Invitation code and users database in Wordpress - database

I need your precious help. I'm working hard on organizing a contest linked to a wordpress site. That's the way it should work:
There's a contest. The user have to register as new user in WP (there's also the Facebook Connect/Open Graph) to enter the contest.
When a new user register himself, the system sends him an email: "Congratulations! You are a new user. Here there are some invitation codes (or links) to invite your friends. If they register here with the invitation code (or link), you'll receive a gift".
How can i do this workflow? I need to generate some codes (or links) every time a new user enter the WP site and assign them (linking those data to the users). I need to know if a new user (called B) comes to my site thanks to another user (called A), in order to give to A a gift.
Thank you guys.

You must make a frontend registration. Then, after user is registered you send him an email like www.yourdomain.com/register?uid=his_id(link to te registration form with his id as a parameter).
The when he passes the link to his friend B, friend B is registering and you check if there's a $_GET['uid']. It yes you add him a meta containing the id.
To make a front-end registeration, you should check this article.
For mail sending you could use wp_mail() function.
For passing params in the url and accessing you must be familiar with $_GET
For adding a meta for an user you must use the add_user_meta(). function.
The above steps are not necessarily difficult if you know basic PHP and willing to learn from Wordpress codex.

We created a plug called Cm Invitation Codes that allows you to assign codes per groups. This way you can know from which site each registration is coming and control also the number of user registration from a specific site. Try CM Invitation Code in WordPress Plugin Directory http://wordpress.org/extend/plugins/cm-invitation-codes/

Related

Firebase, Changing User password via Email with unique password requirements

Currently, Firebase offers the option to send an email to a users email who wishes to change their password. Unfortunately, Firebase does not allow you to edit their password requirements which I believe is locked at requiring only 6 characters.
For many people this is inadequate and insecure.
I recently made an application that allows users to create quizzes either for themselves or for others. In this application, I stores personal information of my users and I wanted to make sure that their accounts were secure so I required more from my passwords. Unfortunately, when a user wishes to change their email, the default Firebase function does not keep my security which leads to confusion as a user can change their passwords according to Firebase's lax constraints but then they still couldn't log in because they used an invalid password. (I blocked invalid passwords from the text box before even checking with Firebase).
After I encountered this error, I came to StackOverflow for help to see if anyone else had this issue and came up with a solution. Unfortunately, I was met with harsh criticism and harassment by users who claim to be Firebase officials and Administrators who did not care about my question.
Then, I after a week of research and testing, I found the solution using React and 3rd party libraries to handle this.
Please, see my answer below and if you have a more creative solution, I would be interested in seeing that as well.
To solve this problem, the only answer is to create your own mailer service with your own basic mailer service, host website, and API.
What you need:
An application which uses Firebase.
A hosted API which uses Firebase and a 3rd party Mailer such as Node with NodeMailer - hosted on Heroku
A React app which can communicate with the API
What I did:
First, I created my API which accepts calls from my specified IP addresses. This API can receive requests to reset a password when the password is known or unknown. When the password is known, I send an email to the user using NodeMailer and I send a special HTML file so the email looks official. It is quite easy to copy the layout of Firebase's emails if you wish.
More Info can be found here: https://nodemailer.com/message/
Then, I created a React App that is hosted on Heroku. When the user clicks a link in the email, it will send them to this website with the required information in the query. This app, much like when the Firebase link is clicked is just a simple text box and submit button. However, now you can customize it to require password confirmation with a second text box. You can also add a company logo and custom colors so it isn't so HTML 1 looking like the link you see from Firebase. Most importantly, you can now control the password that the user enters to add your unique requirements.
On submit, the app will send the new password, username and old password if available to the API.
If you do not know how to create a React App or a Node API, you can see a detailed tutorial here: https://www.techandstartup.com/tutorials/build-api-with-node-express-and-mongodb
Finally, the API can log into the users account if a password is present and then change the password. Detailed steps can be seen from: https://www.codegrepper.com/code-examples/javascript/firebase+user+change+password
If a current password is not present, then the API can delete the user and recreate it with the desired password. Deleting a user can be seen: https://www.codegrepper.com/code-examples/javascript/firebase+delete+user Then you simply recreate a user. Example code: https://www.codegrepper.com/search.php?q=firebase%20createUserWithEmailAndPassword
With these steps, you can now send a password reset email to a user. The email will be completely unique as you will be designing it yourself. The password will be to your exact specifications as your React App will control the data on submit. And the page itself will look much more user friendly as it's not the default Firebase page.
Hopefully this helps you or your company with working around the Firebase reset password with email function. I am still holding out hope that another user may have a more elegant or basic solution than this as creating an API and hosting a website just for 1 function is not appealing in many cases.

