Member VerifyUserTokenAsync | Umbraco | Page 1

soft mulch Oct 27, 2023, 12:27 AM

#

Hey there!

I'm using Umbraco 12 and I wanted to provide a "forgot password" mechanism to frontend members.

I'm currently asking for the e-mail to get the MemberIdentityUser member and then using the MemberManager.GeneratePasswordResetTokenAsync(member) to get the token. I then encode it and send the e-mail with the encoded token.

After clicking the link in the e-mail, a controller is called with the encoded token and the user. A token validation is performed using MemberManager.VerifyUserTokenAsync(member, _options.Tokens.PasswordResetTokenProvider, UserManager<MemberIdentityUser>.ResetPasswordTokenPurpose, token)

I've also tried MemberManager.VerifyUserTokenAsync(member, "Default", "ResetPassword", token)

Both return false. I've debugged it and can confirm the token sent (before encoding) matches the received token.

What am I missing here?

Thank you 🙂

reef hill Oct 27, 2023, 5:09 AM

#

Hi there! Just to be sure: you say you encoded your token, but do you also need to decode it before you call VerifyUserTokenAsync?

floral lantern Oct 27, 2023, 7:13 AM

#

I assume you're not calling ResetPasswordAsync before you're verifying the token?

opaque sage Oct 27, 2023, 7:25 AM

#

reef hill Hi there! Just to be sure: you say you encoded your token, but do you also need ...

In your Startup.cs - ConfigureServices(IServiceCollection services) method, ensure that:

services.AddAuthentication
Appears BEFORE
services.AddIdentity

soft mulch Oct 27, 2023, 9:03 AM

#

reef hill Hi there! Just to be sure: you say you encoded your token, but do you also need ...

I do not need to decode it, the controller does (I've checked the token before encoding and when it gets to the controller and it matches)

soft mulch Oct 27, 2023, 9:04 AM

#

floral lantern I assume you're not calling ResetPasswordAsync before you're verifying the token...

Correct. I was trying to validate the token prior to letting the user set a new password. If the token is not valid, I'd show an error of some sorts; if the token is valid, then I let the user set the password

soft mulch Oct 27, 2023, 9:29 AM

#

opaque sage In your Startup.cs - ConfigureServices(IServiceCollection services) method, ensu...

I'm not setting any of them.. are you saying I should force it to ensure?

opaque sage Oct 27, 2023, 9:33 AM

#

soft mulch I'm not setting any of them.. are you saying I should force it to ensure?

doesn't look like it for 12.
In my reset code I use the changepassword method and pass it the token, I don't check it first

var changePasswordResult =
    await _memberManager.ChangePasswordWithResetAsync(user.Id, token, changePassword.Password);

soft mulch Oct 27, 2023, 2:29 PM

#

opaque sage doesn't look like it for 12. In my reset code I use the changepassword method an...

Well, I was hoping to check the token before showing the form to the user, but oh well 😦

opaque sage Oct 27, 2023, 2:43 PM

#

When you generate the token, you could store it on the member record and check that matches the token instead

soft mulch Oct 29, 2023, 6:31 PM

#

opaque sage When you generate the token, you could store it on the member record and check t...

Well, the tokens should have a expire date (which I believe to be 24h default) and the token storage in member's record would not have that info (I know I could code it as well, but I think the VerifyUserTokenAsync should be doing).

I'll ignore this step for the time being and open a bug report.

Thank you all for your inputs 🙂

#Member VerifyUserTokenAsync