19

Is it possible to test whether a confirm email token is expired using Identity Framework's UserManager? No matter what the error is, from the following:

var result = await UserManager.ConfirmEmailAsync(userId, code);

I get a generic "Invalid Token" error.

Nkosi
  • 235,767
  • 35
  • 427
  • 472
Carel
  • 2,063
  • 8
  • 39
  • 65

4 Answers4

8

I get around this by keeping/storing a copy of the generated token 

public class ApplicationUser : IdentityUser {
    public string EmailConfirmationToken { get; set; }
    public string ResetPasswordToken { get; set; }
}

and associating it with the user in derived UserManager<ApplicationUser>. 

public override async System.Threading.Tasks.Task<string> GenerateEmailConfirmationTokenAsync(string userId) {
    /* NOTE:
        * The default UserTokenProvider generates tokens based on the users's SecurityStamp, so until that changes
        * (like when the user's password changes), the tokens will always be the same, and remain valid. 
        * So if you want to simply invalidate old tokens, just call manager.UpdateSecurityStampAsync().
        */
    //await base.UpdateSecurityStampAsync(userId);

    var token = await base.GenerateEmailConfirmationTokenAsync(userId);
    if (!string.IsNullOrEmpty(token)) {
        var user = await FindByIdAsync(userId);
        user.EmailConfirmationToken = token; //<<< Last issued token
        //Note: If a token is generated then the current email is no longer confirmed.
        user.EmailConfirmed = false;
        await UpdateAsync(user);
    }
    return token;
}

When the token is provided for confirmation, a search for the user via the token is done.

public static class ApplicationUserManagerExtension {
    public static Task<string> FindIdByEmailConfirmationTokenAsync(this UserManager<ApplicationUser> manager, string confirmationToken) {
        string result = null;
        ApplicationUser user = manager.Users.SingleOrDefault(u => u.EmailConfirmationToken != null && u.EmailConfirmationToken == confirmationToken);
        if (user != null) {
            result = user.Id;
        }
        return Task.FromResult(result);
    }
}

If the token matches a known user that indicates that it was a validly issued token.

Will then attempt to confirm token with User manager.

If confirmation fails then token has expired and an appropriate action is taken.

Else if the token confirmed, it is removed from associated user and thus invalidating the reuse of that token.

public override async System.Threading.Tasks.Task<IdentityResult> ConfirmEmailAsync(string userId, string token) {
    var user = await FindByIdAsync(userId);
    if (user == null) {
        return IdentityResult.Failed("User Id Not Found");
    }
    var result = await base.ConfirmEmailAsync(userId, token);
    if (result.Succeeded) {
        user.EmailConfirmationToken = null;
        return await UpdateAsync(user);
    } else if (user.EmailConfirmationToken == token) {
        //Previously Issued Token expired
        result = IdentityResult.Failed("Expired Token");
    }
    return result;
}

A similar approach was implemented for password reset as well.

Nkosi
  • 235,767
  • 35
  • 427
  • 472
  • I did consider similar approach many times and implemented it in a system where Identity was not available. However, every time I wonder if there are hidden security implications that I don't see. – trailmax Jun 23 '18 at 22:43
  • 1
    @trailmax after digging up in the repo to get a better understanding of how the underlying framework operates I've safely been able to apply this when I wanted the same functionality https://github.com/aspnet/AspNetIdentity/blob/master/src/Microsoft.AspNet.Identity.Core/UserManager.cs#L1153 – Nkosi Jun 23 '18 at 22:47
8

I found a way to parse the token for the date issued, which you can then check to see if is within the allowed timespan (default of 24hours if not specified).

Identity.cs

ApplicationUserManager

public IDataProtector Protector { get; set; }

public TimeSpan TokenLifespan { get; set; }

ApplicationUserManager Create()

// Explicitly set token expiration to 24 hours. 
manager.TokenLifespan = TimeSpan.FromHours(24);
var dataProtectionProvider = options.DataProtectionProvider;
manager.Protector = dataProtectionProvider.Create("ASP.NET Identity");

if (dataProtectionProvider != null)
{
    manager.UserTokenProvider =
        new DataProtectorTokenProvider<ApplicationUser>(dataProtectionProvider.Create("ASP.NET Identity"))
        {
            TokenLifespan = manager.TokenLifespan
        };
}

AccountController.cs

public async Task<ActionResult> ConfirmEmail(string Code, string UserId)
{
// Try/catch, validation, etc.
var tokenExpired = false;
var unprotectedData = UserManager.Protector.Unprotect(Convert.FromBase64String(Code));
var ms = new MemoryStream(unprotectedData);
using (BinaryReader reader = new BinaryReader(ms))
{
    var creationTime = new DateTimeOffset(reader.ReadInt64(), TimeSpan.Zero);
    var expirationTime = creationTime + UserManager.TokenLifespan;
    if (expirationTime < DateTimeOffset.UtcNow)
    {
        tokenExpired = true;
    }
 }
 // Do something if token is expired, else continue with confirmation
}

I found this blog post and Nkosi's answer to be extremely helpful, and if you want to go through the Identity source code, Microsoft has it here (The previous versions of Identity for MVC5 and lower here). Also, I apologize if its in poor form to answer a question that you, yourself put a bounty on, but I couldn't help but continue looking for a better solution.

