I wanted to generate a reset password link to send to the user's email that will open the ResetPassword page. On this page I will fill in the details regarding the new password and then confirm the password.
我想生成一个重置密码链接,发送到用户的电子邮件,打开ResetPassword页面。在本页我将填写有关新密码的详细信息,然后确认密码。
For this I have followed this Link
为此,我遵循了这个链接
But there is a Url.Action method that i am not able to find in my web api project.
但是这里有一个Url。在我的web api项目中找不到的操作方法。
var callbackUrl = Url.Action(
"ConfirmEmail", "Account",
new { userId = user.Id, code = code },
protocol: Request.Url.Scheme);
Hase anybody done the reset password part in the web api? I need some help.
是否有人在web api中重新设置了密码?我需要一些帮助。
5 个解决方案
#1
5
You can use Url.Link
in Web API 2.0
您可以使用Url。链接到Web API 2.0
var callbackUrl = Url.Link("Default", new { Controller = "Account",
Action = "ConfirmEmail", userId = user.Id, code = code });
#2
1
Url.Action does not exist because the Url helper in WebApi doe snot have the Action method. You can use Url.Route instead to generate the same thing but you will need to create a named route in order to use that method. If you are using attribute routing it, you can add a name to the route attribute like so:
Url。操作不存在,因为WebApi中的Url helper不具有操作方法。您可以使用Url。Route相反,您需要创建一个已命名的路由来使用该方法。如果使用属性路由,可以向route属性添加一个名称,如下所示:
[Route(Name="ConfirmEmail")]
and the helper would be
这个助手就是
var callbackUrl = Url.Route("ConfirmEmail", new { userId = user.Id, code = code });
#3
0
Try following :
试一试:
var code = await UserManager.GeneratePasswordResetTokenAsync(user.Id);
var callbackUrl = Url.Action("ResetPassword", "Account",
new { UserId = user.Id, code = code }, protocol: Request.Url.Scheme);
await UserManager.SendEmailAsync(user.Id, "Reset Password",
"Please reset your password by clicking here: <a href=\"" + callbackUrl + "\">link</a>");
return View("ForgotPasswordConfirmation");
For more information refer following link
更多信息请参考以下链接
#4
0
I created a simple "Change Password" form that I managed based on a menu click in my webAPI app. On the update handler for this form I created the following event handler. This simply calls the AccountController web service that comes with the VS2013 WebAPI template. This example has Authentication enabled and note the specific Url to use to include the defined Route in the AccountController method.
我创建了一个简单的“更改密码”表单,它是基于webAPI应用程序中的菜单单击而管理的。这只需调用与VS2013 WebAPI模板一起提供的AccountController web服务。这个示例启用了身份验证,并注意要在AccountController方法中包含已定义的路由的特定Url。
Look for the ChangePassword() method in the AccountController class generated in the WebAPI template to see what is getting called. I think this should answer your basic question.
在WebAPI模板中生成的AccountController类中查找ChangePassword()方法,以查看被调用的内容。我想这应该能回答你的基本问题。
function updateHandler(callback) {
var response;
var targetUrl;
// disabled the login button to avoid multiple events
$("#btnLogin").prop('disabled', true);
var loginData = {
grant_type: 'password',
NewPassword: $("#txtNewPassword").val(),
OldPassword: $("#txtOldPassword").val(),
ConfirmPassword: $("#txtConfirmPassword").val()
};
var token = sessionStorage.getItem(tokenKey);
var headers = {};
if (token) {
headers.Authorization = 'Bearer ' + token;
}
targetUrl = "/api/account/ChangePassword";
$.ajax({
type: 'POST',
url: targetUrl,
data: loginData,
headers: headers,
}).done(function (data) {
closeChangePassword();
}).fail(function (xhr, textStatus, errorThrown) {
passwordErrorHandler(xhr,0);
// re-enable the login button
$("#btnLogin").prop('disabled', false);
});
}
}
#5
0
You should never use Url.Link()
or Url.Action()
to send something to a user in my opinion. You are exposing them to a possible Host Header Attack -> Password Reset Poisoning
.
