You shouldn't store a raw password and you shouldn't send an email containing a password. You could instead send an email with a signed URL that lands the user on a view to set their own password, or another similar flow (SMS etc.).
Best way to store a raw password along with the bcrypt password for guest users who want to create an account
Hi, I have a guest checkout option where users enter details like name, email, mobile and other details, and there is an option to select the checkbox "Create an account with these details". If the user selects this and selects the payment gateway, then on webhook or success I should send an email to the created user with an automatically created password; for this I should store the raw password. What is the best way to encode the password and decode it?
Does this flow sound good?
- Create one signed URL
- Create a form if I run that URL
- The user will enter the password using that form and create only the password.
- This link should not expire, because the user can click that link and create the password at any time
Is this fine?
I think it’s worth considering expiring the token, security-wise; you don’t want some link that gives access to an account to be out there for too long. Maybe after the token expires you can ask the user whether he would like to generate a new link by clicking a button.
Thank you
Sounds a lot better yep
@deekshith You shouldn’t be storing plaintext passwords anywhere. You shouldn’t send plaintext passwords by email, either.
Instead, send the user an email saying an account’s been created for them, tell them they need to set a password, and that they can do this using the reset password route.
Sure. Thank you.
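The signed-link flow the replies describe (sign a URL that carries the user id and an expiry, verify both before showing the set-password form, and offer a fresh link once it has expired), as an added example that is not code from this thread. It is plain PHP so it runs without Laravel; `buildSetupUrl`, `verifySetupUrl`, the `SECRET` constant and the `https://shop.example/set-password` address are assumptions for illustration. In a Laravel app the same thing is built in: `URL::temporarySignedRoute()` creates the link and the `signed` route middleware (or `$request->hasValidSignature()`) checks it.

```php
<?php
// Added example (not the thread's code): an expiring, HMAC-signed
// "set your password" link. No password is ever stored or emailed;
// the user chooses their own password on the page the link opens.

declare(strict_types=1);

// Placeholder for illustration; in Laravel this would be APP_KEY.
const SECRET = 'replace-with-a-long-random-secret';

// Build a URL carrying the user id and an expiry, then sign the whole URL
// so that changing any parameter (user, expires) invalidates the signature.
function buildSetupUrl(string $base, int $userId, int $ttlSeconds, int $now, string $secret): string
{
    $unsigned  = $base . '?' . http_build_query(['user' => $userId, 'expires' => $now + $ttlSeconds]);
    $signature = hash_hmac('sha256', $unsigned, $secret);
    return $unsigned . '&signature=' . $signature;
}

// Returns the user id the link was issued for, or null if the link is
// forged, tampered with, or expired.
function verifySetupUrl(string $url, int $now, string $secret): ?int
{
    // Strip the trailing signature to recover exactly the string that was signed.
    $unsigned = preg_replace('/&signature=[0-9a-f]{64}$/', '', $url, 1, $count);
    if ($count !== 1) {
        return null; // no signature present
    }
    parse_str((string) parse_url($url, PHP_URL_QUERY), $q);
    if (!isset($q['user'], $q['expires'], $q['signature'])) {
        return null;
    }
    $expected = hash_hmac('sha256', $unsigned, $secret);
    if (!hash_equals($expected, (string) $q['signature'])) {
        return null; // tampered or forged: constant-time compare, reject
    }
    // The expiry is covered by the signature, so it can be trusted once verified.
    if ((int) $q['expires'] < $now) {
        return null; // expired: show a "send me a new link" button instead
    }
    return (int) $q['user'];
}

// Demo run: issue a 24-hour link for user 42, then check it in three situations.
$now  = time();
$link = buildSetupUrl('https://shop.example/set-password', 42, 24 * 3600, $now, SECRET);

$results = [
    'one hour later'  => verifySetupUrl($link, $now + 3600, SECRET),
    'two days later'  => verifySetupUrl($link, $now + 2 * 24 * 3600, SECRET),
    'user id changed' => verifySetupUrl(str_replace('user=42', 'user=7', $link), $now, SECRET),
];
foreach ($results as $label => $userId) {
    printf("%-16s %s\n", $label, $userId === null ? 'rejected' : "user $userId");
}
```

With these inputs the first check yields user 42 and the other two are rejected (expired, and signature mismatch after the user id was edited). Two points worth carrying into a real implementation: the link should become single-use once the password is set (Laravel's password reset does this by storing a hashed token and deleting it on use; alternatively include something in the signed string that changes when the password is set), and the "generate a new link" action should re-issue a link to the stored email address only, never to an address supplied in the request.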
I have a guest checkout option where, if the user enters details and selects "create account with these details", I add that user to the DB with an auto-created password like below.
At first the user is created like below:
if ($data['createaccount'] == 0) {
    $orderType = "Guest";
    $usercreate = User::create([
        'user_type' => "G",
        'name' => $request->username,
        'email' => $request->useremail,
        'mobile' => $request->usermobile,
        'active_status' => 1,
    ]);
} else {
    $orderType = "Normal";
    $userPassword = generatePassword();
    $usercreate = User::create([
        'role_id' => 2,
        'user_type' => "N",
        'name' => $request->username,
        'email' => $request->useremail,
        'mobile' => $request->usermobile,
        'password' => bcrypt($userPassword),
        'token' => generateToken(),
        'otp_status' => 1,
        'active_status' => 1,
    ]);
    if ($usercreate) {
        Auth::loginUsingId($usercreate->id, TRUE);
        Mail::to($request->useremail)->send(new \App\Mail\RegisterEmail($usercreate, $userPassword, "Guest"));
    }
}
Then the user should select a mode of payment; in the online payment section I have code like below:
} elseif ($payment_method == "Online Payment") {
    $onlineorderdata = [
        'user_id' => $usercreate->id,
        'order_type' => $orderType,
        "order_no" => $get_order_id,
        "address_id" => $address_id,
        "billing_id" => $billing_address_id,
        "bill_same_status" => $bill_same_as_address,
        "coupon_id" => session()->get('coupon')['couponid'] ?? 0,
        "coupon_price" => $couponAmount,
        "shipping_price" => $shippingPrice,
        "subtotal" => $subTotal,
        "offerprice" => $offerPrice,
        "total_price" => $totalPrice,
        "mode" => $request->payment_type,
        "order_status" => "Pending",
        "pay_status" => "Pending",
        "order_date" => date('Y-m-d'),
    ];
    // return $onlineorderdata;
    $order = Order::create($onlineorderdata);
    foreach ($cart_items as $cartitem) {
        $ordercart = new CartOrder;
        $ordercart->cart_id = $cartitem->id;
        $ordercart->order_id = $order->id;
        $ordercart->save();
    }
    $order_id = $order->id;
    $order_no = $get_order_id;
    $myAddress = Order::with('myaddress')->where('id', $order->id)->first();
    $myBillAddress = Order::with('mybillingaddress')->where('id', $order->id)->first();
    $myAddressVal = ($myAddress) ? $myAddress->address : '';
    $myBillAddressVal = ($myBillAddress) ? $myBillAddress->address : '';
    $arr = array(
        'receipt' => 'order_rcptid_'.$order_id,
        'amount' => $totalPrice * 100,
        'currency'=> 'INR',
        'payment_capture' => 1,
    );
    $orderId = $this->api->Order->create($arr);
    $razorpayOrderId = $orderId['id'];
    $displayAmount = $amount = $orderId['amount'];
    $logourl = url('websiteimages').'/'.'App\Setting'::getSettings()['logo'];
    $data = [
        "key" => $this->razorKey,
        "amount" => $totalPrice * 100,
        "name" => "Website",
        "description" => "websiteOnline Payment",
        "image" => $logourl,
        "prefill" => [
            "name" => $usercreate->name,
            "email" => $usercreate->email,
            "contact" => $usercreate->mobile,
        ],
        "notes" => [
            "address" => $myBillAddressVal,
            "merchant_order_id" => $order_id,
            "slotdate" => date('Y-m-d', strtotime($slotdate)),
            "slottime" => $slottime,
        ],
        "theme" => [
            "color" => "#F37254"
        ],
        "order_id" => $razorpayOrderId,
    ];
    $data['display_currency'] = 'INR';
    $data['display_amount'] = $displayAmount;
    $jsondata = json_encode($data);
    $callbackurl = url('payment-status');
    $cancelurl = url('payment-cancel'); ?>
    <form method="POST" name="redirect" action="https://api.razorpay.com/v1/checkout/embedded">
        <input type="hidden" name="key_id" value="<?php echo $this->razorKey; ?>">
        <input type="hidden" name="order_id" value="<?php echo $razorpayOrderId; ?>">
        <input type="hidden" name="name" value="<?php echo $data['name']; ?>">
        <input type="hidden" name="description" value="<?php echo $data['description']; ?>">
        <input type="hidden" name="image" value="<?php echo $data['image']; ?>">
        <input type="hidden" name="prefill[name]" value="<?php echo $data['prefill']['name']; ?>">
        <input type="hidden" name="prefill[contact]" value="<?php echo $data['prefill']['contact']; ?>">
        <input type="hidden" name="prefill[email]" value="<?php echo $data['prefill']['email']; ?>">
        <input type="hidden" name="notes[address]" value="<?php echo $myBillAddressVal; ?>">
        <input type="hidden" name="notes[merchant_order_id]" value="<?php echo $order_id; ?>">
        <input type="hidden" name="notes[merchant_order_no]" value="<?php echo $order_no; ?>">
        <input type="hidden" name="notes[slotdate]" value="<?php echo date('Y-m-d', strtotime($slotdate)); ?>">
        <input type="hidden" name="notes[slottime]" value="<?php echo $slottime; ?>">
        <input type="hidden" name="callback_url" value="<?php echo $callbackurl; ?>">
        <input type="hidden" name="cancel_url" value="<?php echo $cancelurl; ?>">
        <!-- <button>Submit</button> -->
    </form>
    <script language='javascript'>document.redirect.submit();</script>
    <?php
}
This is the callback_url function, but if I return Auth::user() here I don't get the authenticated user.
public function postThankYouPage(Request $request)
{
    $success = true;
    $error = "Payment Failed";
    if (empty($request->razorpay_payment_id) === false) {
        // Keep the payment id in one local so every later use refers to the same
        // value (the original referenced an undefined $razorpayPaymentId below).
        $razorpayPaymentId = $request->razorpay_payment_id;
        try {
            // Please note that the razorpay order ID must
            // come from a trusted source (session here, but
            // could be database or something else)
            $attributes = array(
                'razorpay_order_id' => $request->razorpay_order_id,
                'razorpay_payment_id' => $razorpayPaymentId,
                'razorpay_signature' => $request->razorpay_signature
            );
            $this->api->utility->verifyPaymentSignature($attributes);
            session()->forget('coupon');
        } catch (SignatureVerificationError $e) { // requires: use Razorpay\Api\Errors\SignatureVerificationError;
            $success = false;
            $error = 'Razorpay Error : ' . $e->getMessage();
        }
        if ($success === true) {
            $post = $request->getContent();
            $data = json_decode($post, true);
            $payment = $this->getPaymentEntity($razorpayPaymentId, $data);
            $orderId = $payment['notes']['merchant_order_id'];
            $orderNo = $payment['notes']['merchant_order_no'];
            $slotdate = $payment['notes']['slotdate'];
            $slottime = $payment['notes']['slottime'];
            $checkOrder = Order::with('cartorders')
                ->where('id', '=', $orderId)
                ->where('order_no', '=', $orderNo)
                ->first();
            if (!$checkOrder) {
                // No order matches the ids in the payment notes; do not dereference null below.
                return redirect('payment-cancel')->withErrors('Payment Failed. Order not found.');
            }
            $amount = $checkOrder->total_price;
            if ($checkOrder->txn_id != $razorpayPaymentId) {
                if ($checkOrder->pay_status == "Pending" || $checkOrder->order_status == "Pending") {
                    if ($payment['status'] === 'captured') {
                        $success = true;
                    } elseif ($payment['status'] === 'authorized') {
                        //
                        // If the payment is only authorized, we capture it
                        // If the merchant has enabled auto capture
                        //
                        try {
                            $payment->capture(array('amount' => $amount));
                            $success = true;
                        } catch (\Exception $e) { // leading backslash: the controller lives in a namespace
                            //
                            // Capture will fail if the payment is already captured
                            //
                            $log = array(
                                'message' => $e->getMessage(),
                                'payment_id' => $razorpayPaymentId,
                                'event' => $data['event'] ?? null, // $data is null for a form-encoded callback
                            );
                            error_log(json_encode($log));
                            //
                            // We re-fetch the payment entity and check if the payment is captured now
                            //
                            $payment = $this->getPaymentEntity($razorpayPaymentId, $data);
                            if ($payment['status'] === 'captured') {
                                $success = true;
                            }
                        }
                    }
                    $this->updatePaymentOrder($checkOrder, $razorpayPaymentId, $payment, $orderId, $slotdate, $slottime);
                }
            }
            return redirect('order-confirmation/onlinepayment/'.$checkOrder->order_no)->with('message', 'You have successfully placed an order. we will deliver it soon. Check details below.');
        } else {
            // Signature verification failed, so no order was looked up; $checkOrder is not set here.
            return redirect('payment-cancel')->withErrors($error . '. Go to checkout and complete the payment.');
        }
    } else {
        // No razorpay_payment_id in the request at all.
        return redirect('payment-cancel')->withErrors($error . '. Go to checkout and complete the payment.');
    }
}
But the same auth code works if I select COD as the payment method; that code is like below:
elseif ($payment_method == "COD") {
    $order = $this->createGuestOrder($orderdata, $cart_items, $usercreate->id);
    $this->deleteCartItems($usercreate->id);
    $this->updateCouponQuantity($order->coupon_id);
    $my_order_det = $this->getOrderForTable($order->id);
    return redirect('order-confirmation/cod/'.$get_order_id)->with('message', 'You have successfully placed an order. we will deliver it soon.');
}
Here, if I return the auth user, it works fine.
Any solution for this?
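The callback problem in the last post (no authenticated user when the gateway POSTs back) is better treated as a design point than as something to patch around: the callback is a cross-site POST from the gateway, so the browser may withhold the session cookie (Laravel's default `same_site` setting of `lax` does exactly that), and even when a session is present it says nothing about which order was paid. The added example below, which is not code from this thread, shows the defensive shape: verify the gateway signature, resolve the order from the verified gateway order id, and take the customer from the order row rather than from `Auth::user()`. It is plain PHP with an in-memory `$ORDERS` array standing in for the orders table; `KEY_SECRET`, the `razorpay_order_id` column, `handleCallback` and the sample ids are constructed assumptions. The signature check follows Razorpay's documented checkout scheme (HMAC-SHA256 over `order_id|payment_id` with the key secret), which is what `verifyPaymentSignature()` in the thread's code does internally.

```php
<?php
// Added example (not the thread's code): handle a payment callback without
// depending on the browser session. Identity comes from verified gateway data.

declare(strict_types=1);

const KEY_SECRET = 'constructed-key-secret-for-demo'; // placeholder, not a real secret

// Constructed stand-in for the orders table (id => row). The razorpay_order_id
// column is an assumption: store the gateway order id when the order is created.
$ORDERS = [
    17 => [
        'order_no'          => 'ORD-1001',
        'user_id'           => 42,
        'total_price'       => 1500,
        'pay_status'        => 'Pending',
        'txn_id'            => null,
        'razorpay_order_id' => 'order_demo123',
    ],
];

// Razorpay's documented checkout signature: HMAC-SHA256 over "order_id|payment_id".
function verifyCheckoutSignature(string $orderId, string $paymentId, string $signature, string $secret): bool
{
    $expected = hash_hmac('sha256', $orderId . '|' . $paymentId, $secret);
    return hash_equals($expected, $signature); // constant-time comparison
}

// Returns ['ok' => bool, 'reason' => string, 'order_id' => ?int, 'user_id' => ?int].
function handleCallback(array $post, array &$orders, string $secret): array
{
    foreach (['razorpay_order_id', 'razorpay_payment_id', 'razorpay_signature'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            return ['ok' => false, 'reason' => "missing $field", 'order_id' => null, 'user_id' => null];
        }
    }
    if (!verifyCheckoutSignature($post['razorpay_order_id'], $post['razorpay_payment_id'],
                                 $post['razorpay_signature'], $secret)) {
        return ['ok' => false, 'reason' => 'bad signature', 'order_id' => null, 'user_id' => null];
    }
    // Find the order by the gateway order id we stored at creation time; the
    // signature has just proven that this id belongs to a real payment.
    foreach ($orders as $id => $row) {
        if ($row['razorpay_order_id'] !== $post['razorpay_order_id']) {
            continue;
        }
        if ($row['txn_id'] !== null) {
            // Already recorded: a replayed or refreshed callback must not re-run fulfilment.
            return ['ok' => true, 'reason' => 'already processed', 'order_id' => $id, 'user_id' => $row['user_id']];
        }
        $orders[$id]['txn_id']     = $post['razorpay_payment_id'];
        $orders[$id]['pay_status'] = 'Paid';
        return ['ok' => true, 'reason' => 'paid', 'order_id' => $id, 'user_id' => $row['user_id']];
    }
    return ['ok' => false, 'reason' => 'unknown order', 'order_id' => null, 'user_id' => null];
}

// Demo: what the gateway would send for a successful payment, a tampered copy, and a replay.
$good = [
    'razorpay_order_id'   => 'order_demo123',
    'razorpay_payment_id' => 'pay_demo456',
];
$good['razorpay_signature'] = hash_hmac('sha256', 'order_demo123|pay_demo456', KEY_SECRET);
$tampered = $good;
$tampered['razorpay_payment_id'] = 'pay_other789';

foreach (['first callback' => $good, 'tampered copy' => $tampered, 'replay' => $good] as $label => $post) {
    $r = handleCallback($post, $ORDERS, KEY_SECRET);
    printf("%-15s ok=%s reason=%s user_id=%s\n",
        $label, var_export($r['ok'], true), $r['reason'], var_export($r['user_id'], true));
}
```

Run as a script, the first callback is accepted and marks the order paid for user 42, the tampered copy is refused on the signature check, and the replay is recognised as already processed without touching the order again. Once `user_id` comes from the order row, the confirmation page can either log that customer in with `Auth::loginUsingId($userId)` (the same call the user-creation code already uses) or simply render by order number; nothing in the callback needs `Auth::user()` to be set. The callback route must also be listed in `VerifyCsrfToken::$except`, since the gateway cannot send a CSRF token, and the amount captured should be the stored `total_price`, never a value taken from the posted form.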