Fixed password recovery email to use new HMAC scheme. Closes boxmeup#93

cjsaylor · Feb 26, 2012 · 16e6ff3 · 16e6ff3
1 parent e150e37
commit 16e6ff3
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 3 deletions.
diff --git a/app/config/routes.php b/app/config/routes.php
@@ -29,6 +29,7 @@
 
 	// Application
 	Router::connect('/dashboard', array('controller' => 'containers', 'action' => 'dashboard'));
+	Router::connect('/forgot_login/*', array('controller' => 'users', 'action' => 'qr_login'));
 
 	// Feedback plugin
 	Router::connect('/feedback', array('plugin' => 'feedback', 'controller' => 'communicate', 'action' => 'index'));

diff --git a/app/controllers/users_controller.php b/app/controllers/users_controller.php
@@ -108,6 +108,10 @@ public function forgot_password() {
 			if($this->User->verifyEmail($this->data['User']['email'])) {
 				$new_password = $this->User->resetPassword($this->data['User']['email']);
 				if($new_password) {
+					$apiKey = ClassRegistry::init('Api.ApiUser')->getApiKey($this->User->getUserIdByEmail($this->data['User']['email']));
+					$secretKey = ClassRegistry::init('Api.ApiUser')->getSecretKey($apiKey);
+					$dynKey = base64_encode(date('c'));
+					$hash = sha1($dynKey . $secretKey);
 					$this->Email->to = $this->data['User']['email'];
 					$this->Email->subject = 'Boxmeup Password Recovery';
 					$this->Email->replyTo = 'no-reply@boxmeupapp.com';
@@ -116,7 +120,9 @@ public function forgot_password() {
 					$this->Email->sendAs = 'text';
 					$this->set(array(
 						'password' => $new_password,
-						'api_key' => ClassRegistry::init('Api.ApiUser')->getApiKey($this->User->getUserIdByEmail($this->data['User']['email']))
+						'api_key' => $apiKey,
+						'dynamic_key' => $dynKey,
+						'hash' => $hash
 					));
 					$this->Email->send();
 				}

diff --git a/app/views/elements/email/text/forgot_password.ctp b/app/views/elements/email/text/forgot_password.ctp
@@ -10,4 +10,13 @@ Your recovery key is: <?php echo $password; ?>
 Follow this link to sign in and reset your password:
 
 
-<?php echo 'http://boxmeupapp.com/users/qr_login/' . $api_key; ?>
+<?php echo 'http://boxmeupapp.com/forgot_login/' . $api_key . '/' . $dynamic_key . '/' . $hash; ?>
+
+
+Please note: this login is only valid for 15 minutes.
+
+
+Thanks,
+
+
+Boxmeup Team
diff --git a/app/views/users/forgot_password.ctp b/app/views/users/forgot_password.ctp
@@ -9,7 +9,7 @@
 		echo $form->end();
 	?>
 		<br/>
-		Enter your registered email address will reset your password and send a new password to the registered email address.
+		Entering your registered email address will reset your password and send a new password to the registered email address.
 <?php } else { ?>
 	<p>Forgot password feature is temporarily unavailable.</p>
 <?php } ?>