevant line of code; however, this list doesn't appear to include the email OTP endpoint. Maybe I am missing something.

    // Default captcha endpoints
    const DEFAULT_CAPTCHA_ENDPOINTS = [
        "/sign-up/email",
        "/sign-in/email",
        "/forget-password"
    ]

@Velka-DEV
Contributor Author

Like MagicLink, the email OTP captcha endpoint needs to be added when initializing the AuthUIProvider component:

      <AuthUIProvider
        emailOtp
        captcha={{
          provider: 'cloudflare-turnstile',
          siteKey: import.meta.env.VITE_TURNSTILE_SITEKEY,
          endpoints: [
            '/email-otp/send-verification-otp'
          ]
        }}
        [...]
      >

While it's already toggleable, you're right that we should consider adding an example to the documentation.
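The exchange above turns on one detail of the quoted check: `captcha.endpoints || DEFAULT_CAPTCHA_ENDPOINTS` means a configured `endpoints` list replaces the defaults rather than extending them, so the `AuthUIProvider` snippet that lists only the email OTP path would stop showing a captcha on the three default endpoints. The following is an added example, not code from this PR or from better-auth-ui: it models that check and audits a provider config for endpoints that would render without a captcha. The endpoint paths are the ones quoted in the thread; the config objects and the `<site-key>` value are constructed.

```javascript
// Added example (not better-auth-ui code): models the endpoint check quoted
// in the thread and audits a provider config for captcha coverage gaps.

// Default list as quoted in the thread.
const DEFAULT_CAPTCHA_ENDPOINTS = [
  "/sign-up/email",
  "/sign-in/email",
  "/forget-password",
];

// Mirrors the quoted check: a captcha is shown only if the action is in the
// configured list, and a configured list REPLACES the defaults when present.
function captchaRequired(action, captcha) {
  if (!captcha) return false;
  const endpoints = captcha.endpoints || DEFAULT_CAPTCHA_ENDPOINTS;
  return endpoints.includes(action);
}

// Unauthenticated endpoints a given provider config exposes. The email OTP
// path is the one named in the thread; the rest are the defaults above.
function exposedEndpoints(config) {
  const paths = [...DEFAULT_CAPTCHA_ENDPOINTS];
  if (config.emailOtp) paths.push("/email-otp/send-verification-otp");
  return paths;
}

// Returns the exposed endpoints that would render without a captcha.
function uncoveredEndpoints(config) {
  return exposedEndpoints(config).filter(
    (path) => !captchaRequired(path, config.captcha)
  );
}

// Constructed configs; "<site-key>" is a placeholder, not a real key.
const base = { provider: "cloudflare-turnstile", siteKey: "<site-key>" };
const defaultsOnly = { emailOtp: true, captcha: { ...base } };
const otpOnly = {
  emailOtp: true,
  captcha: { ...base, endpoints: ["/email-otp/send-verification-otp"] },
};
const full = {
  emailOtp: true,
  captcha: {
    ...base,
    endpoints: [...DEFAULT_CAPTCHA_ENDPOINTS, "/email-otp/send-verification-otp"],
  },
};

console.log(uncoveredEndpoints(defaultsOnly)); // ["/email-otp/send-verification-otp"]
console.log(uncoveredEndpoints(otpOnly)); // the three default endpoints
console.log(uncoveredEndpoints(full)); // []
```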
