FIX: move hp request from /users to /token (PR #10795)

hp is a valid username and we should not prevent users from registering it.


Do we still need the stubs here?

Is there a reason we moved the methods to ApplicationController instead of SessionController?

Aside from some minor comments, the PR looks good.

The problem is that this is shared between SessionController and UsersController. In UsersController we check the value before the account is activated:

  def honeypot_or_challenge_fails?(params)
    # API requests skip the honeypot/challenge check
    return false if is_api?
    params[:password_confirmation] != honeypot_value ||
      params[:challenge] != challenge_value.try(:reverse)
  end

Yes, SessionController is setting honeypot_value and challenge_value, and UsersController is checking that the values are correct.
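
The issue-then-verify split discussed in this thread, as an added example that is not part of the PR or the project's code: one side stores a honeypot value and a challenge in the session, the other applies the same rule as the snippet above. The `HoneypotChallenge` module, the plain Hash used as a session, the `api:` flag and the constant-time comparison are assumptions made for illustration; in this example a session that was never issued values fails closed.

```ruby
require "securerandom"

# Hypothetical module; a plain Hash stands in for the per-visitor session store.
module HoneypotChallenge
  module_function

  # Issuing side: generate both values once per session and return them so the
  # signup form can echo them back.
  def issue(session)
    session[:honeypot_value]  ||= SecureRandom.hex
    session[:challenge_value] ||= SecureRandom.hex
    { honeypot_value: session[:honeypot_value],
      challenge_value: session[:challenge_value] }
  end

  # Constant-time comparison; nil, non-String or wrong-length input never matches.
  def secure_equal?(a, b)
    return false unless a.is_a?(String) && b.is_a?(String)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Checking side: the hidden password_confirmation field must carry the
  # honeypot value, and the challenge must come back reversed.
  def fails?(session, params, api: false)
    return false if api # API requests skip the check, as in the snippet above
    !secure_equal?(params[:password_confirmation], session[:honeypot_value]) ||
      !secure_equal?(params[:challenge], session[:challenge_value]&.reverse)
  end
end

if __FILE__ == $PROGRAM_NAME
  session = {} # constructed sample session
  issued  = HoneypotChallenge.issue(session)

  # Constructed submissions: a client that followed the form logic, and a
  # form-filler that typed a password into the hidden confirmation field.
  honest = { password_confirmation: issued[:honeypot_value],
             challenge: issued[:challenge_value].reverse }
  filler = honest.merge(password_confirmation: "hunter2")

  puts "honest client rejected? #{HoneypotChallenge.fails?(session, honest)}"
  puts "form filler rejected?   #{HoneypotChallenge.fails?(session, filler)}"
end
```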