diff --git a/libraries/Ion_auth.php b/libraries/Ion_auth.php index c0635234b..345357bd0 100644 --- a/libraries/Ion_auth.php +++ b/libraries/Ion_auth.php @@ -264,7 +264,7 @@ public function register($identity, $password, $email, $additional_data = [], $g return FALSE; } - // deactivate so the user much follow the activation flow + // deactivate so the user must follow the activation flow $deactivate = $this->ion_auth_model->deactivate($id); // the deactivate method call adds a message, here we need to clear that diff --git a/models/Ion_auth_model.php b/models/Ion_auth_model.php index 867fb0fc1..f6a942339 100644 --- a/models/Ion_auth_model.php +++ b/models/Ion_auth_model.php @@ -46,18 +46,31 @@ class Ion_auth_model extends CI_Model /** * activation code - * + * + * Set by deactivate() function + * Also set on register() function, if email_activation + * option is activated + * + * This is the value devs should give to the user + * (in an email, usually) + * + * It contains the *user* version of the activation code + * It's a value of the form "selector.validator" + * + * This is not the same activation_code as the one in DB. + * The DB contains a *hashed* version of the validator + * and a selector in another column. + * + * THe selector is not private, and only used to lookup + * the validator. + * + * The validator is private, and to be only known by the user + * So in case of DB leak, nothing could be actually used. + * * @var string */ public $activation_code; - /** - * forgotten password key - * - * @var string - */ - public $forgotten_password_code; - /** * new password * @@ -359,11 +372,42 @@ public function rehash_password_if_needed($hash, $identity, $password) } } + /** + * Get a user by its activation code + * + * @param bool $user_code the activation code + * It's the *user* one, containing "selector.validator" + * the one you got in activation_code member + * + * @return bool|object + * @author Indigo + */ + public function get_user_by_activation_code($user_code) + { + // Retrieve the token object from the code + $token = $this->_retrieve_selector_validator_couple($user_code); + + // Retrieve the user according to this selector + $user = $this->where('activation_selector', $token->selector)->users()->row(); + + if ($user) + { + // Check the hash against the validator + if ($this->verify_password($token->validator, $user->activation_code)) + { + return $user; + } + } + + return FALSE; + } + /** * Validates and removes activation code. * - * @param int|string $id - * @param bool $code if omitted, simply activate the user without check + * @param int|string $id the user identifier + * @param bool $code the *user* activation code + * if omitted, simply activate the user without check * * @return bool * @author Mathew @@ -372,40 +416,14 @@ public function activate($id, $code = FALSE) { $this->trigger_events('pre_activate'); - $token = $this->_retrieve_selector_validator_couple($code); - - if ($token !== FALSE) - { - // A token was provided, we need to check it - - $query = $this->db->select([$this->identity_column, 'activation_code']) - ->where('activation_selector', $token->selector) - ->where('id', $id) - ->limit(1) - ->get($this->tables['users']); - - if ($query->num_rows() === 1) - { - $user = $query->row(); - - if ($this->verify_password($token->validator, $user->activation_code)) - { - $data = [ - 'activation_selector' => NULL, - 'activation_code' => NULL, - 'active' => 1 - ]; - - $this->trigger_events('extra_where'); - $this->db->update($this->tables['users'], $data, ['id' => $id]); - return TRUE; - } - } + if ($code !== FALSE) { + $user = $this->get_user_by_activation_code($code); } - else - { - // A token was NOT provided, simply activate the user + // Activate if no code is given + // Or if a user was found with this code, and that it matches the id + if ($code === FALSE || ($user && $user->id === $id)) + { $data = [ 'activation_selector' => NULL, 'activation_code' => NULL, @@ -2644,6 +2662,7 @@ protected function _get_hash_algo() /** * Generate a random selector/validator couple + * This is a user code * * @param $selector_size int size of the selector token * @param $validator_size int size of the validator token @@ -2677,7 +2696,7 @@ protected function _generate_selector_validator_couple($selector_size = 40, $val /** * Retrieve remember cookie info * - * @param $user_code string + * @param $user_code string A user code of the form "selector.validator" * * @return object * ->selector simple token to retrieve the user in DB