
whmcs_autoauth's Introduction

WHMCS Auto Authentication

By JonTheWong from Zenith Media Canada

zenithmedia.ca

Intro

This script allows end users of WHMCS to log in to their accounts automatically. You add the provided code to your email templates to create a temporary link that gives your clients access to their invoices, quotes and general login.

The script was created with the help of Serg & McGuyver and the great documentation of WHMCS - AutoAuth & WHMCS - Security Policy.

Confirmed working with WHMCS

We have tested this script with the following versions.

Installation

To install this script, place all files in the root directory of your WHMCS installation.

example: /home/user/public_html/domain/whmcs/

Generate a random key and add it to configuration.php, above the last ?>

$autoauthkey = "REPLACE-WITH-SYSTEM-KEY";

Also add the same key to the script.

On Linux you can generate the key with: openssl rand -hex 32

Then add this value to the top of your email template:

{assign var='hash' value=$client_email|cat:"REPLACE-THIS-PART-WITH-SECRET-KEY"}

Then add the link you need anywhere in your email template:

Login Auth: {$whmcs_url}lauth.php?email={$client_email}&zmkey={$hash|md5}

Invoice Auth: {$whmcs_url}iauth.php?email={$client_email}&invoice={$invoice_num}&zmkey={$hash|md5}

Quote Auth: {$whmcs_url}qauth.php?email={$client_email}&quote={$quote_number}&zmkey={$hash|md5}

Notes

Quick note for version 7+

Due to security settings, you have to modify configuration.php and add the following code to the bottom, above the last ?>

$smarty_security_policy = array(
    'mail' => array(
        'php_modifiers' => array(
            'md5',
            'time',
            'sha1',
            'urlencode',
            'header',
        ),
    ),
);

Known Bugs

Additional information according to WHMCS documentation.

The timestamp must be within 15 minutes of the server time for the autoauth to be accepted, otherwise the link is considered to be expired.

Based on my testing the links do not expire.

Based on the above code, when we make a request using the l/i/qauth.php links it redirects to the $url and that generates a new timestamp + hash. But this does not expire? How can it expire if the hash is based on a timestamp, changing it every time?

The initial email+secretkey hash is constant. Include the timestamp in that generation?

&timestamp={time()} is possible with above security policy.
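
The note above about putting the timestamp into the hash, as an added example (not code from whmcs_autoauth or WHMCS). The function names, the email . timestamp . key layout, the use of sha1 and the sample values are assumptions made for this illustration.

```php
<?php
// Added example: hypothetical helpers, not part of whmcs_autoauth or WHMCS.
const MAX_AGE = 900; // 15 minutes, the window quoted from the WHMCS documentation

// Token as the email template builds it today: md5(email . key).
// It is identical for every email sent to the same client.
function staticToken(string $email, string $key): string
{
    return md5($email . $key);
}

// Token bound to a timestamp (assumed layout: email . timestamp . key).
function timedToken(string $email, int $timestamp, string $key): string
{
    return sha1($email . $timestamp . $key);
}

// Accept a link only if its timestamp is inside the window AND the token matches.
function verifyTimedLink(string $email, string $timestamp, string $token, string $key, int $now): bool
{
    if (!ctype_digit($timestamp)) {
        return false;                  // reject empty, signed or non-numeric input
    }
    $ts = (int) $timestamp;
    if (abs($now - $ts) > MAX_AGE) {
        return false;                  // expired, or dated too far in the future
    }
    // hash_equals() compares in constant time, unlike == or ===
    return hash_equals(timedToken($email, $ts, $key), $token);
}

// Constructed sample values for the demonstration.
$key   = 'REPLACE-WITH-SYSTEM-KEY';
$email = 'client@example.com';
$sent  = 1700000000;                   // moment the email was generated
$token = timedToken($email, $sent, $key);

// Case 1: link opened one minute after sending.
var_dump(verifyTimedLink($email, (string) $sent, $token, $key, $sent + 60));
// Case 2: same link opened one hour later.
var_dump(verifyTimedLink($email, (string) $sent, $token, $key, $sent + 3600));
// Case 3: timestamp parameter rewritten to look fresh, token left unchanged.
var_dump(verifyTimedLink($email, (string) ($sent + 3600), $token, $key, $sent + 3600));
// Case 4: the static token carries no time information at all.
var_dump(staticToken($email, $key) === staticToken($email, $key));
```

In the email template, the same timestamp value has to go into both the hashed string and the &timestamp= parameter, otherwise the server-side check can never match.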
