I have just started using CakePHP and love using it! I have created a login system and registration system, however am really struggling with the "forgotten password" section.
I want to use a tokenhash and expiry date in the Users DB so that it cant be abused, users would need to enter username and email to get an activation link emailed to them with a newly generated tokenhash
There are quite a few tutorials out there but I find most of them work for the first part e.g. emailing the activation link/ resetting token and timer but all seem to fail on the change of the password.
Please help me, either with a working tutorial from the net or a solution that applies the above required things.
Thanks in advance
Steve
Below I am writing the code that I wrote for one of my project, this might help you out.
1- I created a new table which contains the unique token for every user.
Table Name:- user_password_resets
Columns : userclient_id, token
2- A email template name as:- change_password.html inside /webroot/template/change_password.html
public function login_send() {
$this->isLoggedIn(); //Check if the user is logged in
if($this->request->is('post')) { #if the form is submitted
$login = $this->data['User']['login'];
$conditions = array('User.login'=>$login);
if($this->User->hasAny($conditions)) {
$users = $this->User->find('first', array('conditions'=>$conditions));
#Generate the token
$token = md5(uniqid(rand(),true));
#Save token and other details in user_password_reset_links table
$users = $this->User->find('first', array('conditions'=>array('User.login'=>$login)));
$my_name = $users['User']['first_name'];
$reset_links = array();
$reset_links['UserPasswordReset']['userclient_id'] = $users['User']['client_id'];
$reset_links['UserPasswordReset']['token'] = $token;
$conditions = array('UserPasswordReset.userclient_id'=>$users['User']['client_id']);
if($this->UserPasswordReset->hasAny($conditions)) {
$user_id = $users['User']['client_id'];
$this->UserPasswordReset->updateAll(array('UserPasswordReset.token'=>"'$token'"), array("UserPasswordReset.userclient_id"=>"$user_id"));
} else {
$this->UserPasswordReset->create();
$this->UserPasswordReset->save($reset_links);
}
$password_reset_link = BASE_URL."users/reset_password/$token";
#Send Welcome Email
$mailContent = file_get_contents(BASE_URL . "templates/change_password.html");
$rootlink = BASE_URL;
$arrMail = array(
"{NICK}" => ucfirst($my_name),
"{rootlink}" => BASE_URL,
"{SITE_TITLE}" => SITE_TITLE,
"{PASSWORD_RESET_LINK}"=>$password_reset_link
);
$mails = explode(',', $users['User']['email']);
$msg = #str_replace(array_keys($arrMail), array_values($arrMail), $mailContent);
$data = array();
$data['to'] = #$mails[0];
$data['body'] = $msg;
$data['subject'] = SITE_TITLE.'- Reset Password.';
$this->send_mail($data);
$this->Session->setFlash('A password reset link has been sent to the email address.', 'default', array('class'=>'successMsg'));
$this->redirect(array('controller'=>'users', 'action'=>'login'));
exit;
} else {
$this->Session->setFlash('The Username entered is not registered with Captain Marketing.', 'default', array('class'=>'errorMsg'));
$this->redirect(array('controller'=>'users', 'action'=>'login_send'));
exit;
}
}
$this->set('title_for_layout', '-Send password reset link');
}
Related
I have created a condition to check if name and password are correct the only issue here is when i test it it goes complete the opposite of what i want. It doesnt matter if i put it right or wrong the message will always be "You have successfuly logged in". Im using PDO just to know
<?php
include('connection.php');
$name = $_POST['name'];
$password = $_POST['password'];
$data = $_POST;
$statment = $connection->prepare('SELECT * FROM registration WHERE name = :name AND password = :password');
if($statment){
$result = $statment->execute([
':name' => $data['name'],
':password' => $data['password']
]);
}
if($data['name'] == $name && $data['password'] == $password){
echo 'You have successfuly logged in';
}else {
die('Incorrect username or password');
}
?>
You have made your script overly complicated .. The easiest way is to bind and execute .. Then you can simply check if there are any rows, and THEN compare with your data array created from the executed statement.
<?php
include('connection.php');
$name = $_POST['name'];
$password = $_POST['password'];
$statment = $connection->prepare("SELECT name, password FROM registration
WHERE name = ? AND password = ?");
$statment ->bind_param("ss", $name, $password);
$statment ->execute();
$result = $stmt->get_result();
if ($result ->num_rows > 0) {
$data = $result->fetch_array();
}else{
echo "No results found";
}
if($data['name'] == $name && $data['password'] == $password){
echo 'You have successfuly logged in';
}else {
die('Incorrect username or password');
}
?>
(bear in mind I wrote that freehand, and it has not been tested or debugged, but the principals are there)
ON A SIDE NOTE
That being said .. You should never be storing passwords in a open "text" field. You should be encrypting them. The easiest way is to use bcrypt to build out a hash:
$options = [
'cost' => 12,
];
$newPass = password_hash($pass, PASSWORD_BCRYPT, $options);
And store that in your database .. Then you can compare it like so ..
if (password_verify($pss, $pwdCheck)
$pss being what was sent in from the form .. and $pwdCheck being the hash you SELECTED from the database -- Brought into your current code set, would look something like:
if($data['name'] == $name && password_verify($password, $data['password']){
I have custom Magento script file as below which does login by just passing email and password to that PHP file.
