How to enable recaptcha on lost password page OJS 3.1.1.4

Juan_Pablo_Giron_Rui · April 30, 2019, 1:52pm

Hi everyboy,

I want to know, if it is possible enable recaptcha on /lostpassword page on my OJS 3 installation?. There are many fakes users (I know it because the email address does not exist in remote server). I don’t know how nor when, but everyday I am receiving 5 emails that says: “Reported error: 550-5.1.1 The email account that you tried to reach does not exist. Please try 550-5.1.1 double-checking the recipient’s email address for typos or 550-5.1.1 unnecessary spaces. Learn more at 550 5.1.1 https://support.google.com/mail/?p=NoSuchUser h2si4170516qtc.262 - gsmtp”

I think the solution is activate recaptcha on lostpassword, or there are other solutions?

thanks!

ctgraham · May 3, 2019, 12:27pm

OJS should only try to send a forgot password email to a user’s email if it exists in OJS.

So the situation you are proposing is:

A user registers for an account in OJS with a fake email address.
A user tries to reset the OJS password using that fake email address.
The mailserver responds that the email address is not found.

Do you have email validation turned on in config.inc.php? I could imagine a spammer registering, not being able to validate, and then trying the password reset process.

If you already have ReCAPTCHA enabled on your registration page, and the spammers are bypassing that to do the initial registration, I don’t expect that adding ReCAPTCHA to the lost password page will help much.

There are other tools like formHoneypot or Akismet which might help with spam registrations if spammers are completing ReCAPTCHA.

If you really want to add ReCAPTCHA to the lost password page, this will be surprisingly complex. You can find the basic code which makes it happen on the registration form:

github.com

pkp/pkp-lib/blob/0c5224b8e9df334bb48470616ffb2c255e6b063e/classes/user/form/RegistrationForm.inc.php#L60-L64


		$this->captchaEnabled = Config::getVar('captcha', 'captcha_on_register') && Config::getVar('captcha', 'recaptcha');
		if ($this->captchaEnabled) {
			$request = Application::get()->getRequest();
			$this->addCheck(new FormValidatorReCaptcha($this, $request->getRemoteAddr(), 'common.captcha.error.invalid-input-response', $request->getServerHost()));
		}

and template:

github.com

pkp/pkp-lib/blob/0c5224b8e9df334bb48470616ffb2c255e6b063e/templates/frontend/pages/userRegister.tpl#L166-L175


		{* recaptcha spam blocker *}
		{if $reCaptchaHtml}
			<fieldset class="recaptcha_wrapper">
				<div class="fields">
					<div class="recaptcha">
						{$reCaptchaHtml}
					</div>
				</div>
			</fieldset>
		{/if}

But the lost password page does not use the form architecture, so we can’t use the normal form validation. You would need to modify the handlers and template directly:

github.com

pkp/pkp-lib/blob/0c5224b8e9df334bb48470616ffb2c255e6b063e/pages/login/LoginHandler.inc.php#L152-L197


	/**
	 * Display form to reset a user's password.
	 */
	function lostPassword($args, $request) {
		$this->setupTemplate($request);
		$templateMgr = TemplateManager::getManager($request);
		$templateMgr->display('frontend/pages/userLostPassword.tpl');
	}

	/**
	 * Send a request to reset a user's password
	 */
	function requestResetPassword($args, $request) {
		$this->setupTemplate($request);
		$templateMgr = TemplateManager::getManager($request);

		$email = $request->getUserVar('email');
		$userDao = DAORegistry::getDAO('UserDAO');
		$user = $userDao->getUserByEmail($email);

This file has been truncated. show original

github.com

pkp/pkp-lib/blob/0c5224b8e9df334bb48470616ffb2c255e6b063e/templates/frontend/pages/userLostPassword.tpl#L1-L57


{**
 * templates/frontend/pages/userLostPassword.tpl
 *
 * Copyright (c) 2014-2018 Simon Fraser University
 * Copyright (c) 2000-2018 John Willinsky
 * Distributed under the GNU GPL v2. For full terms see the file docs/COPYING.
 *
 * Password reset form.
 *
 *}
{include file="frontend/components/header.tpl" pageTitle="user.login.resetPassword"}

<div class="page page_lost_password">
	{include file="frontend/components/breadcrumbs.tpl" currentTitleKey="user.login.resetPassword"}

	<p>{translate key="user.login.resetPasswordInstructions"}</p>

	<form class="cmp_form lost_password" id="lostPasswordForm" action="{url page="login" op="requestResetPassword"}" method="post">
		{csrf}
		{if $error}

This file has been truncated. show original

Juan_Pablo_Giron_Rui · May 3, 2019, 12:45pm

Hello dear @ctgraham,

Thank you for you clear answer. The problem that I am facing is that my OJS 2 had not email validation turned on. After upgrading to OJS 3.1.1.4 I activated that option. Actually, I have more than 11k users per journal, many of them are fake users.

I was analyzing that spammers are completing ReCAPTCHA V2 on registration page. I will try to use the tools that you mentioned above.

thank you for all

Juan_Pablo_Giron_Rui · May 3, 2019, 1:52pm

Hello @ctgraham,

I installed the tool formHoneypot but I am seeing that there is a Fatal error on my apache error log when OJS system tries to use it tool.

error:
PHP Fatal error: Call to a member function getId() on null in /var/www/html/plugins/generic/formHoneypot/FormHoneypotPlugin.inc.php on line 287

ctgraham · May 3, 2019, 2:22pm

Does the URL you are using for registration reference the site context /index/user/register, or a specific journal context like myjournal/user/register?

Do you have a single journal in your site, or multiple?

Juan_Pablo_Giron_Rui · May 3, 2019, 2:36pm

In my site there are multiple journals (revistas.javerianacali.edu.co). I am testing registration with and without context.

thanks.

ctgraham · May 3, 2019, 3:12pm

Does it fail in both the journal context and the site context, or only in one or the other?

Juan_Pablo_Giron_Rui · May 3, 2019, 3:32pm

@ctgraham, It fail when I try to register in site context. I don’t know why at index/admin/settings, I can not setting up the plugin, as appear next:

ctgraham · May 3, 2019, 3:43pm

Ah. I wasn’t aware this was even a possibility.

The plugin will not currently work in the Site context. I’ll open a issue to address this, but for now you will need to disable the plugin for the Site context. Sorry for the inconvenience.

Juan_Pablo_Giron_Rui · May 3, 2019, 4:04pm

Thank you for the support.

Ala_a_hamda · December 4, 2022, 9:29am

LoginHandler.inc.php is handlers page for lost pass?What changes do I need to make
iam add recaptcha in templet but Does not appear
{if $reCaptchaHtml} in code Where is it added?

ctgraham · December 5, 2022, 11:05pm

Hi, @Ala_a_hamda . Are you familiar with PHP coding? If so, please post the code you are trying (preferably in Github), and we can offer advice. If you post the code directly here, please be sure to mention what version of the software you are using.