Sunday, 29 March 2015

ASP.NET Identity 2.0, Confirm Email address on Password Reset






I have two questions regarding ASP.NET Identity 2. A client's website uses user email addresses as the unique user name. When a user forgets their password, a reset token is sent to an email address that they type in.


1. Are there any security considerations, if the entered email address is not linked to a user in the database, in notifying the user of such a problem?



    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    public async Task<ActionResult> ForgotPassword(ForgotPasswordViewModel model)
    {
        if (!ModelState.IsValid) return View("Error", ModelState);

        // The user name is the email address, so the account is looked up by name.
        var user = await UserManager.FindByNameAsync(model.Email);

        if (user == null)
        {
            // Don't reveal that the user does not exist or is not confirmed
            ModelState.AddModelError("", "That user does not exist");
            return View();
        }

        if (user.Logins.Count > 0)
        {
            // Account was created through an external login provider: point the user there.
            // Indexer assignment instead of Add(), so a second linked login does not throw on a duplicate key.
            foreach (IdentityUserLogin linkedAccount in user.Logins)
            {
                TempData["InfoMessage"] = "It looks like you have already signed up using " + linkedAccount.LoginProvider + ", try to log in with that account";
                model.Email = "";
            }
            return View("Login");
        }
        else
        {
            // The token is generated for the account's id and sent to the address stored on the account.
            var code = await UserManager.GeneratePasswordResetTokenAsync(user.Id);
            var callbackUrl = Url.Action("ResetPassword", "Account", new { Code = code, Email = user.Email }, protocol: Request.Url.Scheme);

            /* Postal Message Start */
            dynamic email = new Postal.Email("ResetPassword");
            email.To = user.Email;
            email.callbackUrl = callbackUrl;
            email.UserName = user.Email;
            await email.SendAsync();
            /* Postal Message End */

            TempData["InfoMessage"] = "An email has been sent to " + user.Email + " with password reset instructions";
            return View("Login");
        }
    }


2. If the user does respond to the password reset email, is it safe to assume that the email address is also verified (and as such mark the email address as verified in the database)?



    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    public async Task<ActionResult> ResetPassword(ResetPasswordViewModel model)
    {
        var user = await UserManager.FindByEmailAsync(model.Email);
        if (user != null)
        {
            // The token only validates for this user's id and current security stamp.
            var result = await UserManager.ResetPasswordAsync(user.Id, model.Code, model.Password);

            if (result.Succeeded)
            {
                await this.SignInAsync(user, isPersistent: false);
                ConfirmEmail(model.Email); // the asker's own helper; not shown in the post
                TempData["InfoMessage"] = "Your password has been reset";
                return RedirectToAction("Index", "Home");
            }
            else
            {
                this.AddErrors(result);
            }
        }
        // No user for that address: fall through and redisplay the form.

        return View(model);
    }


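Added example, not the asker's code: the two actions rewritten so that the browser response is identical whether or not the typed address belongs to an account (question 1), and so that a successful reset marks the address stored on the account as confirmed through UserManager (question 2). It assumes the default ASP.NET Identity 2.0 MVC template types (ApplicationUser, the UserManager property, ForgotPasswordViewModel/ResetPasswordViewModel, and the ForgotPasswordConfirmation/ResetPasswordConfirmation views) and a hypothetical IEmailSender service named _mailer in place of Postal. The reasoning behind question 2 is that the reset token is bound to user.Id and the user's security stamp and is delivered only to user.Email as stored, never to the address typed into the form, so whoever completes the reset demonstrably read that mailbox; that is what justifies setting EmailConfirmed.

```csharp
// Added example (not the asker's code). Assumes the default ASP.NET Identity 2.0
// MVC template (ApplicationUser, UserManager, the view models and confirmation
// views) and a hypothetical IEmailSender injected as _mailer.
using System.Linq;
using System.Threading.Tasks;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;

public interface IEmailSender   // hypothetical stand-in for Postal
{
    Task SendAsync(string to, string subject, string body);
}

public partial class AccountController : Controller
{
    private readonly IEmailSender _mailer;   // hypothetical; wired up by the app's DI

    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    public async Task<ActionResult> ForgotPassword(ForgotPasswordViewModel model)
    {
        if (!ModelState.IsValid) return View(model);

        var user = await UserManager.FindByNameAsync(model.Email);

        // Same view and same message for an unknown address, an external-login
        // account and a local account. Only the mailbox that owns the address
        // learns which case applied.
        if (user != null)
        {
            if (user.Logins.Any())
            {
                // Tell the mailbox owner, not the requester, which provider to use.
                var provider = user.Logins.First().LoginProvider;
                await _mailer.SendAsync(user.Email, "Password reset request",
                    "This account signs in with " + provider + "; it has no password to reset.");
            }
            else
            {
                // The token is tied to user.Id and the user's SecurityStamp, and it
                // goes to the address stored on the account, not to whatever was typed.
                var code = await UserManager.GeneratePasswordResetTokenAsync(user.Id);
                var callbackUrl = Url.Action("ResetPassword", "Account",
                    new { code = code }, protocol: Request.Url.Scheme);
                await _mailer.SendAsync(user.Email, "Reset your password",
                    "Reset your password by visiting: " + callbackUrl);
            }
        }

        return View("ForgotPasswordConfirmation");
    }

    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    public async Task<ActionResult> ResetPassword(ResetPasswordViewModel model)
    {
        if (!ModelState.IsValid) return View(model);

        // model.Email is attacker-controlled form input, but the token is only
        // valid for this user's id and current security stamp, so a wrong
        // address simply fails token validation.
        var user = await UserManager.FindByEmailAsync(model.Email);
        var result = user == null
            ? IdentityResult.Failed("invalid")
            : await UserManager.ResetPasswordAsync(user.Id, model.Code, model.Password);

        if (!result.Succeeded)
        {
            // One generic error for unknown address, bad token and expired token alike.
            ModelState.AddModelError("", "The reset link is invalid or has expired.");
            return View(model);
        }

        // A valid token can only have been read from the mailbox on record, so the
        // stored address (user.Email, not model.Email) is now verified. Persist it
        // through UserManager so the write is awaited and goes through the store.
        if (!user.EmailConfirmed)
        {
            user.EmailConfirmed = true;
            await UserManager.UpdateAsync(user);
        }

        // ResetPasswordAsync has already rotated the SecurityStamp, which
        // invalidates any other outstanding reset tokens for this account.
        return RedirectToAction("ResetPasswordConfirmation", "Account");
    }
}
```

Two caveats a practitioner should keep in mind. First, the no-account path returns immediately while the real path generates a token and sends mail, so an attacker timing responses can still tell the two apart; if that matters, hand the mail to a background queue and return at once. Second, the generic error in ResetPassword also swallows password-policy failures reported by ResetPasswordAsync, so enforce the password rules on the view model (the template's ResetPasswordViewModel already carries a StringLength attribute) so ModelState catches them before the token is checked.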