Send email with reset password link based on project

I have two projects where both of them use same firebase project. My problem is I want forgot password in both of the projects and both of them should point to different url in the respective project. Any help will be appreciated.
What I have achieved?
I have done forgot password for the first project and I get a email with link, for the second project I want email with different link (I am getting same link).
Any help will be appreciated.
There is only one password reset template per Firebase project, so you can't use the built-in template password reset flow to send different emails to different users in a single project. This usually isn't a problem, as the apps in a Firebase project are meant to be part of a single logical application.
If your use-case must use a single Firebase project, have a look at implementing a custom email handler, which is the page that the email links to.
If that is not enough, you can take control of the complete password reset flow yourself. This gives you full control of the emails that are sent, but does mean that you also have to arrange how to send that email and all actions from it yourself. For the actual password change, you'd then typically use the Admin SDK to update the user profile in a trusted environment.

Does exposing a user's uid in the url pose a security threat for Firebase?

I've got a small review system built in AngularJS and Firebase and the only way to identify which review is made by which user is via the uid of the user. The idea is when you then click on the user's name, you should be taken to the profile of that user.
So I would then create a route looking like /profile/{{review.author.uid}} which could translate into /profile/facebook:123234243 for example.
My question is, does it pose a security threat showing the uid in the url like this? Can it be used for any malicious actions against a user's third party account etc?
I've tried looking through their website but I can't find anything on this subject.
EDIT: Note that I need a Firebase specific answer, not a generic one about database id:s.

Integrate SurveyMonkey in an existing community

I have a cakePHP community. User are able to signup and login. I like to create a survey using SurveyMonkey.
Therefor I create the survey and make it available to my members using the direct URL. In my member database I have to save the information "did completed the survey = yes/no".
Is there any way to identify the user filling in the survey and write this information into the database?
SurveyMonkey has an API https://developer.surveymonkey.com/ , that let you collect info from your survey (completedf or not).
This is the only way i think, (if it s not include in your website).
I know that you can simply do this with Examinare Survey Tool. What you do first is that you use the API inside Examinare to add a recipient for all the users in the survey base.
Use the PHP Wrapper library in their developer site.
Loop it through and use the https://developer.examinare.com/php-wrapper-library/ and use the example code.
If you let people register with same email more than 1 time then save the ContactID into your database on the recipient.
Then to not create an email invite you use this : markrecipientstosurvey
The surveyID is available inside the Examinare account.
When you done this script part then make it as a cronjob for instance inside the crontab -e
I would run it every 30 minutes or 1 per hour.
Next part you create a page for the survey redirect where you use the function: listsurveysbyuser
to get the survey version and url
(there is a special link for the mobile user that even works for the normal mobile phone NOT only smartphones)
Now you just redirect them to the survey. If you want them to return to your site after then you use the redirect_url parameter that is added to the url or use the redirect inside your account. Ask support about that if you need :) They are fast... Never had to wait more than a couple of minutes.
When the person return then just check if they are marked as complete with the same api call: listsurveysbyuser
Looks much but it is very easy to implement and if you have any problems then just ask the support at support#examinare.com I have asked alot and never had them to say that it can not be done. Really nice!
EDIT:
I see that they just released a tutorial much better than my example:
https://developer.examinare.com/how-to-use-surveys-in-cakephp-with-very-little-development/
One option:
Use unique Custom Variables in the URL that is visited by each member of the community
For example, https://www.surveymonkey.com/s/your_survey?userid=$my_user_id
Note that you can create weblink or email collectors with the API (endpoints: create_flow or create_collector).
Then track the responses using the get_respondent_list or get_responses endpoints of the API.
Note: Please confirm with the Survey Monkey API team that the custom variables can be read via the API.
Another option:
Use the email collector (create_flow) API endpoint and send it to your members' email addresses.

Prevent multiple user registrations to game a referral system

I'm working on a free service web application where a user registers with username, email, password... standard user account stuff. There is a referral system where if the user refers three other users to sign up (using their referral code) the original user gets account upgrades.
There is incentive to game this by creating three other accounts using their referral code. Any ideas on how to prevent this? Could block IP or use a cookie but these seem like they are easily defeated. I want to make it easy for a user to create an account so I'd rather not do anything that requires extensive effort in account creation.
You could send them a text message and make them reply via text message or email from the mobile.

Resources