Member VerifyUserTokenAsync
g
Hey there! I'm using Umbraco 12 and I wanted to provide a "forgot password" mechanism to frontend members.
I'm currently asking for the e-mail to get the MemberIdentityUser member and then using MemberManager.GeneratePasswordResetTokenAsync(member) to get the token. I then encode it and send the e-mail with the encoded token.
After clicking the link in the e-mail, a controller is called with the encoded token and the user. A token validation is performed using
MemberManager.VerifyUserTokenAsync(member, _options.Tokens.PasswordResetTokenProvider, UserManager.ResetPasswordTokenPurpose, token)
I've also tried
MemberManager.VerifyUserTokenAsync(member, "Default", "ResetPassword", token)
Both return false. I've debugged it and can confirm the token sent (before encoding) matches the received token.
What am I missing here? Thank you 🙂
d
Hi there! Just to be sure: you say you encoded your token, but do you also need to decode it before you call VerifyUserTokenAsync?
m
I assume you're not calling ResetPasswordAsync before you're verifying the token?
h
In your Startup.cs - ConfigureServices(IServiceCollection services) method, ensure that services.AddAuthentication appears BEFORE services.AddIdentity
g
I do not need to decode it, the controller does (I've checked the token before encoding and when it gets to the controller and it matches)
Correct. I was trying to validate the token prior to letting the user set a new password. If the token is not valid, I'd show an error of some sort; if the token is valid, then I let the user set the password
I'm not setting any of them.. are you saying I should force it to ensure?
h
Doesn't look like it for 12. In my reset code I use the changepassword method and pass it the token, I don't check it first

```cs
var changePasswordResult =
    await _memberManager.ChangePasswordWithResetAsync(user.Id, token, changePassword.Password);
```
g
Well, I was hoping to check the token before showing the form to the user, but oh well 😦
h
When you generate the token, you could store it on the member record and check that matches the token instead
g
Well, the tokens should have an expire date (which I believe to be 24h default) and the token storage in member's record would not have that info (I know I could code it as well, but I think the VerifyUserTokenAsync should be doing that). I'll ignore this step for the time being and open a bug report. Thank you all for your inputs 🙂
h
This will tell you it has expired or not: ChangePasswordWithResetAsync(user.Id, token, changePassword.Password);