It works fine when i'm making a call from browser.
But, I want to make this call through Drupal Module which i have created.
As i expected call is happening from Drupal module and i'm getting success message too. But login is not happening.
My hunch is that magento have some login restrictions which happening outside magento root folder.
Please find the source below.
Drupal directory - /www/drupal/
Magento directory - /www/drupal/store/
/www/drupal/store/api_config.php
<?php
error_reporting(E_ALL);
ini_set('display_errors', 'On');
require_once (dirname(dirname(realpath(__FILE__))).'/store/app/Mage.php');
umask(0);
Mage::app();
Mage::getSingleton('core/session', array('name' => 'frontend'));
$websiteId = Mage::app()->getWebsite()->getId();
$store = Mage::app()->getStore();
$response = array();
/www/drupal/store/api_login.php
<?php
require_once "api_config.php";
$session = Mage::getSingleton('customer/session');
//$session->start();
if (isset($_GET['email']) && !empty($_GET['email']) && isset($_GET['password']) && !empty($_GET['password'] )) {
if (!filter_var($_GET['email'], FILTER_VALIDATE_EMAIL) === false) {
$email = $_GET['email'];
$password = $_GET['password'];
try {
if ($session->login($email, $password )) {
$response['status'] = 'success';
$response['data'] = array($_GET);
$response['message'] = array('User loggedin Successfully.');
} else {
$response['status'] = 'error';
$response['data'] = array($_GET);
$response['message'] = array('User login failed.');
}
if ($session->getCustomer()->getIsJustConfirmed()) {
$this->_welcomeCustomer($session->getCustomer(), true);
}
} catch (Mage_Core_Exception $e) {
switch ($e->getCode()) {
case Mage_Customer_Model_Customer::EXCEPTION_EMAIL_NOT_CONFIRMED:
$value = Mage::helper('customer')->getEmailConfirmationUrl($email);
$message = Mage::helper('customer')->__('This account is not confirmed. Click here to resend confirmation email.', $value);
break;
case Mage_Customer_Model_Customer::EXCEPTION_INVALID_EMAIL_OR_PASSWORD:
$message = $e->getMessage();
break;
default:
$message = $e->getMessage();
}
//$session->addError($message);
$response['status'] = 'error';
$response['data'] = array($_GET);
$response['message'] = array($message);
echo $message;
$session->setUsername($email);
} catch (Exception $e) {
$response['status'] = 'error';
$response['data'] = array($_GET);
$response['message'] = array($e);
// Mage::logException($e); // PA DSS violation: this exception log can disclose customer password
}
} else {
//$session->addError('Login and password are required.');
$response['status'] = 'error';
$response['data'] = array($_GET);
$response['message'] = array('Invalid Email address');
}
} else {
//$session->addError('Login and password are required.');
$response['status'] = 'error';
$response['data'] = array($_GET);
$response['message'] = array('Login and password are required.');
}
print_r(json_encode($response, JSON_FORCE_OBJECT));die;
?>
/www/drupal/sites/all/modules/single_signon/single_signon.module
<?php
function single_signon_user_login(&$edit, $account) {
//store variable values
$postData = array();
$postData['email'] = $account->mail;
$postData['password'] = $edit['input']['pass'];
$inc = 1; //count of registration
if (!empty($postData['email']) && !empty($postData['password'])) {
// use of drupal_http_request
$data = http_build_query($postData, '', '&');
//$url = url('http://127.0.0.1/drupal/store/api_login.php?'.$data);
//$headers = array('Content-Type' => 'application/x-www-form-urlencoded');
//print_r($url);
// the actual sending of the data
$JSONresponse = drupal_http_request('http://127.0.0.1/drupal/store/api_login.php?email=john#example.com&password=password');
//print_r($JSONresponse);die;
$response = json_decode($JSONresponse->data, true);
if ($response['status']=='success') {
$inc+=1;
$message = 'Logged in successfully('.$inc.')';
drupal_set_message($message, $type = 'status', $repeat = FALSE); //message goes here
} else {
$message = 'Logged in failed. Due to '.$response['message'].'('.$inc.')';
drupal_set_message($message, $type = 'error ', $repeat = FALSE);
}
} else {
$message = 'Not able to log inside store('.$inc.')';
drupal_set_message($message, $type = 'status', $repeat = FALSE); //message goes here
}
}
?>
Any suggestions for findings to solve this mystery would be really helpful.