在我看来,您不应该使用Url.Link()或Url.Action()向用户发送一些东西。您将它们暴露给可能的主机头攻击——>密码重置中毒。
If the IIS has a binding to accept connections on 80/443 the host header can be changed and in turn affecting the Url.Link()
or Url.Action()
methods. If you look at the request I'm making below I'm connecting to http://hostheaderattack
but manipulating the host
header.
如果IIS具有一个绑定,可以在80/443上接受连接,那么可以更改主机头,进而影响Url.Link()或Url.Action()方法。如果查看下面的请求,我将连接到http://hostheaderattack,但是要操作主机头。
Proof of Concept (PoC):
概念验证(PoC):
Url.Link:
Url.Link:
public class TestController : ApiController
{
public IHttpActionResult Get()
{
var callbackUrl = Url.Link("Default", new
{
Controller = "Home",
Action = "Index",
});
return Ok(callbackUrl);
}
}
Url.Action:
Url.Action:
public class HomeController : Controller
{
public ActionResult Index()
{
ViewBag.Title = $"Url Created: {Url.Action("Index", "Home", "", Request.Url.Scheme)}";
return View();
}
}
I have demonstrated it here as well:
我在这里也演示过:
https://security.stackexchange.com/questions/170755/host-header-attack-password-reset-poisoning-asp-net-web-api-2-hosted-as-az/170759 # 170759
Some more reading about host header attack:
关于主机标题攻击的更多信息:
https://www.acunetix.com/blog/articles/automated-detection-of-host-header-attacks/
https://www.acunetix.com/blog/articles/automated-detection-of-host-header-attacks/
What you should do is never trust a user request and construct the url with host manually.
您应该做的是永远不要信任用户请求并手动使用主机构造url。
Example with manual host name for:
手动主机名示例:
Url.Action: Url.Action("Index", "Home", null, Request.Url.Scheme, "example.com")
Url。行动:Url。操作(“指数”,“家”,null,Request.Url。计划,“example.com”)
For Url.Link it is a bit trickier but it can be done like this:
Url。链接有点棘手,但可以这样做:
public class TestController : ApiController
{
// GET api/<controller>
public IHttpActionResult Get()
{
var callbackUrl = Url.Link("Default", new
{
Controller = "Home",
Action = "Index",
});
callbackUrl = ReplaceHost(callbackUrl, "example.com");
return Ok(callbackUrl);
}
private string ReplaceHost(string original, string newHostName)
{
var builder = new UriBuilder(original);
builder.Host = newHostName;
return builder.Uri.ToString();
}
}
Source for ReplaceHost method:
来源ReplaceHost方法:
https://*.com/a/479812/3850405
https://*.com/a/479812/3850405
#1
5
You can use Url.Link
in Web API 2.0
您可以使用Url。链接到Web API 2.0
var callbackUrl = Url.Link("Default", new { Controller = "Account",
Action = "ConfirmEmail", userId = user.Id, code = code });
#2
1
Url.Action does not exist because the Url helper in WebApi doe snot have the Action method. You can use Url.Route instead to generate the same thing but you will need to create a named route in order to use that method. If you are using attribute routing it, you can add a name to the route attribute like so:
Url。操作不存在,因为WebApi中的Url helper不具有操作方法。您可以使用Url。Route相反,您需要创建一个已命名的路由来使用该方法。如果使用属性路由,可以向route属性添加一个名称,如下所示:
[Route(Name="ConfirmEmail")]
and the helper would be
这个助手就是
var callbackUrl = Url.Route("ConfirmEmail", new { userId = user.Id, code = code });
#3
0
Try following :
试一试:
var code = await UserManager.GeneratePasswordResetTokenAsync(user.Id);
var callbackUrl = Url.Action("ResetPassword", "Account",
new { UserId = user.Id, code = code }, protocol: Request.Url.Scheme);
await UserManager.SendEmailAsync(user.Id, "Reset Password",
"Please reset your password by clicking here: <a href=\"" + callbackUrl + "\">link</a>");
return View("ForgotPasswordConfirmation");
For more information refer following link
更多信息请参考以下链接
#4
0
I created a simple "Change Password" form that I managed based on a menu click in my webAPI app. On the update handler for this form I created the following event handler. This simply calls the AccountController web service that comes with the VS2013 WebAPI template. This example has Authentication enabled and note the specific Url to use to include the defined Route in the AccountController method.
