public string GeneratePasswordResetToken(GeneratePasswordResetTokenParameters parameters)
{
if (parameters == null)
{
throw new ClientException("It is not allowed to call this authentication service method with no parameters provided.");
}
_logger.Trace(() => "GeneratePasswordResetToken: " + parameters.UserName);
CheckPermissions(AuthenticationServiceClaims.GeneratePasswordResetTokenClaim);
parameters.Validate();
return(GeneratePasswordResetTokenInternal(parameters));
}
public void SendPasswordResetToken(SendPasswordResetTokenParameters parameters)
{
if (parameters == null)
{
throw new ClientException("It is not allowed to call this authentication service method with no parameters provided.");
}
_logger.Trace("SendPasswordResetToken " + parameters.UserName);
parameters.Validate();
const string logErrorFormat = "SendPasswordResetToken failed for {0}: {1}";
try
{
string passwordResetToken;
try
{
var tokenParameters = new GeneratePasswordResetTokenParameters
{
UserName = parameters.UserName,
TokenExpirationInMinutesFromNow = Int32.Parse(ConfigUtility.GetAppSetting("AspNetFormsAuth.SendPasswordResetToken.ExpirationInMinutes") ?? "1440")
};
passwordResetToken = GeneratePasswordResetTokenInternal(tokenParameters);
}
// Providing an error information to the client might be a security issue, because this method allows anonymous access.
catch (UserException ex)
{
_logger.Trace(logErrorFormat, parameters.UserName, ex);
return;
}
catch (ClientException ex)
{
_logger.Info(logErrorFormat, parameters.UserName, ex);
return;
}
// The plugin may choose it's own client error messages (UserException and ClientException will not be suppressed).
_sendPasswordResetTokenPlugin.Value.SendPasswordResetToken(parameters.UserName, parameters.AdditionalClientInfo, passwordResetToken);
}
catch (Exception ex)
{
if (ex is UserException || ex is ClientException)
{
ExceptionsUtility.Rethrow(ex);
}
// Don't return an internal error to the client. Log it and return a generic error message:
_logger.Error(logErrorFormat, parameters.UserName, ex);
throw new FrameworkException(FrameworkException.GetInternalServerErrorMessage(_localizer, ex));
}
}
private string GeneratePasswordResetTokenInternal(GeneratePasswordResetTokenParameters parameters)
{
if (!WebSecurity.UserExists(parameters.UserName)) // Providing this information is not a security issue, because this method requires admin credentials (GeneratePasswordResetTokenClaim).
{
throw new UserException("User '{0}' is not registered.", new[] { parameters.UserName }, null, null);
}
if (!IsAccountCreated(parameters.UserName))
{
_logger.Trace(() => "GeneratePasswordResetTokenInternal creating security account: " + parameters.UserName);
WebSecurity.CreateAccount(parameters.UserName, Guid.NewGuid().ToString());
}
return(parameters.TokenExpirationInMinutesFromNow != 0
? WebSecurity.GeneratePasswordResetToken(parameters.UserName, parameters.TokenExpirationInMinutesFromNow)
: WebSecurity.GeneratePasswordResetToken(parameters.UserName, GeneratePasswordResetTokenParameters.DefaultTokenExpirationInMinutes));
}
public void SendPasswordResetToken(SendPasswordResetTokenParameters parameters)
{
if (parameters == null)
throw new ClientException("It is not allowed to call this authentication service method with no parameters provided.");
_logger.Trace("SendPasswordResetToken " + parameters.UserName);
parameters.Validate();
const string logErrorFormat = "SendPasswordResetToken failed for {0}: {1}";
try
{
string passwordResetToken;
try
{
var tokenParameters = new GeneratePasswordResetTokenParameters
{
UserName = parameters.UserName,
TokenExpirationInMinutesFromNow = Int32.Parse(ConfigUtility.GetAppSetting("AspNetFormsAuth.SendPasswordResetToken.ExpirationInMinutes") ?? "1440")
};
passwordResetToken = GeneratePasswordResetTokenInternal(tokenParameters);
}
// Providing an error information to the client might be a security issue, because this method allows anonymous access.
catch (UserException ex)
{
_logger.Trace(logErrorFormat, parameters.UserName, ex);
return;
}
catch (ClientException ex)
{
_logger.Info(logErrorFormat, parameters.UserName, ex);
return;
}
// The plugin may choose it's own client error messages (UserException and ClientException will not be suppressed).
_sendPasswordResetTokenPlugin.Value.SendPasswordResetToken(parameters.UserName, parameters.AdditionalClientInfo, passwordResetToken);
}
catch (Exception ex)
{
if (ex is UserException || ex is ClientException)
ExceptionsUtility.Rethrow(ex);
_logger.Error(logErrorFormat, parameters.UserName, ex);
throw new FrameworkException("Internal server error occurred. See RhetosServer.log for more information.");
}
}
private string GeneratePasswordResetTokenInternal(GeneratePasswordResetTokenParameters parameters)
{
if (!WebSecurity.UserExists(parameters.UserName)) // Providing this information is not a security issue, because this method requires admin credentials (GeneratePasswordResetTokenClaim).
throw new UserException("User '" + parameters.UserName + "' is not registered.");
if (!IsAccountCreated(parameters.UserName))
{
_logger.Trace(() => "GeneratePasswordResetTokenInternal creating security account: " + parameters.UserName);
WebSecurity.CreateAccount(parameters.UserName, Guid.NewGuid().ToString());
}
return parameters.TokenExpirationInMinutesFromNow != 0
? WebSecurity.GeneratePasswordResetToken(parameters.UserName, parameters.TokenExpirationInMinutesFromNow)
: WebSecurity.GeneratePasswordResetToken(parameters.UserName, GeneratePasswordResetTokenParameters.DefaultTokenExpirationInMinutes);
}
public string GeneratePasswordResetToken(GeneratePasswordResetTokenParameters parameters)
{
if (parameters == null)
throw new ClientException("It is not allowed to call this authentication service method with no parameters provided.");
_logger.Trace(() => "GeneratePasswordResetToken: " + parameters.UserName);
CheckPermissions(AuthenticationServiceClaims.GeneratePasswordResetTokenClaim);
parameters.Validate();
return GeneratePasswordResetTokenInternal(parameters);
}
public async Task <string> GeneratePasswordResetToken([FromBody] GeneratePasswordResetTokenParameters parameters)
{
ValidateForEmptyParameters(parameters);
return(await _authenticationService.GeneratePasswordResetTokenAsync(parameters.UserName));
}