I managed to pull it off! I got lucky with a dummy e-mail address of gary@bikinibottom.org.
Here I will demonstrate activation of a new user account. Below is the token from the database and associated e-mail address with its “pending” status.
+---------+--------------------------------------------------------------------------------------------------------------+------------------------+
| status | token | email |
+---------+--------------------------------------------------------------------------------------------------------------+------------------------+
| pending | MTU4NjIwNjA1ODE2MXx2b2xkZW1vcnRAaG9nd2FydHMub3JnfHh6NTVXbi9sNmZ4ZnNpY1BPK1ppaysyQXFuVzJrT2lhWFQrdS85bk9ITGc9 | voldemort@hogwarts.org |
+---------+--------------------------------------------------------------------------------------------------------------+------------------------+
The pending status needs to be cleared before proceeding to the next step. Here we see what happens if we fail to do so. So this is what the activation URL might look like.
https://example.com/ghost/signup/MTU4NjIwNjA1ODE2MXx2b2xkZW1vcnRAaG9nd2FydHMub3JnfHh6NTVXbi9sNmZ4ZnNpY1BPK1ppaysyQXFuVzJrT2lhWFQrdS85bk9ITGc9/
If we use this URL without first clearing the token status – that is updating it to “sent” – we get the following message.
The invitation does not exist or is no longer valid.
So we need to clear that first, and we can do that with the following SQL command.
update invites set status='sent' where status='pending';
The pending status has now been cleared…
+--------+--------------------------------------------------------------------------------------------------------------+------------------------+
| status | token | email |
+--------+--------------------------------------------------------------------------------------------------------------+------------------------+
| sent | MTU4NjIwNjA1ODE2MXx2b2xkZW1vcnRAaG9nd2FydHMub3JnfHh6NTVXbi9sNmZ4ZnNpY1BPK1ppaysyQXFuVzJrT2lhWFQrdS85bk9ITGc9 | voldemort@hogwarts.org |
+--------+--------------------------------------------------------------------------------------------------------------+------------------------+
So if we use the same URL again…
https://example.com/ghost/signup/MTU4NjIwNjA1ODE2MXx2b2xkZW1vcnRAaG9nd2FydHMub3JnfHh6NTVXbi9sNmZ4ZnNpY1BPK1ppaysyQXFuVzJrT2lhWFQrdS85bk9ITGc9/
We are greeted with a page for creating a new user account.
Create your account
Once we have provided our details we are signed in and welcomed to Ghost…
Welcome to Ghost (lord Voldemort)!
If we inspect the invites table, we can see that it’s empty now…
Empty set (0.00 sec)
All invitation tokens have been consumed.
Note that the token strings are of variable length. So 104, 106, 108, more or less, it’s all good. Also, more importantly, if the token string has any equal signs at the end, either double equal signs == or a single equal sign =, you will have to remove them before using the token in your URL.
Here is an example of such a token that I used to activate my (lucky) Gary user account.
MTU4NjE5ODIxNTg4NHxnYXJ5QGJpa2luaWJvdHRvbS5vcmd8MnJrU0pIcCt3ejN2akVWTVlXQ1RzV1NBRjJQMFpkSTVHdXFqbkxiYzdKRT0=
The URL for this one would be (was)…
https://example.com/ghost/signup/MTU4NjE5ODIxNTg4NHxnYXJ5QGJpa2luaWJvdHRvbS5vcmd8MnJrU0pIcCt3ejN2akVWTVlXQ1RzV1NBRjJQMFpkSTVHdXFqbkxiYzdKRT0/
That’s all Folks! Happy ghosting!
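As an added example (not part of the original post and not Ghost's own code), this Node.js snippet strips the trailing equal signs, builds the signup URL, and decodes a token to show what it carries. The "expiry in milliseconds | e-mail | hash" layout is an assumption inferred from decoding the tokens shown above, and the function names are hypothetical.

```javascript
// Added example. Token copied from the post above (gary@bikinibottom.org).
const GARY_TOKEN =
  'MTU4NjE5ODIxNTg4NHxnYXJ5QGJpa2luaWJvdHRvbS5vcmd8MnJrU0pIcCt3ejN2akVWTVlXQ1RzV1NBRjJQMFpkSTVHdXFqbkxiYzdKRT0=';

// Remove the trailing "=" or "==" that must not appear in the signup URL.
function stripPadding(token) {
  return token.trim().replace(/=+$/, '');
}

// Decode a token copied from the invites table.
// Assumption: the layout is "<expiry ms>|<email>|<hash>", as seen when
// decoding the tokens in the post; Ghost may change it.
function decodeInviteToken(token, now = Date.now()) {
  const bare = stripPadding(token);
  if (!/^[A-Za-z0-9+/]+$/.test(bare)) throw new Error('not a base64 token');
  // Put padding back so the length is a multiple of 4 before decoding.
  const padded = bare + '='.repeat((4 - (bare.length % 4)) % 4);
  const fields = Buffer.from(padded, 'base64').toString('utf8').split('|');
  if (fields.length !== 3) throw new Error('unexpected token layout');
  const [expires, email, hash] = fields;
  const expiresMs = Number(expires);
  if (!Number.isSafeInteger(expiresMs)) throw new Error('bad expiry field');
  return { expiresMs, email, hash, expired: now > expiresMs };
}

// Build the activation URL in the form used in the post.
function signupUrl(siteUrl, token) {
  return `${siteUrl.replace(/\/+$/, '')}/ghost/signup/${stripPadding(token)}/`;
}

const info = decodeInviteToken(GARY_TOKEN);
console.log(info.email, new Date(info.expiresMs).toISOString(), info.expired);
console.log(signupUrl('https://example.com/', GARY_TOKEN));
```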