Add reCAPTCHA enforcement to forgot-password reset requests by Copilot · Pull Request #156 · crackmesone/crackmesone_python

Copilot · 2026-04-15T18:54:25Z

Bots were able to automate password reset submissions because /forgot-password had no CAPTCHA gate on submit. This change adds reCAPTCHA validation to the forgot-password flow so reset emails are only processed after human verification.

Controller: enforce CAPTCHA on reset request
- Added reCAPTCHA verification in forgot_password_post before email-service and user lookup logic.
- On failed verification, the handler returns the forgot-password form with a clear validation error.
UI: render CAPTCHA on forgot-password form
- Added reCAPTCHA widget to templates/password_reset/forgot.html when RECAPTCHA_SITEKEY is configured.
- Added accessible labeling/grouping around the CAPTCHA block.
Focused coverage
- Added tests/test_password_reset_captcha.py to validate:
  - invalid CAPTCHA blocks processing
  - valid CAPTCHA allows normal reset-request flow

# app/controllers/password_reset.py
if not verify_recaptcha(request):
    flash('Verification failed. Please complete the challenge and try again.', FLASH_ERROR)
    return render_template('password_reset/forgot.html')

- https://github.com/user-attachments/assets/6af6bd7e-d22b-4d04-8778-94f555825f9d

Agent-Logs-Url: https://github.com/crackmesone/crackmesone_python/sessions/59812f80-da94-45b1-8fd9-e15132e8b109 Co-authored-by: AsyncFor <52682610+AsyncFor@users.noreply.github.com>

Initial plan

7f1f859

Copilot AI assigned Copilot and AsyncFor Apr 15, 2026

Copilot started work on behalf of AsyncFor April 15, 2026 18:54 View session

Copilot AI linked an issue Apr 15, 2026 that may be closed by this pull request

Add captcha for password reset #155

Open

Copilot AI and others added 2 commits April 15, 2026 18:59

Add reCAPTCHA validation to forgot-password flow

ec2da45

Agent-Logs-Url: https://github.com/crackmesone/crackmesone_python/sessions/59812f80-da94-45b1-8fd9-e15132e8b109 Co-authored-by: AsyncFor <52682610+AsyncFor@users.noreply.github.com>

Polish forgot-password captcha UX and accessibility

a3ca418

Agent-Logs-Url: https://github.com/crackmesone/crackmesone_python/sessions/59812f80-da94-45b1-8fd9-e15132e8b109 Co-authored-by: AsyncFor <52682610+AsyncFor@users.noreply.github.com>

Copilot AI changed the title ~~[WIP] Add captcha to password reset functionality~~ Add reCAPTCHA enforcement to forgot-password reset requests Apr 15, 2026

Copilot AI requested a review from AsyncFor April 15, 2026 19:05

Copilot finished work on behalf of AsyncFor April 15, 2026 19:05

AsyncFor marked this pull request as ready for review April 15, 2026 19:05

AsyncFor requested a review from xusheng6 April 15, 2026 19:06

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add reCAPTCHA enforcement to forgot-password reset requests#156

Add reCAPTCHA enforcement to forgot-password reset requests#156
Copilot wants to merge 3 commits intomainfrom
copilot/add-captcha-for-password-reset

Copilot AI commented Apr 15, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

Copilot AI commented Apr 15, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Copilot AI commented Apr 15, 2026 •

edited

Loading