Stop Spam Signups in Odoo 15 with Google reCAPTCHA

Why is reCAPTCHA Essential?

If your Odoo 15 website allows public user registrations, you’ve probably run into spam bots creating fake accounts or misusing your password reset forms. This can clutter your database, harm your reputation, and create security risks.

While Odoo 16 and above offer native support for reCAPTCHA-like integrations and better form protection mechanisms, Odoo 15 does not have built-in reCAPTCHA validation for signup and password reset forms.

In this article, you’ll learn how to implement a custom Google reCAPTCHA v3 integration for Odoo 15 to stop spam user registrations and protect your forms.

Why Google reCAPTCHA v3?

Google reCAPTCHA v3 works invisibly in the background, scoring each request for potential spam behaviour without interrupting legitimate users with checkbox challenges or image tests. It offers a seamless user experience while still providing strong bot protection.

Since Odoo v15 lacks native integration for this, we’ll be extending the system through:

  • Custom frontend widgets for token handling
  • Backend controller overrides to validate reCAPTCHA tokens before proceeding with signup or password reset

Important Note on Odoo Version Compatibility

This guide is specifically for Odoo 15, where these protections are not natively available. From Odoo 16 onwards, form protections like reCAPTCHA can be configured via system settings and built-in features. So if you’re using Odoo 16, 17, or later, you likely won’t need this guide — but for Odoo 15, it’s your go-to solution.

Step-by-Step Implementation

1. Get Google reCAPTCHA v3 Credentials

  • Go to: Google reCAPTCHA Console
  • Choose reCAPTCHA v3
  • Enter your domain (or localhost for testing)
  • Copy the Site Key and Secret Key
Google reCAPTCHA v3

2. Create Frontend Public Widget to Attach reCAPTCHA Token

Create a JavaScript file static/src/js/recaptcha_signup.js in your custom module:

odoo.define('your_module_name.signup_recaptcha', function (require) {
    'use strict';
    const publicWidget = require('web.public.widget');
    const { ReCaptcha } = require('google_recaptcha.ReCaptchaV3');
    publicWidget.registry.SignupCaptcha = publicWidget.Widget.extend({
        selector: ".oe_signup_form",
        events: {
            submit: "_onSubmit",
        },
        tokenName: "signup",
        init() {
            this._super(...arguments);
            this._recaptcha = new ReCaptcha();
        },
        async willStart() {
            return this._recaptcha.loadLibs();
        },
        _onSubmit(ev) {
            if (this._recaptcha._publicKey && !this.$el.find("input[name='recaptcha_token_response']").length) {
                ev.preventDefault();
                this._recaptcha.getToken(this.tokenName).then((tokenCaptcha) => {
                    this.$el.append(
                        `<input name="recaptcha_token_response" type="hidden" value="${tokenCaptcha.token}"/>`
                    );
                    this.$el.submit();
                });
            }
        },
    });
});

3. UX — Disable Submit Button on Click

To prevent multiple form submissions during token generation, modify the form behaviour:

odoo.define('your_module_name.signup_inherit', function (require) {
    'use strict';
    var publicWidget = require('web.public.widget');
    var SignUpForm = publicWidget.registry.SignUpForm;
    publicWidget.registry.SignUpForm = SignUpForm.extend({
        _onSubmit: function () {
            var $btn = this.$('.oe_login_buttons > button[type="submit"]');
            if ($btn.prop("disabled")) {
                return;
            }
            $btn.attr('disabled', 'disabled');
            $btn.prepend('<i class="fa fa-refresh fa-spin"/> ');
        },
    });
});

