[17.0][FIX] auth_signup_verify_email: ignore captcha fields in passwordless signup

[jdma-eledia]

Problem

When passwordless signup is used, the controller forwards raw request parameters to res.users.signup().
If captcha modules are enabled (Cloudflare Turnstile / reCAPTCHA), extra POST fields such as
turnstile_captcha and recaptcha_token_response are present and get passed to user creation.

This causes signup to crash with:
SignupError: Invalid field 'turnstile_captcha' on model 'res.users'

Root cause

passwordless_signup() was using request.params directly and only removed redirect and token,
leaving captcha/transient fields in values.

Fix

• Use a mutable copy of request params (dict(request.params)).
• Remove transient/non-user fields before calling signup, including:
  • turnstile_captcha
  • recaptcha_token_response
  • g-recaptcha-response
  • csrf_token
  • confirm_password
  • redirect
  • token
• Keep captcha verification in flow, but call it only when _verify_request_recaptcha_token
  exists on ir.http (to avoid hard dependency regressions when captcha addon is not installed).

Tests

Added a regression test that posts captcha fields together with a valid signup email and
verifies the passwordless signup still succeeds.

Impact

• Fixes signup crash in installations using captcha on /web/signup.
• Backward-compatible for deployments without captcha modules.