What's the best/correct way to extend/modify the LostPasswordForm in SilverStripe 3.1.x to include reCAPTCHA?

Another security issue, which was classified as medium risk. Here's what they say:
Observation: The Forgot Password functionality can be used to spam the email address of an admin user.
Sample Affected URL: http://example.com/Security/LostPasswordForm
Impact: A malicious user may use a bot or an automated method to repeatedly submit a Forgot Password request. The email inbox could be rendered inaccessible or useless due to the large number of messages.
Recommendation: Implement a one time use challenge-response test such as a CAPTCHA during the Forgot Password request to prevent automated bots or to slow down humans who attempt to flood the user's email inboxes. This CAPTCHA functionality should expire after one use.
As time is of the essence here, any pointers (or even a complete solution) would be greatly appreciated. It would be easy to implement hacking away at the core, but it's not best-practice. Can someone share how it should be done by properly extending?
I think overriding the default template is the way to go, but you should be able to use a custom class extending MemberLoginForm rather than altering the core file...
_config.php
<?php
// Make the Object factory hand out the custom class wherever core code
// calls MemberLoginForm::create(), which includes Security::LostPasswordForm()
Object::useCustomClass('MemberLoginForm', 'MyExtendedMemberLoginForm');

MyExtendedMemberLoginForm.php
<?php
class MyExtendedMemberLoginForm extends MemberLoginForm {
    // override methods, add your fields...
}
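One way to put the answer's suggestion together, as an added example that is not part of the original answer: the custom class adds a CAPTCHA field only to the lost-password variant of the form, attaches a validator so the field is actually checked, and throttles repeat requests from one session as a second line of defence. It assumes SilverStripe 3.1.x, the _config.php line from the answer, and a `RecaptchaField` class supplied by a reCAPTCHA module (an assumption; substitute whichever CAPTCHA field you install).

```php
<?php
// Added example, not the original answer's code. Assumes SilverStripe 3.1.x,
// the _config.php line from the answer above, and a RecaptchaField class
// provided by a reCAPTCHA module (an assumption; swap in your CAPTCHA field).
// File: mysite/code/MyExtendedMemberLoginForm.php
class MyExtendedMemberLoginForm extends MemberLoginForm {

    // Minimum gap between two reset requests from the same session (seconds).
    private static $min_seconds_between_requests = 60;

    public function __construct($controller, $name, $fields = null,
                                $actions = null, $checkCurrentUser = true) {
        parent::__construct($controller, $name, $fields, $actions, $checkCurrentUser);

        // Security::LostPasswordForm() creates this class with the name
        // 'LostPasswordForm'; the ordinary login form keeps its own fields.
        if ($name === 'LostPasswordForm') {
            $this->Fields()->push(new RecaptchaField('Captcha'));
            // Form::validate() only runs each field's validate() when a
            // validator is attached, so attach one; it also makes Email required.
            $this->setValidator(new RequiredFields('Email'));
        }
    }

    // Reached via Form::httpSubmission() only after validation has passed,
    // so a failed CAPTCHA never gets this far.
    public function forgotPassword($data) {
        // Defence in depth: slow down repeated submissions from one session.
        // This only affects clients that keep their cookie; server-side rate
        // limiting by IP address or email address is still needed for bots.
        $minGap = Config::inst()->get('MyExtendedMemberLoginForm',
                                      'min_seconds_between_requests');
        $last = Session::get('LostPasswordLastRequest');
        if ($last && (time() - $last) < $minGap) {
            $this->sessionMessage(
                'Please wait a moment before requesting another reset link.', 'bad'
            );
            return $this->controller->redirectBack();
        }
        Session::set('LostPasswordLastRequest', time());

        return parent::forgotPassword($data);
    }
}
```

Because the reset email is only sent from `parent::forgotPassword()`, neither a failed CAPTCHA nor a throttled request ever triggers a message to the admin's inbox.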