Boston
USD |EN |AE
Cs-cart Email verification with 2FA
Write a review
$16000 $19000
Add to cart

Cs-cart Email verification with 2FA

Write a review
Zclues Developer
+16175556985
Ask a question
10 days
Price in points: 160 points
+

Minimum quantity for "Cs-cart Email verification with 2FA" is 1.

Add to wish list Compare
Payment options
Our advantages
  • — 12 months warranty
  • — Return and exchange
  • — Different payment methods
  • — Best price


    Find similar
    Description
    CS-CART ADDON VERSION 1.0 MULTIVENDOR / ULTIMATE CS-CART 4.17.1+
    Cart-Power (Zclues)

    Email Verification

    Complete email security suite for CS-Cart — combines token-based email verification after registration, OTP pre-registration verification before form submission, guest order verification, and a fully built-in TOTP Two-Factor Authentication system compatible with Google Authenticator and Authy.

    3
    DB Tables
    4
    Email Events
    2FA
    TOTP Built-in
    11
    Settings
    AES
    256-CBC Encrypted
    Who Benefits
    Administrator
    • Full control over all verification settings
    • Configure link lifetime, OTP length, resend timers
    • Auto-delete unverified users via CRON
    • Mark all legacy accounts as pre-verified
    • Choose whether vendor/admin registration requires OTP
    • View verification status columns on user profile pages
    Customer / Vendor
    • OTP popup before registration form submits
    • Receives email with verification link after registration
    • Resend OTP button with countdown timer
    • Can set up TOTP 2FA from their profile page
    • Download or re-generate 2FA backup codes
    • Secure login with 2FA code on subsequent sign-ins
    Guest Shopper
    • Optional email verification on guest checkout orders
    • Verification link sent to the order email address
    • Guest verification status tracked in separate table
    • Verified guests are automatically trusted on account creation
    Verification Flows
    Pre-Registration OTP
    1. User fills email on registration form
    2. Clicks "Confirm Email" button — OTP popup appears
    3. Digits-only OTP code arrives by email
    4. User enters OTP → verified status stored in session
    5. Form submit proceeds → account created already verified
    Configurable OTP length (default: 6 digits), 10-min expiry, max 3 sends/hour
    Post-Registration Link
    1. Account created without OTP — marked not verified
    2. Unique token generated and stored in DB
    3. Email sent with secure verification link
    4. User clicks link → verified status updated
    5. Optional: block login until verified
    Configurable link lifetime (default: 5 hours). Resend blocked by timer.
    Guest Checkout Verification
    1. Guest places order on storefront
    2. Verification link sent to order's email
    3. Guest clicks link → guest verified flag set
    4. If guest later registers with same email → auto-verified
    Optional — enabled per setting. Separate notification template for guests.
    Two-Factor Authentication (TOTP)

    A fully self-contained TOTP (Time-based One-Time Password) system built directly into the addon — no external service required. Implements RFC 6238 with AES-256-CBC encrypted secret storage using CS-Cart's own CRYPT_KEY.

    QR Code Setup

    3-step setup wizard: download authenticator app → scan QR code → enter first verification code. Works with Google Authenticator, Authy, and any RFC 6238-compatible app.

    Backup Codes

    10 single-use backup codes generated on 2FA setup. Each code can only be used once. Users are prompted to download them. Used backup codes are permanently invalidated.

    Encrypted Storage

    TOTP secret key is encrypted with AES-256-CBC before storage. Encryption key derived from CS-Cart's own CRYPT_KEY via SHA-256. IV is random per encryption, prepended to ciphertext, base64-encoded.

    Clock Drift Tolerance

    Verification window of ±8 time steps (±4 minutes) ensures codes work even with server/client clock differences. Window is configurable via setting override. Min: 1, Max: 12 steps.

    Password Recovery 2FA

    2FA is enforced on password recovery and ekey login flows. A pending recovery state is stored in session so the recovery page requests the 2FA code before proceeding.

    Disable 2FA with Password

    Users can disable 2FA from their profile by entering their current account password as confirmation. A strong warning popup explains the security implications before proceeding.

