Default Password and Redirect

Background: I have 2 systems on 1 database, CB powered Joomla is one and the other is a PHP-MySQL web app with its own users table. When someone signs up for my subscription plan they must be added to this other users table as well. I use the SQL integration to achieve this and that works. The problem is the password - I have no way of knowing how the password is hashed on the other system so I have created a workaround. I have a number of default passwords whose hashes I got from manually signing up on the other system. I set cb to generate passwords and then I use an auto action to set the password and also set the corresponding hash to a field cb_spook during registration. This is the auto action so far;

Global
Triggers: onStartSaveUserRegistration
Type: Code
User: Automatic
Access: Everybody

Action
Mode: PHP
{
$password = '523641';
$spook = '89cfe56872b9051c68dd0e29bcb6990488047881';
$variables->set( 'password', $password);
$variables->set( 'cb_spook', $spook);
}

The result of this is that an email with the following details is sent to the user;

Name: Test Person1
Username: Test Person1
Password: $2y$10$646yaxmm.onnHWOvWOxgM.Nzl196k5SW1eqt6JAhg7xI6T/ocYU/a

I need to adjust the auto action firstly so the correct password is sent to the user and secondly so that instead of having a single default password the auto action chooses the default randomly from an array of password - hash values.

I would recommend finding out what hashing method your web app is using so you can properly generate their passwords.

The onStartSaveUserRegistration trigger doesn't have any user data at this point. I suggest instead using the following triggers.

Registration
Backend: onAfterNewUser
Frontend: onAfterUserRegistration

You'll be able to get the users plaintext password during those using [password]. You can then hash it based off the web apps hashing behavior so their password is consistent across both systems. You can update the password during profile edit as well. So to cover those cases you'll need the below triggers.

Profile Edit
Backend: onAfterUpdateUser
Frontend: onAfterUserUpdate

For those you'll want to create a condition to check var1_password against var2_password to make sure the password changed. This should allow you to properly keep the systems in sync.

The better way to usually do this is extending the authentication process of your web app. So if the user tries to login and that user doesn't exist in the web app database try to login to your Joomla database with the credentials they supplied and if that was a success create them in the web app database and log them in. This is doable using the Login / Logout auto action as it can be used as an API endpoint. Example as follows.

Global
Triggers: None
Type: Login / Logout
User: Automatic
Access: Everybody
Action
Mode: Login
Method: Username
Username: [post_username]
Password: [post_password]
Force Login: Yes
Redirect: none
Output
Display: JSON
Layout:

Method: PHP
Substitutions: Yes

Your web app would just send a POST to this auto action and it'd return the JSON from the Layout. You can add as much user information as you need there. Since they've submitted a POST to the webapp with their plaintext password you'll be able to push that, hashed of course, into the web app database as well.

If you still want to just have it pick from some random passwords then simply add that to your PHP. You can call $user->getRandomPassword() for CB to generate a random password for you as well.

I have disabled all auto actions I have just cb subs running with the random password generation on but I am still getting passwords like this $2y$10$clTH7exBsXxWD8pPDdQXt.MkxGeHqcCrBLSO.FHjETyDCnLR4PDMu

Passwords are encrypted. You can't get plaintext passwords except at very specific times in CB. That would be right when they're logging in, right after registration (see registration triggers in my above reply), and right after profile edit if their password was changed (see profile edit triggers in my above reply).

This is why you'd need to synchronize them specifically at those times to your web app so you can send the plaintext password for encryption to your web app. I assume your web app has an API endpoint to deal with registrations and you'd just use that.

It's unclear to me what you're even doing in your code action for me to really suggest anything further.

To clarify I am getting these passwords in the registration email sent after sign up;

Your account with the following details:
Email: CENSORED
Name: Test Person1
Username: Test Person1
Password: $2y$10$clTH7exBsXxWD8pPDdQXt.MkxGeHqcCrBLSO.FHjETyDCnLR4PDMu
has been activated.
We welcome you to our online community and trust that together
we will grow.
Enjoy the experience!
Kind Regards,
Website Administration Team

I have deleted all auto actions. I have only set CB to generate passwords and I am signing up on CB Subs plans.

Is that your Welcome or Pending email in CB > Configuration > Registration? Do you have email confirmation or registration approval enabled?