I'm not sure to understand it well : You have a php script using data send in the URL (GET) to connect a user in a session. And you would like the Drupal server to use it to connect directly to your Magento.
I think your code is working, but unfortunately it could not help the user to connect to Magento.
As this is the Drupal server asking for the connection, it would be the Drupal server session that will be connected and not the navigation user one.
If the user have to be connected, in his navigator, to the Magento server, it has to be the navigator witch must call the Magento script directly.
It could be done in an iframe or via Ajax I think.
I think you can also find some other solutions, as OAuth, but it will need a lot more of coding.
EDIT
I found some interesting subject about your problem :
Getting logged in user ID from Magento in external script - multiple session issue?
Magento Session from external page (same domain)
Magento external login will not create session cookie
I think you have to manually create the Magento session cookie on the user navigator, from the Drupal script.
You'll need to send back to Drupal the SessionID from Magento, using this method (I think, you'll have to verify) :
$response['sessionId'] = $session->getEncryptedSessionId();
And inside the Drupal script, you'll have to record a new cookie with the Magento session information. Maybe you have to have a look at a working Magento cookie to see how it is defined and what is its name.
if ($response['status']=='success') {
...
setcookie('frontend', $response['sessionId'], time() + 3600 * 24 * 180, '/');
...
}
You'll probably have to declare, in the settings of Magento, the path for cookies at '/'.
Can you give an example of the structure of the session cookie from Magento ?
When I handle a CREATE post form, i'll do :
public function handlecreer(Requests\CreerUtilisateurRequest $request)
{
// handle create form
// all fields in one line... YEAH !!!
$user = new User($request->except('password','role'));
$user->password = bcrypt(Request::input('password'));
$user->save();
....}
But if I have an UPDATE post form I'll do :
public function handleUpdate(Requests\UpdateUtilisateurRequest $request)
{
// handle update form
$user = User::findOrFail(Request::input('id'));// find
// one line by field... BOH !!!
$user->name = Request::input('name');
$user->email = Request::input('email');
$user->password = bcrypt(Request::input('password'));
$user->telephone= Request::input('telephone');
$user->fonction = Request::input('fonction');
$user->divers = Request::input('divers');
$user->save();
....}
Is there a simplest way of processing the update post form ?
Thanks,
Paguemaou
All mass assignable attributes (the one in $fillable) can be set using fill():
$user = User::findOrFail(Request::input('id'));
$user->fill($request->except('password', 'role'));
$user->password = bcrypt(Request::input('password'));
$user->save();
i tried to send activation code to user mail (currently gmail) from localhost.. when submit the user information saved in database but the message not sent..so why not sent ?
var $components = array('Email','Auth','Recaptcha');
// Allows a user to sign up for a new account
function register () {
if (!empty($this->data)) {
// See my previous post if this is forgien to you
if($this->data['User']['password'] == $this->Auth->password($this->data['User']['password_confirm'])){
$this->User->data = Sanitize::clean($this->data);
// Successfully created account - send activation email
if($this->Recaptcha->valid($this->params['form'])){
if ($this->User->save()) {
$this->__sendActivationEmail($this->User->getLastInsertID());
$this->Session->setFlash('activation code sent check your mail');
$this->redirect('/users/register');
}else {
$this->data['User']['password'] = null;
}
}else{
$this->data['User']['password'] = null;
$this->Session->setFlash('wrong captcha please try again');
}
}else{
$this->data['User']['password'] = null;
$this->Session->setFlash('password not match');
}
}
}
this function Send out an activation email to the user.id specified by $user_id
#param Int $user_id User to send activation email to
#return Boolean indicates success
function __sendActivationEmail($user_id) {
$user = $this->User->find(array('User.id' => $user_id), array('User.id','User.email', 'User.username'), null, false);
if ($user === false) {
debug(__METHOD__." failed to retrieve User data for user.id: {$user_id}");
return false;
}
// Set data for the "view" of the Email
$this->set('activate_url', 'http://' . env('SERVER_NAME') . '/cakenews/users/activate/' . $user['User']['id'] . '/' . $this->User->getActivationHash());
$this->set('username', $this->data['User']['username']);
$this->Email->to = $user['User']['email'];
$this->Email->subject = env('SERVER_NAME') . ' - Please confirm your email address';
$this->Email->from = 'spcialist#gmail.com';
$this->Email->template = 'user_confirm';
$this->Email->delivery = 'smtp';
$this->Email->smtpOptions = array(
'port'=>'465',
'timeout'=>'30',
'host' => 'ssl://smtp.gmail.com',
'username'=>'spcialist#gmail.com',
'password'=>1234567,
);
$this->Email->sendAs = 'text'; // you probably want to use both :)
return $this->Email->send();
}
You wrote you are on localhost, you probably can't send emails but will probably work once online.
try debugging
function __sendActivationEmail($user_id) {
$this->Email->delivery = 'debug';
....
