I created a PayPal IPN listener script for a subscribe button. Everything works fine, but the password that PayPal sends is hashed. The hash function is this:
<?php echo crypt("password", "nw"); ?>
It is described here: https://stackoverflow.com/a/17780339/789186. But in my task I need to store the password using SHA-256 hashing. So, I am unable to use the hashed password generated by PayPal.
Is there any alternative to generating a new password in my script and creating an MD5 hash from it?
You could build the creation of a un/pw into your sign up form. Save the un/pw to your database prior to sending the user over to PayPal for payment. Include your local record ID in the request so that it comes back in IPN, and then you can update the existing record using that record ID within an IPN script.
Yeah. Don't use the PayPal userid/password generation feature. It's more or less useless. What I do is register the username via his email address when I've received both the 'signup' and the first payment, in a state where the password isn't valid (LDAP feature), and send him an email telling him to use the system's 'password reset' feature to set his initial password, with an appropriate expiring link.
Related
I am implementing an email verification service, with the purpose of confirming that the person registering is indeed the owner of that email address (specifically, that they work at the organisation that the email domain belongs to).
I will send an email post-registration with a single-use link in it that will set their status to verified = 1.
Users can choose to register and log-in using either a simple email/password combination, or by using the Google Sign In service.
My question is: do I need to verify the ones that have registered with Google Sign In? In order to provide their email address to me, they had to sign in with Google, who then confirmed the address. Is there anything I've missed here, or can I immediately consider these users to be the verified owners of these addresses?
If you are using Google sign-in there is no need to verify the user.
Whereas if you have your own login system, then you must verify the email, because if the email is not verified then you cannot have a forgotten-password feature through email, and also the user might not have actually had the email, so anyone else could create the same email, and if you have forgotten-password through email someone else could easily access others' data.
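The single-use verification link from the question above, and the expiring password-reset link mentioned in an earlier answer, both rest on the same token mechanism. This is an added example, not code from any poster: the store is an in-memory dict standing in for a database table, the route prefix and the 24-hour lifetime are assumptions, and only the SHA-256 digest of the token is stored so that a dumped table cannot be turned back into valid links.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 24 * 3600          # assumed lifetime of an emailed link

# Constructed in-memory stand-ins for two database tables.
USERS = {42: {"email": "alice@example.org", "verified": 0}}
TOKENS = {}   # sha256(token) -> {user_id, purpose, expires_at, used}


def issue_link(user_id, purpose, now=None):
    """Mint a single-use, expiring token and return the link to email.

    Only the SHA-256 digest is stored, so a leaked TOKENS table cannot be
    replayed as a valid link; the raw token exists only in the email.
    """
    now = time.time() if now is None else now
    raw = secrets.token_urlsafe(32)                       # 256 bits of entropy
    digest = hashlib.sha256(raw.encode()).hexdigest()
    TOKENS[digest] = {"user_id": user_id, "purpose": purpose,
                      "expires_at": now + TOKEN_TTL_SECONDS, "used": False}
    return "https://example.org/%s?token=%s" % (purpose, raw)   # assumed route


def consume_token(raw, purpose, now=None):
    """Validate and burn a token; return the user id, or None on any failure.

    A token is rejected if unknown, minted for a different purpose (a
    verify-email token must not reset a password), expired, or already used.
    """
    now = time.time() if now is None else now
    digest = hashlib.sha256(raw.encode()).hexdigest()
    rec = TOKENS.get(digest)
    if rec is None or rec["purpose"] != purpose:
        return None
    if rec["used"] or now > rec["expires_at"]:
        return None
    rec["used"] = True          # burn first, then act: the link is one-shot
    return rec["user_id"]


def verify_email(raw, now=None):
    """Endpoint behind the emailed link: set verified = 1 exactly once."""
    user_id = consume_token(raw, "verify-email", now)
    if user_id is None:
        return False
    USERS[user_id]["verified"] = 1
    return True
```

A reset-password link uses the same two functions with purpose "reset-password"; the handler behind it should then invalidate the user's other outstanding tokens as well.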
I'm configuring Keycloak email verification for my website. I found the settings to require email verification for signups but that doesn't fit my use-case.
My website can be used without verified email, but some functions may be disabled. So when a user registers, I would like to send email verification emails but the user should logon regardless of actual verification. When a user chooses a function in the site that requires verified email, I want to have a link to resend the verification email.
I think this is not possible with the standard Keycloak features. I'm not sure how to go about implementing this. Perhaps it is possible with a custom SPI or API? I'm not very proficient with Java and JBoss but with some good examples and pointers I could give it a try to implement it.
How to make this work? Any help is welcome.
I have set up a magento store of my own for my business of grocery products.
I have almost configured each and everything.
I have a mail server and can have as many email addresses as I require.
I have a theme set up for the store.
While a user tries to log in and has forgotten a password, there is a link to click saying "Forgot Password".
On clicking it, it displays "An email has been sent to your account with new password details."
I know this will not send an email as I have to configure entire system.
I do not want to send a new password by email. Instead I want to send a link. On clicking this link, the user can go to it and have an option of password reset.
Please help me with this. It will be much much appreciated.
Magento's standard "Forgot Password" functionality works exactly as you've described - it sends a link to the user to reset his or her password - it doesn't just send a new password.
Magento uses Zend_Mail to send emails. By default, Zend_Mail will use PHP's mail() function (via Zend_Mail_Transport_Sendmail), which will usually send emails via sendmail or similar, depending on the PHP configuration.
If you have your own mail server that you'd prefer to use, you can configure Magento to use SMTP. This does require some code, but, luckily, there are some good extensions out there that already do this, like aschroder/Magento-SMTP-Pro-Email-Extension.
I have a website where a user can login using MVC5 Identity. (Although this question is not specific to that technology)
For a user to register with this website we must have spoken to them over the phone and an account manager must go through a registration form which sets up an "unverified" account for the user.
Following this the user is sent an email verification link, along with a generated password to login. The registration you would normally fill out pre-login is done post-login.
So I was wondering if in this scenario I can simply treat the user's first login as email verification because the only way they get their password is from the email.
Is there any way this could be exploited and open up any security holes/allow validation without owning the email?
Edit:
Wanted to add the password is temporary (expires after a fixed period) and the user will be able to drop into a password reset form and have a new one emailed if they don't do it in time. If the user has given us the wrong email I assume most will phone us.
I do not see this having any exploitation or holes and you are right to think this can be used as the email verification. Try it, and see how it works. Maybe after the temporary password is typed the user is prompted to type in a new password of their choosing.
At http://docs.developer.intuit.com/0025_Intuit_Anywhere/0010_Getting_Started/0030_Integrate_your_app/0030_Signing_Into_and_out_of_Intuit_From_Within_Your_App/Sign-in/Implement_SSO_and_OpenID_in_Your_App
it says the following:
"Intuit does not verify the user email address associated with the user's OpenID account. Therefore, do not use the email address for authentication and do not link user accounts based on email address."
What does it mean "do not use the email address for authentication"? I mean, isn't the user already authenticated through OpenID?
Also it says that the user email address is not verified. But what if my app needs to send an email to a user that has logged through OpenId. How can I be sure the user will actually get the email? What is the recommended pattern to handle that?
Thanks
EDIT: also, can I use the email to uniquely identify a user, and if not, what should I use to uniquely identify a user from the OpenID response?
EDIT 2: also, is the developer charged when a user logs in with OpenID and the 36-day trial expires? Or is it just when using the "Connect to QuickBooks" that the developer is charged, in which case OpenID authentication itself is free?
Clement,
It means when a customer goes to the Intuit Appcenter and creates an account the email is not verified immediately, so you cannot single sign on a user based only on their email address if they already have an account in your system. You need to prompt them to login one time to map the two accounts.
If they are completely new then you can auto provision an account on your side and single sign them in, if you require the customer to verify their email address then you can send them a verification email.
thanks
Jarred