Conversation

@HaoK
Member

@HaoK HaoK commented Mar 15, 2019

Part of #8356

Still working on fixing/adding tests. For the default confirmation page, we generate a new confirmation link and display it only when in development.

@ajcvickers @blowdart

@HaoK
Member Author

HaoK commented Mar 15, 2019

For this new requireConfirmedAccount setting, are we planning on setting it explicitly in the templates or just turn it on in AddDefaultIdentity?

@Eilon Eilon added the area-identity Includes: Identity and providers label Mar 16, 2019
@HaoK
Member Author

HaoK commented Mar 19, 2019

Tests added/updated and are green again; removing WIP label.

@HaoK HaoK marked this pull request as ready for review March 19, 2019 08:30
@HaoK HaoK changed the title [WIP] Add new email/confirmation flows Add new email/confirmation flows Mar 19, 2019
Member

@javiercn javiercn left a comment


Overall looks good.

The only real issue I have is with the way we do the confirmation link for development.

Member

@javiercn javiercn left a comment


Looks good to me.

@HaoK HaoK merged commit 555b506 into master Apr 2, 2019
@MarcAir

MarcAir commented Aug 12, 2020

There may be a logical error in the confirmation of email.

'OnPostChangeEmailAsync' inside 'Email.cshtml.cs' does not check whether the email is used by another user prior to sending confirmation.
Or should we consider this something the 'ConfirmEmail.cshtml.cs' page is to do, since someone could potentially have either erred while entering the new email, or someone could be trying to exploit the change-email function to see if someone is registered with that email?
Either way, should we not be checking whether the email exists in the identity store prior to emailing a request for confirmation?

Something like this?
Basically, if the email exists, do not send the email, but still notify the user that an email was sent (for potential nefarious actors).

public async Task<IActionResult> OnPostChangeEmailAsync()
{
    ///removed for brevity
    if (Input.NewEmail != email)
    {
        // Only send the confirmation when no other account already uses the new address.
        var emailExists = await _userManager.FindByEmailAsync(Input.NewEmail);
        if (emailExists == null)
        {
            var userId = await _userManager.GetUserIdAsync(user);
            var code = await _userManager.GenerateChangeEmailTokenAsync(user, Input.NewEmail);
            var callbackUrl = Url.Page(
                "/Account/ConfirmEmailChange",
                pageHandler: null,
                values: new { userId = userId, email = Input.NewEmail, code = code },
                protocol: Request.Scheme);

            await _emailSender.SendEmailAsync(
                Input.NewEmail,
                "Confirm your email",
                $"Please confirm your account by <a href=\"{HtmlEncoder.Default.Encode(callbackUrl)}\">clicking here</a>.");
        }
        // Same status message whether or not an email was sent, so the response does not reveal whether the address is registered.
        StatusMessage = "Confirmation link to change email sent. Please check your email";
        return RedirectToPage();
    }
    ///removed for brevity
}
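The enumeration-resistant change-email handler described in the comment above, written out as a complete hypothetical page model (an added example, not the project's code or the snippet posted in the thread). It goes one step beyond that snippet: when the address is already registered it notifies the address owner instead of silently dropping the request, while the requester sees the same status message on every path. It assumes IdentityUser as the user type and the IEmailSender abstraction from Microsoft.AspNetCore.Identity.UI.Services.

```csharp
using System.Text.Encodings.Web;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Identity.UI.Services;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;

// Hypothetical page model; field and property names follow the snippet in the comment above.
public class EmailModel : PageModel
{
    private readonly UserManager<IdentityUser> _userManager;
    private readonly IEmailSender _emailSender;

    public EmailModel(UserManager<IdentityUser> userManager, IEmailSender emailSender)
    { _userManager = userManager; _emailSender = emailSender; }

    public class InputModel { public string NewEmail { get; set; } }

    [BindProperty] public InputModel Input { get; set; }
    [TempData] public string StatusMessage { get; set; }

    public async Task<IActionResult> OnPostChangeEmailAsync()
    {
        var user = await _userManager.GetUserAsync(User);
        if (user == null) return NotFound();
        if (!ModelState.IsValid) return Page();

        var currentEmail = await _userManager.GetEmailAsync(user);
        if (Input.NewEmail != currentEmail)
        {
            var owner = await _userManager.FindByEmailAsync(Input.NewEmail);
            if (owner == null)
            {
                // Address is free: send the change-email token to the new address.
                var userId = await _userManager.GetUserIdAsync(user);
                var code = await _userManager.GenerateChangeEmailTokenAsync(user, Input.NewEmail);
                var callbackUrl = Url.Page("/Account/ConfirmEmailChange", pageHandler: null,
                    values: new { userId, email = Input.NewEmail, code }, protocol: Request.Scheme);
                await _emailSender.SendEmailAsync(Input.NewEmail, "Confirm your email",
                    $"Please confirm your account by <a href=\"{HtmlEncoder.Default.Encode(callbackUrl)}\">clicking here</a>.");
            }
            else
            {
                // Address is taken: tell its owner, not the requester, that someone tried to claim it.
                await _emailSender.SendEmailAsync(Input.NewEmail, "Email address already in use",
                    "Someone tried to attach this address to another account. If this was not you, no action is needed.");
            }
        }
        // Identical message and redirect on every path, so the response never reveals whether the address is registered.
        StatusMessage = "Confirmation link to change email sent. Please check your email.";
        return RedirectToPage();
    }
}
```

The lookup and the two sends still differ slightly in duration, so the response timing remains a weaker signal; equalising that is a separate concern from the message text.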

