Tuesday, November 10, 2015

PrestaShop: Improved Customer Password Recovery

Ever since I started using PrestaShop, I hated the password recovery method: send email with link, clicking on link sends you a new password via email.

For me, this method has various problems:
  • Two emails to the client are needed. Not all emails arrive instantly, so this can slow down a customer that wants to do business with you.
  • A password is being sent as plain text to the user.
  • The password auto-generated by PrestaShop is hard for the user to remember.
  • The customer's secure key is sent out as plain text (it's the "token" parameter in the URL of the first email).
Therefore, I decided to change the "forgotten password" feature. My goal was to send ONE email to the user, which directs them to a page to change their password.

The link which allows the password must be unique to the user, can only be used once, and additionally will only work if used within some arbitrary amount of time... let's say one hour.

FORGOT YOUR PASSWORD?


Looking at the code, I decided that a complete override of the PasswordController was needed. I did this as an override. I created the file /override/controllers/front/PasswordController.php, with public function postProcess, and deleted the /cache/class_index.php to make sure my overridden controller gets called.

I also extensively changed my theme's password.tpl to handle the new method. In addition, the text of the template, the error message, and the email needed to be changed to reflect the new implementation.

In order to limit the tokens to 1 hour, I needed to add a new MySQL table.

CREATE TABLE `customer_extra_info` (
  `id_customer` int(10) unsigned NOT NULL,
  `datetime_password_request` datetime NOT NULL DEFAULT '0000-00-00 00:00:00',
  `token_password_request` varchar(32) NOT NULL DEFAULT '-1',
  PRIMARY KEY (`id_customer`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

I plan to use this table for more customer specific info, which explains it's "non-specific" name.


No comments: