Verify & check SecurityStamp

This commit is contained in:
Warren Buckley
2020-02-10 14:27:54 +00:00
parent d285d40578
commit c5e0ef90c3
2 changed files with 15 additions and 4 deletions
@@ -301,7 +301,7 @@ namespace Umbraco.Web.Editors
if (user != null)
{
var code = await UserManager.GeneratePasswordResetTokenAsync(identityUser.Id);
var callbackUrl = ConstructCallbackUrl(identityUser.Id, code);
var callbackUrl = ConstructCallbackUrl(identityUser.Id, code, identityUser.SecurityStamp.GenerateHash());
var message = Services.TextService.Localize("resetPasswordEmailCopyFormat",
// Ensure the culture of the found user is used for the email!
@@ -506,7 +506,7 @@ namespace Umbraco.Web.Editors
return response;
}
private string ConstructCallbackUrl(int userId, string code)
private string ConstructCallbackUrl(int userId, string code, string userSecurityStamp)
{
// Get an mvc helper to get the url
var http = EnsureHttpContext();
@@ -516,7 +516,8 @@ namespace Umbraco.Web.Editors
{
area = GlobalSettings.GetUmbracoMvcArea(),
u = userId,
r = code
r = code,
s = userSecurityStamp
});
// Construct full URL using configured application URL (which will fall back to request)
@@ -296,11 +296,21 @@ namespace Umbraco.Web.Editors
}
[HttpGet]
public async Task<ActionResult> ValidatePasswordResetCode([Bind(Prefix = "u")]int userId, [Bind(Prefix = "r")]string resetCode)
public async Task<ActionResult> ValidatePasswordResetCode([Bind(Prefix = "u")]int userId, [Bind(Prefix = "r")]string resetCode, [Bind(Prefix = "s")]string stampHash)
{
var user = UserManager.FindById(userId);
if (user != null)
{
// Check security stamp that has been generated in forgotten password email link is the same we have stored for user
// ie the user has not been marked inactive or password changed by an admin etc
if(user.SecurityStamp.GenerateHash() != stampHash)
{
// Password, email or something changed to the user since the password reset email requested
// Add error and redirect for it to be displayed
TempData[ViewDataExtensions.TokenPasswordResetCode] = new[] { Services.TextService.Localize("login/resetCodeExpired") };
return RedirectToLocal(Url.Action("Default", "BackOffice"));
}
var result = await UserManager.UserTokenProvider.ValidateAsync("ResetPassword", resetCode, UserManager, user);
if (result)
{