Airsonic supports requiring anybody attempting to reset a user’s password to solve a CAPTCHA, making it more difficult for attackers to automatically cause passwords to be reset. Versions 10.1.2 and older supported this by default, but did so using a service that stopped working at the end of March 2018 (making it impossible for users to reset their passwords).
The new CAPTCHA support is disabled by default because it requires additional configuration. This documentation will walk through the process.
The settings controlling CAPTCHA use can be found in the advanced settings pane of the Airsonic web interface.
Checking the box causes the CAPTCHA to be shown on the password reset page. If the site and secret keys are not provided, Airsonic falls back to default testing keys, which display a warning on the CAPTCHA widget and make every verification pass. This configuration is not any more secure, but the mere presence of a CAPTCHA (even one that checks nothing) may deter some unsophisticated attackers.
To obtain reCAPTCHA keys it is necessary to register a site with Google in the reCAPTCHA admin console. Register a new site with any label (the label merely identifies the site in the admin console) and select “reCAPTCHA v2” as the type.
After registering, the reCAPTCHA admin panel will show site and secret keys. Copy these into the Airsonic settings; the other information for client and server-side integration is unnecessary because Airsonic already implements those integrations.
It is possible to test the CAPTCHA configuration by logging out of Airsonic and selecting “Forgotten your password?” on the login page. If the CAPTCHA is enabled and correctly configured, the page should include an “I’m not a robot” widget like the one shown below.
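For reference, this is the server-side half of the integration that Airsonic performs for you with the secret key: the browser widget returns a token, and the server posts that token with the secret to Google's siteverify endpoint. This is an added Python illustration, not Airsonic's own (Java) code; the transport is injectable so the logic can be exercised offline, and the hostname check and the guard against the published v2 testing secret are additions for clarity, not something the page says Airsonic does.

```python
import json
import urllib.parse
import urllib.request

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"
# Google's published reCAPTCHA v2 testing secret: with it every token verifies,
# which is exactly the "testing keys make all verifications pass" situation above.
TESTING_SECRET = "6LeIxAcTAAAAAGG-vFI1TnRWxMZNFuojJ4WifJWe"


def _post(url, fields):
    """Default transport: form-encoded POST, JSON reply (needs network)."""
    data = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(url, data=data, timeout=10) as resp:
        return json.loads(resp.read().decode())


def verify_recaptcha(secret, token, expected_hostname, remote_ip=None, post=_post):
    """Verify a g-recaptcha-response token. Returns (ok, reason)."""
    # An empty or testing secret means the CAPTCHA is decorative only; refuse to
    # treat it as a real control rather than silently letting everything through.
    if not secret or secret == TESTING_SECRET:
        return False, "testing or empty secret configured: CAPTCHA accepts everything"
    if not token:
        return False, "missing g-recaptcha-response"
    fields = {"secret": secret, "response": token}
    if remote_ip:
        fields["remoteip"] = remote_ip
    result = post(SITEVERIFY_URL, fields)
    if not result.get("success"):
        return False, "siteverify failed: " + ",".join(result.get("error-codes", []))
    # Tokens are bound to the host the widget was solved on; reject ones solved elsewhere.
    if result.get("hostname") != expected_hostname:
        return False, "token solved on another host"
    return True, "ok"
```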