Change the customer password field Magento - magento

Can anybody explain how Magento customer login works?
In fact, I have a bit of a weird situation. I need to copy all the customers from an existing website to a new Magento website (I want my customers to use the same username and password to log in to the new website). I know how the passwords have been encrypted in the old website (using the normal php encrypt() function with salt) but I can't decrypt them. So I thought of adding a new field in the customer account called 'oldpassword' (I followed this blog to create a new field in the customer account).
What I want now is, when importing the customers, to save the old encrypted passwords in the 'oldpassword' field. When a customer tries to log in, it should match the password with the oldpassword field using the old encryption method. If the password matches, it should generate the standard Magento password and save that in the default password field. So the next time the customer tries to log in, it should check if the default password field is not empty, then just log in normally.
ADDED
Still waiting for help
I have overwritten the customer->advanceContoller but not quite sure what changes to make in loginPostAction.

Please go to page: app/code/core/Mage/Customer/Model/Customer.php
You can see function public function authenticate($login, $password)
Also you can see
/**
 * Validate password with salted hash
 *
 * @param string $password
 * @return boolean
 */
public function validatePassword($password)
{
    if (!($hash = $this->getPasswordHash())) {
        return false;
    }
    return Mage::helper('core')->validateHash($password, $hash);
}

/**
 * Encrypt password
 *
 * @param string $password
 * @return string
 */
public function encryptPassword($password)
{
    return Mage::helper('core')->encrypt($password);
}

/**
 * Decrypt password
 *
 * @param string $password
 * @return string
 */
public function decryptPassword($password)
{
    return Mage::helper('core')->decrypt($password);
}
Please check this file.
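
The login-time migration described in the question, as an added example that is not part of the original posts and is not Magento's own code: check the legacy hash once, then store a hash in the md5(salt . password):salt layout that validateHash() on this page expects. Assumptions: the old site hashed with PHP's crypt(), customer rows are plain arrays, all function names are hypothetical, and hash_equals() is used here for the comparison.

```php
<?php
// Stand-alone model of the migration; customer rows are plain arrays. In Magento 1
// the same branch would sit where Mage_Customer_Model_Customer::validatePassword() runs.

// Same layout as getHash()/validateHash() on this page: md5(salt . password) . ':' . salt
function magentoHash($password, $salt)
{
    return md5($salt . $password) . ':' . $salt;
}

function magentoValidate($password, $hash)
{
    $parts = explode(':', $hash);
    if (count($parts) !== 2) {
        return false; // this sketch accepts only the salted form
    }
    return hash_equals($parts[0], md5($parts[1] . $password));
}

// Assumption: the old site used PHP crypt(), which re-reads algorithm and salt
// from the stored value.
function legacyValidate($password, $legacyHash)
{
    return hash_equals($legacyHash, (string) crypt($password, $legacyHash));
}

// Returns true on a successful login; upgrades the row on the first legacy match.
function loginWithMigration(array &$customer, $password)
{
    if (!empty($customer['password_hash'])) {
        return magentoValidate($password, $customer['password_hash']);
    }
    if (empty($customer['oldpassword']) || !legacyValidate($password, $customer['oldpassword'])) {
        return false;
    }
    $salt = bin2hex(random_bytes(8)); // hex salt never contains the ':' separator
    $customer['password_hash'] = magentoHash($password, $salt);
    $customer['oldpassword'] = null;  // retire the legacy hash once upgraded
    return true;
}

// Constructed sample row: an imported customer that has only a legacy hash.
$customer = array(
    'password_hash' => null,
    'oldpassword'   => crypt('s3cret-Legacy', '$1$constsal$'),
);
var_dump(loginWithMigration($customer, 'wrong-guess'));   // legacy check fails, row untouched
var_dump(loginWithMigration($customer, 's3cret-Legacy')); // legacy match, row upgraded
var_dump(loginWithMigration($customer, 's3cret-Legacy')); // standard hash path from now on
```

random_bytes() needs PHP 7 or later; on older runtimes a different source of random salt characters has to be substituted.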

Related

typo3 extbase validate for multiple records

I have written one extbase plugin, that creates the FE users from front end form.
The create action is something like this
/**
 * action create
 *
 * @param \TYPO3\Usermanagement\Domain\Model\Users $newUsers
 * @return void
 */
public function createAction(\TYPO3\Usermanagement\Domain\Model\Users $newUsers) {
    $this->usersRepository->add($newUsers);
}
Here I want to validate for same username or email already exists or not.
How can I do this ?
Any suggestions ?
Thank you.
You don't need to bind a $newUser as an action's param, instead you can just read some fields using $this->request->hasArgument('something') and $this->request->getArgument('something') to validate properties yourself, and create new user object manually like.
public function createAction() {
    $newUsers = new \TYPO3\Usermanagement\Domain\Model\Users();
    // do something with $newUsers object...
    $this->usersRepository->add($newUsers);
}
It will not throw an exception in case when there's no valid user object in the request, so it will allow you to handle form's error as you want/need.
It will also allow you to use some preprocessing before saving ie hashing/salting passwords.

Magento - Forgotten password link generation is using incorrect store view

Does anybody know where I might find the functions for where a forgotten password reset link is generated in the email that is sent to the user?
For some odd reason mine is generating the reset password link with a different store view in the URL than the store view that was used to reset the password.
The link should be:
example.com/customer/account/resetpassword/?id=555&token=55555555555555555
But it is being generated as such:
example.com/otherStoreView/customer/account/resetpassword/?id=555&token=55555555555555555
To fix this, open the file "app\code\local\Mage\Customer\Model\Customer.php".
Look for the function sendPasswordResetConfirmationEmail(). It is near the line 685.
This function looks like this:
/**
 * Send email with reset password confirmation link
 *
 * @return Mage_Customer_Model_Customer
 */
public function sendPasswordResetConfirmationEmail()
{
    $storeId = $this->getStoreId();
    if (!$storeId) {
        $storeId = $this->_getWebsiteStoreId();
    }
    $this->_sendEmailTemplate(self::XML_PATH_FORGOT_EMAIL_TEMPLATE, self::XML_PATH_FORGOT_EMAIL_IDENTITY,
        array('customer' => $this), $storeId);
    return $this;
}
In this function, Magento is getting the store id where the user was registered, but we need the store id where he made the password reset request. We just need to remove some lines and add a new one:
public function sendPasswordResetConfirmationEmail()
{
    # this will get the current store ID
    $storeId = Mage::app()->getStore()->getStoreId();
    $this->_sendEmailTemplate(self::XML_PATH_FORGOT_EMAIL_TEMPLATE, self::XML_PATH_FORGOT_EMAIL_IDENTITY,
        array('customer' => $this), $storeId);
    return $this;
}
This worked for me, I hope it helps.
The email template for that is:
app/locale/langcode_COUNTRYCODE/template/email/account_password_reset_confirmation.html
And the line that generates the URL is
{{store url="customer/account/resetpassword/" _query_id=$customer.id _query_token=$customer.rp_token}}

How to get order store config variable in Admin

I created a module where it return via xml the payment details in Magento Admin order page.
It works very well with a single store config data.
But if I have different payment credentials for store ID 1 and store ID 2 [e.g. for backoffice key 1111-1111-1111-1111 (store 1) and another 2222-2222-2222-2222 (store 2)], I can only return the default values for the admin view with this function...
$subent_id = Mage::getStoreConfig('payment/multibancopayment/subentidade');
Does anyone know how I can get store-specific data based on the order's store ID?
Example: in the admin order page details, if the order was made in store 1 I need 1111-1111-1111-1111, but if it was made in store 2, I need 2222-2222-2222-2222. For now I'm just getting default values with the function above.
Did you try
$subent_id = Mage::getStoreConfig('payment/multibancopayment/subentidade', $storeIdHere);
See /app/Mage.php
/**
 * Retrieve config value for store by path
 *
 * @param string $path
 * @param mixed $store
 * @return mixed
 */
public static function getStoreConfig($path, $store = null)
{
    return self::app()->getStore($store)->getConfig($path);
}
Entire class here

How to decrypt magento enterprise edition password?

I just noticed magento enterprise and community both edition uses different algorithms for storing password. I know community edition uses md5. Can anyone tell me which mechanism is used in enterprise edition and how can we decrypt enterprise password if we want to migrate to community edition?
I think it's on your app/etc/local.xml or app/etc/enterprise.xml on Magento EE
The Decrypt function On Magento Enterprise Edition
/**
 * Decrypt a string
 *
 * @param string $data
 * @return string
 */
public function decrypt($data)
{
    return str_replace("\x0", '', trim($this->_getCrypt()->decrypt(base64_decode((string)$data))));
}
and
/**
 * Instantiate crypt model
 *
 * @param string $key
 * @return Varien_Crypt_Mcrypt
 */
protected function _getCrypt($key = null)
{
    if (!$this->_crypt) {
        if (null === $key) {
            $key = (string)Mage::getConfig()->getNode('global/crypt/key');
        }
        $this->_crypt = Varien_Crypt::factory()->init($key);
    }
    return $this->_crypt;
}
it seems like the same function on Enterprise Edition or Community Edition.
You should ask the Magento Enterprise Edition's owner for the crypt key and decrypt it with CE. It would be fine, because I'm sneaking a look at Magento Enterprise Edition's code and the code is the same as Community Edition (for encryption/decryption).
added after comment 1:
/**
 * Hash a string
 *
 * @param string $data
 * @return string
 */
public function hash($data)
{
    return md5($data);
}

/**
 * Validate hash against hashing method (with or without salt)
 *
 * @param string $password
 * @param string $hash
 * @return bool
 * @throws Exception
 */
public function validateHash($password, $hash)
{
    $hashArr = explode(':', $hash);
    switch (count($hashArr)) {
        case 1:
            return $this->hash($password) === $hash;
        case 2:
            return $this->hash($hashArr[1] . $password) === $hashArr[0];
    }
    Mage::throwException('Invalid hash.');
}
Hashes are one way encryption. You're not supposed to be able to decrypt the password.
Basic operations for passwords:
The customer signs up for an account and enters a password. The system adds a salt, encrypts the password and stores the resulting password hash in the database.
The customer logs in, enters the password. The system adds a salt, encrypts the password and compares the generated password hash with the stored password hash. When the hashes are equal, the login system knows the customer knows the password without actually knowing the password itself.
So, if one system uses SHA1 and another uses old, expired MD5, the only way you can get the password back into the system is to have the customer reenter the password so the new hash algorithm gets invoked and the new hash gets stored.
You have the Enterprise source code, write a module that uses the Enterprise hashing function to store and compare the passwords and you'll have CE with an updated, security enhanced method to store passwords and should be able to bring the password hashes over from the old site.
Some additional information:
The encryption method used is found in the Mage_Core_Model_Encryption class.
Three functions of interest are:
public function hash($data)
public function getHash($password, $salt = false)
public function validateHash($password, $hash)
Function Code From 1.7.x.x
public function hash($data)
{
    return md5($data);
}

public function getHash($password, $salt = false)
{
    if (is_integer($salt)) {
        $salt = $this->_helper->getRandomString($salt);
    }
    return $salt === false ? $this->hash($password) : $this->hash($salt . $password) . ':' . $salt;
}

public function validateHash($password, $hash)
{
    $hashArr = explode(':', $hash);
    switch (count($hashArr)) {
        case 1:
            return $this->hash($password) === $hash;
        case 2:
            return $this->hash($hashArr[1] . $password) === $hashArr[0];
    }
    Mage::throwException('Invalid hash.');
}
It appears that both CE and Enterprise use the same routines, you will have to check that out as you have the Enterprise code.
Changing the encryption key in your app/etc/local.xml file to match the key in your Enterprise version and then importing the Enterprise data into the CE database will allow access to encrypted data. Passwords, though, are stored as hashes (see above function blocks) and are non-reversible due to that. The pertinent section in local.xml where the encryption key is stored:
<crypt>
    <key><![CDATA[-encryption-key-here-]]></key>
</crypt>
We also moved to a different system with a different password algorithm. What we did was indeed like Fiasco suggests:
-> write a custom module that overwrites Magento_Core_Model_Encryption and change the hash function to match the algorithm of the encrypted passwords.
In your module config:
<global>
    <helpers>
        <core>
            <encryption_model>MyCompany_Module_Model_Encryption</encryption_model>
        </core>
    </helpers>
</global>
I have done a successful migration from Magento Enterprise to Magento Community in the past. If the passwords are salted you will not be able to decrypt them to use them for Magento Community.
Your best option is to send out a mass newsletter saying people have to change their password OR auto generate a password for each customer and send it to them.
They should both use MD5.
Perhaps one has salt and one doesn't - but it will be backwards compatible.

Drupal: Getting user name on user account page without breaking performance

I have multiple blocks shown on the user profile page, user/uid
On each of them, I need to print the user name.
I've been doing a $user = user_load(arg(1)); print $user->name; on each block. Since there is no caching, as you can imagine the performance is HORRIBLE.
Is there either a way to get the user name more efficiently or to cache user_load.
Thanks.
Just add an intermediate function to provide the static caching yourself:
/**
 * Proxy for user_load(), providing static caching
 * NOTE: Only works for the common use of user_load($uid) - will NOT load by name or email
 *
 * @param int $uid - The uid of the user to load
 * @param bool $reset - Whether to reset the static cache for the given uid, defaults to FALSE
 * @return stdClass - A fully-loaded $user object upon successful user load or FALSE if user cannot be loaded.
 */
function yourModule_user_load_cached($uid, $reset = FALSE) {
    static $users = array();
    // Do we need to (re)load the user?
    if (!isset($users[$uid]) || $reset) {
        $users[$uid] = user_load($uid);
    }
    return $users[$uid];
}
Use menu_get_object(), which is the proper way to retrieve an object (user, node, etc.) loaded from the URL of a properly declared page. It will return the user object that has already been loaded using the uid found at arg(1) for a menu item which uses %user in its path (i.e. $items['user/%user'], $items['user/%user/view'], etc. in user_menu()).
$account = menu_get_object('user');
The user is a global.
function myfunction() {
    global $user;
}
