betterbrowsing.org  ·  AppEsteem web-compliance test harness

Login — with Google reCAPTCHA v3 (invisible, score-based)

Standard POST + type=password form, with an invisible reCAPTCHA v3 token attached. The client requests a token via grecaptcha.execute(); the server verifies with Google's siteverify and gets a score (0.0–1.0). The site behaves like a real captcha-protected login: score ≥ 0.5 accepts and 302-redirects to /; below 0.5 returns 401 with a generic "Sign-in failed" page. The score itself is not shown to the user (that would defeat the simulation), but it is returned in a response header x-recaptcha-score — visible in your browser's network tab. Nothing is logged or persisted server-side.

Two interesting outcomes: (a) the intermediary's fingerprint / IP yields a low score → reCAPTCHA effectively gates the login (you see the 401); (b) the score comes back high → the intermediary looks human to Google (you see the 302 → /).

Submission target: POST /login/captcha-post. The handler verifies the token via Google's siteverify and either 302-redirects to / (accept) or returns 401 (reject), as described above. Every response, accept or reject, carries the x-recaptcha-score header. Nothing is persisted.
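The server side of this flow, written out as an added illustration (this is not the harness's own code). It assumes the token is posted in the conventional g-recaptcha-response field and that the client called grecaptcha.execute() with the action name "login"; the siteverify call is injectable so the decision logic can be exercised offline, and a reply that fails verification or carries no score is rejected rather than accepted by default.

```python
import json
import urllib.parse
import urllib.request

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"
SCORE_THRESHOLD = 0.5       # the harness's stated accept/reject cut-off
EXPECTED_ACTION = "login"   # assumption: action name passed to grecaptcha.execute()


def fetch_siteverify(secret, token, remote_ip=None, opener=urllib.request.urlopen):
    """POST the client's token to siteverify and return the parsed JSON reply.
    `opener` is injectable so the decision logic below can run without network."""
    fields = {"secret": secret, "response": token}
    if remote_ip:
        fields["remoteip"] = remote_ip
    body = urllib.parse.urlencode(fields).encode()
    with opener(SITEVERIFY_URL, data=body, timeout=5) as r:
        return json.load(r)


def decide(reply, expected_action=EXPECTED_ACTION, threshold=SCORE_THRESHOLD):
    """Map a siteverify reply to (status, headers) the way the harness describes:
    302 -> / when the score clears the threshold, 401 otherwise.
    Rejects when success is false, the score is missing or non-numeric, or the
    action does not match what the client was supposed to request."""
    score = reply.get("score")
    numeric = isinstance(score, (int, float)) and not isinstance(score, bool)
    accept = (
        reply.get("success") is True
        and numeric
        and reply.get("action") == expected_action
        and score >= threshold
    )
    # Assumption: when no score comes back (e.g. invalid token) report "invalid".
    headers = {"x-recaptcha-score": str(score) if numeric else "invalid"}
    if accept:
        headers["Location"] = "/"
        return 302, headers
    return 401, headers


def handle_login(form, secret, remote_ip=None, opener=urllib.request.urlopen):
    """Server side of POST /login/captcha-post. The username/password fields are
    not checked here because the harness only models the captcha gate."""
    token = form.get("g-recaptcha-response", "")   # assumption: field name
    if not token:  # no token at all: treat exactly like a failed verification
        return decide({"success": False, "error-codes": ["missing-input-response"]})
    return decide(fetch_siteverify(secret, token, remote_ip, opener))
```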