c# - ASP.Net Identity “Invalid token” on password reset with * in password

We get an "Invalid token" error message when a user tries to reset their password on the reset password screen after entering a new password. It works fine with the special character #. We have a case where the user puts a * in the new password on the reset password screen and gets the error message because of that special character.

I've tried hours of research to find a solution for why this happens, with no luck. I found this solution here, but it concerns an issue with special characters in the username; we don't have that issue. Our issue is with a special character in the password. In production we can't disallow the character in passwords.

Does someone have a clue?

Generating token controller method:
```csharp
[HttpPost]
[AllowAnonymous]
public async Task<ActionResult> ForgotPassword(ForgotPasswordViewModel model)
{
    if (ModelState.IsValid)
    {
        var user = await _userManager.FindByNameAsync(model.Email.ToLower());
        if (user == null || !(await _userManager.IsEmailConfirmedAsync(user.UserName)))
        {
            // Don't reveal that the user does not exist or is not confirmed
            return View("ForgotPasswordConfirmation");
        }

        // For more information on how to enable account confirmation and password reset please visit http://go.microsoft.com/fwlink/?LinkID=320771
        // Send an email with this link
        var code = await _userManager.GeneratePasswordResetTokenAsync(user.UserName);
        code = HttpUtility.UrlEncode(code);
        var callbackUrl = Url.Action("ResetPassword", "Account", new { userId = user.UserName, code = code }, protocol: Request.Url.Scheme);
        await _emailService.CreateResetPasswordEmailAsync(user, callbackUrl);
        return RedirectToAction("ForgotPasswordConfirmation", "Account");
    }

    // If we got this far, something failed, redisplay form
    return View(model);
}
```
Reset password controller method:
```csharp
[HttpPost]
[AllowAnonymous]
public async Task<ActionResult> ResetPassword(ResetPasswordViewModel model)
{
    if (!ModelState.IsValid)
    {
        return View(model);
    }
    var user = await _userManager.FindByNameAsync(model.Email.ToLower());
    if (user == null)
    {
        // Don't reveal that the user does not exist
        return RedirectToAction("ResetPasswordConfirmation", "Account");
    }
    var result = await _userManager.ResetPasswordAsync(user.UserName, HttpUtility.UrlDecode(model.Code), model.Password);
    if (result.Succeeded)
    {
        return RedirectToAction("ResetPasswordConfirmation", "Account");
    }
    AddErrors(result);
    return View();
}
```
The problem is double encoding of the reset token. Here:
```csharp
var code = await _userManager.GeneratePasswordResetTokenAsync(user.UserName);
code = HttpUtility.UrlEncode(code); // <-- problem line
var callbackUrl = Url.Action("ResetPassword", "Account", new { userId = user.UserName, code = code }, protocol: Request.Url.Scheme);
```
You encode the token, and Url.Action encodes it again. The solution is to not encode manually and let MVC handle it: remove the second line here.

Also, on the other end, there's no need to decode again; the code there should be:
```csharp
var result = await _userManager.ResetPasswordAsync(user.UserName, model.Code, model.Password);
```
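As an added illustration (not code from the question or the answer), this console program simulates the token round trip: Url.Action's single encode of a route value is approximated with HttpUtility.UrlEncode, and MVC model binding's single decode of the query string with HttpUtility.ParseQueryString. The token string and host name are constructed sample values.

```csharp
using System;
using System.Web; // HttpUtility: System.Web on .NET Framework, System.Web.HttpUtility on .NET Core

static class ResetTokenEncodingDemo
{
    // Constructed sample token; Identity reset tokens are base64 and commonly contain '+', '/' and '='.
    const string SampleToken = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAA==";

    // Approximates Url.Action: every route value is URL-encoded exactly once into the query string.
    static string BuildCallbackUrl(string token, bool manualEncodeFirst)
    {
        string routeValue = manualEncodeFirst ? HttpUtility.UrlEncode(token) : token;
        return "https://example.test/Account/ResetPassword?userId="
               + HttpUtility.UrlEncode("user@example.test")
               + "&code=" + HttpUtility.UrlEncode(routeValue);
    }

    // Approximates MVC model binding: the query string value is decoded exactly once.
    static string BindCodeFromUrl(string url)
    {
        string query = new Uri(url).Query;                  // "?userId=...&code=..."
        return HttpUtility.ParseQueryString(query)["code"]; // ParseQueryString decodes values once
    }

    // True when what the action receives as model.Code is byte-for-byte the generated token.
    static bool TokenSurvivesRoundTrip(bool manualEncodeFirst)
    {
        string url = BuildCallbackUrl(SampleToken, manualEncodeFirst);
        string bound = BindCodeFromUrl(url);
        Console.WriteLine($"link: {url}");
        Console.WriteLine($"model.Code: {bound}");
        return bound == SampleToken;
    }

    static void Main()
    {
        // Manual UrlEncode before Url.Action: '+' leaves the app as %252B and binds back as "%2b".
        Console.WriteLine($"manual encode + Url.Action, token intact: {TokenSurvivesRoundTrip(true)}");
        // Url.Action alone: one encode on the way out, one decode on the way in.
        Console.WriteLine($"Url.Action only, token intact: {TokenSurvivesRoundTrip(false)}");
    }
}
```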