I have a client who wants her WordPress users to be able to retrieve their username/password even in the unlikely event, that they have forgotten both their username, password AND email address. Instead, they want the users to be able to retrieve their login info based on user meta data.
Users are created through a CSV-import, and their private email addresses are stored under a 'user_private_email' user_meta key. Users are invited to join the site via this mail address, but when they log in the first time, they are prompted to enter their work email. So this overwrites $user_email in wp_user.
My question is: How do I get WP to also check the get_user_meta($user_id, 'user_private_email', true); variable, and use this to resend the login info?
Related
Lots of questions about email verification here on SO, but none seem to cover my scenario.
We would like to add users ourselves after an intake meeting. Our representative has a form to enter some details like company name, VAT number, contact data (which contains an email field), ... This data is saved in Firestore.
After this, an email is sent to the supplied email address which contains a link that takes the user to a form where his/her email address is displayed with a password and a password confirmation input field. When submitting this field, the user is created.
But now the user receives an email asking to confirm their email address. I assume, for security and privacy reasons, there's no way I can set the user's email address as verified.
I've looked at customizing the verification email, but that doesn't seem to solve my problem.
Creating the user with a random password after the intake meeting also doesn't seem to be a solution, as the user still has to verify and then reset the password in 2 steps. Or can I somehow redirect after the email verification to the 'set password' page? That would be an acceptable solution.
Is there any way to achieve the desired flow described above?
As a general workflow, you could achieve this using a Cloud Function along with either database system. You can also make use of App Check to further secure this process.
Representative adds base user information in their portal. Store the data securely in the database of your choice.
Send the user an invite email containing a short-lived verification token linked with the email added by the representative (this could be generated and fired off using an onCreate Cloud Function once the invitee's data is added to the database). This token should follow some standard like JWT so you can deserialize the contained email address or be exchangeable for the underlying email address.
When user clicks/copies the link to their browser, present them with an input form asking for the desired email and password. Note: the email field should be editable! The rep may have used an email the new user doesn't want to use with your platform.
If the token is still valid and not consumed, continue with the next steps.
If the token has expired and not consumed, send another email to reconfirm their email and restart this step.
If the token is already consumed, show an error and don't continue.
Submit the email, password and emailed token to your backend via a Callable Cloud Function.
Sign the user in using the authentication token returned by the function on success. Show an error otherwise.
In the callable function for creating the user:
Confirm the request comes from your app (if using App Check)
Confirm the validity of the emailed token
Pull the data the representative entered from the database linked with the emailed token's original email address.
Using that data, the updated email, the new password, and emailVerified=true, call the createUser API.
Using the User ID from the returned UserRecord, create the user's profile data in the database and also create a Custom Authentication Token.
Once their data has been created and the token generated, return the authentication token as the result of the request.
I have a requirement where I need to log in a new user to a Meteor application by default, and take the user to the reset password route after that.
I looked into this documentation, but I don't think it would apply here, because the password is not known. Here's my use case in detail :-
A user invites another new user by providing the invited user's email ID. The application sends email invite to the user, asking them to be taken to a route which normally requires logging into the application.
The new user who receives the email invite, is not yet signed up with the application. So, they need to pick a password to log in to the invited area of the application.
Currently, I am using the meteor-useraccounts:core package; to trigger the resetPasswd route for FlowRouter. Using the onSubmitHook, one can redirect the user to the proper location after successful reset of the password.
However, I am not able to figure out how to first log in the user automatically. Because if the user is not logged in, the reset password page won't open. Instead, it would show some error, indicating unauthorized action.
How could a link be sent via mail to the invited user, which would automatically log in the user?
I looked into this documentation, but I don't think it would apply
here, because the password is not known.
That is right, and because of that, in order to achieve that you have to create an account for that e-mail at the time the user enters a link sent by e-mail. Or create the account at time of invitation.
So possible solutions:
1) create an account for an e-mail provided in query (http://app/login?email=blabla#google.com) for a route, random password, reset password e-mail sent immediately after the login. (create login automatically login the user). That would also required some security key, so that no-one could create lots of accounts on different e-mail addresses.
2) create account at time of invitation, take random password and send it as a query parameter of the link sent to the invited user. When user enters the site, you take that password (and e-mail) and login him with that, and immediately send reset password for that e-mail
I am working on a wordpress site. I am selling a digital course on it.
Users interested in the course will pay locally via bank and send me payment details. so after i confirm their payment i will like to add their email and phone number also generate a unique code like password to append the email.
So they can enter their email and the password i gave to them to enter part of the site where they have access to the course materials.
$password = wp_generate_password( 8 );
This function creates password randomly
Given the following scenario:
I have an email address.
I want the owner of that email address to click on a link that I send to him by email.
The page that I want the user to visit must be protected by a password, this password can be included in the mail that I send to him.
The site that the user is interacting with is using the simple membership provider for the regular users, but I don't want to use that system for this special one time visitor, as it leads to more tasks administering and cleaning up.
What are my alternatives?
When you send the email to the user, generate a random password and save it in the table against the email address. You will also store some unique id that you will pass it to the link you provide in the email. This unique id in the url will be used to identify the email address and also the one time password (OTP). It is also better to have an expiry date for the password. So your database table will have the following columns.
Unique Link Id
Email address
One Time Password
Expiry Date
That's it. When the link is clicked, access the unique id, ask OTP to the user and validate.
I am developing an ASP.Net application that will need to verify that the user is legit and not a spam. Once the new user enters their first name, last name, email address, my application will send an email to verify the user's authenticity. The email would conatin a link that would confirm the users account.
I am looking help on what the logic is behind the email link. Once the user clicks the link, what happens?
I have had a website that has used Captcha, and not had much luck stopping spam (I know you can't stop 100% spam) similar to this Stopping spammers from creating accounts (reCaptcha not doing the trick)
As Rook has pointed out below, the simplest way is to use Captcha.
If you need to verify the email as well though, see below.
You could generate an approval GUID and pass it to the email URL which would mark the User as Active.
For example, add a column called ApprovalID to the users table and generate a new GUID when the user registers, i.e.
You should mark the user as inactive at this stage.
Example Guid 3F2504E0-4F89-11D3-9A0C-0305E82C3301
Then pass the User Id and GUID in the email body
Verify your account
Then a simple page verify.aspx
Code Behind
string UserId = Request[UserId].ToString(); // You can parse these as Guids
string ApprovalId = Request[ApprovalId].ToString();
TODO:
// Get user from database
// Match QueryString ApprovalId to Column ApprovalId
// Ask user to Log In
// Set user as active
Sending a confirmation link doesn't do anything to stop spam. Emailing someone a link with a Cryptographic Nonce just insures that they can receive email, bots can also receive email.
The best way stop spam is by using capthca, and I recocmend using reCapthca. You should prompt the user with a capthca when a user signs up for your service.