-5

In my table the password is in encrypted form. i used MD5 to encrypt password.now i want to send password if emailid is present in database. everything is working correctly...but the password is sending in encrypted form in email to user.

how i decrypt this before sending email and send original password to useron email.

below is my code..

function forgotpassword() {
        $this->layout = "layout_login";
        if (!empty($this->request->data)) {
            $email = $this->request->data['User']['email'];
            if (!empty($email)) {
                $user = $this->User->find('first', array(
                    'conditions' => array(
                        'User.email' => $this->request->data['User']['email'],
                        'User.status' => 1
                    )
                ));              
                if(!$user) {
                $this->Session->setFlash("No Such E-mail address registerd with us"); 
                } else {                
                $subject = "Account Password from Kaya Dispatch";
                $this->Email->from = 'luckybajpai87@gmail.com';
                $to = trim($this->request->data['User']['email']);
                $this->Email->sendAs = 'both';               
                $this->Email->to = $to;
                $this->Email->subject = $subject;
                $email = $user['User']['email'];  
                $password = md5($user['User']['password']); 
                $message = "";
                $message .= "Please find the below Email ID and Password of your account: <br/><br/>";
                $message .= "<b>Your Email:</b> " .$email. "<br/>";              
                $message .= "<b>Your Password:</b> " . $password . "<br/>";
                $message .= "<br/>Thanks, <br/>Support Team";              
                if ($this->Email->send($message)) {
                    $this->Session->setFlash("Password Send Successfully to your email");
                    } else {
                        $this->Session->setFlash("Something Went Wrong.Email is not send");
                    }
                } 
            }
        }
    }
martin ingle
  • 1
  • 6
  • 3
    never. You cant revert MD5 because it's hach – splash58 May 09 '16 at 13:00
  • 2
    You should never be able to do this. Hashing (you're not using encryption) is one-way, it can't be unhashed. Even if it could be, you should never be able to get the password of your users. – Jonnix May 09 '16 at 13:00
  • 4
    **Sidenote**: It really isn't a great idea to decrypt passwords and send them to users as it's not secure. A better way is to reset the password if users forget their passwords. Also, `md5()` is not secure, use `password_hash()` and `password_verify` instead – Panda May 09 '16 at 13:00
  • 3
    Not a good idea and for too many reasons. What you should be doing is to send a unique token and deleted when they chose their own password (reset) with a hashing function of this century. – Funk Forty Niner May 09 '16 at 13:03
  • 1
    You do realise that EMAIL is possibly the MOST INSECURE mechanism for communicating anything you dont want the whole world to know ___Dont you___ – RiggsFolly May 09 '16 at 13:05
  • 2
    see about BCRYPT at http://stackoverflow.com/questions/37099640/how-do-i-store-user-password-with-bcrypt – Yair.R May 09 '16 at 13:06

1 Answers1

0

If you want make method forgotPassword you can make this in two steps:

First step:

Find user by email and if exist, generate temporary token, we´ll send it to user via mail and we´ll save in database too

View: (Users/forgot_password.ctp)

<?= $this -> Form -> create('User') ?>
  <?= __('Forgot password'); ?>
  <?= $this -> Flash -> render('auth') ?>
  <?= $this -> Form -> input('email' , ['type' => 'text','label' => ['text' => __('Email')]]) ?>
  <?= $this -> Form -> button(__('Send mail'), ['class' => 'btn btn-lg btn-primary btn-block']) ?>
<?= $this -> Form -> end() ?>

Method:

(Users model should have 'passwod_digest' field to save temporary token)

public function forgotPassword() {
    if($this -> request -> is('post')) {

        $user_email = $this -> request -> data['email'];
        if(filter_var($user_email, FILTER_VALIDATE_EMAIL)) {

            $user = $this -> Users -> findByEmail($user_email) -> first();

            if($user){
                $token = sha1($user_email . time());

                $user['password_digest'] = $token;

                $this -> Users -> save($user);

                $email = new Email('default');

                $path = Router::url('/', true);
                $prefix = null;

                if(isset($this -> request -> params['prefix'])) {

                    $prefix = $this -> request->params['prefix'] . DS;

                } 

                $message = __('To regenerate password follow this link: ') . $path . $prefix .'users' . DS . 'resetPassword' . DS . $token;

                $email 
                    -> from([yourAppEmail@yourAppEmail.com => yourAppName])
                    -> to($user_email)
                    -> subject(__('Reset password'))
                    -> send($message);
                $this -> Flash -> success(__('Please check your email'));
            } else{
                $this -> Flash -> error(__('This email not extist in our data base.'));
            }
        } else {
            $this -> Flash -> error(__('It´s not email format.'));
        }
    }
}

The user who recived mail like this:

To regenerate password follow this link:

http ://www.yourAppUrl.com/users/resetPassword/9bf31c7ff062936a96d3c8bd1f8f2ff3

Now we make second step to create new password:

View: (Users/rest_password.ctp)

<?= $this -> Form -> create(null, ['class'=>'form-register', 'error' => false]) ?>
  <?= $this -> Flash -> render('auth') ?>
  <?= $this -> Form -> input('password', ['type' => 'password', 'label' => ['text' => __('Password')]]) ?>
  <?= $this -> Form -> input('confirm_password' , ['type' => 'password', 'label' => ['text' => __('Confirm Password')]]) ?>
  <?= $this -> Form -> button(__('Send'), ['class' => 'btn btn-lg btn-primary btn-block']) ?>
<?= $this -> Form -> end() ?>

Method: 

public function resetPassword() {

    //Check if param exist and exist user with token pass
    if(isset($this -> request -> params['pass'][0]) && $this -> Users -> exists(['password_digest' => $this -> request->params['pass'][0]])) {

        if($this -> request -> is('post')) {

            //Find user with magical function by find by Password Digest 
            $user = $this -> Users -> findByPasswordDigest($this -> request -> params['pass'][0]) -> first();

            $user = $this -> Users -> patchEntity($user, $this -> request -> data);

            $user['password_digest'] = null; //Clean token in data base

            if ($this -> Users -> save($user)) {
                $this -> Flash -> success(__('The new password has been saved!, please Login now with your new password'));
                return $this -> redirect(['action' => 'login']);
            } else {
                $this -> Flash -> error(__('This is not valid password.'));
            }
        } 
    } else {
        //No param or not user with this token
        $this -> Flash -> error(__('This is not valid token.'));
        return $this -> redirect(['controller' => 'Pages', 'action' => 'home']);
    }
}

[EDIT] Don´t forget add this methods to be allowed without registration: 

// In AppController.php    
public function beforeFilter(Event $event) {

    //Autorized acctions without registration   
    $this -> Auth -> allow(array('forgotPassword', 'resetPassword'));
}

Or 

//In UsersController.php
public function beforeFilter(Event $event) {

    parent::beforeFilter($event);
    $this -> Auth -> allow(['forgotPassword', 'resetPassword']);
}
Jacek B Budzynski
  • 1,393
  • 1
  • 7
  • 13