
IdentityApiEndpointRouteBuilderExtensions should not create the ConfirmationLink #60195

Open
JJong-nl opened this issue Feb 4, 2025 · 1 comment
Labels
area-identity Includes: Identity and providers

Comments


JJong-nl commented Feb 4, 2025

The IdentityApiEndpointRouteBuilderExtensions should never create a ConfirmationLink but must deal with codes only.

When we look at the IEmailSender<TUser> interface, we see SendConfirmationLinkAsync, SendPasswordResetCodeAsync and SendPasswordResetLinkAsync.

Here the SendPasswordResetLinkAsync and the SendConfirmationLinkAsync should be removed and a SendConfirmationCodeAsync should be added.

The SendPasswordResetCodeAsync is used in the API endpoint, but SendPasswordResetLinkAsync is never used in the API, only in the UI implementation.

When we want to generate a link instead of using the code, we should generate the link inside the IEmailSender<TUser> implementation.

So only SendConfirmationCodeAsync and SendPasswordResetCodeAsync should be sufficient in the IEmailSender<TUser> interface.

IdentityApiEndpointRouteBuilderExtensions.cs

```csharp
// /forgotPassword endpoint: the reset token is Base64Url-encoded and handed to the
// email sender as a code; no URL is built here.
var code = await userManager.GeneratePasswordResetTokenAsync(user);
code = WebEncoders.Base64UrlEncode(Encoding.UTF8.GetBytes(code));
await emailSender.SendPasswordResetCodeAsync(user, resetRequest.Email, HtmlEncoder.Default.Encode(code));
```

ForgotPassword.cshtml.cs

```csharp
// Razor Pages UI: the same Base64Url-encoded token, but wrapped in a callback URL
// before being passed to the email sender.
var code = await _userManager.GeneratePasswordResetTokenAsync(user);
code = WebEncoders.Base64UrlEncode(Encoding.UTF8.GetBytes(code));
var callbackUrl = Url.Page(
    "/Account/ResetPassword",
    pageHandler: null,
    values: new { area = "Identity", code },
    protocol: Request.Scheme)!;
await _emailSender.SendPasswordResetLinkAsync(user, Input.Email, HtmlEncoder.Default.Encode(callbackUrl));
```

The ForgotPassword.cshtml.cs should also be using SendPasswordResetCodeAsync; inside the implementation of the email sender we should generate the callbackUrl.
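The pattern the issue argues for, as an added example that is not code from the issue or from ASP.NET Core: an IEmailSender<TUser> implementation that receives only the Base64Url-encoded code from the endpoint and builds the reset link itself. It assumes an ApplicationUser class, a non-generic IEmailSender (Microsoft.AspNetCore.Identity.UI.Services) registered for actual delivery, a configured public origin, and the "/Account/ResetPassword" page path from the issue.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Identity.UI.Services;

// Assumed: the app's IdentityUser subclass (not part of the issue).
public class ApplicationUser : IdentityUser { }

// Builds links from the code the Identity API endpoints hand it, so neither the
// endpoint nor the Razor page needs to know how a reset URL looks.
public sealed class LinkBuildingEmailSender : IEmailSender<ApplicationUser>
{
    private readonly IEmailSender _transport;  // assumed non-generic sender that delivers mail
    private readonly string _publicOrigin;     // assumed, e.g. "https://app.example" (constructed)

    public LinkBuildingEmailSender(IEmailSender transport, string publicOrigin)
    {
        _transport = transport;
        _publicOrigin = publicOrigin.TrimEnd('/');
    }

    // Called by the /forgotPassword endpoint with the Base64Url-encoded reset token.
    public Task SendPasswordResetCodeAsync(ApplicationUser user, string email, string resetCode)
    {
        // Base64Url output uses only A-Z, a-z, 0-9, '-' and '_', so the code can be
        // placed in a query string as-is. Treat it as a credential: never log it.
        var link = $"{_publicOrigin}/Account/ResetPassword?code={resetCode}";
        return _transport.SendEmailAsync(email, "Reset your password",
            $"Reset your password by <a href=\"{link}\">following this link</a>.");
    }

    // The link-based members still exist on the current interface; the Razor UI
    // passes a ready-made URL, so they only forward it.
    public Task SendConfirmationLinkAsync(ApplicationUser user, string email, string confirmationLink)
        => _transport.SendEmailAsync(email, "Confirm your email",
            $"Confirm your account by <a href=\"{confirmationLink}\">clicking here</a>.");

    public Task SendPasswordResetLinkAsync(ApplicationUser user, string email, string resetLink)
        => _transport.SendEmailAsync(email, "Reset your password",
            $"Reset your password by <a href=\"{resetLink}\">clicking here</a>.");
}

// Registration in Program.cs (the origin value is a constructed placeholder):
// builder.Services.AddTransient<IEmailSender<ApplicationUser>>(sp =>
//     new LinkBuildingEmailSender(sp.GetRequiredService<IEmailSender>(), "https://app.example"));
```

The page at /Account/ResetPassword then posts the code back to the API or to UserManager exactly as the Razor flow does today; the only thing that moved is where the URL is assembled.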

@dotnet-issue-labeler dotnet-issue-labeler bot added the area-identity Includes: Identity and providers label Feb 4, 2025

JJong-nl commented Feb 5, 2025

Maybe rename the IEmailSender<TUser> to the following:

```csharp
using System.Threading.Tasks;

// Proposed replacement for IEmailSender<TUser>: Identity raises events and hands out
// codes; the application decides how (and whether) to turn a code into a link.
public interface IIdentityCoreEventHandler<TUser> where TUser : class
{
    Task UserLoggedInAsync(TUser user);
    Task UserLoggedOutAsync(TUser user);
    Task EmailConfirmedAsync(TUser user);
    Task EmailChangedAsync(TUser user, string oldEmail, string newEmail);
    Task PasswordChangedAsync(TUser user, string oldPassword, string newPassword);
    Task SendConfirmationCodeAsync(TUser user, string email, string confirmationCode);
    Task SendPasswordResetCodeAsync(TUser user, string email, string resetCode);
    // . . .
}
```