我创建了一个简单的“更改密码”表单,它是基于webAPI应用程序中的菜单单击而管理的。这只需调用与VS2013 WebAPI模板一起提供的AccountController web服务。这个示例启用了身份验证,并注意要在AccountController方法中包含已定义的路由的特定Url。
Look for the ChangePassword() method in the AccountController class generated in the WebAPI template to see what is getting called. I think this should answer your basic question.
在WebAPI模板中生成的AccountController类中查找ChangePassword()方法,以查看被调用的内容。我想这应该能回答你的基本问题。
function updateHandler(callback) {
var response;
var targetUrl;
// disabled the login button to avoid multiple events
$("#btnLogin").prop('disabled', true);
var loginData = {
grant_type: 'password',
NewPassword: $("#txtNewPassword").val(),
OldPassword: $("#txtOldPassword").val(),
ConfirmPassword: $("#txtConfirmPassword").val()
};
var token = sessionStorage.getItem(tokenKey);
var headers = {};
if (token) {
headers.Authorization = 'Bearer ' + token;
}
targetUrl = "/api/account/ChangePassword";
$.ajax({
type: 'POST',
url: targetUrl,
data: loginData,
headers: headers,
}).done(function (data) {
closeChangePassword();
}).fail(function (xhr, textStatus, errorThrown) {
passwordErrorHandler(xhr,0);
// re-enable the login button
$("#btnLogin").prop('disabled', false);
});
}
}
#5
0
You should never use Url.Link()
or Url.Action()
to send something to a user in my opinion. You are exposing them to a possible Host Header Attack -> Password Reset Poisoning
.
在我看来,您不应该使用Url.Link()或Url.Action()向用户发送一些东西。您将它们暴露给可能的主机头攻击——>密码重置中毒。
If the IIS has a binding to accept connections on 80/443 the host header can be changed and in turn affecting the Url.Link()
or Url.Action()
methods. If you look at the request I'm making below I'm connecting to http://hostheaderattack
but manipulating the host
header.
如果IIS具有一个绑定,可以在80/443上接受连接,那么可以更改主机头,进而影响Url.Link()或Url.Action()方法。如果查看下面的请求,我将连接到http://hostheaderattack,但是要操作主机头。
Proof of Concept (PoC):
概念验证(PoC):
Url.Link:
Url.Link:
public class TestController : ApiController
{
public IHttpActionResult Get()
{
var callbackUrl = Url.Link("Default", new
{
Controller = "Home",
Action = "Index",
});
return Ok(callbackUrl);
}
}
Url.Action:
Url.Action:
public class HomeController : Controller
{
public ActionResult Index()
{
ViewBag.Title = $"Url Created: {Url.Action("Index", "Home", "", Request.Url.Scheme)}";
return View();
}
}
I have demonstrated it here as well:
我在这里也演示过:
https://security.stackexchange.com/questions/170755/host-header-attack-password-reset-poisoning-asp-net-web-api-2-hosted-as-az/170759 # 170759
Some more reading about host header attack:
关于主机标题攻击的更多信息:
https://www.acunetix.com/blog/articles/automated-detection-of-host-header-attacks/
https://www.acunetix.com/blog/articles/automated-detection-of-host-header-attacks/
What you should do is never trust a user request and construct the url with host manually.
您应该做的是永远不要信任用户请求并手动使用主机构造url。
Example with manual host name for:
手动主机名示例:
Url.Action: Url.Action("Index", "Home", null, Request.Url.Scheme, "example.com")
Url。行动:Url。操作(“指数”,“家”,null,Request.Url。计划,“example.com”)
For Url.Link it is a bit trickier but it can be done like this:
Url。链接有点棘手,但可以这样做:
public class TestController : ApiController
{
// GET api/<controller>
public IHttpActionResult Get()
{
var callbackUrl = Url.Link("Default", new
{
Controller = "Home",
Action = "Index",
});
callbackUrl = ReplaceHost(callbackUrl, "example.com");
return Ok(callbackUrl);
}
private string ReplaceHost(string original, string newHostName)
{
var builder = new UriBuilder(original);
builder.Host = newHostName;
return builder.Uri.ToString();
}
}
Source for ReplaceHost method:
来源ReplaceHost方法:
https://*.com/a/479812/3850405
https://*.com/a/479812/3850405