CakePHP – Activating User Account via Email

Jonny — Tue, 03 Jun 2008 21:11:20 +0000

Continuing on from my User Registration with the AuthComponent post I’m going to cover how to activate user account’s via email. Before we get down to the code lets look at a simple use case first.

Activating User Accounts Via Email Use Case
Goal: To confirm that users are registering with a valid email address, force them to activate their account before they can log in.

User registers for an account, all validations passes and $User->save() has been called
At this point we flag that the user’s account is pending activation. An email gets sent to the email address the user registered with. The email contains a unique activation link
The user recieves the activation email and clicks the activation link
The system (your website) handles the incoming link, checks that the activation link is correct (the hash matches) and marks the user’s account as “active” – the user can now log in!

Alternative Path: The activation link is rejected by the system (it’s invalid / wasn’t copied correctly) – we present some helpful information to the user.

Time for Some Code!
Okay, let’s start simple – the basic User Table we created in the previous article needs to be expanded to include an “active” flag (boolean) to indicate if the user’s account has been activated yet:

– Table structure for table `users`
CREATE TABLE IF NOT EXISTS `users` (
`id` INT(11) NOT NULL AUTO_INCREMENT,
`username` VARCHAR(20) NOT NULL,
`password` VARCHAR(50) NOT NULL,
`email` VARCHAR(255) NOT NULL,
`active` TINYINT(1) NOT NULL DEFAULT ‘0′,
`created` DATETIME NOT NULL,
`modified` DATETIME NOT NULL,
PRIMARY KEY (`id`)
) ENGINE=INNODB DEFAULT CHARSET=latin1;

Okay, let’s go ahead and hook this into our Users Controller’s login() action to stop “un-activated” users from loging in (after all, that is the primary goal of performing this work).

// Note: not all logic is show!
uses(’sanitize’);
class UsersController extends AppController
{
var $name = ‘Users’;
var $components = array(‘Auth’);
function login() {
// Check for incoming login request.
if ($this->data) {
// Use the AuthComponent’s login action
if ($this->Auth->login($this->data)) {
// Retrieve user data
$results = $this->User->find(array(‘User.username’ => $this->data[‘User’][‘username’]), array(‘User.active’), null, false);
// Check to see if the User’s account isn’t active
if ($results[‘User’][‘active’] == 0) {
// Uh Oh!
$this->Session->setFlash(‘Your account has not been activated yet!’);
$this->Auth->logout();
$this->redirect(‘/users/login’);
}
// Cool, user is active, redirect post login
else {
$this->redirect(‘/’);
}
}
}
}
}
?>

With this login check in place, we now need to sort out sending out the email which will actually “activate” the user’s account for them. Before we start with the controller actions, let’s defined some custom logic in the Model. As a quick side note, I work to the principle of skinny controllers, fat models (and so should you). What this means, in a nutshell – is that any logic which relates to a Model (in our case, generating the Confirmation Link) should be done in the Model – so let’s do that now.

# /app/models/user.php
# please note that validation logic is not shown
Class User extends AppModel
{
var $name = ‘User’;

/**
* Creates an activation hash for the current user.
*
* @param Void
* @return String activation hash.
*/
function getActivationHash()
{
if (!isset($this->id)) {
return false;
}
return substr(Security::hash(Configure::read(‘Security.salt’) . $this->field(‘created’) . date(‘Ymd’)), 0, 8);
}
}
?>

So, incase you didn’t gather, we can grab a unique Activation Hash for any given user by calling $User->getActivationHash() from inside the controller. Let’s just break down what we are doing in the getActivationHash funciton and the reason why we’re doing it.

When we send the email to the user, we are going to send them a link which they can click on to activate their account. If we don’t create unique activation links then users would be able to “guess” or craft activation links for other users, for example, if we didn’t use an activation hash our links may look like this: http://mysite.com/user/activate/jreeves/ – Hmm, well I know that my username is jreeves, so I could guess pretty easily that /users/activate/dchang is going to active someone elses’ account… not great.

