Question

I have followed the CakePHP book on hashing passwords using Blowfish encryption, this works, without any problems.

I have now followed this guide, http://www.nikatrex.com/blog/?p=300 , in order to see how to verify my users' email accounts. This works: the email I build contains a link to a path on my site, which then takes the token within the URL string, checks it against the token saved within my database and, if it is right, sets my active and verified database fields to true!

However, it also seems to change my saved Blowfish password, each time I test the link, CakePHP seems to write a new Blowfish hash into the users passwords field.

I know that the salt for Blowfish is generated at run time, so even if the password entered by the user is the same, it will save a different hashed password. That is not my problem; when I verify my user's email, it re-saves the password even though I am not telling it to do so.

So this is my users model to Blowfish the password,

    // Runs before every save(); hashes the password if one is present in the data being saved
    public function beforeSave($options = array()) {
        if (isset($this->data[$this->alias]['password'])) {
            $this->data[$this->alias]['password'] = Security::hash($this->data[$this->alias]['password'], 'blowfish');
        }
        return true;
    } // End of beforeSave

I have built (this is a temp, quick method for now to send email, because for some reason CakePHP email was not working for me, but I think this is down to my LAMP stack config /gmail settings) a simple mail to PHP code, this is the line that sends the link to my user,

  $message .= '<a href="verifymyuser/t:'.$hash.'/n:'.$this->data['User']['email'].'">CLICK HERE</a>';

This is my function that loads when the user clicks the link,

    public function VerifyMe() {
        // Expect the email (n) and token (t) as named parameters from the link in the email
        if (!empty($this->passedArgs['n']) && !empty($this->passedArgs['t'])) {
            $SentEmail = $this->passedArgs['n'];
            $SentToken = $this->passedArgs['t'];

            // Full user record, including the already hashed password
            $GetUserToVerify = $this->User->findByEmail($SentEmail);

            if ($GetUserToVerify['User']['active'] == 0) {
                if ($GetUserToVerify['User']['token'] == $SentToken) {
                    $GetUserToVerify['User']['active'] = true;
                    $GetUserToVerify['User']['token'] = NULL;
                    $GetUserToVerify['User']['verified'] = true;
                    // Saves the whole record, password field included
                    $this->User->save($GetUserToVerify);
                    $this->Session->setFlash('Thank You, your email has been verified successfully, enjoy', 'GoodFlashMsg', array(), 'Good');
                    $this->redirect('/login');
                    exit();
                }
            } else {
                $this->Session->setFlash('You are already verified', 'BadFlashMsg', array(), 'Bad');
                $this->redirect('/');
            }
        }
    }

I am setting 'active' and 'verified' fields in the database, so that if later I want to deactivate the user I can. I am also wiping the 'token' to null, so that if the user changes their email address I can set a new token; I just want to make sure it will be a new token!

I am sure it's down to my model, but I cannot see what is wrong with it; it has an if check for isset on the password field, which isn't set? Unless I am not understanding something about the way data is moving?

Thanks.


Solution

Actually what is happening is hard to find with this information. Try this, hope this will temporarily solve your problem....

    // Restrict the save to these columns; the password field is left untouched
    $this->User->save($GetUserToVerify, array(
        'fieldList' => array('token', 'active', 'verified')));
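The root cause is that findByEmail() returns the full record, hashed password included, and beforeSave() then hashes that hash again when the whole record is passed to save(). The version below, added here as an illustration and not the asker's or answerer's code, saves only the three verification columns (so the password never enters $this->data and beforeSave()'s isset() check is false), uses fieldList as a second guard, and compares the token in constant time. It assumes CakePHP 2.x, PHP 5.6 or later for hash_equals(), and a User model with the columns used on this page (id, email, password, token, active, verified).

```php
<?php
// Added example, not the original poster's code. Assumes CakePHP 2.x,
// PHP >= 5.6 (hash_equals) and a User model with the columns
// id, email, password, token, active, verified.
App::uses('AppController', 'Controller');

class UsersController extends AppController {

    public function verifyMe() {
        if (empty($this->passedArgs['n']) || empty($this->passedArgs['t'])) {
            throw new BadRequestException('Missing verification parameters');
        }
        $sentEmail = $this->passedArgs['n'];
        $sentToken = $this->passedArgs['t'];

        $user = $this->User->findByEmail($sentEmail);

        // Unknown address: same message as a bad token, so the link does not
        // reveal which email addresses have accounts.
        if (empty($user)) {
            $this->Session->setFlash('Verification link is not valid', 'BadFlashMsg', array(), 'Bad');
            return $this->redirect('/');
        }

        if ($user['User']['active']) {
            $this->Session->setFlash('You are already verified', 'BadFlashMsg', array(), 'Bad');
            return $this->redirect('/');
        }

        // No outstanding token, or a mismatch. hash_equals() runs in constant
        // time and avoids PHP's loose == comparison of numeric-looking strings.
        if (empty($user['User']['token'])
            || !hash_equals((string)$user['User']['token'], (string)$sentToken)) {
            $this->Session->setFlash('Verification link is not valid', 'BadFlashMsg', array(), 'Bad');
            return $this->redirect('/');
        }

        // Update only the verification columns. The password is not in the
        // data array, so beforeSave() never sees it and the stored bcrypt hash
        // is left alone; fieldList guards against extra fields being added later.
        $this->User->id = $user['User']['id'];
        $saved = $this->User->save(
            array('User' => array('active' => true, 'verified' => true, 'token' => null)),
            array('validate' => false, 'fieldList' => array('active', 'verified', 'token'))
        );

        if (!$saved) {
            $this->Session->setFlash('Could not verify your account, please try again', 'BadFlashMsg', array(), 'Bad');
            return $this->redirect('/');
        }

        $this->Session->setFlash('Thank You, your email has been verified successfully, enjoy', 'GoodFlashMsg', array(), 'Good');
        return $this->redirect('/login');
    }
}
```

Setting $this->User->id before save() makes Cake issue an UPDATE for that row rather than an INSERT, and passing only the changed columns is what actually keeps beforeSave() from touching the password; the fieldList option is belt-and-braces on top of that.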

Licensed under: CC-BY-SA with attribution