XenForo 2.2 / 2.3 [OzzModz] Secret Phrase Account Recovery

  • Thread author: Admin
  • Start date:

Download:


Description:

🔐 OzzModz: Secret Phrase Recovery Add-on

A secure and bot-resistant account recovery system using a user-defined secret phrase. Ideal for recovering access when password and 2FA are lost.


🧠 Core Features

✅ Secret Phrase Setup

  • Users can enter a secret recovery phrase in their Account Details.
  • Stored securely using:
    • Argon2ID hashing
    • Per-user salt from random_bytes(32) → 256-bit salt (generated automatically when the user saves a secret phrase)
    • Per-user pepper from random_bytes(16) → 128-bit pepper (generated automatically when the user saves a secret phrase)

✅ Entropy Validation

  • Secret phrase must meet minimum complexity:
    • At least 16 characters
    • At least 3 words
    • No more than 256 characters


🔑 Account Recovery Flow

✅ Recovery Page

  • Public form with:
    • Username
    • Secret phrase
    • Traps for bots

✅ Recovery Validation

  • Validates the phrase using the user’s salt + pepper
  • If correct:
    • Logs the user in automatically
    • Invalidates the secret (it becomes one-time use)
    • Clears any rate-limiting attempts
    • Logs the success (IP address and username) and tells the user they need to create a new secret phrase

✅ Recovery Limit Protection

  • Tracks failed attempts in a table
  • Locks recovery for 15 minutes after 5 failed attempts per IP or user
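The storage rules and the recovery flow described above (entropy validation, per-user salt and pepper, 5-failure/15-minute lock per IP or user, one-time use), as an added illustration that is not the add-on's own code. It assumes the salt and pepper are mixed into the hash as shown, and uses the stdlib scrypt KDF as a stand-in for the Argon2id the add-on uses.

```python
import hashlib, hmac, secrets, time

MIN_LEN, MIN_WORDS, MAX_LEN = 16, 3, 256      # complexity rules from the description
MAX_FAILS, LOCK_SECONDS = 5, 15 * 60          # 5 failures -> 15-minute lock
# Dummy record so unknown usernames cost the same KDF time as real ones (no user-enumeration timing oracle).
_DUMMY = {"hash": bytes(32), "salt": bytes(32), "pepper": bytes(16)}


def validate_phrase(phrase: str) -> bool:
    """Entropy rules: 16..256 characters and at least 3 whitespace-separated words."""
    return MIN_LEN <= len(phrase) <= MAX_LEN and len(phrase.split()) >= MIN_WORDS


def derive(phrase: str, salt: bytes, pepper: bytes) -> bytes:
    """Slow KDF over pepper||phrase with the per-user salt.
    Stand-in: stdlib scrypt; the add-on itself uses Argon2id (assumed to mix salt and pepper this way)."""
    return hashlib.scrypt(pepper + phrase.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


class Recovery:
    def __init__(self):
        self.users = {}   # username -> stored record, or None once the phrase has been used up
        self.fails = {}   # ("ip", addr) / ("user", name) -> timestamps of recent failures

    def set_phrase(self, user: str, phrase: str) -> None:
        if not validate_phrase(phrase):
            raise ValueError("secret phrase does not meet the complexity rules")
        salt, pepper = secrets.token_bytes(32), secrets.token_bytes(16)   # 256-bit salt, 128-bit pepper
        self.users[user] = {"hash": derive(phrase, salt, pepper), "salt": salt, "pepper": pepper}

    def _locked(self, key, now: float) -> bool:
        recent = [t for t in self.fails.get(key, []) if now - t < LOCK_SECONDS]
        self.fails[key] = recent
        return len(recent) >= MAX_FAILS

    def attempt(self, user: str, phrase: str, ip: str, now: float = None) -> str:
        """Returns 'locked', 'denied' or 'recovered' (the caller logs the user in on 'recovered')."""
        now = time.time() if now is None else now
        keys = (("ip", ip), ("user", user))
        if any(self._locked(k, now) for k in keys):
            return "locked"
        rec = self.users.get(user) or _DUMMY
        if not hmac.compare_digest(derive(phrase, rec["salt"], rec["pepper"]), rec["hash"]):
            for k in keys:
                self.fails.setdefault(k, []).append(now)
            return "denied"
        self.users[user] = None          # one-time use: the phrase is invalidated
        for k in keys:
            self.fails.pop(k, None)      # clear rate-limit counters on success
        return "recovered"
```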


🤖 Anti-Bot Honeypot Protection

✅ Bot Traps

  • Uses Spaminator-style code to detect bots
  • If bot detected:
    • Blocked silently (no error message shown)
    • Logged in an ACP-viewable log

✅ Smart Logging

  • Only logs hits if the user does not have a valid secret phrase
  • Stores:
    • username attempted
    • ip_address (as binary)
    • user_agent
    • field_value (i.e. which trap caught the bot)
    • Multiple values logged with two line breaks between them for easy viewing


🛠 Admin CP Log Viewer

✅ ACP List of Bot Trap Logs

  • Shows:
    • Username (linked if valid, which should never happen)
    • IP address (linked to WhatIsMyIPAddress)
    • Timestamp
    • User agent (wraps if long)
    • Bot traps hit

✅ ACP List of Successful Recovery Logs

  • Shows:
    • Username (linked to user edit page in Admin CP)
    • IP address (linked to WhatIsMyIPAddress)
    • Timestamp
    • User agent (wraps if long)
  • Each recovery is logged when a secret phrase is successfully used
  • Helpful for auditing real access versus abuse

✅ Admin Tools

  • “Clear log” button in top-right
  • Opens a confirmation overlay
  • Truncates either the honeypot or recovery log table
  • Logs are paginated


🧹 Background Cleanup

✅ Cron Job

  • Removes secret_phrase_attempt entries older than 24 hours


🚫 Bot Filtering Summary

Trap                Behavior
Bot traps           Block silently + log
Rate limiting       5 failed attempts → 15-min lock
One-time recovery   Secret is invalidated after use



💎 Premium Upgrade

Upgrade to [OzzModz] Premium and unlock access to this add-on plus our entire collection for just $10.00 USD.

Your Premium status grants you unlimited downloads of all [OzzModz] add-ons for a full six months.

🌐 View the full [OzzModz] Premium collection »