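/// <summary>
/// Replaces a user's password after verifying the e-mail confirmation token and the current password.
/// </summary>
/// <param name="email">E-mail address used to look the user up in <c>context.Users</c>.</param>
/// <param name="confirmationToken">Token previously issued to the user; compared against <c>User.ConfirmationToken</c>.</param>
/// <param name="currentPassword">The user's existing password, checked with <c>security.AuthenticatePassword</c>.</param>
/// <param name="newPassword">Replacement password; must pass <c>security.ValididatePasswordFormat</c> and must not be found by <c>PasswordRecentlyUsed</c>.</param>
/// <returns>
/// The <see cref="User"/> entity with <c>Authenticated</c> and <c>message</c> set (and <c>jsonToken</c> on success) when the token,
/// expiry, lock state and current password are all accepted; <c>Unauthorized()</c> otherwise.
/// </returns>
/// <remarks>
/// The returned entity still carries <c>Password</c> (the stored hash) and <c>jsonToken</c>; a caller that serialises it
/// straight to the client should project it to a DTO without the hash. Expiry and timestamps use <c>DateTime.Now</c>
/// (local time); this assumes <c>ConfirmationTokenExpires</c> is written in local time elsewhere — TODO confirm.
/// </remarks>
public ActionResult<User> ResetPassword(string email, string confirmationToken, string currentPassword, string newPassword) {
    // An empty token can never match a stored one; reject before touching the database.
    if (string.IsNullOrEmpty(confirmationToken)) {
        return Unauthorized();
    }

    User user = context.Users.FirstOrDefault(u => u.EmailAddress == email);

    // All preconditions must hold; any failure for an existing user is recorded as a failed login attempt.
    bool resetPermitted = user != null
        && !user.Locked
        && TokensMatch(user.ConfirmationToken, confirmationToken)
        && user.ConfirmationTokenExpires > DateTime.Now
        && security.AuthenticatePassword(currentPassword, user.Password);

    if (!resetPermitted) {
        if (user != null) {
            FailedLoginAttempt(user);
        }
        return Unauthorized();
    }

    user.Authenticated = false;

    if (!security.ValididatePasswordFormat(newPassword)) {
        user.message = "Invalid password format.";
        return user;
    }

    // Hash once: the same value is checked against the history and, on success, stored.
    string newHash = security.Hash(newPassword);
    if (PasswordRecentlyUsed(email, newHash)) {
        // This case used to report "Invalid password format.", which hid the actual reason from the user.
        user.message = "New password was used recently; choose a different one.";
        return user;
    }

    // Sample the clock once so the history entry, expiry and last-login agree.
    DateTime now = DateTime.Now;
    user.Password = newHash;
    context.UserPasswordHistory.Add(new UserPasswordHistory { EmailAddress = email, Password = user.Password, DateAdded = now });
    user.jsonToken = GenerateJSONWebToken(user);
    user.PasswordExpires = now.AddDays(security.PasswordExpiresDays()); //TODO: make this a setting.
    user.Locked = false;
    user.ForcePasswordReset = false;
    user.ConfirmationToken = ""; // single use: the token cannot be replayed after a successful reset
    user.LoginAttempts = 0;
    user.LastLogin = now;
    context.SaveChanges();
    user.Authenticated = true;
    user.message = "Password updated successfully.";
    return user;

    // Constant-time comparison so response time does not reveal how many leading characters of the token matched.
    // Null on either side is treated as a mismatch, as the original == comparison did.
    bool TokensMatch(string stored, string supplied) {
        if (stored is null || supplied is null) {
            return false;
        }
        return System.Security.Cryptography.CryptographicOperations.FixedTimeEquals(
            System.Text.Encoding.UTF8.GetBytes(stored),
            System.Text.Encoding.UTF8.GetBytes(supplied));
    }
}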