Description
I have a couple of questions regarding the sample AccountController included in the Identity repository:
- The sample action `ForgotPassword(ForgotPasswordViewModel model)` sends an email with a callbackUrl to `ResetPassword` which includes a parameter: `userId`. This parameter is never used, so it might be worth removing from the sample code? In the similar flow for Register/ConfirmEmail it is used however.
- The `ResetPassword` action identifies the user based on the Email address entered in the password change form. For reset, if we do make use of the `userId` parameter to identify the user, and then verify this identity through the token, is there any security impact from excluding the Email field from this form? The only benefit I can see would be if an attacker obtained a reset Url but had no knowledge of the matching email address.
Thanks,
Paul
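The following is an added example of the `userId`-driven variant discussed in the second question; it is not the Identity repository's sample code. It assumes ASP.NET Core Identity, an `ApplicationUser` derived from `IdentityUser`, an injected `UserManager<ApplicationUser>`, and a hypothetical `ResetPasswordViewModel` that carries `UserId` and `Code` instead of `Email`. The comments on token binding describe the default `DataProtectorTokenProvider` behaviour as I understand it (user id, purpose and security stamp are part of the protected token), which is what makes verifying the token against the `userId`-identified user sufficient; the typed Email field then acts only as an additional secret, as the question already suggests.

```csharp
// Added example (not the Identity repository's sample code).
// Assumes ASP.NET Core Identity and a hypothetical view model with UserId/Code.
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;

public class ApplicationUser : IdentityUser { }

// Hypothetical model: the sample's model uses Email; this one uses the UserId
// that the ForgotPassword callback URL already carries.
public class ResetPasswordViewModel
{
    public string UserId { get; set; }          // hidden field populated from the callback URL
    public string Code { get; set; }            // reset token from the callback URL
    public string Password { get; set; }
    public string ConfirmPassword { get; set; }
}

public class AccountController : Controller
{
    private readonly UserManager<ApplicationUser> _userManager;

    public AccountController(UserManager<ApplicationUser> userManager)
    {
        _userManager = userManager;
    }

    // GET: the link from the email lands here; both values come from the query string.
    [HttpGet]
    [AllowAnonymous]
    public IActionResult ResetPassword(string userId, string code)
    {
        if (string.IsNullOrEmpty(userId) || string.IsNullOrEmpty(code))
        {
            return BadRequest();
        }
        return View(new ResetPasswordViewModel { UserId = userId, Code = code });
    }

    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> ResetPassword(ResetPasswordViewModel model)
    {
        if (!ModelState.IsValid)
        {
            return View(model);
        }

        // Identify the user from the userId in the callback URL, not from a typed email.
        var user = await _userManager.FindByIdAsync(model.UserId);
        if (user == null)
        {
            // Do not reveal whether the account exists: respond exactly as on success.
            return RedirectToAction(nameof(ResetPasswordConfirmation));
        }

        // ResetPasswordAsync validates the token for this specific user. With the default
        // token provider the token is bound to the user id, the "ResetPassword" purpose and
        // the user's security stamp, so a token issued for one account is rejected for
        // another and stops validating once the password (and so the stamp) has changed.
        var result = await _userManager.ResetPasswordAsync(user, model.Code, model.Password);
        if (result.Succeeded)
        {
            return RedirectToAction(nameof(ResetPasswordConfirmation));
        }

        // Invalid or expired token: return a generic message rather than provider details.
        ModelState.AddModelError(string.Empty, "The password reset link is invalid or has expired.");
        return View(model);
    }

    [HttpGet]
    [AllowAnonymous]
    public IActionResult ResetPasswordConfirmation()
    {
        return View();
    }
}
```

Because the token itself is tied to the user it was issued for, dropping the Email field does not weaken the check that the token performs; what changes is only that a leaked reset URL becomes usable without also knowing the account's email address, so the trade-off is between that extra secret and the usability of a form that asks for it.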