ASP NET Identity reset password

Question

How can I get the password of a user in the new ASP NET Identity system  Or how can I reset without knowing the current one  user forgot password

User · Answer

In case of password reset  it is recommended to reset it through sending password reset token to registered user email and ask user to provide new password  If have created a easily usable  NET library over Identity framework with default configuration settins  You can find details at blog link and source code at github

User · Answer

Create method in UserManager lt TUser  TKey gt   public Task lt IdentityResult gt  ChangePassword int userId  string newPassword         var user   Users FirstOrDefault u   gt  u Id    userId        if  user    null            return new Task lt IdentityResult gt       gt  IdentityResult Failed           var store   Store as IUserPasswordStore lt User  int gt        return base UpdatePassword store  user  newPassword

User · Answer

I did a little investigation and the solution that works for me was a mix of a few solutions founded in this post    I m basically compiling this solution and I m posting what works for me  In my case  I m don t want to use any token from  net core    public async Task ResetPassword string userId  string password        var user   await  userManager FindByIdAsync userId       var hashPassword   userManager PasswordHasher HashPassword user  password       user PasswordHash   passwordHash      await  userManager UpdateAsync user

User · Answer

On your UserManager  first call GeneratePasswordResetTokenAsync  Once the user has verified his identity  for example by receiving the token in an email   pass the token to ResetPasswordAsync

User · Answer

In current release  Assuming you have handled the verification of the request to reset the forgotten password  use following code as a sample code steps   ApplicationDbContext  new ApplicationDbContext   String userId     lt YourLogicAssignsRequestedUserId gt    String newPassword     lt PasswordAsTypedByUser gt    ApplicationUser cUser   UserManager FindById userId   String hashedNewPassword   UserManager PasswordHasher HashPassword newPassword   UserStore lt ApplicationUser gt  store   new UserStore lt ApplicationUser gt                 store SetPasswordHashAsync cUser  hashedNewPassword     In AspNet Nightly Build  The framework is updated to work with Token for handling requests like ForgetPassword  Once in release  simple code guidance is expected   Update   This update is just to provide more clear steps   ApplicationDbContext context   new ApplicationDbContext    UserStore lt ApplicationUser gt  store   new UserStore lt ApplicationUser gt  context   UserManager lt ApplicationUser gt  UserManager   new UserManager lt ApplicationUser gt  store   String userId   User Identity GetUserId       lt YourLogicAssignsRequestedUserId gt    String newPassword    test 123       lt PasswordAsTypedByUser gt    String hashedNewPassword   UserManager PasswordHasher HashPassword newPassword                       ApplicationUser cUser   await store FindByIdAsync userId   await store SetPasswordHashAsync cUser  hashedNewPassword   await store UpdateAsync cUser

User · Answer

Or how can I reset without knowing the current one  user forgot password     If you want to change a password using the UserManager but you do not want to supply the user s current password  you can generate a password reset token and then use it immediately instead   string resetToken   await UserManager GeneratePasswordResetTokenAsync model Id   IdentityResult passwordChangeResult   await UserManager ResetPasswordAsync model Id  resetToken  model NewPassword

User · Answer

string message   null    reset the password var result   await IdentityManager Passwords ResetPasswordAsync model Token  model Password   if  result Success        message    The password has been reset        return RedirectToAction  PasswordResetCompleted   new   message   message       else       AddErrors result       This snippet of code is taken out of the AspNetIdentitySample project available on github

