Skip login captcha when any idb_* cookie exists, not just idb_$z #133

Merged: ideav merged 3 commits into main from issue-132-4c40203b8a9c on May 1, 2026

@konard konard commented May 1, 2026

Summary

  • index.php login guard now skips verifyCaptcha() when the user holds any idb_* cookie, not just idb_$z (the current-database token).
  • Added tests/index-captcha-skip.test.mjs to verify this behavior.

Problem

PR #131 fixed captcha skipping only for users who already have a token for the current database (idb_$z). But a user may be authenticated to a different database and carry an idb_<other> cookie. In that case the server still demanded a captcha even though the client already hid the widget — making the form unsubmittable.

How to reproduce the issue

  1. Log in to database A — acquires idb_A cookie.
  2. Navigate to the login page for database B.
  3. The client hides the captcha widget (correct — any idb_* cookie is found).
  4. Submit the login form → server rejects it with a captcha error (bug — server only checked idb_$z i.e. idb_B).

What changed

index.php login guard (line 8001):

// Before (PR #131)
if(isset($_POST["smart-token"]) && !isset($_COOKIE["idb_$z"]) && !verifyCaptcha($_POST["smart-token"])){

// After (this PR)
$hasAnyIdbCookie = (bool)preg_grep('/^idb_/', array_keys($_COOKIE));
if(isset($_POST["smart-token"]) && !$hasAnyIdbCookie && !verifyCaptcha($_POST["smart-token"])){
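
Review bot: In the "After" condition, $hasAnyIdbCookie is computed from cookie names only (preg_grep over array_keys($_COOKIE)), and the client chooses which cookie names it sends, so verifyCaptcha() is skipped for any request carrying a cookie whose name starts with idb_, whatever its value. The "Before" line had the same property for the single name idb_$z; this change extends it to every name with the prefix. Nothing in these lines validates the cookie's value, so consider skipping the captcha only when the value has been verified server-side as a live token, and treat the client-side hasIdbCookie() check as a display hint. The new test would be stronger with a case where an idb_* cookie holds an empty or unrecognised value and captcha verification is expected to run.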

This mirrors the client-side hasIdbCookie() check already in src/pages/Home.tsx.

Test plan

  • npm test — all 9 tests pass
  • New test "index.php skips SmartCaptcha verification for users with any idb_* cookie on login" passes

Fixes #132

Adding .gitkeep for PR creation (default mode).
This file will be removed when the task is complete.

Issue: #132
@konard konard self-assigned this May 1, 2026
Fixes #132: a user may hold tokens for databases other than the current
one. Using preg_grep on array_keys($_COOKIE) detects any idb_* cookie
the same way the client-side hasIdbCookie() helper already does.
@konard konard changed the title from "[WIP] https://github.com/ideav/backlogram/pull/131 Wrong again - the token can be for any database, not only the current one" to "Skip login captcha when any idb_* cookie exists, not just idb_$z" May 1, 2026
@konard konard marked this pull request as ready for review May 1, 2026 07:25

konard commented May 1, 2026

Working session summary

Done. Here's what was fixed and why:

Root cause: PR #131 introduced captcha skipping in index.php but checked only $_COOKIE["idb_$z"] — the token for the current database. The client-side (Home.tsx) correctly checks for any idb_* cookie, so when a user was authenticated to a different database they'd see no captcha widget but the server would still reject the form with a captcha error.

Fix: index.php:8001 now uses preg_grep('/^idb_/', array_keys($_COOKIE)) to detect any idb_* cookie, exactly mirroring the client-side hasIdbCookie() logic. All 9 tests pass.

PR: #133


This summary was automatically extracted from the AI working session output.

konard commented May 1, 2026

🤖 Solution Draft Log

This log file contains the complete execution trace of the AI solution draft process.

💰 Cost: $0.568802

📊 Context and tokens usage:

  • peak request: 26.4K / 1M (3%) input tokens, 5.0K / 64K (8%) output tokens

Total: (25 new + 47.1K cache writes + 1.1M cache reads) input tokens, 5.0K output tokens, $0.568802 cost

🤖 Models used:

  • Tool: Anthropic Claude Code
  • Requested: sonnet
  • Model: Claude Sonnet 4.6 (claude-sonnet-4-6)

📎 Log file uploaded as Gist (1342KB)


Now the working session has ended, feel free to review and add any feedback on the solution draft.

konard commented May 1, 2026

✅ Ready to merge

This pull request is now ready to be merged:

  • No CI/CD checks are configured for this repository
  • No merge conflicts
  • No pending changes

Monitored by hive-mind with --auto-restart-until-mergeable flag

@ideav ideav merged commit 2b556c1 into main May 1, 2026
@ideav ideav deleted the issue-132-4c40203b8a9c branch May 1, 2026 07:29