Switch to a system where you can use either a verifyCode or a captcha token for any endpoint with one or the other

src/routes/account/forgot-username/post.ts

@@ -3,15 +3,17 @@ import {
   getClientIp,
   getDatabaseConnection,
   jsonResponse,
-  sendEmail
+  sendEmail,
+  verifyTurstileOrVerifyCode
 } from '../../../lib/util'
-import { users, verifyCodes } from '../../../lib/tables'
-import { and, desc, eq, sql } from 'drizzle-orm'
 import isEmail from 'validator/lib/isEmail'
+import { users } from '../../../lib/tables'
+import { eq } from 'drizzle-orm'
 
 type Body = {
+  token: string | null
+  verifyCode: string | null
   email: string
-  verifyCode: string
 }
 
 export async function handler (context: Context) {
@@ -57,38 +59,14 @@ export async function handler (context: Context) {
     )
   }
   const time = Math.floor(Date.now() / 1000)
-  const codeExists = await db0
-    .select({ id: verifyCodes.id })
-    .from(verifyCodes)
-    .where(
-      and(
-        eq(verifyCodes.ip, ip),
-        eq(verifyCodes.usedTimestamp, 0),
-        eq(verifyCodes.code, body.verifyCode),
-        sql`${verifyCodes.timestamp} >= UNIX_TIMESTAMP() - 600`
-      )
-    )
-    .orderBy(desc(verifyCodes.id))
-    .limit(1)
-    .execute()
-  if (codeExists[0]) {
-    await db0
-      .update(verifyCodes)
-      .set({ usedTimestamp: time })
-      .where(
-        and(
-          eq(verifyCodes.id, codeExists[0].id),
-          eq(verifyCodes.ip, ip),
-          eq(verifyCodes.usedTimestamp, 0),
-          eq(verifyCodes.code, body.verifyCode)
-        )
-      )
-      .execute()
-  } else
+  if (!(await verifyTurstileOrVerifyCode(body.token, body.verifyCode, ip, db0)))
     return jsonResponse(
       {
         success: false,
-        message: 'Invalid verify code (codes can only be used once)'
+        message:
+          body.token != null
+            ? 'Invalid captcha token'
+            : 'Invalid verify code (codes can only be used once)'
       },
       400
     )