User · Answer

Best way to Reset Password in Asp Net Core Identity use for Web API  Note    Error   and Result   are created for internal use  You can return you want           HttpPost           Route  quot reset-password quot            public async Task lt IActionResult gt  ResetPassword ResetPasswordModel model                        if   ModelState IsValid                  return BadRequest ModelState               try                               if  model is null                      return Error  quot No data found  quot                      var user   await  userManager FindByIdAsync AppCommon ToString GetUserId                      if  user    null                      return Error  quot No user found  quot                     Microsoft AspNetCore Identity SignInResult checkOldPassword                       await  signInManager PasswordSignInAsync user UserName  model OldPassword  false  false                    if   checkOldPassword Succeeded                      return Error  quot Old password does not matched  quot                     string resetToken   await  userManager GeneratePasswordResetTokenAsync user                   if  string IsNullOrEmpty resetToken                       return Error  quot Error while generating reset token  quot                     var result   await  userManager ResetPasswordAsync user  resetToken  model Password                    if  result Succeeded                      return Result                    else                     return Error                              catch  Exception ex                                return Error ex

User · Answer

Deprecated  This was the original answer  It does work  but has a problem  What if AddPassword fails  The user is left without a password   The original answer  we can use three lines of code   UserManager lt IdentityUser gt  userManager        new UserManager lt IdentityUser gt  new UserStore lt IdentityUser gt       userManager RemovePassword userId    userManager AddPassword userId  newPassword     See also  http   msdn microsoft com en-us library dn457095 v vs 111  aspx  Now Recommended  It s probably better to use the answer that EdwardBrey proposed and then DanielWright later elaborated with a code sample

