public ActionResult <User> ResetPassword(string email, string confirmationToken, string currentPassword, string newPassword)
{
if (string.IsNullOrEmpty(confirmationToken))
{
return(Unauthorized());
}
User user = context.Users.Where(u => u.EmailAddress == email).FirstOrDefault();
if (user != null &&
!user.Locked &&
user.ConfirmationToken == confirmationToken &&
user.ConfirmationTokenExpires > DateTime.Now &&
security.AuthenticatePassword(currentPassword, user.Password))
{
user.Authenticated = false;
if (security.ValididatePasswordFormat(newPassword) && !PasswordRecentlyUsed(email, security.Hash(newPassword)))
{
user.Password = security.Hash(newPassword);
context.UserPasswordHistory.Add(new UserPasswordHistory {
EmailAddress = email, Password = user.Password, DateAdded = System.DateTime.Now
});
user.jsonToken = GenerateJSONWebToken(user);
user.PasswordExpires = DateTime.Now.AddDays(security.PasswordExpiresDays()); //TODO: make this a setting.
user.Locked = false;
user.ForcePasswordReset = false;
user.ConfirmationToken = "";
user.LoginAttempts = 0;
user.LastLogin = DateTime.Now;
context.SaveChanges();
user.Authenticated = true;
user.message = "Password updated successfully.";
}
else
{
user.Authenticated = false;
user.message = "Invalid password format.";
}
return(user);
}
else
{
if (user != null)
{
FailedLoginAttempt(user);
}
return(Unauthorized());
}
}