-
Notifications
You must be signed in to change notification settings - Fork 296
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Email activation, login and reset password. #682
Comments
Ok, just saw the |
I solved it that way : Firstly, define After that, my class public function findAuth(Query $query, array $options = [])
{
$identifier = Hash::get($options, 'username');
if (empty($identifier)) {
throw new \BadMethodCallException(__d('Missing \'username\' in options data'));
}
$where = $query->clause('where') ?: [];
$query
->where(function ($exp) use ($identifier, $where) {
$or = $exp->or_([$this->aliasField('email') => $identifier]);
return $or->add($where);
}, [], true);
return $query;
} My class public function login()
{
$this->set('titleForLayout', __('Sign in'));
$this->getEventManager()->on(UsersAuthComponent::EVENT_AFTER_LOGIN, function (Event $event, $data) {
if($data['active'] === false) {
$this->RememberMe->destroy($event);
$this->Auth->logout();
return $this->redirect('/users/confirmEmail');
}
});
parent::login();
} I do not know if this is the way to go but it certainly address my issues. |
I remember some discussion regarding a similar issue, and at the end we need to keep some balance between usability and security, we should not provide messages that could expose existing user names to attackers, in this case an attacker could determine a valid username that is not yet activated because he would get a specific message. I like the way you did, checking first the user/pw is correct and then forcing a redirect to validate the token for accounts not yet validated. In this case we could even go to a more detailed page that shows exactly what happened to the user. I'll mark this ticket as improvement. Thanks, |
What is this ticket status? Any updates? I got he same scenario in the Cake4 version of the plugin. In my opinion, we could simplify the process a little bit. ....
|
@jtraulle do you have an example of the confirmEmail() method? Is the user required to re-enter his username/email? |
@mstroink The /**
* Display a simple page to instruct user to validate his/her account
*
* @return void
*/
public function confirmEmail()
{
$this->set('titleForLayout', __('Confirm your email address'));
} The corresponding view is just a basic message instructing the user to click on the link sent via email to validate its account. When the user click on the link, its account is validated and it needs to authenticate to login 🙂 |
@steinkel can we close this? |
This is a :
If I am not wrong, the same
token
field is used in database to validate the user email address when usingUsers.Email.validate
and when the user request to reset password.So, if a user :
users/src/Model/Behavior/AuthFinderBehavior.php
Line 58 in 601e483
users/src/Model/Behavior/AuthFinderBehavior.php
Lines 30 to 35 in 601e483
In my opinion, when a user logs in, the plugin should first check if username and password are correct, then, if user is not activated, display a specific error message.
On the other hand, if the user request to reset its password and his/her account is not active, then, the plugin should :
The text was updated successfully, but these errors were encountered: