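        // [AllowAnonymous]
        // [ValidateAntiForgeryToken]
        // NOTE(review): both attributes above are disabled and no authorization attribute is visible on
        // this action. The response body carries the reset token and the reset link, so any caller who can
        // reach this action can reset the password of the account whose id it submits. Confirm that the
        // controller or a global filter restricts it to privileged callers.
        /// <summary>
        /// Generates a password reset token for the user identified by <c>bindings.Id</c>, builds a reset
        /// link from it and, when <c>bindings.email</c> is set, e-mails that link to the user.
        /// </summary>
        /// <param name="bindings">
        /// Request body: the user id, the base URL of the reset form and the flag that requests the e-mail.
        /// </param>
        /// <returns>
        /// Always HTTP 200. The payload is an <c>ApiModel</c> error when the user cannot be resolved,
        /// otherwise an <c>ApiModel</c> success wrapping a <c>ResetPasswordResult</c> with the id, token,
        /// link, user name and the outcome of the e-mail step.
        /// </returns>
        public async Task<IActionResult> ResetPassword([FromBody] ResetPasswordBindings bindings)
        {
            // A missing body or id is reported the same way as an unknown user instead of being passed
            // on to FindByIdAsync.
            if (bindings == null || string.IsNullOrEmpty(bindings.Id))
            {
                _logger.LogWarning("Invalid forgot password attempt.");

                return Ok(ApiModel.AsError<string>(null, "user does not exist"));
            }

            var id = bindings.Id;

            // NOTE(review): resetFormURL comes straight from the request body and becomes the target of
            // the link e-mailed to the user, so the caller decides which site receives the reset token.
            // Check it against a configured allow-list of front-end origins before using it; no such
            // list is visible in this block.
            var resetFormURL = bindings.resetFormURL ?? "";

            // TODO: validate model here or with a filter ?
            // TODO: do we really need the email confirmation ?
            var user = await _userManager.FindByIdAsync(id);

            if (user == null) // || !(await _userManager.IsEmailConfirmedAsync(user))
            {
                _logger.LogWarning("Invalid forgot password attempt.");

                // NOTE(review): this message does tell the caller that the id is unknown. If the action
                // is reachable by unprivileged callers, return the same response as the success path
                // so that account ids cannot be enumerated.
                return Ok(ApiModel.AsError<string>(null, "user does not exist"));
            }

            // For more information on how to enable account confirmation and password reset please
            // visit https://go.microsoft.com/fwlink/?LinkID=532713
            var code = await _userManager.GeneratePasswordResetTokenAsync(user);

            var values = new { id = user.Id, code = code };

            // NOTE(review): scheme and host are taken from the incoming request, so the generated URL
            // follows the request's Host header. Presumably host filtering or a fixed public base URL
            // is configured elsewhere; confirm.
            var callbackUrl = Url.Action(
                action: nameof(AccountController.ResetPassword),
                controller: nameof(AccountController).ToLowerInvariant().Replace("controller", ""),
                values: values,
                protocol: Request.Scheme,
                host: Request.Host.Value);

            var encodedCallback = WebUtility.UrlEncode(callbackUrl);
            var link            = $"{resetFormURL}?action={encodedCallback}";
            var result          = new ResetPasswordResult {
                Id = id, Code = code, Link = link, Username = user.UserName
            };

            // The link contains caller-supplied text, so it is HTML-encoded before being placed inside
            // the single-quoted href attribute; otherwise a quote in resetFormURL would end the
            // attribute and inject markup into the message.
            var linkForHtml = WebUtility.HtmlEncode(link);

            // The e-mail is sent only when the caller asked for it; sent stays false otherwise.
            result.sent = bindings.email && await _emailSender.SendEmailAsync(user.Email, "Reset Password",
                                                                              $"Please reset your password by clicking here: <a href='{linkForHtml}'>link</a>");

            return Ok(ApiModel.AsSuccess<ResetPasswordResult>(result));
        }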
 /// <summary>
 /// Body-bound entry point for completing a password reset: unpacks the id, reset code and new
 /// password from the request body and hands them to the three-argument <c>ResetPassword</c>
 /// overload, which is defined outside this listing.
 /// </summary>
 /// <param name="bindings">Request body carrying <c>id</c>, <c>code</c> and <c>password</c>.</param>
 /// <returns>The task returned by the <c>ResetPassword</c> overload, passed through unchanged.</returns>
 // NOTE(review): nothing is validated here. Token verification and password policy checks are
 // presumably done in the overload; confirm. A request without a body would fail on the first
 // property access, since bindings is not checked for null.
 public Task<IActionResult> ResetPasswordPost([FromBody] ResetPasswordBindings bindings)
     => ResetPassword(bindings.id, bindings.code, bindings.password);