Add ability to set hCaptcha either on registration form or on e-mail validation

Upshot of CAPTCHA on e-mail validation is it does not need to break the in-band
registration API.

config/routes.rb

@@ -44,6 +44,7 @@ Rails.application.routes.draw do
       resource :setup, only: [:show, :update], controller: :setup
       resource :challenge, only: [:create], controller: :challenges
       get 'sessions/security_key_options', to: 'sessions#webauthn_options'
+      post 'captcha_confirmation', to: 'confirmations#confirm_captcha', as: :captcha_confirmation
     end
   end