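        /// <summary>
        /// Verifies that <c>CheckSecurityAnswers</c> rejects a token whose creation time is
        /// older than the reset-link lifetime, returning the "expired" bad-request message.
        /// </summary>
        public void CheckSecurityAnswers_Fail_ExpiredToken()
        {
            // Arrange: remove every token the user already has so the aged token below is the only one.
            var emailAddress = "*****@*****.**";
            var expected     = new BadRequestObjectResult("The password reset link has expired, please create a new link.");
            var tokens       = rs.GetTokensByUserId(uas.ReadUserFromDBUsingEmail(emailAddress).UserAccountId);

            foreach (var token in tokens)
            {
                rs.DeleteToken(token.Token);
            }

            uam.GenerateResetPasswordToken(emailAddress); // creates a fresh token for the user
            tokens = rs.GetTokensByUserId(uas.ReadUserFromDBUsingEmail(emailAddress).UserAccountId);
            var generatedToken = tokens.First();

            // Back-date the token by one hour so it is well past the lifetime the service enforces.
            generatedToken.DateCreated = DateTime.UtcNow.AddMinutes(-60);
            rs.UpdateToken(generatedToken);

            var request = tu.CreateSecurityAnswersRequest();
            request.PasswordResetToken = generatedToken.Token;

            // Act
            var actual = uam.CheckSecurityAnswers(request);

            // Assert: BadRequestObjectResult does not override Equals, so comparing the two
            // instances directly would compare references and could never pass. Compare the
            // status code and the payload instead.
            var actualResult = actual as BadRequestObjectResult;
            Assert.IsNotNull(actualResult);
            Assert.AreEqual(expected.StatusCode, actualResult.StatusCode);
            Assert.AreEqual(expected.Value, actualResult.Value);
        }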
        /// <summary>
        /// Verifies that a change to a token's <c>Attempts</c> counter survives
        /// <c>UpdateToken</c> and is visible when the token is read back by its value.
        /// </summary>
        public void UpdateToken()
        {
            const int attempts = 3;

            var account        = uas.ReadUserFromDBUsingEmail("*****@*****.**");
            var existingTokens = rs.GetTokensByUserId(account.UserAccountId).ToList();
            var tokenToUpdate  = existingTokens[0]; // the test data is expected to contain at least one token

            tokenToUpdate.Attempts = attempts;
            rs.UpdateToken(tokenToUpdate);

            var reloaded = rs.GetToken(tokenToUpdate.Token);
            Assert.AreEqual(attempts, reloaded.Attempts);
        }
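        /// <summary>
        /// Validates a password reset token and the security answers supplied with it.
        /// </summary>
        /// <param name="request">The reset token and the three security answers to check.</param>
        /// <returns>
        /// <see cref="OkObjectResult"/> when the token is known, still has attempts left, is not
        /// expired and all three answers match the stored ones; otherwise a
        /// <see cref="BadRequestObjectResult"/> whose value says why the request was refused.
        /// </returns>
        /// <remarks>
        /// A wrong set of answers increments the token's attempt counter and persists it, so one
        /// link allows at most <c>MaxAttempts</c> guesses. This method does not change the password
        /// itself; it only reports whether the reset may proceed. Sending a notification email is
        /// still to do.
        /// </remarks>
        public ActionResult CheckSecurityAnswers(SecurityAnswerRequest request)
        {
            const int MaxAttempts = 3;           // guesses allowed per token before it is refused
            const int TokenLifetimeMinutes = 10; // how long after creation a token is accepted

            if (request is null)
            {
                return new BadRequestObjectResult("Invalid password reset link");
            }

            PasswordResetToken token = _resetService.GetToken(request.PasswordResetToken);

            if (token is null)
            {
                return new BadRequestObjectResult("Invalid password reset link");
            }

            if (token.Attempts >= MaxAttempts)
            {
                return new BadRequestObjectResult("Too many attempts have been attempted with this link, please create a new link.");
            }

            // A token is expired once its creation time plus the lifetime lies in the past.
            // Mind the direction of the comparison: a freshly created token must pass this check.
            if (token.DateCreated.AddMinutes(TokenLifetimeMinutes) < DateTime.UtcNow)
            {
                return new BadRequestObjectResult("The password reset link has expired, please create a new link.");
            }

            var user = _userAccountService.ReadUserFromDBUsingId(token.UserId);

            if (user is null)
            {
                // A token that points at a missing account is treated like an unknown token.
                return new BadRequestObjectResult("Invalid password reset link");
            }

            // Evaluate all three answers without short-circuiting and with a fixed-time comparison,
            // so response timing does not reveal which answer was wrong or how much of it matched.
            bool answersMatch = AnswerMatches(user.SecurityAnswer1, request.SecurityAnswer1);
            answersMatch &= AnswerMatches(user.SecurityAnswer2, request.SecurityAnswer2);
            answersMatch &= AnswerMatches(user.SecurityAnswer3, request.SecurityAnswer3);

            if (!answersMatch)
            {
                token.Attempts++;
                _resetService.UpdateToken(token);
                return new BadRequestObjectResult("Security answer(s) are not correct");
            }

            return new OkObjectResult("Able to reset password");

            // Ordinal, fixed-time string equality with the same null semantics as string ==:
            // two nulls are equal, a null and a non-null are not.
            bool AnswerMatches(string stored, string supplied)
            {
                if (stored is null || supplied is null)
                {
                    return stored is null && supplied is null;
                }

                var storedBytes   = System.Text.Encoding.UTF8.GetBytes(stored);
                var suppliedBytes = System.Text.Encoding.UTF8.GetBytes(supplied);
                return System.Security.Cryptography.CryptographicOperations.FixedTimeEquals(storedBytes, suppliedBytes);
            }
        }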