Module/Register: Fix email activation if cache is disabled

FusionWowCMS · Apr 30, 2024 · 73c9479 · 73c9479
1 parent 8579ae4
commit 73c9479
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 28 deletions.
diff --git a/application/modules/install/SQL/fusion_final_full.sql b/application/modules/install/SQL/fusion_final_full.sql
@@ -911,6 +911,8 @@ CREATE TABLE `pending_accounts` (
   `username` varchar(255) DEFAULT NULL,
   `email` varchar(255) DEFAULT NULL,
   `password` varchar(255) DEFAULT NULL,
+  `secret_key` VARCHAR(255) DEFAULT NULL,
+  `secret_iv` VARCHAR(255) DEFAULT NULL,
   `timestamp` int(11) DEFAULT NULL,
   `ip` varchar(255) DEFAULT NULL,
   `key` varchar(255) DEFAULT NULL,

diff --git a/application/modules/register/models/Activation_model.php b/application/modules/register/models/Activation_model.php
@@ -6,11 +6,16 @@ public function add($username, $password, $email): string
     {
         $random_string = bin2hex(random_bytes(32));
         // Generate unique key
-        $key = sha1($username . $email . $password . time() . $random_string);
+        $key  = sha1($username . $email . $password . time() . $random_string);
+
+        $_key = hash('sha256', bin2hex(random_bytes(50)));
+        $_iv  = substr(hash('sha256', bin2hex(random_bytes(50)), 0, 16));
 
         $data = [
             'username' => $username,
-            'password' =>  $this->encrypt($username, $password),
+            'password' =>  $this->encrypt($username, $password, $_key, $_iv),
+            'secret_key' =>  $_key,
+            'secret_iv' =>  $_iv,
             'email' => $email,
             'timestamp' => time(),
             'ip' => $this->input->ip_address(),
@@ -31,7 +36,7 @@ public function getAccount($key)
             $row = $query->getResultArray();
 
             if(isset($row[0]['password']))
-                $row[0]['password'] = $this->decrypt($row[0]['username'], $row[0]['password']);
+                $row[0]['password'] = $this->decrypt($row[0]['username'], $row[0]['password'], $row[0]['secret_key'], $row[0]['secret_iv']);
 
             return $row[0];
         }
@@ -55,41 +60,25 @@ public function remove($id, $username, $email)
      * @param string $string
      * @param string $action
      * @param string $username
+     * @param string $secret_key
+     * @param string $secret_iv
      * @return bool|string $output
      */
-    private function crypt(string $string, string $action, string $username): bool|string
+    private function crypt(string $string, string $action, string $username, string $secret_key, string $secret_iv): bool|string
     {
-        // Get keys cache
-        $keys = $this->cache->get('register_activation_keys_' . $username);
-
-        // Cache isn't available, generate keys
-        if($keys === FALSE)
-        {
-            $keys = [
-                'secret_key' => bin2hex(random_bytes(50)),
-                'secret_iv'  => bin2hex(random_bytes(50))
-            ];
-
-            // Save the keys for later
-            $this->cache->save('register_activation_keys_' . $username, $keys);
-        }
-
         $encrypt_method = 'AES-256-CBC';
-        $_key           = hash('sha256', $keys['secret_key']);
-        $_iv            = substr(hash('sha256', $keys['secret_iv']), 0, 16);
 
         // Initialize output
         $output = false;
 
         switch($action)
         {
             case 'e':
-                $output = base64_encode(openssl_encrypt($string, $encrypt_method, $_key, 0, $_iv)); # encrypt string
+                $output = base64_encode(openssl_encrypt($string, $encrypt_method, $secret_key, 0, $secret_iv)); # encrypt string
                 break;
 
             case 'd':
-                $output = openssl_decrypt(base64_decode($string), $encrypt_method, $_key, 0, $_iv); # decrypt string
-                $this->cache->delete('register_activation_keys_' . $username . '.cache');                # delete related cache keys
+                $output = openssl_decrypt(base64_decode($string), $encrypt_method, $secret_key, 0, $secret_iv); # decrypt string
                 break;
         }
 
@@ -100,21 +89,25 @@ private function crypt(string $string, string $action, string $username): bool|s
      * Creates a hash of the password we enter
      * @param string $username
      * @param string $password
+     * @param string $secret_key
+     * @param string $secret_iv
      * @return bool|string
      */
-    private function encrypt(string $username, string $password): bool|string
+    private function encrypt(string $username, string $password, string $secret_key, string $secret_iv): bool|string
     {
-        return $this->crypt($password, 'e', $username);
+        return $this->crypt($password, 'e', $username, $secret_key, $secret_iv);
     }
 
     /**
      * Decrypt hashed password we enter
      * @param string $username
      * @param string $password
+     * @param string $secret_key
+     * @param string $secret_iv
      * @return bool|string
      */
-    private function decrypt(string $username, string $password): bool|string
+    private function decrypt(string $username, string $password, string $secret_key, string $secret_iv): bool|string
     {
-        return $this->crypt($password, 'd', $username);
+        return $this->crypt($password, 'd', $username, $secret_key, $secret_iv);
     }
 }