    Security Features
    Rate Limiting

    OTP send requests are limited to 3 per hour per email. Exceeding the limit returns a user-friendly error and blocks further sends for the remainder of that hour. Prevents email flood abuse.

    Account Lockout

    5 failed OTP attempts triggers a 15-minute account lock on successive verifications. The attempt counter is tracked per OTP record in the DB. Prevents brute-force attacks.

    OTP & Token Expiry

    OTP codes expire after 10 minutes. Email verification links expire after a configurable number of hours (default 5h). Tokens are cryptographically random (alphanumeric, default 15 chars) with collision check.

    Auto-Delete Unverified Users

    CRON job deletes users who never verified their email after a configurable number of days (default 30). Users with placed orders are never deleted. Setting to 0 disables deletion entirely.

    Resend Cooldown Timer

    The resend OTP/link button shows a live countdown timer (default 60 seconds). The resend action is blocked server-side as well — not just in UI — until the timer expires. Countdown is configurable in settings.

    Login Without Verification Option

    Admin can allow login even for unverified users (softer mode). When disabled, unverified users are blocked at login with a clear notification to check their email. Separation of registration and auth flows.

    Database Schema
    cscart_zks_email_verification — Token & link tracking
    tokenPK, varchar(15)
    emailvarchar(128)
    is_verified_guestINT(1)
    created_atTIMESTAMP
    last_send_emailTIMESTAMP — resend guard
    cscart_zks_email_otp — OTP pre-registration codes
    idPK, AUTO_INCREMENT
    emailvarchar(128), indexed
    otp_codevarchar(10), indexed
    user_typechar(1): C/V
    is_verifiedINT(1)
    attemptsINT(3) — lockout counter
    created_atTIMESTAMP
    expires_atTIMESTAMP — 10-min expiry
    cscart_zks_user_2fa — Two-Factor Authentication
    user_idPK, INT
    secret_keyvarchar(255) — AES encrypted
    is_enabledTINYINT(1), indexed
    backup_codesTEXT — 10 one-time codes
    recovery_emailvarchar(128)
    secret_hashvarchar(64)
    created_at / last_used_atTIMESTAMP
    Column added to existing table
    cscart_users
    zks_email_verified INT(1)
    Status codes: 0 = not verified, 1 = verified, 2 = existing (pre-addon) account
    Email Notification Events
    User Verification Email
    Sent after customer registration. Contains the unique verification link. Managed via CS-Cart notification manager.
    email_notifications_user
    Vendor Verification Email
    Sent after vendor registration. Separate template allows different branding or instructions for vendor accounts.
    email_notifications_vendor
    Guest Order Verification
    Sent when a guest places an order and verification_guest_orders is enabled. Dedicated template for non-registered shoppers.
    email_notifications_guest
    OTP Code Email
    Delivers the numeric OTP code for pre-registration flow. Includes intro text, the code prominently, expiry notice, and an ignore message if unrequested.
    email_notifications_otp
    Addon Settings
    General Settings
    Allow login without verification
    If enabled, unverified users can still sign in. Default: No (blocked)
    Verify guest orders
    Send verification email after a guest checkout. Default: No
    Link verification lifetime (hours)
    How long a verification link stays valid. Default: 5 hours
    Resend timer (seconds)
    Cooldown between resend requests. Default: 60 seconds
    Delete unverified users after (days)
    0 = never delete. Orders protect users from deletion. Default: 30 days
    Consider existing accounts as verified
    Accounts created before addon install get status 2 (EXISTED = trusted). Default: Yes
    Don't delete old unverified accounts
    Protects pre-install accounts from CRON deletion regardless of status. Default: Yes
    Delete verification data on uninstall
    Drop tables and column when addon is removed. Default: No
    Enable pre-registration OTP
    Verify email via OTP popup before the registration form submits. Default: Yes
    Skip verification for admin
    Admin-area registrations bypass OTP verification. Default: Yes
    OTP code length
    Number of digits in the OTP (numeric only). Default: 6
    CRON Settings
    CRON Password
    Protects the automated cleanup endpoint. Access via …?cron_password=YOUR_PASS. Default: cron_password
    CRON Template
    Shows the ready-to-use CRON command string in the settings panel for easy setup.
    What CRON does
    • Deletes unverified users older than N days
    • Cleans up expired OTP records from zks_email_otp
    • Skips users who have placed any orders
    • Respects "don't delete old accounts" setting
    File Structure
    email_verification/
    ├── app/addons/zks_email_verification/
    │ ├── addon.xml — settings, email_templates ref
    │ ├── func.php — all hooks, OTP, 2FA, encryption (1331 lines)
    │ ├── config.php / init.php
    │ ├── resources/email_templates.xml — 4 CS-Cart email events
    │ ├── controllers/backend/ → profiles.post.php, zks_email_verification.php
    │ ├── controllers/frontend/ → auth.post, checkout.post, companies.pre, profiles.pre, two_factor.php, zks_email_verification.php
    │ ├── controllers/common/ → auth.pre.php
    │ ├── schemas/notifications/ — event notification schemas
    │ └── Tygh/Addons/EmailVerification/ → Notifications/
    ├── design/backend/templates/addons/zks_email_verification/
    │ ├── hooks/profiles/ → account_info.post.tpl
    │ ├── hooks/vendors/ → detailed_content.post.tpl
    │ ├── views/two_factor/ → (2FA admin view)
    │ └── settings/ → cron_template.tpl
    ├── design/themes/responsive/templates/addons/zks_email_verification/
    │ ├── components/ → 2fa_login_popup.tpl, 2fa_setup_popup.tpl, email.tpl, email_otp_registration.tpl
    │ ├── hooks/index/ → login_buttons.post.tpl, scripts, styles
    │ ├── hooks/profiles/ → 2fa_settings.post, account_info.override, account_update.post, create_profile.post
    │ ├── hooks/vendors/ → apply_fields.post.tpl
    │ ├── views/ → guest_verification.tpl, otp_verification.tpl, two_factor/recovery_verify.tpl, two_factor/setup.tpl
    │ └── overrides/ — template overrides
    └── var/langs/en/ → addons/zks_email_verification.po
    Requirements & Notes
    Requirements
    • CS-Cart Multi-Vendor / Ultimate
    • CS-Cart core version 4.17.1+
    • Core addon tags must be active
    • PHP openssl extension (for AES-256 2FA)
    • InnoDB MySQL engine, utf8mb4 charset
    Upgrade Safe

