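public void CheckSecurityAnswers_Fail_ExpiredToken()
{
    // Arrange: wipe every token on the account so the one we backdate is the
    // only one present, then push its creation time an hour into the past,
    // well beyond the reset link's lifetime.
    var emailAddress = "*****@*****.**";
    var expectedMessage = "The password reset link has expired, please create a new link.";
    var userAccountId = uas.ReadUserFromDBUsingEmail(emailAddress).UserAccountId;

    foreach (var staleToken in rs.GetTokensByUserId(userAccountId))
    {
        rs.DeleteToken(staleToken.Token);
    }

    uam.GenerateResetPasswordToken(emailAddress); // creates a "fresh" token
    var generatedToken = rs.GetTokensByUserId(userAccountId).ToList<PasswordResetToken>()[0];
    generatedToken.DateCreated = DateTime.UtcNow.AddMinutes(-60);
    rs.UpdateToken(generatedToken);

    var request = tu.CreateSecurityAnswersRequest();
    request.PasswordResetToken = generatedToken.Token;

    // Act
    var actual = uam.CheckSecurityAnswers(request);

    // Assert on the result's type and payload rather than on the result objects
    // themselves: BadRequestObjectResult does not override Equals, so
    // Assert.AreEqual(expected, actual) on two separately constructed instances
    // is a reference comparison and can never pass.
    var badRequest = actual as BadRequestObjectResult;
    Assert.IsNotNull(badRequest, "expected a 400 BadRequestObjectResult for an expired token");
    Assert.AreEqual(expectedMessage, badRequest.Value);
}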
public void UpdateToken()
{
    // Round-trips a change through the reset service: bump Attempts on the
    // account's first token, persist it, re-read the token by its value and
    // confirm the new count survived.
    const int expectedAttempts = 3;
    var account = uas.ReadUserFromDBUsingEmail("*****@*****.**");
    var accountTokens = rs.GetTokensByUserId(account.UserAccountId).ToList<PasswordResetToken>();
    var firstToken = accountTokens[0];

    firstToken.Attempts = expectedAttempts;
    rs.UpdateToken(firstToken);

    var reloaded = rs.GetToken(firstToken.Token);
    Assert.AreEqual(expectedAttempts, reloaded.Attempts);
}
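public ActionResult CheckSecurityAnswers(SecurityAnswerRequest request)
{
    // Gates a password reset on a reset token plus three security answers.
    // Order of checks:
    //   1. token exists in the store
    //   2. token has fewer than maxAttempts failed tries
    //   3. token is younger than tokenLifetimeMinutes
    //   4. the three submitted answers match the stored ones (a miss burns one attempt)
    // Returns BadRequestObjectResult with a reason on any failure and
    // OkObjectResult("Able to reset password") on success.
    // NOTE: as written this method does NOT change the password, send an email,
    // or consume the token on success — the same token can be validated again
    // until it expires or runs out of attempts.
    const int maxAttempts = 3;
    const int tokenLifetimeMinutes = 10;

    if (request == null)
    {
        return new BadRequestObjectResult("Invalid password reset link");
    }

    PasswordResetToken token = _resetService.GetToken(request.PasswordResetToken);
    if (token == null)
    {
        return new BadRequestObjectResult("Invalid password reset link");
    }

    if (token.Attempts >= maxAttempts)
    {
        return new BadRequestObjectResult("Too many attempts have been attempted with this link, please create a new link.");
    }

    // A token is expired once DateCreated + lifetime lies in the past. The
    // previous comparison was inverted (`> UtcNow`): it rejected every fresh
    // token as expired and let stale ones through.
    if (token.DateCreated.AddMinutes(tokenLifetimeMinutes) <= DateTime.UtcNow)
    {
        return new BadRequestObjectResult("The password reset link has expired, please create a new link.");
    }

    var user = _userAccountService.ReadUserFromDBUsingId(token.UserId);
    if (user == null)
    {
        // The service contract isn't visible here; guard the null case rather
        // than dereference it, and treat it like an unusable token.
        return new BadRequestObjectResult("Invalid password reset link");
    }

    // NOTE(review): answers are compared as plain values straight from the
    // store using ordinary equality — neither hashed nor constant-time. Storing
    // a salted hash per answer and comparing with
    // CryptographicOperations.FixedTimeEquals would be the hardened form, but
    // that requires a storage change outside this method.
    bool answersMatch = user.SecurityAnswer1 == request.SecurityAnswer1
        && user.SecurityAnswer2 == request.SecurityAnswer2
        && user.SecurityAnswer3 == request.SecurityAnswer3;

    if (!answersMatch)
    {
        // Persist the failed try so the attempt limit above is enforced across requests.
        token.Attempts++;
        _resetService.UpdateToken(token);
        return new BadRequestObjectResult("Security answer(s) are not correct");
    }

    return new OkObjectResult("Able to reset password");
}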