This information is still applicable to v6 but the code snippets on [Schema]Web need to be updated to return an IResult instead of HttpResponseMessage and Results.XX methods should be used instead of args.Request.CreateXX, i.e. Results.Problem and Results.Redirect
When working with email addresses as user names we can use this information to provide a forgot password functionality. By implementing the HandleForgotPassword method on the Advanced class you’ll get the “Forgot password?” button on the Sign in screen.
Best practice recommends for generating a random reset password token (ObjectEx.GetSecureRandomPassword can be used), storing the token in the user profile, emailing the user a link that triggers an api method that will verify the token and user combination. At that moment you can use the IUser.ResetPasswordNextLogin() method to trigger a password change on next login and redirecting the user to an existing logged in session.
// In [Schema]Advanced.cs
public override void HandleForgotPassword(ForgotPasswordArgs args)
{
// NOTE: Always inform for success so that we don't leak information about users
args.Notification = "An email has been sent with all the information to reset your password.";
var user = Manager.Current.GetUser(args.UserName);
if (user == null)
return;
var userHostAddress = Manager.Current.RequestMessage.GetClientIpAddress();
var token = user.Profile["ResetPasswordToken"];
if (string.IsNullOrEmpty(token))
{
token = ObjectEx.GetSecureRandomString(16).Replace("-", null).Replace("_", null);
user.Profile.SetValue("ResetPasswordToken", token);
}
var location = Manager.Current.WebsiteRoot + $"api/ResetPassword?UserName={user.Name}&Token={token}";
// TODO: Send email to user with information (password change requested, from ip, location to click, ...)
}
// In [Schema]Web.cs
public HttpResponseMessage ResetPassword(ApiArgs args)
{
var userName = args.Query["UserName"];
var token = args.Query["Token"];
if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(token))
return args.Request.CreateErrorResponse(HttpStatusCode.BadRequest, "Invalid request");
var user = Manager.Current.GetUser(userName);
if (user != null && token == user.Profile["ResetPasswordToken"])
{
user.Profile.SetValue("ResetPasswordToken", null); // NOTE: Resetting the token can be a problem if the user doesn't complete the change password prompt
user.ResetPasswordNextLogin();
var encodedUser = Convert.ToBase64String(Encoding.UTF8.GetBytes(user.Name)).Replace('/', '_');
var authToken = WebController.GenerateAuthToken(user.Name, DateTimeOffset.Now.AddDays(28), Manager.Current.RequestMessage.GetClientIpAddress()).Replace('/', '_');
var response = args.Request.CreateResponse(HttpStatusCode.Redirect);
response.Headers.Location = new Uri(Manager.Current.WebsiteRoot + "#!/SignInWithToken/" + encodedUser + "/" + authToken);
return response;
}
return args.Request.CreateErrorResponse(HttpStatusCode.Forbidden, "Invalid request");
}
