Cs-cart Email verification with 2FA
$‎ 16000 $‎ 19000

Zclues Developer

    Description
    CS-Cart addon · Version 1.0 · Multi-Vendor / Ultimate · CS-Cart 4.17.1+
    Cart-Power (Zclues)

    Email Verification

    Complete email security suite for CS-Cart — combines token-based email verification after registration, OTP pre-registration verification before form submission, guest order verification, and a fully built-in TOTP Two-Factor Authentication system compatible with Google Authenticator and Authy.

    • 3 DB tables
    • 4 email events
    • 2FA: TOTP built-in
    • 11 settings
    • AES-256-CBC encrypted
    Who Benefits
    Administrator
    • Full control over all verification settings
    • Configure link lifetime, OTP length, resend timers
    • Auto-delete unverified users via CRON
    • Mark all legacy accounts as pre-verified
    • Choose whether vendor/admin registration requires OTP
    • View verification status columns on user profile pages
    Customer / Vendor
    • OTP popup before registration form submits
    • Receives email with verification link after registration
    • Resend OTP button with countdown timer
    • Can set up TOTP 2FA from their profile page
    • Download or re-generate 2FA backup codes
    • Secure login with 2FA code on subsequent sign-ins
    Guest Shopper
    • Optional email verification on guest checkout orders
    • Verification link sent to the order email address
    • Guest verification status tracked in separate table
    • Verified guests are automatically trusted on account creation
    Verification Flows
    Pre-Registration OTP
    1. User fills email on registration form
    2. Clicks "Confirm Email" button — OTP popup appears
    3. Digits-only OTP code arrives by email
    4. User enters OTP → verified status stored in session
    5. Form submit proceeds → account created already verified
    Configurable OTP length (default: 6 digits), 10-min expiry, max 3 sends/hour
    Post-Registration Link
    1. Account created without OTP — marked not verified
    2. Unique token generated and stored in DB
    3. Email sent with secure verification link
    4. User clicks link → verified status updated
    5. Optional: block login until verified
    Configurable link lifetime (default: 5 hours). Resend blocked by timer.
    Guest Checkout Verification
    1. Guest places order on storefront
    2. Verification link sent to order's email
    3. Guest clicks link → guest verified flag set
    4. If guest later registers with same email → auto-verified
    Optional — enabled per setting. Separate notification template for guests.
    Two-Factor Authentication (TOTP)

    A fully self-contained TOTP (Time-based One-Time Password) system built directly into the addon — no external service required. Implements RFC 6238 with AES-256-CBC encrypted secret storage using CS-Cart's own CRYPT_KEY.

    QR Code Setup

    3-step setup wizard: download authenticator app → scan QR code → enter first verification code. Works with Google Authenticator, Authy, and any RFC 6238-compatible app.

    Backup Codes

    10 single-use backup codes generated on 2FA setup. Each code can only be used once. Users are prompted to download them. Used backup codes are permanently invalidated.

    Encrypted Storage

    TOTP secret key is encrypted with AES-256-CBC before storage. Encryption key derived from CS-Cart's own CRYPT_KEY via SHA-256. IV is random per encryption, prepended to ciphertext, base64-encoded.
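The storage format described above, as an added example that is not the addon's own code: key = SHA-256 of the CRYPT_KEY, a fresh random IV per encryption, and base64 of the IV followed by the ciphertext. The function names and the constructed key and secret are assumptions; the printed length shows that IV, padding and base64 make the stored value much longer than the secret itself, consistent with the secret_key column being varchar(255).

```php
<?php
declare(strict_types=1);

// Added example, not the addon's code. Layout follows the description above:
// base64( IV || AES-256-CBC(secret) ), key = SHA-256(CRYPT_KEY).
const CIPHER = 'aes-256-cbc';

function derive_key(string $cryptKey): string
{
    return hash('sha256', $cryptKey, true); // 32 raw bytes, the AES-256 key size
}

function encrypt_secret(string $totpSecret, string $cryptKey): string
{
    $iv = random_bytes(openssl_cipher_iv_length(CIPHER)); // fresh 16-byte IV per call
    $ct = openssl_encrypt($totpSecret, CIPHER, derive_key($cryptKey), OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($iv . $ct);
}

function decrypt_secret(string $stored, string $cryptKey): ?string
{
    $raw = base64_decode($stored, true); // strict mode rejects non-base64 input
    $ivLen = openssl_cipher_iv_length(CIPHER);
    // Need an IV plus at least one whole 16-byte ciphertext block.
    if ($raw === false || strlen($raw) < $ivLen + 16 || (strlen($raw) - $ivLen) % 16 !== 0) {
        return null;
    }
    $pt = openssl_decrypt(substr($raw, $ivLen), CIPHER, derive_key($cryptKey),
        OPENSSL_RAW_DATA, substr($raw, 0, $ivLen));
    return $pt === false ? null : $pt;
}

// Constructed values: the key stands in for CS-Cart's CRYPT_KEY.
$cryptKey = 'constructed-demo-crypt-key';
$secret = 'JBSWY3DPEHPK3PXPJBSWY3DPEHPK3PXP'; // constructed 32-char base32 TOTP secret
$a = encrypt_secret($secret, $cryptKey);
$b = encrypt_secret($secret, $cryptKey);

printf("stored value length: %d characters\n", strlen($a));
printf("two encryptions differ: %s\n", $a !== $b ? 'yes' : 'no');
printf("round trip matches: %s\n", decrypt_secret($a, $cryptKey) === $secret ? 'yes' : 'no');
```

AES-CBC provides confidentiality only; detecting a modified stored value requires a MAC over the IV and ciphertext, or an AEAD mode.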

    Clock Drift Tolerance

    Verification window of ±8 time steps (±4 minutes) ensures codes work even with server/client clock differences. Window is configurable via setting override. Min: 1, Max: 12 steps.
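RFC 6238 verification with a drift window, as an added example that is not the addon's code: with ±8 steps of 30 seconds, 17 codes are valid for an account at any moment, compared with 3 at ±1. The function names and the `$lastUsed` replay guard are assumptions; the secret is the RFC 6238 test value, handled as raw bytes rather than base32.

```php
<?php
declare(strict_types=1);

// Added example, not the addon's code. RFC 6238 TOTP with HMAC-SHA1.
const STEP = 30;   // seconds per time step
const DIGITS = 6;

// One-time code for a single time-step counter (RFC 4226 dynamic truncation).
function totp_at(string $secret, int $counter): string
{
    $mac = hash_hmac('sha1', pack('J', $counter), $secret, true); // 8-byte big-endian counter
    $offset = ord($mac[19]) & 0x0f;
    $bin = unpack('N', substr($mac, $offset, 4))[1] & 0x7fffffff;
    return str_pad((string) ($bin % (10 ** DIGITS)), DIGITS, '0', STR_PAD_LEFT);
}

// Returns the matched counter or null. $lastUsed (hypothetical replay guard) is
// the counter of the last accepted code; older or equal counters are refused.
function totp_verify(string $secret, string $code, int $now, int $window, ?int $lastUsed = null): ?int
{
    $window = max(1, min(12, $window)); // bounds stated on the page
    $current = intdiv($now, STEP);
    $match = null;
    for ($i = -$window; $i <= $window; $i++) {
        $c = $current + $i;
        if ($c < 0 || ($lastUsed !== null && $c <= $lastUsed)) {
            continue;
        }
        if (hash_equals(totp_at($secret, $c), $code)) { // constant-time comparison
            $match = $c;
        }
    }
    return $match;
}

$secret = '12345678901234567890'; // RFC 6238 Appendix B test secret, raw bytes
$issuedAt = 59;                    // seconds since the Unix epoch
$code = totp_at($secret, intdiv($issuedAt, STEP));

// The same code checked at issue time, four minutes later under two window
// sizes, and again after it has already been accepted once.
var_dump(totp_verify($secret, $code, $issuedAt, 8));
var_dump(totp_verify($secret, $code, $issuedAt + 240, 8));
var_dump(totp_verify($secret, $code, $issuedAt + 240, 1));
var_dump(totp_verify($secret, $code, $issuedAt + 240, 8, 1));
```

RFC 6238 recommends allowing at most one time step for network delay, so the window setting is worth lowering where server and client clocks are kept in sync.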

    Password Recovery 2FA

    2FA is enforced on password recovery and ekey login flows. A pending recovery state is stored in session so the recovery page requests the 2FA code before proceeding.

    Disable 2FA with Password

    Users can disable 2FA from their profile by entering their current account password as confirmation. A strong warning popup explains the security implications before proceeding.

    Security Features
    Rate Limiting

    OTP send requests are limited to 3 per hour per email. Exceeding the limit returns a user-friendly error and blocks further sends for the remainder of that hour. Prevents email flood abuse.

    Account Lockout

    5 failed OTP attempts trigger a 15-minute account lock on subsequent verification attempts. The attempt counter is tracked per OTP record in the DB. Prevents brute-force attacks.

    OTP & Token Expiry

    OTP codes expire after 10 minutes. Email verification links expire after a configurable number of hours (default 5h). Tokens are cryptographically random (alphanumeric, default 15 chars) with collision check.
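The limits from the three items above (3 sends per hour per email, 10-minute expiry, a 15-minute lock after 5 failed attempts) enforced server-side, as an added example that is not the addon's code. The `OtpGuard` class, its in-memory arrays standing in for the OTP table, and the choice to keep a lock in force across re-issue are assumptions.

```php
<?php
// Added example, not the addon's code. In-memory stand-in for the OTP table.
final class OtpGuard
{
    private array $sends = [];   // email => timestamps of sent codes
    private array $records = []; // email => code, expires_at, attempts, locked_until

    // Returns a new digits-only code, or null when sending is refused.
    public function issue(string $email, int $now, int $length = 6): ?string
    {
        $recent = array_values(array_filter($this->sends[$email] ?? [], fn (int $t): bool => $t > $now - 3600));
        $lockedUntil = $this->records[$email]['locked_until'] ?? 0;
        if (count($recent) >= 3 || $now < $lockedUntil) {
            return null; // 3 sends per hour per email; a lock survives re-issue
        }
        // random_int() draws from the CSPRNG; left-pad to keep a fixed length.
        $code = str_pad((string) random_int(0, 10 ** $length - 1), $length, '0', STR_PAD_LEFT);
        $recent[] = $now;
        $this->sends[$email] = $recent;
        $this->records[$email] = ['code' => $code, 'expires_at' => $now + 600,
            'attempts' => 0, 'locked_until' => 0];
        return $code;
    }

    public function verify(string $email, string $input, int $now): string
    {
        if (!isset($this->records[$email])) return 'no_code';
        $r = &$this->records[$email];
        if ($now < $r['locked_until']) return 'locked';
        if ($now >= $r['expires_at']) return 'expired';
        if (hash_equals($r['code'], $input)) {
            unset($this->records[$email]); // a code is accepted once only
            return 'verified';
        }
        if (++$r['attempts'] >= 5) $r['locked_until'] = $now + 900; // 15-minute lock
        return 'invalid';
    }
}

$guard = new OtpGuard();
$t = 1700000000; // constructed timestamp
$code = $guard->issue('user@example.test', $t);
$wrong = $code === '000000' ? '111111' : '000000';
for ($i = 1; $i <= 6; $i++) {
    printf("wrong attempt %d: %s\n", $i, $guard->verify('user@example.test', $wrong, $t + $i));
}
printf("correct code during lock: %s\n", $guard->verify('user@example.test', $code, $t + 10));
```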

    Auto-Delete Unverified Users

    CRON job deletes users who never verified their email after a configurable number of days (default 30). Users with placed orders are never deleted. Setting to 0 disables deletion entirely.

    Resend Cooldown Timer

    The resend OTP/link button shows a live countdown timer (default 60 seconds). The resend action is blocked server-side as well — not just in UI — until the timer expires. Countdown is configurable in settings.

    Login Without Verification Option

    Admin can allow login even for unverified users (softer mode). When disabled, unverified users are blocked at login with a clear notification to check their email. Registration and authentication flows are handled separately.

    Database Schema
    cscart_zks_email_verification — Token & link tracking
    • token: PK, varchar(15)
    • email: varchar(128)
    • is_verified_guest: INT(1)
    • created_at: TIMESTAMP
    • last_send_email: TIMESTAMP — resend guard
    cscart_zks_email_otp — OTP pre-registration codes
    • id: PK, AUTO_INCREMENT
    • email: varchar(128), indexed
    • otp_code: varchar(10), indexed
    • user_type: char(1), C/V
    • is_verified: INT(1)
    • attempts: INT(3) — lockout counter
    • created_at: TIMESTAMP
    • expires_at: TIMESTAMP — 10-min expiry
    cscart_zks_user_2fa — Two-Factor Authentication
    • user_id: PK, INT
    • secret_key: varchar(255) — AES encrypted
    • is_enabled: TINYINT(1), indexed
    • backup_codes: TEXT — 10 one-time codes
    • recovery_email: varchar(128)
    • secret_hash: varchar(64)
    • created_at / last_used_at: TIMESTAMP
    Column added to existing table cscart_users
    • zks_email_verified: INT(1)
    Status codes: 0 = not verified, 1 = verified, 2 = existing (pre-addon) account
    Email Notification Events
    • User Verification Email (email_notifications_user): Sent after customer registration. Contains the unique verification link. Managed via CS-Cart notification manager.
    • Vendor Verification Email (email_notifications_vendor): Sent after vendor registration. Separate template allows different branding or instructions for vendor accounts.
    • Guest Order Verification (email_notifications_guest): Sent when a guest places an order and verification_guest_orders is enabled. Dedicated template for non-registered shoppers.
    • OTP Code Email (email_notifications_otp): Delivers the numeric OTP code for pre-registration flow. Includes intro text, the code prominently, expiry notice, and an ignore message if unrequested.
    Addon Settings
    General Settings
    • Allow login without verification: If enabled, unverified users can still sign in. Default: No (blocked)
    • Verify guest orders: Send verification email after a guest checkout. Default: No
    • Link verification lifetime (hours): How long a verification link stays valid. Default: 5 hours
    • Resend timer (seconds): Cooldown between resend requests. Default: 60 seconds
    • Delete unverified users after (days): 0 = never delete. Orders protect users from deletion. Default: 30 days
    • Consider existing accounts as verified: Accounts created before addon install get status 2 (EXISTED = trusted). Default: Yes
    • Don't delete old unverified accounts: Protects pre-install accounts from CRON deletion regardless of status. Default: Yes
    • Delete verification data on uninstall: Drop tables and column when addon is removed. Default: No
    • Enable pre-registration OTP: Verify email via OTP popup before the registration form submits. Default: Yes
    • Skip verification for admin: Admin-area registrations bypass OTP verification. Default: Yes
    • OTP code length: Number of digits in the OTP (numeric only). Default: 6
    CRON Settings
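    • CRON Password: Protects the automated cleanup endpoint. Access via …?cron_password=YOUR_PASS. Default: cron_password. Change the default before scheduling the job: the value is sent in the URL query string, so it is also recorded in web server access logs.
    • CRON Template: Shows the ready-to-use CRON command string in the settings panel for easy setup.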
    What CRON does
    • Deletes unverified users older than N days
    • Cleans up expired OTP records from zks_email_otp
    • Skips users who have placed any orders
    • Respects "don't delete old accounts" setting
    File Structure
    email_verification/
    ├── app/addons/zks_email_verification/
    │ ├── addon.xml — settings, email_templates ref
    │ ├── func.php — all hooks, OTP, 2FA, encryption (1331 lines)
    │ ├── config.php / init.php
    │ ├── resources/email_templates.xml — 4 CS-Cart email events
    │ ├── controllers/backend/ → profiles.post.php, zks_email_verification.php
    │ ├── controllers/frontend/ → auth.post, checkout.post, companies.pre, profiles.pre, two_factor.php, zks_email_verification.php
    │ ├── controllers/common/ → auth.pre.php
    │ ├── schemas/notifications/ — event notification schemas
    │ └── Tygh/Addons/EmailVerification/ → Notifications/
    ├── design/backend/templates/addons/zks_email_verification/
    │ ├── hooks/profiles/ → account_info.post.tpl
    │ ├── hooks/vendors/ → detailed_content.post.tpl
    │ ├── views/two_factor/ → (2FA admin view)
    │ └── settings/ → cron_template.tpl
    ├── design/themes/responsive/templates/addons/zks_email_verification/
    │ ├── components/ → 2fa_login_popup.tpl, 2fa_setup_popup.tpl, email.tpl, email_otp_registration.tpl
    │ ├── hooks/index/ → login_buttons.post.tpl, scripts, styles
    │ ├── hooks/profiles/ → 2fa_settings.post, account_info.override, account_update.post, create_profile.post
    │ ├── hooks/vendors/ → apply_fields.post.tpl
    │ ├── views/ → guest_verification.tpl, otp_verification.tpl, two_factor/recovery_verify.tpl, two_factor/setup.tpl
    │ └── overrides/ — template overrides
    └── var/langs/en/ → addons/zks_email_verification.po
    Requirements & Notes
    Requirements
    • CS-Cart Multi-Vendor / Ultimate
    • CS-Cart core version 4.17.1+
    • Core addon tags must be active
    • PHP openssl extension (for AES-256 2FA)
    • InnoDB MySQL engine, utf8mb4 charset
    Upgrade Safe

    The install function checks for column existence before ALTER TABLE, so it is safe to re-run on upgrade. The secret_key column is auto-extended from varchar(32) to varchar(255) if a legacy install is detected. Includes UpgradeCenter integration.

    Uninstall Note

    By default, uninstall does not drop tables or the zks_email_verified column to preserve data. Enable the "Delete verification data on uninstall" setting first if you want a clean removal.

    Tags: Email Verification, OTP, Two-Factor Auth, TOTP / Google Authenticator, Security, CRON, Guest Orders, MultiVendor, Cart-Power
    v1.0  ·  cart-power.com
    Features
    Compatible
    • Unitheme
    • Youpitheme
    Compatible versions
    • 4.18.x
    • 4.17.x
    • 4.16.x
    • 4.15.x
    Cs-cart Core
    • Store Builder
    • Multi-vendor
    Improvement For
    • Admin
    • Vendor
    • Customer