Merge pull request #2934 from coreos-inc/joseph.schorr/QS-78/email-recovery

Security fixes for password recovery

static/css/directives/ui/recovery-form.css

@@ -5,4 +5,24 @@
 
 .recovery-form-element input {
     margin-bottom: 10px;
+}
+
+.recovery-form-element .captcha {
+    display: block;
+    text-align: center;
+}
+
+.recovery-form-element .captcha div {
+    display: inline-block;
+    margin: 2px;
+}
+
+.recovery-form-element .captcha {
+    height: 0px;
+    transition: height ease-in-out 250ms;
+    overflow: hidden;
+}
+
+.recovery-form-element .captcha.expanded {
+    height: 94px;
 }

static/directives/recovery-form.html

@@ -5,7 +5,7 @@
   </div>
   <div ng-show="!sendingRecovery">
     <div class="co-alert co-alert-success" ng-show="sent.status == 'sent'">
-        Account recovery email was sent to {{ recovery.email }}.
+      Instructions on how to reset your password have been sent to {{ recovery.email }}. If you do not receive the email, please try again shortly.
     </div>
     <div class="co-alert co-alert-danger" ng-show="invalidRecovery">{{ errorMessage }}</div>
     <div class="co-alert co-alert-info" ng-show="sent.status == 'org'">
@@ -18,6 +18,14 @@
 
     <form class="form-signin" ng-submit="sendRecovery()" ng-show="!sent">
       <input type="text" class="form-control" placeholder="Email" ng-model="recovery.email">
+
+      <div quay-require="['RECAPTCHA']">
+        <div class="captcha"
+             ng-class="{'expanded': recovery.email}">
+          <div vc-recaptcha ng-model="recovery.recaptcha_response" key="Config.RECAPTCHA_SITE_KEY"></div>
+        </div>
+      </div>
+    
       <button class="btn btn-primary btn-block" type="submit">Send Recovery Email</button>
     </form>
   </div>