Pat
  • 2,540
  • 1
  • 21
  • 28
  • 2
    Providing an answer that helps others whether bounty or not is what this site is about. I find this answer interesting and will investigate it further to make sure there are no flaws. It has potential from what I have seen so far. – Nkosi Jun 26 '18 at 21:00
  • Shall i comment on creating two times the IDataProtector? Instead of creating twice i would suggest using the `manager.Protector` in the `UserManagerProvider` as so: `manager.UserTokenProvider = new DataProtectorTokenProvider(manager.Protector);` .Unless there is a reason why it should be created twice, which i doubt. – Giannis Paraskevopoulos Sep 16 '19 at 09:33
0

Here comes an .NET Core 2.1 adaption of the solution provided by @Nkosi :

ApplicationUser class

public class ApplicationUser : IdentityUser 
{
    public string EmailConfirmationToken { get; set; }
    public string ResetPasswordToken { get; set; }
}

Derived UserManager class

public class CustomUserManager : UserManager<ApplicationUser>
{
    public CustomUserManager(IUserStore<ApplicationUser> store, 
        IOptions<IdentityOptions> optionsAccessor, 
        IPasswordHasher<ApplicationUser> passwordHasher, 
        IEnumerable<IUserValidator<ApplicationUser>> userValidators, 
        IEnumerable<IPasswordValidator<ApplicationUser>> passwordValidators, 
        ILookupNormalizer keyNormalizer, 
        IdentityErrorDescriber errors, 
        IServiceProvider services, 
        ILogger<UserManager<ApplicationUser>> logger) 
        : base(store, optionsAccessor, passwordHasher, userValidators, passwordValidators, keyNormalizer, errors, services, logger)
    {

    }

    public override async Task<string> GenerateEmailConfirmationTokenAsync(ApplicationUser user)
    {
        /* NOTE:
            * The default UserTokenProvider generates tokens based on the users's SecurityStamp, so until that changes
            * (like when the user's password changes), the tokens will always be the same, and remain valid. 
            * So if you want to simply invalidate old tokens, just call manager.UpdateSecurityStampAsync().
            */
        //await base.UpdateSecurityStampAsync(userId);

        var token = await base.GenerateEmailConfirmationTokenAsync(user);
        if (!string.IsNullOrEmpty(token))
        {
            user.EmailConfirmationToken = token; //<<< Last issued token
            //Note: If a token is generated then the current email is no longer confirmed.
            user.EmailConfirmed = false;
            await UpdateAsync(user);
        }
        return token;
    }

    public override async Task<IdentityResult> ConfirmEmailAsync(ApplicationUser user, string token)
    {
        if (user == null)
        {
            return IdentityResult.Failed(new IdentityError {Description = "User not found."});
        }
        var result = await base.ConfirmEmailAsync(user, token);
        if (result.Succeeded)
        {
            user.EmailConfirmationToken = null;
            return await UpdateAsync(user);
        }
        else if (user.EmailConfirmationToken == token)
        {
            //Previously Issued Token expired
            result = IdentityResult.Failed(new IdentityError { Description = "Expired token." });
        }
        return result;
    }

}

UserManager Extension

public static class ApplicationUserManagerExtension
{
    public static Task<string> FindIdByEmailConfirmationTokenAsync(this UserManager<ApplicationUser> manager, string confirmationToken)
    {
        string result = null;

        ApplicationUser user = manager.Users
            .SingleOrDefault(u => u.EmailConfirmationToken != null && u.EmailConfirmationToken == confirmationToken);

        if (user != null)
        {
            result = user.Id;
        }
        return Task.FromResult(result);
    }
}

Update: The CustomUserManager has to be added to services in Startup.cs in ConfigureServices Method. 

services.AddTransient<CustomUserManager>();

Without this, DependencyInjection fails.

René
  • 3,413
  • 2
  • 20
  • 34
-1

You can use my controller.It's working mate.

        public IActionResult ForgotPassword()
        {
            return View();
        }

        [HttpPost]
        public async Task<IActionResult> ForgotPassword(string Email)
        {
            if (string.IsNullOrEmpty(Email))
            {
                return View();
            }

            var user = await _userManager.FindByEmailAsync(Email);
            if (user == null)
            {
                return View();
            }

            var code =await _userManager.GeneratePasswordResetTokenAsync(user);

            var callback = Url.Action("ResetPassword", "Account", new
            {
                token=code,
            },Request.Scheme);

            // send email
            await _emailSender.SendEmailAsync(Email, "Confirm Password Reset", $"<a href='{callback}'>If you want to reset your password click please !</a>");

            return RedirectToAction("ForgotPasswordConfirmation", "Account");

        }


        public IActionResult ForgotPasswordConfirmation() => View();


        public IActionResult ResetPassword(string token)
        {
            if (token == null)
            {
                return View();
            }

            var model = new ResetPasswordModel()
            {
                Token = token,
            };
            return View(model);
        }

        [HttpPost]
        public async Task<IActionResult> ResetPassword(ResetPasswordModel model)
        {
            if (!ModelState.IsValid)
            {
                return View(model);
            }

            var user = await _userManager.FindByEmailAsync(model.Email);
            if (user == null)
            {
                return RedirectToAction("Index", "Home");
            }

            var result = await _userManager.ResetPasswordAsync(user, model.Token, model.Password);

            if (result.Succeeded)
            {
                return RedirectToAction("ResetPasswordConfirmation", "Account");
            }

            return View(model);
        }

        public ActionResult ResetPasswordConfirmation() => View();
muhyag
  • 1
  • 5
  • Can you provide details on why it's working? – haydnD Mar 12 '21 at 16:59
  • Hey, I got an error "invalid tokens".When I was searching my problem on here I fixed it. If you want to confirm email and reset password on Identity.Its working on my project. – muhyag Mar 13 '21 at 10:44