Add reCAPTCHA to password reset and confirmation email forms
What does this MR do and why?
Fixes #339147.
We have CAPTCHAs on the sign-in and sign-up pages - we should also have them on confirmation and password reset pages to reduce abuse.
One difference between these new reCAPTCHAs and existing ones is here we will show them all the time, when reCAPTCHA is enabled. For sign-in we show it selectively upon so many failed attempts. However, for these new pages we really don't have any concept of 'failures' to go off of. Given these pages are used less frequently I don't think it will be too much of a hindrance for users. If we find it is, we can probably add some rate limit trigger later on.
I consolidated some of the generic logic in the RecaptchaHelper in hopes this helps us in the future, too. Otherwise, there is a bit of repetitive code. I'm not sure if there's a reasonable way to reduce that due to subtle differences. I'm open to feedback if someone spots other opportunities.
Screenshots or screen recordings
Password Reset
Before | After
---|---
![]() | ![]()
Resend Confirmation
Before | After
---|---
![]() | ![]()
How to set up and validate locally
Ensure you have reCAPTCHA configured according to https://docs.gitlab.com/ee/integration/recaptcha.html. Then, in your GDK/test instance, visit:
/users/password/new
/users/confirmation/new
Observe the CAPTCHA is shown and is required to submit the form.
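The gating behaviour described above (captcha shown unconditionally on the reset and confirmation forms whenever reCAPTCHA is enabled, versus selectively after repeated failures on sign-in, and the email only going out once the captcha verifies) as an added, self-contained Ruby illustration. This is not GitLab's code or the code in this MR: `RecaptchaSettings`, `CaptchaPolicy`, `PasswordResetFlow` and the `verifier` callable are hypothetical stand-ins for the instance setting, the consolidated helper logic and the call to the captcha provider.

```ruby
# Added illustration, not GitLab's or this MR's code. Names are hypothetical.

# Stand-in for the instance-level reCAPTCHA switch and the sign-in failure threshold.
class RecaptchaSettings
  attr_reader :enabled, :login_failure_threshold

  def initialize(enabled:, login_failure_threshold: 3)
    @enabled = enabled
    @login_failure_threshold = login_failure_threshold
  end
end

# Consolidated policy: sign-in shows the captcha only after repeated failures;
# password reset and confirmation resend show it whenever it is enabled, since
# those forms have no failure counter to key off.
module CaptchaPolicy
  module_function

  def required_for_sign_in?(settings, failed_attempts:)
    settings.enabled && failed_attempts >= settings.login_failure_threshold
  end

  def required_for_reset_or_confirmation?(settings)
    settings.enabled
  end
end

# Minimal model of the "request password reset" action.
class PasswordResetFlow
  Result = Struct.new(:status, :emails_sent, keyword_init: true)

  attr_reader :outbox

  # verifier: callable taking the submitted captcha token and returning true/false
  # (stands in for the server-side verification call to the captcha provider).
  def initialize(settings:, verifier:, known_emails:)
    @settings = settings
    @verifier = verifier
    @known_emails = known_emails
    @outbox = [] # constructed stand-in for the mailer queue
  end

  def create(email:, captcha_response: nil)
    if CaptchaPolicy.required_for_reset_or_confirmation?(@settings)
      # The captcha is checked before any side effect: no email unless it verifies.
      return Result.new(status: :captcha_failed, emails_sent: 0) unless @verifier.call(captcha_response)
    end

    # Same :ok result whether or not the address is known, so the response
    # itself does not reveal which accounts exist.
    @outbox << email if @known_emails.include?(email)
    Result.new(status: :ok, emails_sent: @outbox.size)
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed verifier: accepts exactly one token, standing in for the provider check.
  verifier = ->(token) { token == "valid-token" }
  flow = PasswordResetFlow.new(settings: RecaptchaSettings.new(enabled: true),
                               verifier: verifier,
                               known_emails: ["user@example.com"])
  puts flow.create(email: "user@example.com").status                                  # captcha_failed
  puts flow.create(email: "user@example.com", captcha_response: "valid-token").status # ok
end
```

When the setting is disabled the gate is skipped entirely, which mirrors the page behaviour described above: the widget is rendered, and its token required, only when reCAPTCHA is enabled for the instance.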
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.