/// <summary> /// Process the request for a forgotten password from the main forgot password screen. This will lookup the /// user and if found email them a link to reset their password. /// </summary> /// <param name="model"></param> public SendInstructionsToResetPasswordResponse SendInstructionsToResetPassword(SendInstructionsToResetPasswordRequest request) { // //Validate the parameters // if (request == null || String.IsNullOrWhiteSpace(request.UserNameOrEmail)) { return(new SendInstructionsToResetPasswordResponse() { IsSuccessful = false, Message = "An invalid user name or email address was specified." }); } SecurityUser securityUser = null; ADUser adUser = null; // //See if we can reset this users active directory account. We only need to do this //if active directory auth is enabled, if AD users are allowed to reset their password, //and we are not storing the users in the SecurityUser table. // if (ApplicationService.Instance.FormsAuthenticationADEnabled && ApplicationService.Instance.ForgotPasswordResetAllowedForADUser && adUser == null && securityUser == null ) { // //Try to find by username first // adUser = new ADUser(request.UserNameOrEmail); // //If not found, try to find by email address // if (!adUser.ValidUser) { var searchFilter = adUser.GetUserSearchFilterByEmailAddress(request.UserNameOrEmail); adUser.PopulateUserInformation(searchFilter); } //Ensure we clear the record if we dont have a valid AD user if (!adUser.ValidUser) { adUser = null; } // //Get the security user record if we have security user records for AD users // else { if (ApplicationService.Instance.FormsAuthenticationCreateSecurityUserRecordOnADAuth) { securityUser = _repository.GetAll <SecurityUser>() .FirstOrDefault(p => p.ActiveDirectoryGuid == adUser.ObjectGuid); } } } // //Then try to find the user by their SecurityUser table record // if (ApplicationService.Instance.FormsAuthenticationSecurityUserTableEnabled && adUser == null && securityUser == null) { // //First try lookup only by userid //Check the security user table first // var securityUsers = _repository.GetAll <SecurityUser>().Where(p => p.UserName.Equals(request.UserNameOrEmail)); //If no match found, try lookup by email address if (!securityUsers.Any()) { securityUsers = _repository.GetAll <SecurityUser>() .Where(p => p.EmailAddress.Equals(request.UserNameOrEmail)); } // //If there is more than one result, we cannot reset the password // if (securityUsers.Count() > 1) { return(new SendInstructionsToResetPasswordResponse() { IsSuccessful = false, Message = "Multiple records were found with the supplied username or email, your password cannot be reset. Please contact support to have your password reset." }); } securityUser = securityUsers.FirstOrDefault(); } // //Now ensure we can continue with the password reset // // var canUserPasswordBeChangedRequest = new CanUserPasswordBeChangedRequest() { SecurityUser = securityUser, ADUser = adUser }; var canUserPasswordBeChangedResponse = _passwordService.CanUserPasswordBeChanged(canUserPasswordBeChangedRequest); if (!canUserPasswordBeChangedResponse.IsSuccessful) { return(new SendInstructionsToResetPasswordResponse() { IsSuccessful = false, Message = "That username or email address cannot have it's password reset. Please contact support to have your password reset." }); } // //Ensure the user has an email address // if ((securityUser == null || String.IsNullOrWhiteSpace(securityUser.EmailAddress)) && (adUser == null || String.IsNullOrWhiteSpace(adUser.EmailAddress))) { return(new SendInstructionsToResetPasswordResponse() { IsSuccessful = false, Message = "That username or email address cannot have it's password reset as it has no email on file. Please contact support to have your password reset." }); } // //Create the password reset entry // var passwordResetRequest = CreateSecurityPasswordResetRequestEntry(request, securityUser, adUser); // //Send the password reset email // var sendForgotPasswordEmailRequest = new SendForgotPasswordEmailRequest() { SecurityUser = securityUser, ADUser = adUser, SecurityPasswordResetRequest = passwordResetRequest }; var sendForgotPasswordEmailResponse = SendForgotPasswordEmail(sendForgotPasswordEmailRequest); if (!sendForgotPasswordEmailResponse.IsSuccessful) { return(new SendInstructionsToResetPasswordResponse() { IsSuccessful = false, Message = sendForgotPasswordEmailResponse.Message }); } // //Request was successful // return(new SendInstructionsToResetPasswordResponse() { IsSuccessful = true, Message = null }); }