}
Then in your layout
<?php echo $this->Session->flash('email'); ?>
And see what comes out.
I am applying this tutorial: Activating User Account via Email
When I submit the message, it is sent like this:
Hey there ahmed, we will have you up and running in no time, but first we just need you to confirm your user account by clicking the link below:
http://localhost/cakenews/users/activate/24/8877ae4a
The problem is that I want to create file users/active.ctp to receive activation code when the user clicks on the link. But I dont know what to write on this file to active user
<?php
# /controllers/users_controller.php
# please note that not all code is shown...
uses('sanitize');
class UsersController extends AppController {
var $name = 'Users';
// Include the Email Component so we can send some out :)
var $components = array('Email', 'Auth');
// Allow users to access the following action when not logged in
function beforeFilter() {
$this->Auth->allow('register', 'confirm', 'logout');
$this->Auth->autoRedirect = false;
}
// Allows a user to sign up for a new account
function register() {
if (!empty($this->data)) {
// See my previous post if this is forgien to you
$this->data['User']['password'] = $this->Auth->password($this->data['User']['passwrd']);
$this->User->data = Sanitize::clean($this->data);
// Successfully created account - send activation email
if ($this->User->save()) {
$this->__sendActivationEmail($this->User->getLastInsertID());
// this view is not show / listed - use your imagination and inform
// users that an activation email has been sent out to them.
$this->redirect('/users/register');
}
// Failed, clear password field
else {
$this->data['User']['passwrd'] = null;
}
}
}
/**
* Send out an activation email to the user.id specified by $user_id
* #param Int $user_id User to send activation email to
* #return Boolean indicates success
*/
function __sendActivationEmail($user_id) {
$user = $this->User->find(array('User.id' => $user_id), array('User.id','User.email', 'User.username'), null, false);
if ($user === false) {
debug(__METHOD__." failed to retrieve User data for user.id: {$user_id}");
return false;
}
// Set data for the "view" of the Email
$this->set('activate_url', 'http://' . env('SERVER_NAME') . '/cakenews/users/activate/' . $user['User']['id'] . '/' . $this->User->getActivationHash());
$this->set('username', $this->data['User']['username']);
$this->Email->to = $user['User']['email'];
$this->Email->subject = env('SERVER_NAME') . ' - Please confirm your email address';
$this->Email->from = 'email#gmail.com';
$this->Email->template = 'user_confirm';
$this->Email->delivery = 'smtp';
$this->Email->smtpOptions = array(
'port'=>'465',
'timeout'=>'30',
'host' => 'ssl://smtp.gmail.com',
'username'=>'email#gmail.com',
'password'=>'password',
);
$this->Email->sendAs = 'text'; // you probably want to use both :)
return $this->Email->send();
}
}
/**
* Activates a user account from an incoming link
*
* #param Int $user_id User.id to activate
* #param String $in_hash Incoming Activation Hash from the email
*/
function activate($user_id = null, $in_hash = null) {
$this->User->id = $user_id;
if ($this->User->exists() && ($in_hash == $this->User->getActivationHash()))
{
// Update the active flag in the database
$this->User->saveField('active', 1);
// Let the user know they can now log in!
$this->Session->setFlash('Your account has been activated, please log in below');
$this->redirect('login');
}
// Activation failed, render '/views/user/activate.ctp' which should tell the user.
}
?>
and the model is
/**
* Creates an activation hash for the current user.
*
* #param Void
* #return String activation hash.
*/
function getActivationHash()
{
if (!isset($this->id)) {
return false;
}
return substr(Security::hash(Configure::read('Security.salt') . $this->field('created') . date('Ymd')), 0, 8);
}
}
?>
the views is cakenews\app\views\users\register.ctp
<fieldset>
<legend>Add a article</legend>
<?php
echo $form->create('User');
echo $form->input('username');
echo $form->input('password');
echo $form->input('email');
?>
</fieldset>
<?php echo $form->end('Post project'); ?>
In your controller action activate is handling the user activation. If user is verified it redirects to login action otherwise it will try to render activate.ctp file. So in that case you can just show a message to the user that your registration could not be completed. please try again. To set some data for the view (activate.ctp) you can use controller's set method.
If you don't want to render activate.ctp file at all redirect the user to somewhere else telling registration could not be completed.