
fix: skip verification for partner onboarding requests in TurnstileMi…#695

Merged
onahprosper merged 1 commit intostablefrom
fix/skip-turnstile-for-partner-onboarding
Feb 19, 2026

Conversation

@SarahSync (Collaborator)

…ddleware

Added a condition to the TurnstileMiddleware to bypass token verification for requests that include a partner ID in the header, allowing for smoother onboarding processes.

Description

Describe the purpose of this PR along with any background information and the impacts of the proposed change. For the benefit of the community, please do not assume prior context.

Provide details that support your chosen implementation, including: breaking changes, alternatives considered, changes to the API, contracts etc.

References

Include any links supporting this change such as a:

If there are no references, simply delete this section.

Testing

Describe how this can be tested by reviewers. Be specific about anything not tested and reasons why. If this project has unit and/or integration testing, tests should be added for new functionality and existing tests should complete without errors.

Please include any manual steps for testing end-to-end or functionality not covered by unit/integration tests.

Also include details of the environment this PR was developed in (language/platform/browser version).

  • This change adds test coverage for new/changed/fixed functionality

Checklist

  • I have added documentation and tests for new/changed functionality in this PR
  • All active GitHub checks for tests, formatting, and security are passing
  • The correct base branch is being used, if not main

By submitting a PR, I agree to Paycrest's Contributor Code of Conduct and Contribution Guide.

@onahprosper onahprosper merged commit 83a6b7b into stable Feb 19, 2026
2 checks passed

@cursor cursor bot left a comment


Cursor Bugbot has reviewed your changes and found 1 potential issue.


    if c.GetHeader("X-Partner-Id") != "" {
        c.Next()
        return
    }
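Review bot: the early return is not scoped to onboarding at all; the condition looks only at the header, so it fires on every route this middleware wraps (the review below names both auth/register and auth/login), even though the title limits the change to partner onboarding requests. Alongside validating the ID against a configured allowlist or a signed token, restrict the bypass to the onboarding route (or attach the middleware per route) so a valid partner credential cannot be reused to skip Turnstile on login.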

Unvalidated header bypasses bot protection entirely

High Severity

The bypass checks only that X-Partner-Id is non-empty — the value is never validated against a known list of legitimate partner IDs, a database, a config allowlist, or any cryptographic proof. Any bot or attacker can include X-Partner-Id: anything in a request to completely skip Cloudflare Turnstile on both the auth/register and auth/login endpoints, enabling brute-force login attacks and mass automated account creation.

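As an added illustration of the issue Bugbot raises (example code, not Paycrest's middleware), the merged non-empty check sits beside a fail-closed variant that requires a known partner ID plus an HMAC over the request path. It uses net/http and httptest in place of Gin's c.GetHeader/c.Next, and the allowlist, secrets, and the X-Partner-Signature and X-Turnstile-Token header names are constructed for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"net/http"
	"net/http/httptest"
)

// Constructed allowlist of partner IDs and shared secrets (a real service would load it from config).
var partnerSecrets = map[string][]byte{"partner-alpha": []byte("constructed-secret-alpha")}

// vulnerableBypass mirrors the merged condition: any non-empty X-Partner-Id skips
// verification, so the header is a free pass for any client.
func vulnerableBypass(r *http.Request) bool { return r.Header.Get("X-Partner-Id") != "" }

// hardenedBypass fails closed: the ID must be on the allowlist and X-Partner-Signature
// (header name assumed here) must hold an HMAC-SHA256 of the path under that partner's secret.
func hardenedBypass(r *http.Request) bool {
	secret, ok := partnerSecrets[r.Header.Get("X-Partner-Id")]
	if !ok {
		return false
	}
	return hmac.Equal([]byte(signPath(secret, r.URL.Path)), []byte(r.Header.Get("X-Partner-Signature")))
}

// signPath is what a legitimate partner computes client-side; hmac.Equal above compares in constant time.
func signPath(secret []byte, path string) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(path))
	return hex.EncodeToString(mac.Sum(nil))
}

// handle mirrors the PR's middleware on a constructed POST /auth/login: if skip allows it the request
// passes straight through (c.Next() in the original), else a stand-in Turnstile token check runs.
func handle(skip func(*http.Request) bool, headers map[string]string) int {
	req := httptest.NewRequest(http.MethodPost, "/auth/login", nil)
	for k, v := range headers {
		req.Header.Set(k, v)
	}
	if skip(req) {
		return http.StatusOK
	}
	if req.Header.Get("X-Turnstile-Token") == "" { // constructed header name
		return http.StatusForbidden
	}
	return http.StatusOK
}
```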