/// <summary> /// Send the user the email telling them instructions on how to reset their password /// </summary> /// <param name="request"></param> public SendForgotPasswordEmailResponse SendForgotPasswordEmail(SendForgotPasswordEmailRequest request) { // //Validate parameters // if (request == null || request.SecurityPasswordResetRequest == null || (request.ADUser == null && request.SecurityUser == null)) { return(new SendForgotPasswordEmailResponse() { IsSuccessful = false, Message = "An invalid request was specified to the SendForgotPasswordEmail service." }); } if (String.IsNullOrWhiteSpace(request.SecurityPasswordResetRequest.EmailAddress)) { return(new SendForgotPasswordEmailResponse() { IsSuccessful = false, Message = "An invalid request was specified to the SendForgotPasswordEmail service. The email address to send to is empty." }); } // //Send the email // var adUser = request.ADUser; var securityUser = request.SecurityUser; var passwordResetRequest = request.SecurityPasswordResetRequest; try { _tokenResolver.GetTokenResolutionProvider().ClearTokens(); var tokenValues = new Dictionary <String, String>(); // //Create the URL for the user to reset their password with // String passwordResetId = AESEncryption.Encrypt(passwordResetRequest.SecurityPasswordResetRequestId.ToString()); String passwordResetToken = AESEncryption.Encrypt(passwordResetRequest.Token); // //Setup the values for the Token Resolver so the email parses properly //Override the email address and other attributes since it may come from an AD User, //we cant bank on this always being security user. // var firstName = (adUser != null ? adUser.FirstName : securityUser.FirstName); tokenValues.Add(TokenNames.FirstName.ToString(), firstName); var lastName = (adUser != null ? adUser.LastName : securityUser.LastName); tokenValues.Add(TokenNames.LastName.ToString(), lastName); tokenValues.Add(TokenNames.EmailAddress.ToString(), passwordResetRequest.EmailAddress); //We send both the encrypted ID and token to the user, making it harder for them to hack a reset entry String forgotPasswordUrl = String.Format("{0}Authentication/ForgotPassword/Reset?id={1}&t={2}", DomainApplicationService.Instance.SiteBaseURL, HttpUtility.UrlEncode(passwordResetId), HttpUtility.UrlEncode(passwordResetToken)); tokenValues.Add(TokenNames.ForgotPasswordURL.ToString(), forgotPasswordUrl); // //Process the email template and send it // var emailTemplate = _authenticationContentProvider.GetForgotPasswordEmail(); _sendMail.MessageHtml = emailTemplate.Html; _sendMail.Subject = _tokenResolver.TokenizeString(emailTemplate.EmailSubject, TokenResolutionObjectTypes.SecurityUser.ToString(), passwordResetRequest.SecurityUserId.ToString(), tokenValues); _sendMail.Body = _tokenResolver.TokenizeString(emailTemplate.EmailBody, TokenResolutionObjectTypes.SecurityUser.ToString(), passwordResetRequest.SecurityUserId.ToString(), tokenValues); _sendMail.AddMessageTo(_tokenResolver.TokenizeString(emailTemplate.EmailTo, TokenResolutionObjectTypes.SecurityUser.ToString(), passwordResetRequest.SecurityUserId.ToString(), tokenValues)); _sendMail.AddMessageCC(_tokenResolver.TokenizeString(emailTemplate.EmailCC, TokenResolutionObjectTypes.SecurityUser.ToString(), passwordResetRequest.SecurityUserId.ToString(), tokenValues)); _sendMail.AddMessageBCC(_tokenResolver.TokenizeString(emailTemplate.EmailBCC, TokenResolutionObjectTypes.SecurityUser.ToString(), passwordResetRequest.SecurityUserId.ToString(), tokenValues)); var fromAddress = _tokenResolver.TokenizeString(emailTemplate.EmailFrom, TokenResolutionObjectTypes.SecurityUser.ToString(), passwordResetRequest.SecurityUserId.ToString(), tokenValues); var fromDisplayName = _tokenResolver.TokenizeString(emailTemplate.EmailFromDisplayName, TokenResolutionObjectTypes.SecurityUser.ToString(), passwordResetRequest.SecurityUserId.ToString(), tokenValues); var from = new MailAddress(fromAddress, fromDisplayName); _sendMail.SetMessageFrom(from); _sendMail.Send(); } catch (Exception e) { String errorMessage = String.Format("An error occurred sending the forgot password email to user {0}", (adUser != null ? adUser.UserName : securityUser.UserName)); LogService.Instance.Log.Error(errorMessage, e); return(new SendForgotPasswordEmailResponse() { IsSuccessful = false, Message = errorMessage }); } // //Everything is good if we got hee // return(new SendForgotPasswordEmailResponse() { IsSuccessful = true, Message = null }); }