4. Extend Signup and Reset Password Controllers

In your Python controller file:


import logging
import requests
from odoo import http, _
from odoo.http import request
from odoo.exceptions import UserError
from odoo.addons.auth_signup.models.res_users import SignupError
from odoo.addons.auth_signup.controllers.main import AuthSignupHome
_logger = logging.getLogger(__name__)
class WebSignup(AuthSignupHome):
    @http.route('/web/signup', type='http', auth='public', website=True, sitemap=False)
    def web_auth_signup(self, *args, **kw):
        qcontext = self.get_auth_signup_qcontext()
        if not qcontext.get('token') and not qcontext.get('signup_enabled'):
            raise werkzeug.exceptions.NotFound()
        if 'error' not in qcontext and request.httprequest.method == 'POST':
            try:
                # C U S T O M  C O D E  S T A R T
                if not request.env['ir.http']._verify_request_recaptcha_token('signup'):
                    raise UserError(_"Suspicious activity detected by Google reCaptcha.")
                # C U S T O M  C O D E  E N D
                self.do_signup(qcontext)
                # Send an account creation confirmation email
                if qcontext.get('token'):
                    User = request.env['res.users']
                    user_sudo = User.sudo().search(
                        User._get_login_domain(qcontext.get('login')), order=User._get_login_order(), limit=1
                    )
                    template = request.env.ref('auth_signup.mail_template_user_signup_account_created', raise_if_not_found=False)
                    if user_sudo and template:
                        template.sudo().send_mail(user_sudo.id, force_send=True)
                return self.web_login(*args, **kw)
            except UserError as e:
                qcontext['error'] = e.args[0]
            except (SignupError, AssertionError) as e:
                if request.env["res.users"].sudo().search([( "login", "=", qcontext.get("login"))]):
                    qcontext["error"] = _( "Another user is already registered using this email address.")
                else:
                    _logger.error("%s", e)
                    qcontext['error'] = _( "Could not create a new account.")
        response = request.render('auth_signup.signup', qcontext)
        response.headers['X-Frame-Options'] = 'DENY'
        return response
    @http.route('/web/reset_password', type='http', auth='public', website=True, sitemap=False)
    def web_auth_reset_password(self, *args, **kw):
        qcontext = self.get_auth_signup_qcontext()
        if not qcontext.get('token') and not qcontext.get('reset_password_enabled'):
            raise werkzeug.exceptions.NotFound()
        if 'error' not in qcontext and request.httprequest.method == 'POST':
            try:
                # C U S T O M  C O D E  S T A R T
                if not request.env['ir.http']._verify_request_recaptcha_token('password_reset'):
                    raise UserError(_"Suspicious activity detected by Google reCaptcha.")
                # C U S T O M  C O D E  E N D
                if qcontext.get('token'):
                    self.do_signup(qcontext)
                    return self.web_login(*args, **kw)
                else:
                    login = qcontext.get('login')
                    assert login, _( "No login provided.")
                    _logger.info(
                        "Password reset attempt for <%s> by user <%s> from %s",
                        login, request.env.user.login, request.httprequest.remote_addr)
                    request.env['res.users'].sudo().reset_password(login)
                    qcontext['message'] = _( "An email has been sent with credentials to reset your password")
            except UserError as e:
                qcontext['error'] = e.args[0]
            except SignupError:
                qcontext['error'] = _( "Could not reset your password")
                _logger.exception('error when resetting password')
            except Exception as e:
                qcontext['error'] = str(e)
        response = request.render('auth_signup.reset_password', qcontext)
        response.headers['X-Frame-Options'] = 'DENY'
        return response

This override adds a security check for reCAPTCHA tokens in both the signup and reset password forms, rejecting suspicious submissions.

Note: This custom code is cleanly built on top of Odoo 15’s auth_signup module structure. The exact implementation differs from the native features available in Odoo 16+.

Final Result

  • Seamless, invisible protection for signup and password reset forms
  • Blocks spam bots effectively on Odoo 15
  • Mimics the behaviour of later Odoo versions’ built-in protections
  • Keeps your database clean and your users safe

Wrapping Up

Odoo 15 lacks native reCAPTCHA integration for signup and password reset forms, which makes your site vulnerable to spam and abuse. This custom implementation offers a clean, effective, and developer-friendly solution to fill that gap.

If you’re working with Odoo 16 and above, you already have access to native, configurable reCAPTCHA and form protection settings. But for Odoo 15 users, this guide helps bridge that gap.

Found this article useful?

Explore more development guides and solutions from our team.

Check out more posts

Share

Vijay Elangovan 21 May, 2025
Our blogs
Archive
Sign in to leave a comment
Creating a Custom Show More / Show Less OWL Widget
For Text Fields in Odoo