I'd like to generate user accounts in Zend Framework 2 with ZfcUser arbitrarily that I could then email to the user with either an activation link or some temporary credentials. I'm not sure if ZfcUser can be extended to do this securely, so I'm looking for help and suggestions.
I need to do this in my application for a letter of recommendation feature. It works by an existing user (someone who registered using ZfcUser the 'normal' way) requesting a letter of recommendation from someone by providing an email address for that person. At that point I would like to generate an account using ZfcUser with that given email and notify the person that someone has requested a letter of recommendation from them and that they should log in and complete it.
I gave some though to a one-time-use link for each letter request but I feel like it would make more sense to create an account for each email and the associated user so that someone who receives multiple request for letters can log in and be presented with all of their requests in a single place. I also think it may be wise to separate these sorts of user accounts into a different users table in my database, or at least append a flag field to my current users table schema.
I should note that I'm also currently using CdliTwoStageSignup in conjunction with ZfcUser. I don't necessarily need to use it for this as well, but it's in the tool bag.
I think the ZfcUser 'state' flag could be useful here but it's not really the tough part of what I'm trying to accomplish.
I've also found another clue as to how I could do this in the ZfcUser wiki on Github.
I'm looking for technical help in accomplishing this using ZfcUser but am definitely open to design ideas or improvements in general.
If anyone is looking for how to create a generic user that can be authenticated using ZfcUser it's just a matter of creating a new user, using $bcrypt to turn a plaintext password into a hash and saving it all to your user table. The basics are outlined below:
$newUser = new User();
$newUser->user_id = 'newUserId';
$newUser->email = 'newUser@gmail.com';
$password = 'newUserPassword'//This is extremely bad form, don't do it. You don't want any passwords hanging out in plaintext.
$bcrypt = new Bcrypt();
$bcrypt->setCost(14);
$newUser->password = $bcrypt->create($password);
$userTable->saveUser($newUser);
The Bcrypt cost I used here was 14. You can use whatever is appropriate for your application but it would be a good idea to pull your setting from the ZfcUser configuration file. You may also use a different value and Bcrypt will handle it without issue.
I don't suggest creating accounts and leaving passwords in plaintext in your code like I do in the example. You'd usually be getting user input and hashing that right away without storing it.
I've left out some important bits like user state and options like username and displayname for brevity. Don't forget about a user role if you're using BjyAuthorize too.