如何检查密码重置令牌是否已过期? [英] How can I check if a password reset token is expired?

问题描述

我正在使用ASP.NET Identity，并且具有基本的忘记密码/重置密码"功能.

I'm using ASP.NET Identity, and I have the basic Forgot Password/Reset Password functionality in place.

当您填写忘记密码的表格时，它会使用_userManager.GeneratePasswordResetTokenAsync(user)

When you fill out the form that you forgot your password, it creates a reset token using _userManager.GeneratePasswordResetTokenAsync(user)

[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
public async Task<IActionResult> ForgotPassword(ForgotPasswordViewModel model)
{
    if (ModelState.IsValid)
    {
        var user = await _userManager.FindByNameAsync(model.Email);
        if (user == null || !(await _userManager.IsEmailConfirmedAsync(user)))
        {
            return View("ForgotPasswordConfirmation");
        }

        var code = await _userManager.GeneratePasswordResetTokenAsync(user);
        var callbackUrl = Url.Action("ResetPassword", "Account", new { userId = user.Id, code = code }, protocol: HttpContext.Request.Scheme);
        await _emailSender.SendEmailAsync(model.Email, "Reset Password",
               $"Please reset your password by clicking here: <a href='{callbackUrl}'>link</a>");
        return View("ForgotPasswordConfirmation");
    }

    // If we got this far, something failed, redisplay form
    return View(model);
}

我注意到，重置密码"页面的唯一验证是检查代码是否为空，而不是检查代码是否仍然有效.

I noticed that the only validation the Reset Password page has is to check if the code is null, rather than also checking to see if it's still valid or not expired.

[HttpGet]
[AllowAnonymous]
public IActionResult ResetPassword(string code = null)
{
    if (code == null)
    {
        throw new Exception("A code must be supplied for password reset.");
    }
    var model = new ResetPasswordViewModel { Code = code };
    return View(model);
}

在您尝试重置密码并调用_userManager.ResetPasswordAsync(user, model.Code, model.Password)

It doesn't actually check to see if the token is valid until you attempt to reset your password and it calls _userManager.ResetPasswordAsync(user, model.Code, model.Password)

我希望能够验证代码在他们单击重置密码"页面以向用户显示消息时(而不是在他们尝试重置密码之后)仍然有效.

I'd like to be able to validate that the code is still valid when they hit the Reset Password page to display a message to the user, and not after they attempt to reset their password.

有没有办法检查它是否有效?

Is there a way to check if it's valid?

推荐答案

以下代码可用于验证重置令牌是否有效:

Following code works to verify if the reset token is valid:

1.创建代码并将其发送给用户

var code = await this._userManager.GeneratePasswordResetTokenAsync(user);

2.验证令牌

[HttpGet]
public async Task<IActionResult> ResetPassword(string UserId, string token)
{
    ...

    ApplicationUser user = //get user;


    if(!await this._userManager.VerifyUserTokenAsync(user,this._userManager.Options.Tokens.PasswordResetTokenProvider, "ResetPassword", token)){
        ViewBag.Message = this._localizer["tokenNotValid"].Value;
    }

    ...
}

请参阅UserManager代码: https://github.com/aspnet/Identity/blob/rel/2.0.0/src/Microsoft.Extensions.Identity.Core/UserManager.cs#L29

See UserManager code: https://github.com/aspnet/Identity/blob/rel/2.0.0/src/Microsoft.Extensions.Identity.Core/UserManager.cs#L29

这篇关于如何检查密码重置令牌是否已过期?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！