Skip to Content

Auth Signup Protection

by
Odoo
v 19.0 Third Party 1
Download for v 19.0 Deploy on Odoo.sh
Availability
Odoo Online
Odoo.sh
On Premise
Odoo Apps Dependencies Discuss (mail)
Lines of code 769
Technical Name kw_auth_signup_protection
LicenseLGPL-3
Websitehttps://github.com/kitworks-systems/addons
Versions 16.0 17.0 18.0 19.0
You bought this module and need support? Click here!
Availability
Odoo Online
Odoo.sh
On Premise
Odoo Apps Dependencies Discuss (mail)
Lines of code 769
Technical Name kw_auth_signup_protection
LicenseLGPL-3
Websitehttps://github.com/kitworks-systems/addons
Versions 16.0 17.0 18.0 19.0

Auth Signup Protection

License: LGPL-3 Kitworks Systems


Multi-layer signup form protection for Odoo. This module provides four independent protection mechanisms for the /web/signup page that can be enabled or disabled individually through Settings.

Key features:

  • Honeypot Field — a hidden form field that catches automated bots (enabled by default)
  • Google reCAPTCHA v3 — invisible CAPTCHA verification using Odoo's built-in google_recaptcha module
  • Disposable Email Blocking — prevents registration with throwaway email addresses (90+ pre-loaded domains)
  • Email Verification — requires email confirmation before user account creation with rate limiting and token expiration

Configuration

All protection layers are configured in Settings > Signup Protection. Each layer has an independent toggle and can be used in any combination.

1. Honeypot

Enabled by default. No additional configuration required.

A hidden field website_url is added to the signup form. The field is invisible to human users (hidden via CSS with opacity: 0; position: absolute; height: 0) but is typically filled in by automated bots. When the field contains a value, the signup is rejected with a generic error message.

2. Google reCAPTCHA v3

Disabled by default. Requires Google reCAPTCHA keys.

  1. Go to Settings > General Settings > Integrations and configure your reCAPTCHA v3 site key and secret key.
  2. Go to Settings > Signup Protection and enable Enable reCAPTCHA on Signup.

The reCAPTCHA token is obtained automatically via JavaScript before form submission and verified server-side using ir.http._verify_request_recaptcha_token().

3. Disposable Email Blocking

Disabled by default.

The module ships with 90+ known disposable email domains (mailinator.com, guerrillamail.com, yopmail.com, tempmail.com, etc.).

To manage the domain list, go to Settings > Technical > Disposable Email Domains. You can add new domains, archive or delete existing ones.

4. Email Verification

Disabled by default.

  1. Go to Settings > Signup Protection and enable Enable Email Verification on Signup.
  2. Optionally adjust the Verification Token Expiration (default: 24 hours).

When enabled, the signup flow changes:

  1. User fills in the signup form and submits it.
  2. Instead of creating a user account immediately, a pending signup record is created and a verification email is sent.
  3. The user clicks the verification link in the email.
  4. The user account is created and the user is logged in automatically.

Rate limiting is enforced: max 3 attempts per email per hour, max 5 attempts per IP per hour. A daily cron job cleans up expired pending signups and removes old records after 7 days.

Compatibility

This module is designed to work alongside other signup-related modules without conflicts:

  • kw_signup_form_base — fully compatible (different override points)
  • kw_signup_full_name — fully compatible (extra fields are preserved through JSON signup_values during email verification)

The module only overrides web_auth_signup() and does not modify do_signup(), _signup_create_user(), or signup_retrieve_info().

Technical Details

Models

  • kw.pending.signup — stores pending signup requests when email verification is enabled. Fields: login, name, password (temporary), signup_values (JSON), token (20-char), expiration, state (pending/verified/expired), ip_address.
  • kw.disposable.email.domain — stores known disposable email domains. Fields: name (unique), active.

Routes

  • /web/signup — enhanced with protection checks before standard signup flow
  • /web/signup/verify?token=... — email verification endpoint (creates user and authenticates)

Settings (ir.config_parameter)

  • kw_auth_signup_protection.honeypot_enabled (default: True)
  • kw_auth_signup_protection.recaptcha_enabled (default: False)
  • kw_auth_signup_protection.disposable_email_block (default: False)
  • kw_auth_signup_protection.email_verification (default: False)
  • kw_auth_signup_protection.token_expiration_hours (default: 24)

Bug Tracker

Bugs are tracked on GitHub Issues.

Maintainer

KitWorks Systems. Our web site: https://kitworks.systems

We can provide you further Odoo Support, Odoo implementation, Odoo customization, Odoo 3rd Party development and integration software, consulting services. Our main goal is to provide the best quality product for you.

For any questions contact us.

Please log in to comment on this module

  • The author can leave a single reply to each comment.
  • This section is meant to ask simple questions or leave a rating. Every report of a problem experienced while using the module should be addressed to the author directly (refer to the following point).
  • If you want to start a discussion with the author, please use the developer contact information. They can usually be found in the description.
Please choose a rating from 1 to 5 for this module.