diff --git a/.github/workflows/demo.yml b/.github/workflows/demo.yml index df53b543..edb9af7d 100644 --- a/.github/workflows/demo.yml +++ b/.github/workflows/demo.yml @@ -1,8 +1,8 @@ name: deploy to demo site -on: - push: - branches: [ "php8" ] - +#on: +# push: +# branches: [ "php8" ] + # Environment variables available to all jobs and steps in this workflow env: SSH_KEY: ${{secrets.DEMO_SSH_KEY}} @@ -35,6 +35,6 @@ jobs: run: ssh demo "cd $DEMO_WEB_ROOT && php artisan nexus:update --tag=dev" - name: Update run: ssh demo "cd $DEMO_WEB_ROOT && php artisan nexus:update" - - - + + + diff --git a/app/Models/User.php b/app/Models/User.php index 89e08b43..8e31a86f 100644 --- a/app/Models/User.php +++ b/app/Models/User.php @@ -185,7 +185,7 @@ class User extends Authenticatable implements FilamentUser, HasName 'username', 'email', 'passhash', 'secret', 'stylesheet', 'editsecret', 'added', 'enabled', 'status', 'leechwarn', 'leechwarnuntil', 'page', 'class', 'uploaded', 'downloaded', 'clientselect', 'showclienterror', 'last_home', 'seedbonus', 'downloadpos', 'vip_added', 'vip_until', 'title', 'invites', 'attendance_card', - 'seed_points_per_hour', 'passkey', + 'seed_points_per_hour', 'passkey', 'auth_key' ]; /** diff --git a/app/Repositories/UserRepository.php b/app/Repositories/UserRepository.php index 772f1ef3..71a11b39 100644 --- a/app/Repositories/UserRepository.php +++ b/app/Repositories/UserRepository.php @@ -129,6 +129,7 @@ class UserRepository extends BaseRepository 'username' => $username, 'email' => $email, 'secret' => $secret, + 'auth_key' => mksecret(), 'editsecret' => '', 'passhash' => $passhash, 'stylesheet' => $setting['defstylesheet'], @@ -165,6 +166,7 @@ class UserRepository extends BaseRepository $update = [ 'secret' => $secret, 'passhash' => $passhash, + 'auth_key' => mksecret(), ]; $user->update($update); return true; diff --git a/public/recover.php b/public/recover.php index 7bd32ece..d5ba6976 100644 --- a/public/recover.php +++ b/public/recover.php 
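Review bot: Commenting out the whole `on:` block at the top of demo.yml leaves the workflow with no trigger, and GitHub reports a workflow without `on` as an invalid workflow file rather than as a disabled one. If the goal is to stop automatic deploys from `php8` while keeping the job available, replace the block with `on: workflow_dispatch`, so a run that uses `DEMO_SSH_KEY` starts only when a maintainer launches it. Disabling the workflow in the repository's Actions settings is the alternative and leaves the file untouched.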
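Review bot: `'auth_key'` joins a list that already carries `passhash`, `secret` and `passkey`. The array's declaration is above the hunk, but if it is the model's mass-assignable list, any `fill()`/`update()` fed from request input could overwrite the key. Keep assigning it explicitly from server-generated values, as the repository hunks do, and check that `auth_key` is listed in the model's `$hidden` so it never reaches `toArray()`/JSON output. A comment on this line such as `// auth_key: server-generated secret, never taken from request input` would record the constraint. The new last element also drops the trailing comma the old line had.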
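Review bot: The new `'auth_key' => mksecret()` entry takes an authentication secret from a helper whose body is not in this diff, so the key's strength depends on code this review cannot see. The same call is added in the password-reset hunk below and in public/recover.php. Confirm that `mksecret()` draws from a CSPRNG (`random_bytes()` / `random_int()`) and yields enough entropy for a secret that authenticates a user. If it does not, generate the key directly, e.g. `'auth_key' => bin2hex(random_bytes(32)),` with the length adjusted to the column. The surrounding array literal starts and ends outside the hunk.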
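Review bot: Rotating `auth_key` next to `passhash` covers this reset path, but accounts that existed before this commit receive a key only when their password is reset, and the visible diff contains no migration that fills the column. Whatever code verifies `auth_key` should reject an empty or null stored value rather than compare against it, and should compare with `hash_equals()`. If the intent is to invalidate logins issued before the password change, say so next to the new entry, e.g. `// rotate auth_key so credentials issued before the reset stop validating`. The enclosing method begins above the hunk.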
@@ -85,11 +85,10 @@ elseif($_SERVER["REQUEST_METHOD"] == "GET" && $take_recover && isset($_GET["id"] $sec = mksecret(); -// $newpasshash = md5($sec . $newpassword . $sec); - $newpasshash = hash('sha256', $newpassword); - $newpasshash = hash('sha256', $sec.$newpasshash); + $newpasshash = hash('sha256', $sec.hash('sha256', $newpassword)); + $authKey = mksecret(); - sql_query("UPDATE users SET secret=" . sqlesc($sec) . ", editsecret='', passhash=" . sqlesc($newpasshash) . " WHERE id=" . sqlesc($id)." AND editsecret=" . sqlesc($arr["editsecret"])) or sqlerr(__FILE__, __LINE__); + sql_query("UPDATE users SET secret=" . sqlesc($sec) . ", editsecret='', passhash=" . sqlesc($newpasshash) . ", auth_key=". sqlesc($authKey) . " WHERE id=" . sqlesc($id)." AND editsecret=" . sqlesc($arr["editsecret"])) or sqlerr(__FILE__, __LINE__); if (!mysql_affected_rows()) stderr($lang_recover['std_error'], $lang_recover['std_unable_updating_user_data']);
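Review bot: The rewritten `$newpasshash` line still stores the password as salted double SHA-256, a fast hash that gives little resistance to offline guessing if the `users` table is ever disclosed; merging the two statements into one does not change that. Moving to `password_hash($newpassword, PASSWORD_DEFAULT)` requires the login check (outside this diff) to switch to `password_verify()` with a rehash on successful login, so it is a follow-up change rather than a one-line edit here. In the new `sql_query` line, `auth_key` is correctly written under the same `editsecret` guard as `passhash`, though the spacing in `auth_key=". sqlesc($authKey)` differs from the neighbouring `" . sqlesc(...)` pieces. The enclosing `elseif` branch starts above the hunk.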