
Captcha not on forgotten password page? #10539


tony.gayter created

Why can you enable the captcha on the login and registration but not on the forgotten password page?

It was flagged as a major security issue on a recent scan as they were able to access the forgotten password page and send hundreds of emails via it, blocking up the email account. I don't want to remove it, but I should be able to apply captcha to all forms?


5 Answer(s)
  • AI-Bot created
    Support Team ABP Agent
    • In ABP, the built-in Google reCAPTCHA integration is provided for Login (and, depending on the UI/module, Register) but the Account module’s /Account/ForgotPassword UI does not include a reCAPTCHA challenge by default. That’s why you can toggle it for login/registration but don’t see an option for the forgotten password page.
    • To protect the forgot-password endpoint from being abused to send a large number of reset emails, implement one (or both) of the following ABP-aligned mitigations:
    1. Add CAPTCHA to the Forgot Password UI (recommended)
    • Create your own Razor Page for /Account/ForgotPassword (same way you customize Login/Register pages in ABP: copy the page into your host project under Pages/Account so it overrides the module page).
    • In that custom ForgotPassword.cshtml, render your CAPTCHA widget (Google reCAPTCHA or any other).
    • In ForgotPassword.cshtml.cs, validate the CAPTCHA before calling the underlying password reset flow. If CAPTCHA fails, return the page with an error message and do not send the email.
    2. Add server-side throttling to stop email flooding (also recommended)
    • Even with CAPTCHA, you should rate-limit the forgot-password action (per IP, per email, per tenant) to prevent abuse and to protect your SMTP provider.
    • In ABP, the password reset email is sent from the Account application service. You can override the method that sends password reset links/codes and add throttling/guards there.
      • ABP support guidance shows overriding SendPasswordResetCodeAsync on AccountAppService via service replacement:

```csharp
using System.Threading.Tasks;
using Volo.Abp.Account;
using Volo.Abp.DependencyInjection;

// Replaces the Account module's IAccountAppService registration with this subclass.
[Dependency(ReplaceServices = true)]
[ExposeServices(typeof(IAccountAppService))]
public class MyAccountAppService : AccountAppService
{
    public MyAccountAppService(/* same ctor deps as base */) : base(/* ... */)
    {
    }

    public override async Task SendPasswordResetCodeAsync(SendPasswordResetCodeDto input)
    {
        // 1) Rate limit / throttle here (per IP/email/etc.)
        // 2) Optionally perform extra checks
        // 3) Then call base or replicate base logic
        await base.SendPasswordResetCodeAsync(input);
    }
}
```

    Add your throttling logic before calling base.SendPasswordResetCodeAsync(input).

    If you implement (1), you stop most automated attacks at the UI level. If you implement (2), you protect the system even if attackers bypass the UI and call the endpoint directly.

    Links:

    • https://abp.io/docs/latest/modules/account
    • https://abp.io/support/questions/4488
    • https://abp.io/support/questions/489

    This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.
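Building on the override shown in the answer above, the following is an added example (not the answer's or ABP's own code) that fills in the throttling step with an in-memory sliding-window limiter keyed per tenant, per normalized e-mail and per client IP. The `ForgotPasswordThrottle` class, the limits, the key format and the base constructor parameters are assumptions; check the constructor against the `AccountAppService` of the ABP version in use.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.Options;
using Volo.Abp;
using Volo.Abp.Account;
using Volo.Abp.Account.Emailing;
using Volo.Abp.DependencyInjection;
using Volo.Abp.Identity;
// Hypothetical process-local sliding-window limiter (assumption); on a web farm back it with a shared store.
public class ForgotPasswordThrottle : ISingletonDependency
{
    private readonly ConcurrentDictionary<string, Queue<DateTime>> _hits = new();
    // Returns false once 'key' has been used 'limit' times inside 'window'; refused calls are not counted.
    public bool TryAcquire(string key, int limit, TimeSpan window)
    {
        var hits = _hits.GetOrAdd(key, _ => new Queue<DateTime>());
        lock (hits)
        {
            var now = DateTime.UtcNow;
            while (hits.Count > 0 && now - hits.Peek() > window) hits.Dequeue(); // expire old entries
            if (hits.Count >= limit) return false;
            hits.Enqueue(now);
            return true;
        }
    }
}
[Dependency(ReplaceServices = true)]
[ExposeServices(typeof(IAccountAppService))]
public class MyAccountAppService : AccountAppService
{
    // Base constructor parameters as in recent ABP versions (assumption): match them to the version in use.
    public MyAccountAppService(IdentityUserManager userManager, IIdentityRoleRepository roleRepository,
        IAccountEmailer accountEmailer, IdentitySecurityLogManager securityLogManager, IOptions<IdentityOptions> identityOptions)
        : base(userManager, roleRepository, accountEmailer, securityLogManager, identityOptions) { }
    public override async Task SendPasswordResetCodeAsync(SendPasswordResetCodeDto input)
    {
        var throttle = LazyServiceProvider.LazyGetRequiredService<ForgotPasswordThrottle>();
        var ip = LazyServiceProvider.LazyGetRequiredService<IHttpContextAccessor>().HttpContext?.Connection.RemoteIpAddress?.ToString() ?? "unknown";
        var email = (input.Email ?? string.Empty).Trim().ToLowerInvariant();
        // Keys are scoped per tenant; a tight per-mailbox limit stops inbox flooding, a looser per-IP limit caps one client.
        var allowed = throttle.TryAcquire($"{CurrentTenant.Id}:email:{email}", 3, TimeSpan.FromMinutes(15))
                   && throttle.TryAcquire($"{CurrentTenant.Id}:ip:{ip}", 10, TimeSpan.FromMinutes(15));
        if (!allowed) throw new UserFriendlyException("Too many password reset requests. Please try again later.");
        await base.SendPasswordResetCodeAsync(input);
    }
}
```

The client IP is only meaningful behind a reverse proxy when forwarded-headers middleware is configured, and because the limiter refuses before counting, a flood cannot extend its own lockout against a legitimate user beyond the window.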

  • tony.gayter created

    But why is this not in the options by default, given that it poses a security risk and that it's already in place for the login and registration?

  • maliming created
    Support Team Fullstack Developer

    hi

    We will support it in 10.3 version.

    Add optional CAPTCHA support for the Forgot Password page (new UseCaptchaOnForgotPassword setting), following the same pattern as Login and Registration

    Thanks.

  • tony.gayter created

    fantastic thank you

  • maliming created
    Support Team Fullstack Developer

    : )

Made with ❤️ on ABP v10.3.0-preview. Updated on March 13, 2026, 12:51