fix(login): fix captcha headers for manual login

[TheodoreSpeaks]

Summary

Manual sign in failed due to the captcha header not being passed. We incorrectly passed the header to better-auth, fixed this to use the headers key instead.

Also we weren't updating the error message properly on user email already exists. Use direct set message to set the error.

Type of Change

• Bug fix
• New feature
• Breaking change
• Documentation
• Other: ___________

Testing

• Validated locally that manual sign in works now.

Checklist

• Code follows project style guidelines
• Self-reviewed my changes
• Tests added/updated and passing
• No new warnings introduced
• I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

Screenshots/Videos

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

Project	Deployment	Actions	Updated (UTC)
docs	Skipped		Apr 7, 2026 10:12pm

[TheodoreSpeaks]

@BugBot review

[cursor]

PR Summary

Medium Risk
Touches signup/auth flow by changing how CAPTCHA tokens are sent and how Turnstile env config is read, which can break account creation if misconfigured. Scope is small and localized to the signup form UI.

Overview
Fixes email/password signup so the Turnstile CAPTCHA token is actually sent by moving it from fetchOptions.headers to the top-level headers option on client.signUp.email.

Also changes Turnstile site key initialization from useMemo to a useEffect+state, and corrects the "user already exists" path to set emailError directly so the proper message is shown.

^{Reviewed by Cursor Bugbot for commit 99bfc99. Bugbot is set up for automated code reviews on this repo. Configure here.}

[TheodoreSpeaks]

@BugBot review

[greptile-apps]

Greptile Summary

This PR fixes two bugs in the manual signup flow: (1) the Cloudflare Turnstile captcha token is now correctly passed via the headers key to client.signUp.email(), and (2) the USER_ALREADY_EXISTS error path now directly sets the correct email error message.

• ✅ Captcha header fix: headers: { 'x-captcha-response': token } is correctly placed in the options object passed to client.signUp.email()
• ✅ USER_ALREADY_EXISTS error message fixed to use a direct string rather than the broken errorMessage[0] pattern
• ⚠️ The BAD_REQUEST and INVALID_EMAIL error branches still use setEmailError(errorMessage[0]) — which resolves to 'Failed to create account' (the initial array value at index 0) rather than the specific messages pushed to index 1. Users hitting these error paths will see the wrong error message.

Confidence Score: 4/5

Safe to merge after fixing the remaining BAD_REQUEST/INVALID_EMAIL error message bug

The primary captcha fix is correct and the USER_ALREADY_EXISTS error message improvement is good. However, the BAD_REQUEST and INVALID_EMAIL branches still display 'Failed to create account' instead of their specific error messages — a P1 issue for user-facing error feedback that was left unfixed while a parallel pattern was corrected in this same PR.

apps/sim/app/(auth)/signup/signup-form.tsx — specifically the BAD_REQUEST and INVALID_EMAIL error handling branches in the onError callback (lines 285–294)

Vulnerabilities

No security concerns identified. The captcha token is forwarded correctly via request headers and not exposed client-side beyond its intended use.

Important Files Changed

Filename	Overview
apps/sim/app/(auth)/signup/signup-form.tsx	Correctly fixes captcha header passing and USER_ALREADY_EXISTS error message; BAD_REQUEST and INVALID_EMAIL branches still show wrong error via errorMessage[0] bug

Sequence Diagram

sequenceDiagram
    participant User
    participant SignupForm
    participant Turnstile
    participant BetterAuth

    User->>SignupForm: Submit signup form
    SignupForm->>Turnstile: widget.reset() + execute()
    Turnstile-->>SignupForm: captcha token
    SignupForm->>BetterAuth: client.signUp.email(credentials, { headers: { 'x-captcha-response': token } })
    alt Success
        BetterAuth-->>SignupForm: response (no error)
        SignupForm->>User: redirect to /verify
    else USER_ALREADY_EXISTS
        BetterAuth-->>SignupForm: error
        SignupForm->>User: setEmailError('An account with this email already exists...') ✅
    else BAD_REQUEST / INVALID_EMAIL
        BetterAuth-->>SignupForm: error
        SignupForm->>User: setEmailError(errorMessage[0]) → 'Failed to create account' ⚠️
    end

Loading

Comments Outside Diff (1)

1. apps/sim/app/(auth)/signup/signup-form.tsx, line 285-294 (link)

   Wrong error message shown for BAD_REQUEST and INVALID_EMAIL

   Both branches push a specific error message to errorMessage but then call setEmailError(errorMessage[0]), which always resolves to the initial value 'Failed to create account' — not the pushed message (which lands at index 1). Users will see the generic fallback rather than the specific error.

   This PR already fixed the USER_ALREADY_EXISTS case by calling setEmailError(...) directly. The same direct-string pattern should be applied here:

_{Reviews (1): Last reviewed commit: "Catch user already exists, remove login ..." | Re-trigger Greptile}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 99bfc99. Configure here.}