So, what is getActivationHash doing? Basically, it’s taking the datetime of when the user created their account (this will be unique for each user), adding in the Day-Month-Year value (so that activation links only last for 24 hours) and combining the whole shebang with the Security.salt value from CakePHP’s core.ini and Hashing it (with either MD5 or SHA-1 depending on your Cake’s settings). In case you are wondering, this process is called salting and it makes any unique value (such as a password, or MD5 hash), almost impossible to guess.

Okay, enough talk, let’s hook this into the register action so that this email gets sent out.

# /controllers/users_controller.php
# please note that not all code is shown…
uses(’sanitize’);
class UsersController extends AppController {
var $name = ‘Users’;
// Include the Email Component so we can send some out :)
var $components = array(‘Email’, ‘Auth’);

// Allow users to access the following action when not logged in
function beforeFilter() {
$this->Auth->allow(‘register’, ‘thanks’, ‘confirm’, ‘logout’);
$this->Auth->autoRedirect = false;
}

// Allows a user to sign up for a new account
function register() {
if (!empty($this->data)) {
// See my previous post if this is forgien to you
$this->data[‘User’][‘password’] = $this->Auth->password($this->data[‘User’][‘passwrd’]);
$this->User->data = Sanitize::clean($this->data);
// Successfully created account – send activation email
if ($this->User->save()) {
$this->__sendActivationEmail($this->User->getLastInsertID());

// this view is not show / listed – use your imagination and inform
// users that an activation email has been sent out to them.
$this->redirect(‘/users/thanks’);
}
// Failed, clear password field
else {
$this->data[‘User’][‘passwrd’] = null;
}
}
}

/**
* Send out an activation email to the user.id specified by $user_id
* @param Int $user_id User to send activation email to
* @return Boolean indicates success
*/
function __sendActivationEmail($user_id) {
$user = $this->User->find(array(‘User.id’ => $user_id), array(‘User.email’, ‘User.username’), null, false);
if ($user === false) {
debug(__METHOD__." failed to retrieve User data for user.id: {$user_id}");
return false;
}

// Set data for the "view" of the Email
$this->set(‘activate_url’, ‘http://’ . env(‘SERVER_NAME’) . ‘/users/activate/’ . $user[‘User’][‘id’] . ‘/’ . $this->User->getActivationHash());
$this->set(‘username’, $this->data[‘User’][‘username’]);

$this->Email->to = $user[‘User’][‘email’];
$this->Email->subject = env(‘SERVER_NAME’) . ‘ – Please confirm your email address’;
$this->Email->from = ‘noreply@’ . env(‘SERVER_NAME’);
$this->Email->template = ‘user_confirm’;
$this->Email->sendAs = ‘text’; // you probably want to use both :)
return $this->Email->send();
}
}
?>

Okay, now we’re cooking – time to create the Email “views” which will be sent out with the emails – in case you are not familiar with the EmailComponent then now would be a good time to refer to the CookBook. So, let’s create the plain text email template which will contain the activation link set above:

# /app/views/elements/email/text/user_confirm.ctp
?>
Hey there = $username ?>, we will have you up and running in no time, but first we just need you to confirm your user account by clicking the link below:

= $activate_url ?>

Phew! The end is in sight, just one more controller action to hook up (and probably the most important one) – /users/activate – I’m sure you can figure out what this is going to do.

# /controllers/user_controller.php
# note that only the activate function is shown…

/**
* Activates a user account from an incoming link
*
* @param Int $user_id User.id to activate
* @param String $in_hash Incoming Activation Hash from the email
*/
function activate($user_id = null, $in_hash = null) {
$this->User->id = $id;
if ($this->User->exists() && ($in_hash == $this->User->getActivationHash()))
{
// Update the active flag in the database
$this->User->saveField(‘active’, 1);

// Let the user know they can now log in!
$this->Session->setFlash(‘Your account has been activated, please log in below’);
$this->redirect(‘login’);
}

// Activation failed, render ‘/views/user/activate.ctp’ which should tell the user.
}
?>

And there we have it, now when your users register they have to confirm their user accounts via Email – job done!

JonnyReeves.co.uk » cakephp user activate email

CakePHP – Activating User Account via Email