In my system the registrations will not be allowed for any users. They must be invited by email.

I need to validate that the user is active on the system. To do this, the users will receive an email with a certain url that validates their account.

This url (route) could contain the user identification and their validation code saved in the database after "pre-registration".

hostname/accountConfirm?user=token&cod=userCodeSavedOnTheDatabase

The token must be generated from user email.

How can I generate the token and check it to identify the user?

Alexandre Thebaldi

2 Answers

1

I'd recommend using something like this for generating the code

$code = bin2hex(openssl_random_pseudo_bytes(40));

Store this in the database with any other info you might need to identify the user. Validate the code during registration, and either remove it afterwards or invalidate it somehow (e.g. set a "used" flag)

rjdown
1

Generate a random string like this and use the user email as a cipher; that is one option, or you can use any built-in PHP functions to generate a token.

$pool = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
$token = '';
for ($i = 0; $i < 8; $i++) {
    // mt_rand() is not a CSPRNG; random_int() is the cryptographically secure choice
    $token .= substr($pool, mt_rand(0, strlen($pool) - 1), 1);
}
// McryptCipher is not a built-in PHP class; this assumes a wrapper keyed on the user's email
$cipher = new McryptCipher($user_email);
$encrypted_token = $cipher->encrypt($token);

As far as the validation goes, you can choose to save the token and some user data into a table, maybe add an expiry time to the token and a cleanup function to delete expired registrations and spam registrations. Another option would be to save the temporary registration into a file.

$expire_time = time() + 1800; // 30 min
$pending_registration = json_encode(['token' => $encrypted_token, 'user' => $user_email, 'expire' => $expire_time]);

file_put_contents('/path/to/file', $pending_registration);

Send an email confirmation to the user with a link to the validation. In the validation process, you would normally retrieve the parameters from the url:

$token = $_GET['token'];
// additional param
// decrypt the token
$token = $cipher->decrypt($token);
$file = file_get_contents('/path/to/file');

and validate the token, the token expiration and the user_email like you would normally do....

if ($valid_token) {
    // save user, redirect to login
} else {
    // return response invalid token
    return json_encode(['statusCode' => 400, 'errorMessage' => 'Invalid ...', 'urltorequestnewtoken' => 'http://...']);
}

Saving pending registrations into a temporary file is just another way to minimize spam and bots cluttering your database, just like you would use a captcha. Hope this helps.

mdamia
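Pulling both answers together, here is an added PHP example (not code from either answer) that issues a token from the CSPRNG, stores only its SHA-256 hash with an expiry, and checks it in constant time as single-use; the user identifier in the link only selects the stored row, the random token is the secret, so nothing needs to be derived from the email. An in-memory array stands in for the database table, and all function and variable names are assumptions.

```php
<?php
// Added example: confirmation tokens with a CSPRNG, hashed storage, expiry and
// constant-time comparison. $pending stands in for a database row (constructed here).

const TOKEN_TTL_SECONDS = 1800; // 30 minutes, as in the answer above

/** Issue a token for $email; returns [raw token for the email link, row to store]. */
function issueConfirmation(string $email, int $now): array
{
    $rawToken = bin2hex(random_bytes(32));          // 256 bits from the CSPRNG, not mt_rand()
    $row = [
        'user'       => $email,
        'token_hash' => hash('sha256', $rawToken),   // store the hash only: a DB leak yields no usable token
        'expires_at' => $now + TOKEN_TTL_SECONDS,
        'used'       => false,
    ];
    return [$rawToken, $row];
}

/** Build the link for the email; 'user' selects the row, 'cod' carries the secret. */
function confirmationUrl(string $base, string $email, string $rawToken): string
{
    return $base . '/accountConfirm?' . http_build_query(['user' => $email, 'cod' => $rawToken]);
}

/** Validate a presented token against the stored row; null on success, else the rejection reason. */
function checkConfirmation(array &$row, string $presentedToken, int $now): ?string
{
    if ($row['used']) {
        return 'already used';
    }
    if ($now > $row['expires_at']) {
        return 'expired';
    }
    // hash_equals() runs in constant time, so response timing does not leak how many bytes matched
    if (!hash_equals($row['token_hash'], hash('sha256', $presentedToken))) {
        return 'invalid token';
    }
    $row['used'] = true;                             // single use: mark consumed (or delete the row)
    return null;
}

// Constructed walk-through: issue, then check a wrong token, the real one, and a replay of it.
$now = time();
[$raw, $pending] = issueConfirmation('alice@example.com', $now);
echo confirmationUrl('https://hostname', 'alice@example.com', $raw), "\n";
var_dump(checkConfirmation($pending, 'deadbeef', $now));   // rejected: wrong token
var_dump(checkConfirmation($pending, $raw, $now));         // accepted
var_dump(checkConfirmation($pending, $raw, $now));         // rejected: replay of a consumed token
```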