User · Answer

I think Microsoft guide for ASP NET Identity is a good start   https   docs microsoft com en-us aspnet identity overview features-api account-confirmation-and-password-recovery-with-aspnet-identity  Note   If you do not use AccountController and wan t to reset your password  use Request GetOwinContext   GetUserManager lt ApplicationUserManager gt      If you dont have the same OwinContext you need to create a new DataProtectorTokenProvider like the one OwinContext uses  By default look at App Start - gt  IdentityConfig cs  Should look something like new DataProtectorTokenProvider lt ApplicationUser gt  dataProtectionProvider Create  ASP NET Identity       Could be created like this   Without Owin    HttpGet   AllowAnonymous   Route  testReset    public IHttpActionResult TestReset         var db   new ApplicationDbContext        var manager   new ApplicationUserManager new UserStore lt ApplicationUser gt  db        var provider   new DpapiDataProtectionProvider  SampleAppName        manager UserTokenProvider   new DataProtectorTokenProvider lt ApplicationUser gt           provider Create  SampleTokenName          var email    test test com        var user   new ApplicationUser     UserName   email  Email   email         var identityUser   manager FindByEmail email        if  identityUser    null                manager Create user           identityUser   manager FindByEmail email              var token   manager GeneratePasswordResetToken identityUser Id       return Ok HttpUtility UrlEncode token        HttpGet   AllowAnonymous   Route  testReset    public IHttpActionResult TestReset string token        var db   new ApplicationDbContext        var manager   new ApplicationUserManager new UserStore lt ApplicationUser gt  db        var provider   new DpapiDataProtectionProvider  SampleAppName        manager UserTokenProvider   new DataProtectorTokenProvider lt ApplicationUser gt           provider Create  SampleTokenName         var email    test test com       var identityUser   manager FindByEmail email       var valid   Task Run      gt  manager UserTokenProvider ValidateAsync  ResetPassword   token  manager  identityUser   Result      var result   manager ResetPassword identityUser Id  token   TestingTest1         return Ok result       With Owin    HttpGet   AllowAnonymous   Route  testResetWithOwin    public IHttpActionResult TestResetWithOwin         var manager   Request GetOwinContext   GetUserManager lt ApplicationUserManager gt          var email    test test com        var user   new ApplicationUser     UserName   email  Email   email         var identityUser   manager FindByEmail email        if  identityUser    null                manager Create user           identityUser   manager FindByEmail email              var token   manager GeneratePasswordResetToken identityUser Id       return Ok HttpUtility UrlEncode token        HttpGet   AllowAnonymous   Route  testResetWithOwin    public IHttpActionResult TestResetWithOwin string token        var manager   Request GetOwinContext   GetUserManager lt ApplicationUserManager gt          var email    test test com       var identityUser   manager FindByEmail email       var valid   Task Run      gt  manager UserTokenProvider ValidateAsync  ResetPassword   token  manager  identityUser   Result      var result   manager ResetPassword identityUser Id  token   TestingTest1         return Ok result       The DpapiDataProtectionProvider and DataProtectorTokenProvider needs to be created with the same name for a password reset to work  Using Owin for creating the password reset token and then creating a new DpapiDataProtectionProvider with another name won t work    Code that I use for ASP NET Identity   Web Config    lt add key  AllowedHosts  value  example com example2 com    gt    AccountController cs    Route  RequestResetPasswordToken  email       HttpGet   AllowAnonymous  public async Task lt IHttpActionResult gt  GetResetPasswordToken  FromUri string email        if   ModelState IsValid          return BadRequest ModelState        var user   await UserManager FindByEmailAsync email       if  user    null                Logger Warn  Password reset token requested for non existing email               Don t reveal that the user does not exist         return NoContent                 Prevent Host Header Attack - gt  Password Reset Poisoning         If the IIS has a binding to accept connections on 80 443 the host parameter can be changed        See https   security stackexchange com a 170759 67046     if   ConfigurationManager AppSettings  AllowedHosts   Split      Contains Request RequestUri Host                 Logger Warn   Non allowed host detected for password reset  Request RequestUri Scheme     Request Headers Host                 return BadRequest               Logger Info  Creating password reset token for user id  0    user Id        var host      Request RequestUri Scheme     Request Headers Host        var token   await UserManager GeneratePasswordResetTokenAsync user Id       var callbackUrl      host  resetPassword  HttpContext Current Server UrlEncode user Email    HttpContext Current Server UrlEncode token          var subject    Client - Password reset        var body     lt html gt  lt body gt                      lt h2 gt Password reset lt  h2 gt                       lt p gt Hi  user FullName    lt a href    callbackUrl    gt  please click this link to reset your password  lt  a gt  lt  p gt                      lt  body gt  lt  html gt         var message   new IdentityMessage               Body   body          Destination   user Email          Subject   subject             await UserManager EmailService SendAsync message        return NoContent        HttpPost   Route  ResetPassword      AllowAnonymous  public async Task lt IHttpActionResult gt  ResetPasswordAsync ResetPasswordRequestModel model        if   ModelState IsValid          return NoContent         var user   await UserManager FindByEmailAsync model Email       if  user    null                Logger Warn  Reset password request for non existing email            return NoContent                           if   await UserManager UserTokenProvider ValidateAsync  ResetPassword   model Token  UserManager  user                 Logger Warn  Reset password requested with wrong token            return NoContent               var result   await UserManager ResetPasswordAsync user Id  model Token  model NewPassword        if  result Succeeded                Logger Info  Creating password reset token for user id  0    user Id            const string subject    Client - Password reset success            var body     lt html gt  lt body gt                          lt h1 gt Your password for Client was reset lt  h1 gt                           lt p gt Hi  user FullName   lt  p gt                          lt p gt Your password for Client was reset  Please inform us if you did not request this change  lt  p gt                          lt  body gt  lt  html gt             var message   new IdentityMessage                       Body   body              Destination   user Email              Subject   subject                     await UserManager EmailService SendAsync message              return NoContent       public class ResetPasswordRequestModel        Required       Display Name    Token        public string Token   get  set          Required       Display Name    Email        public string Email   get  set          Required       StringLength 100  ErrorMessage    The  0  must be at least  2  characters long    MinimumLength   10        DataType DataType Password        Display Name    New password        public string NewPassword   get  set          DataType DataType Password        Display Name    Confirm new password         Compare  NewPassword   ErrorMessage    The new password and confirmation password do not match         public string ConfirmPassword   get  set

[asp.net] ASP.NET Identity reset password

Examples related to asp.net

Examples related to asp.net-identity