This feature is available starting from DSpace 7.4
When enabled, this feature offers a powerful additional layer of protection against unwanted behavior such as mass registrations performed by bots using random or stolen email addresses. The DSpace instance administrator decides whether to enable or disable it. It is based on Google reCAPTCHA.
Supported reCAPTCHA versions are v2, in both invisible (https://developers.google.com/recaptcha/docs/invisible) and checkbox (https://developers.google.com/recaptcha/docs/display) verification modes, and v3 (https://developers.google.com/recaptcha/docs/v3).
Before enabling the feature, obtain a valid site key and secret pair from Google reCAPTCHA by registering the DSpace application to be protected on the reCAPTCHA admin panel (https://www.google.com/recaptcha/admin).
How to enable the feature
Once the site key and secret are available, set the following property in the configuration files (dspace.cfg or local.cfg) to enable CAPTCHA verification:
registration.verification.enabled = true
To enable v2 of Google reCAPTCHA, these properties must also be set in the configuration files:
google.recaptcha.version = v2
google.recaptcha.mode = <invisible or checkbox depending on which mode is wanted>
google.recaptcha.key.site = <your site here>
google.recaptcha.key.secret = <your secret here>
To enable v3 of Google reCAPTCHA, the properties to set are:
google.recaptcha.version = v3
google.recaptcha.key.site = <your site here>
google.recaptcha.key.secret = <your secret here>
google.recaptcha.site-verify = https://www.google.com/recaptcha/api/siteverify
google.recaptcha.key.threshold = <score threshold>
google.recaptcha.mode = invisible
The google.recaptcha.key.threshold property relates to the reCAPTCHA verification logic. reCAPTCHA v3 returns a score for each request made against the verification APIs, in this case by the DSpace system during the registration process (1.0 is very likely a good interaction, 0.0 is very likely a bot). By default a good threshold could be 0.5. For further information, see https://developers.google.com/recaptcha/docs/v3#interpreting_the_score
Once the feature is enabled, user registration is performed if and only if the CAPTCHA token passed in the registration payload is verified during the registration process itself and is considered valid. Each registration request, even one made using the DSpace REST APIs, must have a captcha token in its header.
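The acceptance decision described above, sketched as an added example that is not DSpace's own code. The function name, the fail-closed handling and the rule that a score equal to the threshold passes are assumptions; the sample responses are constructed in the shape Google documents for siteverify.

```python
import json

def registration_allowed(siteverify_body, version, threshold=0.5):
    """Decide on one siteverify JSON body; returns (allowed, reason).

    Hypothetical helper, not a DSpace API. Assumes a score equal to the
    threshold passes and that anything unexpected is refused (fail closed).
    """
    try:
        resp = json.loads(siteverify_body)
    except (TypeError, ValueError):
        return False, "unparseable response"
    if not isinstance(resp, dict) or resp.get("success") is not True:
        codes = (resp.get("error-codes") or []) if isinstance(resp, dict) else []
        return False, "token rejected: " + ", ".join(map(str, codes))
    if version == "v2":
        # v2 (checkbox or invisible) responses carry no score.
        return True, "v2 challenge passed"
    score = resp.get("score")
    if isinstance(score, bool) or not isinstance(score, (int, float)):
        return False, "v3 response without a numeric score"
    if score < threshold:
        return False, f"score {score} below threshold {threshold}"
    return True, f"score {score} meets threshold {threshold}"

# Constructed sample responses (not captured from a real site).
SAMPLES = {
    "likely human": ('{"success": true, "score": 0.9, "action": "register"}', "v3"),
    "likely bot": ('{"success": true, "score": 0.1, "action": "register"}', "v3"),
    "at threshold": ('{"success": true, "score": 0.5}', "v3"),
    "reused token": ('{"success": false, "error-codes": ["timeout-or-duplicate"]}', "v3"),
    "score missing": ('{"success": true}', "v3"),
    "v2 checkbox": ('{"success": true, "hostname": "repo.example.org"}', "v2"),
    "not json": ("<html>502</html>", "v3"),
}

if __name__ == "__main__":
    for name, (body, version) in SAMPLES.items():
        print(f"{name:14s}", registration_allowed(body, version, threshold=0.5))
```

Raising the threshold rejects more borderline scores, so a v3 deployment should review the score distribution in the reCAPTCHA admin panel before moving away from 0.5.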
A new type of cookie, "Registration and Password Recovery", has been added to the DSpace cookie set. This cookie is proposed only when CAPTCHA verification is enabled.
Users must enable this cookie option before registering; otherwise they won't be able to perform a registration.