Forgot password

Note: This documentation has been updated for v6. Please refer to the v6 Security - Forgot password documentation for the latest information.

When working with email addresses as user names we can use this information to provide a forgot password functionality. By implementing the HandleForgotPassword method on the Advanced class you’ll get the “Forgot password?” button on the Sign in screen.

Best practice recommends for generating a random reset password token (ObjectEx.GetSecureRandomPassword can be used), storing the token in the user profile, emailing the user a link that triggers an api method that will verify the token and user combination. At that moment you can use the IUser.ResetPasswordNextLogin() method to trigger a password change on next login and redirecting the user to an existing logged in session.

// In [Schema]Advanced.cs
public override void HandleForgotPassword(ForgotPasswordArgs args)
{
    // NOTE: Always inform for success so that we don't leak information about users
    args.Notification = "An email has been sent with all the information to reset your password.";

    var user = Manager.Current.GetUser(args.UserName);
    if (user == null)
        return;

    var userHostAddress = Manager.Current.RequestMessage.GetClientIpAddress();
    var token = user.Profile["ResetPasswordToken"];
    if (string.IsNullOrEmpty(token))
    {
        token = ObjectEx.GetSecureRandomString(16).Replace("-", null).Replace("_", null);
        user.Profile.SetValue("ResetPasswordToken", token);
    }

    var location = Manager.Current.WebsiteRoot + $"api/ResetPassword?UserName={user.Name}&Token={token}";
    // TODO: Send email to user with information (password change requested, from ip, location to click, ...)
}

// In [Schema]Web.cs
public HttpResponseMessage ResetPassword(ApiArgs args)
{
    var userName = args.Query["UserName"];
    var token = args.Query["Token"];
    if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(token))
        return args.Request.CreateErrorResponse(HttpStatusCode.BadRequest, "Invalid request");

    var user = Manager.Current.GetUser(userName);
    if (user != null && token == user.Profile["ResetPasswordToken"])
    {
        user.Profile.SetValue("ResetPasswordToken", null); // NOTE: Resetting the token can be a problem if the user doesn't complete the change password prompt
        user.ResetPasswordNextLogin();

        var encodedUser = Convert.ToBase64String(Encoding.UTF8.GetBytes(user.Name)).Replace('/', '_');
        var authToken = WebController.GenerateAuthToken(user.Name, DateTimeOffset.Now.AddDays(28), Manager.Current.RequestMessage.GetClientIpAddress()).Replace('/', '_');
        var response = args.Request.CreateResponse(HttpStatusCode.Redirect);
        response.Headers.Location = new Uri(Manager.Current.WebsiteRoot + "#!/SignInWithToken/" + encodedUser + "/" + authToken);
        return response;
    }

    return args.Request.CreateErrorResponse(HttpStatusCode.Forbidden, "Invalid request");
}

PreviousAllow user registration NextBest Practices

Last updated 2 months ago

Was this helpful?