modifiedcontent Posted November 29, 2020

The modules don't really work for me. I have a custom login and registration process directly in template files and just want to add password reset. I don't need admin etc. The following works:

```php
<?php
if ($user->isLoggedin()) {
    $session->logout();
    $session->redirect('/');
} else {
    $note = ''; // initialised so the check below never reads an undefined variable
    if ($input->post->submitforgot) {
        $email = $input->post->useroremail;
        if (filter_var($email, FILTER_VALIDATE_EMAIL)) {
            // look the account up by email address, then fall through to its name
            $finduser = $users->get("email=" . $email);
            $founduser = $finduser->name;
        } else {
            // not an email address: treat the input as a username
            $founduser = $input->post->useroremail;
        }
        if ($users->get($founduser)->id) {
            $lostmember = $users->get($founduser);
            $note = 'We found your account. Check your inbox for an email with a password reset link.';
            $pass = passworder(8); // passworder() is the poster's own helper (not shown)
            $activation = md5($pass . "randomstringhereforextraprotection");
            $lostmember->of(false);
            $lostmember->activation = $activation;
            $lostmember->save();
            $lostmember->of(true);
            $activationlink = 'https://' . $config->httpHost . $_SERVER['REQUEST_URI'] . '?key=' . $activation . '#join';
            $message = strip_tags(wirePopulateStringTags($pages->get('/join')->passreset_message, [
                'fullname'     => $lostmember->fullname,
                'activatelink' => $activationlink,
                'username'     => $lostmember->name,
            ]));
            $mail->send($lostmember->email, 'My Website<admin@mywebsite.com>', 'Your password reset link', $message);
        } else {
            $note = 'Member does not exist. What are you even doing here?';
        }
    }
    if ($note) {
        echo $note;
    } else {
?>
<form action='<?php echo $config->urls->root; ?>#forgot' method=post id=forgotpass autocomplete=on>
    <section class=field>
        <label for=useroremail>Email or username</label>
        <input id=useroremail type=text name=useroremail placeholder='' autocomplete=username required>
    </section>
    <input type=submit name=submitforgot value='reset password' />
</form>
<?php
    }
}
?>
```

My PHP knowledge is very limited - I don't understand namespace, hooks, etc. etc.

I have to start from a basic proof-of-concept and then improve on that as needed. Are there obvious mistakes in the code above? Obvious security risks? The process is really slow; it takes forever after clicking submit to find the user in the database. Could the code be more efficient? Any comments / suggestions much appreciated.
netcarver Posted November 30, 2020

Hi @modifiedcontent have you considered just using Ryan's ProcessForgotPasswords module that is already part of PW and just loading it in your template file and having it take care of things for you? I've not tried it myself in my own template files but it is certainly possible. Something like this might work for you on your reset page template (totally untested, but you seem to be willing to experiment)...

```php
<?php
if ($user->isLoggedin()) {
    $session->logout();
    $session->redirect('/');
} else {
    $pfp = wire()->modules->get("ProcessForgotPassword");
    $pfp->useInlineNotices = true;
    $pfp->emailFrom = 'your-from-address@your.domain';
    echo $pfp->execute();
}
```

There are several other settings like 'useInlineNotices' that are documented in the module from lines 17-28, linked here. You'll be better served using this core module if you can, rather than writing something yourself.

If you do want to use this as a learning opportunity, and decide to go with your own code then I'd suggest research in the following areas: CSRF tokens, session variables, cryptographically secure random number generators, MD5 weaknesses and password hashing.
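To illustrate the CSPRNG and MD5 points in the list above, here is an added example in plain PHP that is neither netcarver's code nor ProcessWire's API: the reset token is generated with random_bytes(), only its hash is stored, it expires, and it is compared in constant time. The array record and the field names reset_hash and reset_expires are assumptions standing in for wherever the user page stores them.

```php
<?php
// Added example: a reset-token scheme to replace md5($pass . "randomstring...").
// Storage is a plain array here; on a ProcessWire user page you would save
// the hash and expiry in fields of your own (names below are assumptions).
declare(strict_types=1);

const RESET_TOKEN_TTL = 3600; // token lifetime in seconds (one hour)

// Issue a token for one user. The raw token goes into the emailed link only;
// the record keeps a SHA-256 hash, so a leaked database does not leak tokens.
function issueResetToken(array &$userRecord): string {
    $token = bin2hex(random_bytes(32));                    // CSPRNG, 256 bits
    $userRecord['reset_hash']    = hash('sha256', $token);
    $userRecord['reset_expires'] = time() + RESET_TOKEN_TTL;
    return $token;
}

// Check the value from ?key=... Valid exactly once and only before expiry.
function consumeResetToken(array &$userRecord, string $presented): bool {
    if (empty($userRecord['reset_hash']) || empty($userRecord['reset_expires'])) {
        return false;                                      // nothing outstanding
    }
    if (time() > $userRecord['reset_expires']) {
        clearResetToken($userRecord);                      // expired: discard it
        return false;
    }
    // hash_equals() compares in constant time; both sides are 64-char hex digests
    $ok = hash_equals($userRecord['reset_hash'], hash('sha256', $presented));
    if ($ok) {
        clearResetToken($userRecord);                      // single use
    }
    return $ok;
}

function clearResetToken(array &$userRecord): void {
    $userRecord['reset_hash']    = null;
    $userRecord['reset_expires'] = null;
}

// Constructed demo record (not real data)
$member = ['name' => 'alice', 'email' => 'alice@example.com'];
$token  = issueResetToken($member);
$link   = 'https://example.com/join?key=' . urlencode($token) . '#join';
var_dump(consumeResetToken($member, 'not-the-token')); // bool(false)
var_dump(consumeResetToken($member, $token));          // bool(true)
var_dump(consumeResetToken($member, $token));          // bool(false): already used
```

Once the token is accepted, set the new password through ProcessWire's own password field rather than hashing it yourself, since that field handles the hashing.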
modifiedcontent Posted November 30, 2020

Thanks @netcarver. I could not figure out how to use that ProcessForgotPasswords module. There were no instructions anywhere. It looks like it depends on other modules or assumes your login/register process is structured a certain way. Thanks for the other suggestions. Replacing md5() was going to be next.