Exclude auth and users controllers

Author: bencroker

CHANGELOG.md

@@ -2,7 +2,7 @@
 
 ## 5.2.0 - Unreleased
 
-- Added front-end login actions to the list of excluded actions ([#34](https://github.com/putyourlightson/craft-snaptcha/issues/34)).
+- The `auth` and `users` controllers are now excluded from validation, except for `users/save-user` ([#34](https://github.com/putyourlightson/craft-snaptcha/issues/34)).
 
 ## 5.1.2 - 2025-07-01
 

src/services/SnaptchaService.php

@@ -40,10 +40,8 @@ class SnaptchaService extends Component
      */
     public const EXCLUDE_CONTROLLER_ACTIONS = [
         // Craft CMS actions
-        'users/login',
         'graphql/api',
         'templates/render',
-        'auth/verify-totp',
         // Plugins actions
         'ad-wizard/tracking/click',
         'commerce/webhooks/process-webhook',
@@ -136,6 +134,12 @@ public function isExcludedControllerAction(Action $action): bool
             return true;
         }
 
+        // Exclude auth and user controllers (except for `users/save-user`)
+        if (str_starts_with($controllerAction, 'auth/') ||
+            (str_starts_with($controllerAction, 'users/') && $controllerAction !== 'users/save-user')) {
+            return true;
+        }
+
         return false;
     }