我正在使用 ASP.NET Identity,并且具有基本的忘记密码/重置密码功能。
当您填写忘记密码的表单时,它会使用以下命令创建一个重置令牌_userManager.GeneratePasswordResetTokenAsync(user)
[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
public async Task<IActionResult> ForgotPassword(ForgotPasswordViewModel model)
{
if (ModelState.IsValid)
{
var user = await _userManager.FindByNameAsync(model.Email);
if (user == null || !(await _userManager.IsEmailConfirmedAsync(user)))
{
return View("ForgotPasswordConfirmation");
}
var code = await _userManager.GeneratePasswordResetTokenAsync(user);
var callbackUrl = Url.Action("ResetPassword", "Account", new { userId = user.Id, code = code }, protocol: HttpContext.Request.Scheme);
await _emailSender.SendEmailAsync(model.Email, "Reset Password",
$"Please reset your password by clicking here: <a href='{callbackUrl}'>link</a>");
return View("ForgotPasswordConfirmation");
}
// If we got this far, something failed, redisplay form
return View(model);
}
我注意到重置密码页面的唯一验证是检查代码是否为空,而不是检查它是否仍然有效或未过期。
[HttpGet]
[AllowAnonymous]
public IActionResult ResetPassword(string code = null)
{
if (code == null)
{
throw new Exception("A code must be supplied for password reset.");
}
var model = new ResetPasswordViewModel { Code = code };
return View(model);
}
它实际上不会检查令牌是否有效,直到您尝试重置密码并调用_userManager.ResetPasswordAsync(user, model.Code, model.Password)
我希望能够验证当他们点击“重置密码”页面向用户显示消息时代码仍然有效,而不是在他们尝试重置密码后。
有没有办法检查是否有效?