
In Laravel, how would one encrypt the email addresses of users? Like, it should only be decrypted by the user's credentials, e.g. password etc. (which only he knows). But then the question arises: how would the app then send important emails to that user?

2

775

If your DB is on the same server as your application, encrypting the EMAIL also has mostly zero benefit, as you would store the encryption codes on the same server as well.

What are in your case "important emails"? For login and password reset you only require a HASH, no encryption; storing hashes is the best for the end user. In case of a matching hash you can get the email from the request and send an email then.

You only require the email for notifications, for which you may want to make it possible in your app for a user to have loginEmail != notificationEmail, and so only store that as clear text.

Still want to encrypt something? Have a look at: laraveldaily.com/post/laravel-encrypt-models-data-with-casts


1

76

They said "it should only be decrypted by the user's credentials, e.g. password etc. (which only he knows)"

2

175

Then "async" notifications are not a thing. Which leads back to my original question: What are in that case "important emails"?

1

114

Not password resets, obviously. No longer possible because the user forgot their password and now the email can't be decrypted. I'm not sure what problem the original question is trying to solve but it introduces so many new problems it doesn't sound like it would be worth any effort spent on this. I would love to know more about the problem vs the proposed solution of encrypting the user email.

If you don't need to ever send emails then you could just hash the email just like you do with the passwords. If you want to still email these users you could put the hashmap on another server but still nothing secure about this. Just more complex.

What is the goal here?

2

170

You don't need to decrypt the email for password reset if you just hash the email with a known application secret. This way you are not required to save a plain email address or even a decryptable email address; you just need to find the matching user by an emailHash.

Pseudo code:

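use Illuminate\Support\Facades\DB;

// $appSecretSalt: the application secret, e.g. loaded from config
$submittedResetEmail = $request->query->get('email');
$hashEmail = sha1($submittedResetEmail . $appSecretSalt);

$users = DB::select('SELECT * FROM users WHERE emailHash = :hashEmail', ['hashEmail' => $hashEmail]);

if (count($users)) { // userHash found, send reset email to:
    sendEmail($submittedResetEmail); // sendEmail(): the app's own mail helper
}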


This way you can create login, password resets without knowing any personal information about your users.

2

190
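The lookup described in the post above, as an added example that is not part of the original thread: it uses HMAC-SHA256 in place of the post's SHA1 concatenation and normalises the address before hashing, so case or whitespace variants still find the account. The key, the function names and the sample users are assumptions constructed for the example.

```php
<?php
declare(strict_types=1);

// Assumption: a 32-byte secret loaded from configuration and kept apart from the database.
// Derived from a constructed string here so the example runs offline.
$indexKey = hash('sha256', 'constructed-demo-secret', true);

/** Canonical form (assumption: addresses are treated as case-insensitive). */
function normalizeEmail(string $email): string
{
    return strtolower(trim($email));
}

/** Keyed hash stored in users.emailHash in place of the address itself. */
function emailIndex(string $email, string $key): string
{
    return hash_hmac('sha256', normalizeEmail($email), $key);
}

// Constructed sample table: only the keyed hash is stored, never the address.
$users = [
    ['id' => 1, 'emailHash' => emailIndex('alice@example.com', $indexKey)],
    ['id' => 2, 'emailHash' => emailIndex('bob@example.com', $indexKey)],
];

/** Returns the address to mail the reset link to, or null when no account matches. */
function resetRecipient(string $submitted, array $users, string $key): ?string
{
    $needle = emailIndex($submitted, $key);
    foreach ($users as $user) {
        if (hash_equals($user['emailHash'], $needle)) {
            // The address comes from the request; the database never held it.
            return normalizeEmail($submitted);
        }
    }
    return null;
}

// A case and whitespace variant of a stored address.
var_dump(resetRecipient(' Alice@Example.com', $users, $indexKey));
// An address with no account.
var_dump(resetRecipient('mallory@example.com', $users, $indexKey));
```

Without the key, a dump of the `emailHash` column cannot be checked against a list of candidate addresses, which a plain unsalted hash would allow.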

In response to @alex_s_

Thank you so much for letting me know about this possible way. Keeping users' emails as private as possible can keep them safe from many unwanted activities.

55