    Install function checks for column existence before ALTER TABLE — safe to re-run on upgrade. Secret_key column is auto-extended from varchar(32)varchar(255) if legacy install is detected. Includes UpgradeCenter integration.

    Uninstall Note

    By default, uninstall does not drop tables or the zks_email_verified column to preserve data. Enable the "Delete verification data on uninstall" setting first if you want a clean removal.

    Tags: Email Verification OTP Two-Factor Auth TOTP / Google Authenticator Security CRON Guest Orders MultiVendor Cart-Power
    v1.0  ·  cart-power.com
    Supplement Facts
    Serving Size: 1
    Servings Per Container: 25
    Amount Per Serving %Daily Value
    Compatible Youpitheme 12%

    * Daily Value not established.

    Features
    Compatible
    • Unitheme
    • Youpitheme
    Comptabile versions
    • 4.18.x ,
    • 4.17.x ,
    • 4.16.x ,
    • 4.15.x
    Cs-cart Core
    • Store Builder
    • Multi-vendor
    Improvement For
    • Admin
    • Vendor
    • Customer
    Capsule Servings Per Container
    25
    Serving Size
    1
    Find similar
    Reviews

    No reviews found

    Customer questions & answers.

    Search
    Sort by
    Please sign in to submit an answer.

    No customer questions. Be the first to ask a question.

    Be the first to ask a question!

    See all questions
    You may be interested
    • Most Popular
    • On Sale
    • Recently Viewed
     
    Fast and high quality delivery

    Our company makes delivery all over the country

    Quality assurance and service

    We offer only those goods, in which quality we are sure

    Returns within 30 days

    You have 30 days to test your purchase