UserId parameter in IdentitySample.Mvc ResetPassword method #1911

Closed
@PaulRReynolds

Description

I have a couple of questions regarding the sample AccountController included in the Identity repository:

  1. The sample action ForgotPassword(ForgotPasswordViewModel model) sends an email with a callbackUrl to ResetPassword which includes a parameter, userId. This parameter is never used, so it might be worth removing it from the sample code? In the similar flow for Register/ConfirmEmail, however, it is used.

  2. The ResetPassword action identifies the user based on the Email address entered in the password change form. For reset, if we do make use of the userId parameter to identify the user, and then verify this identity through the token, is there any security impact from excluding the Email field from this form? The only benefit I can see would be if an attacker obtained a reset Url but had no knowledge of the matching email address.

Thanks,

Paul
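As an added illustration of the second question (not code from the Identity repository or from the issue author), this is what the sample's reset flow looks like when ResetPassword identifies the user by the userId carried in the link and lets the token authenticate that identity. The controller shape, the view-model names, the IEmailSender abstraction and the confirmation views are assumptions modelled on the sample, not copied from it; the UserManager calls are the real Identity API.

```csharp
// Added example, not the Identity repository's sample code. Assumed names:
// AccountController, ForgotPasswordViewModel, ResetPasswordViewModel, IEmailSender
// and the two *Confirmation views. UserManager<TUser> members are the real API.
using System.ComponentModel.DataAnnotations;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;

// Minimal stand-in for the sample's mail abstraction (assumed, not the repository's type).
public interface IEmailSender
{
    Task SendEmailAsync(string email, string subject, string htmlMessage);
}

public class ForgotPasswordViewModel
{
    [Required, EmailAddress] public string Email { get; set; }
}

// No Email property: the user is identified by the userId from the link, and the
// token is what proves that the link really was issued for that user.
public class ResetPasswordViewModel
{
    [Required] public string UserId { get; set; }
    [Required] public string Code { get; set; }
    [Required, DataType(DataType.Password)] public string Password { get; set; }
    [Compare(nameof(Password))] public string ConfirmPassword { get; set; }
}

public class AccountController : Controller
{
    private readonly UserManager<IdentityUser> _userManager;
    private readonly IEmailSender _emailSender;

    public AccountController(UserManager<IdentityUser> userManager, IEmailSender emailSender)
    {
        _userManager = userManager;
        _emailSender = emailSender;
    }

    [HttpPost, AllowAnonymous, ValidateAntiForgeryToken]
    public async Task<IActionResult> ForgotPassword(ForgotPasswordViewModel model)
    {
        if (!ModelState.IsValid) return View(model);

        var user = await _userManager.FindByEmailAsync(model.Email);
        // Same response whether or not the address is registered, so the form
        // cannot be used to enumerate accounts.
        if (user == null) return RedirectToAction(nameof(ForgotPasswordConfirmation));

        // The token is minted for this user: the default provider binds it to the
        // user's id, the reset-password purpose, the security stamp and a timestamp.
        var code = await _userManager.GeneratePasswordResetTokenAsync(user);
        var callbackUrl = Url.Action(nameof(ResetPassword), "Account",
            new { userId = user.Id, code = code }, protocol: HttpContext.Request.Scheme);

        await _emailSender.SendEmailAsync(model.Email, "Reset Password",
            $"Please reset your password by clicking here: <a href=\"{callbackUrl}\">link</a>");
        return RedirectToAction(nameof(ForgotPasswordConfirmation));
    }

    [HttpGet, AllowAnonymous]
    public IActionResult ResetPassword(string userId, string code)
    {
        if (userId == null || code == null) return View("Error");
        return View(new ResetPasswordViewModel { UserId = userId, Code = code });
    }

    [HttpPost, AllowAnonymous, ValidateAntiForgeryToken]
    public async Task<IActionResult> ResetPassword(ResetPasswordViewModel model)
    {
        if (!ModelState.IsValid) return View(model);

        // userId is untrusted input; it only selects which account the token is
        // checked against. Nothing is changed until the token verifies.
        var user = await _userManager.FindByIdAsync(model.UserId);
        if (user == null) return RedirectToAction(nameof(ResetPasswordConfirmation));

        // ResetPasswordAsync validates the token for *this* user: a token issued
        // for a different user id or purpose, one that has expired, or one issued
        // before the user's security stamp last changed is rejected here.
        var result = await _userManager.ResetPasswordAsync(user, model.Code, model.Password);
        if (result.Succeeded) return RedirectToAction(nameof(ResetPasswordConfirmation));

        foreach (var error in result.Errors)
            ModelState.AddModelError(string.Empty, error.Description);
        return View(model);
    }

    [HttpGet, AllowAnonymous] public IActionResult ForgotPasswordConfirmation() => View();
    [HttpGet, AllowAnonymous] public IActionResult ResetPasswordConfirmation() => View();
}
```

The Email field is not what ties the token to an account: GeneratePasswordResetTokenAsync issues a token for one specific user, and ResetPasswordAsync accepts it only for that same user, so a link for account A cannot reset account B whichever way the user is looked up. Dropping the field removes only the requirement that whoever holds the link also knows the address, which is defence in depth against a leaked link (mail forwarding, browser history, a shared screen), not the control that prevents cross-account resets. If both userId and Email are kept, look the user up by one of them and reject the request when the other does not match, rather than trusting whichever is more convenient.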

Labels

External: This is an issue in a component not contained in this repository. It is open for tracking purposes.