Manually validating a password reset token in ASP.NET Identity

Time: 2020-12-19 03:29:21

I would like to manually validate a password reset token in ASP.NET Identity 2.0. I'm trying to create my own version of UserManager.ResetPasswordAsync(string userId, string token, string newPassword) that takes an IdentityUser instead of userId like this:

UserManager.ResetPasswordAsync(IdentityUser user, string token, string newPassword)

Not sure if I am doing this right, but here I am attempting to validate the code that was emailed to the user in an earlier step. I have not modified the code/token that sends the email to the user and generates the code. I am assuming this is the correct method to call, but the purpose argument is incorrect. (I tried passing "ASP.NET Identity" but no dice.)

if (await userManager.UserTokenProvider.ValidateAsync(purpose: "?", token: code, manager: userManager, user: user))
{
    return IdentityResult.Success;
}
else
{
    return new IdentityResult("Invalid code.");
}

If someone could fill me in on the details of how it works out of the box, or point me at Microsoft's source code for UserManager.ResetPasswordAsync(IdentityUser user, string token, string newPassword) that would be most appreciated!

2 solutions

#1


3  

It appears that the code for Microsoft.AspNet.Identity has not been Open Sourced according to the Codeplex repository located at:

https://aspnetidentity.codeplex.com/SourceControl/latest#Readme.markdown

At present, the ASP.NET Identity framework code is not public and therefore will not be published on this site. However, we are planning to change that, and as soon as we are able, the code will be published in this repository.

However I did find this which might be the source for the UserManager based on the debug symbols:

UserManager Source Code

I also found these posts which might help:

Implementing custom password policy using ASP.NET Identity

UserManager Class Documentation

IUserTokenProvider Interface Documentation

#2


8  

I overcame my problem by setting the purpose to "ResetPassword".

Below is a snippet of the final result in case someone wants to do something similar. It is a method in my ApplicationUserManager class. Realize, though, that some of the exception handling that Microsoft implements is missing or not localized because certain private variables, methods, and resources used in their code are inaccessible. It's unfortunate they did not make that stuff protected so that I could have gotten at it. The missing ThrowIfDisposed method call in particular is interesting (and bizarre) to me. Apparently they are anticipating method calls after an instance has been disposed in order to provide a friendlier error message and avoid the unexpected.

public async Task<IdentityResult> ResetPasswordAsync(IdentityUser user,
    string token, string newPassword)
{
    if (user == null)
    {
        throw new ArgumentNullException("user");
    }

    // Make sure the token is valid and the stamp matches.
    if (!await UserTokenProvider.ValidateAsync("ResetPassword", token, 
        this, user))
    {
        return IdentityResult.Failed("Invalid token.");
    }

    // Make sure the new password is valid.
    var result = await PasswordValidator.ValidateAsync(newPassword)
        .ConfigureAwait(false);
    if (!result.Succeeded)
    {
        return result;
    }

    // Update the password hash and invalidate the current security stamp.
    user.PasswordHash = PasswordHasher.HashPassword(newPassword);
    user.SecurityStamp = Guid.NewGuid().ToString();

    // Save the user and return the outcome.
    return await UpdateAsync(user).ConfigureAwait(false);
}
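
Added example (not part of the original answers and not Microsoft's code): a simplified, self-contained model of a token bound to user id, purpose and security stamp. It shows a token issued for "ResetPassword" being rejected under another purpose and again once the stamp is rotated by a reset. DemoUser, DemoTokenProvider and the HMAC construction are assumptions made for illustration, and token lifetime is not modeled.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Simplified model (an assumption, not Microsoft's implementation) of a token
// bound to user id, purpose and security stamp.
public sealed class DemoUser
{
    public string Id = "42";                                   // constructed sample value
    public string SecurityStamp = Guid.NewGuid().ToString();
}

public static class DemoTokenProvider
{
    private static readonly byte[] Key = new byte[32];         // per-process demo key
    static DemoTokenProvider() { using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(Key); }

    // Token = Base64(HMAC-SHA256(key, id \n purpose \n stamp)).
    public static string Generate(string purpose, DemoUser user)
    {
        using (var hmac = new HMACSHA256(Key))
        {
            var data = Encoding.UTF8.GetBytes(user.Id + "\n" + purpose + "\n" + user.SecurityStamp);
            return Convert.ToBase64String(hmac.ComputeHash(data));
        }
    }

    // Recompute the token for the claimed purpose and the user's current stamp, then compare.
    public static bool Validate(string purpose, string token, DemoUser user)
    {
        var expected = Encoding.UTF8.GetBytes(Generate(purpose, user));
        var actual = Encoding.UTF8.GetBytes(token ?? string.Empty);
        int diff = expected.Length ^ actual.Length;             // compare without early exit
        for (int i = 0; i < expected.Length && i < actual.Length; i++) diff |= expected[i] ^ actual[i];
        return diff == 0;
    }
}

public static class Program
{
    public static void Main()
    {
        var user = new DemoUser();
        string token = DemoTokenProvider.Generate("ResetPassword", user);
        Console.WriteLine(DemoTokenProvider.Validate("ResetPassword", token, user));    // matching purpose
        Console.WriteLine(DemoTokenProvider.Validate("ASP.NET Identity", token, user)); // different purpose
        user.SecurityStamp = Guid.NewGuid().ToString();                                  // reset rotates the stamp
        Console.WriteLine(DemoTokenProvider.Validate("ResetPassword", token, user));    // same token replayed
    }
}
```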
