UserId parameter in IdentitySample.Mvc ResetPassword method

[PaulRReynolds]

I have a couple of questions regarding the sample AccountController included in the Identity repository:

1. The sample action: ForgotPassword(ForgotPasswordViewModel model) sends an email with a callbackUrl to ResetPassword which includes a parameter: userId. This parameter is never used, so it might be worth removing from the sample code? In the similar flow for Register/ConfirmEmail it is used however.

2. The ResetPassword action identifies the user based on the Email address entered in the password change form. For reset, if we do make use of the userId parameter to identify the user, and then verify this identity through the token, is there any security impact from excluding the Email field from this form? The only benefit I can see would be if an attacker obtained a reset Url but had no knowledge of the matching email address.

Thanks,

Paul

[Tratcher]

@HaoK?

[HaoK]

cc @blowdart, perhaps the best thing to do is to ensure that the user with the userId has the email specified in the model before calling ResetPassword?

[blowdart]

Oh heavens yes.

[HaoK]

I'll move this issue over to Templates then

[HaoK]

Moved: aspnet/Templates#804

[PaulRReynolds]

@HaoK Thanks for looking into the userId parameter, I was sure there was a use for it after all!
If the User ID combined with the supplied token verify the identity of the user making the request, would it be possible to exclude the Email field from the reset form completely? This would improve the user experience

[HaoK]

As you see, the app is control of what information you want in the flow, we suggested using the email as a simple confirmation that its the same person who requested the change