如何 revoke/invalidate/cancel 旧电子邮件确认令牌(身份)
how to revoke/invalidate/cancel old email confirmation token (identity)
我允许知道密码但尚未确认的新创建用户更改他们的注册电子邮件(只要它未在我的数据库中注册)
问题是,如果他们更改了电子邮件,我会生成新的电子邮件确认令牌,但旧令牌仍然可以验证它们(我在注册时发出的那个),这很可能意味着人们可以使用他们的注册首先邮件,将其更改为他们无法访问的其他邮件,并从旧邮件进行验证,这是一个很大的安全漏洞,我只能离开
有什么方法可以 remove/revoke 旧令牌吗? (从技术上讲,我可以创建一个新用户并删除旧用户,旧令牌不适用于新用户,但我认为应该有更好的解决方案)
我将以下属性添加到我的 ApplicationUser class
public class ApplicationUser : IdentityUser {
public string EmailConfirmationToken { get; set; }
public string ResetPasswordToken { get; set; }
}
这保留了确认电子邮件令牌时要验证的确认令牌。
然后我将以下内容添加到我的 ApplicationUserManager 中,这是 UserManager<ApplicationUser> 派生的 class。
public override async System.Threading.Tasks.Task<string> GenerateEmailConfirmationTokenAsync(string userId) {
/* NOTE:
* The default UserTokenProvider generates tokens based on the users's SecurityStamp, so until that changes
* (like when the user's password changes), the tokens will always be the same, and remain valid.
* So if you want to simply invalidate old tokens, just call manager.UpdateSecurityStampAsync().
*/
//await base.UpdateSecurityStampAsync(userId);
var token = await base.GenerateEmailConfirmationTokenAsync(userId);
if (!string.IsNullOrEmpty(token)) {
var user = await FindByIdAsync(userId);
user.EmailConfirmationToken = token;
user.EmailConfirmed = false;
await UpdateAsync(user);
}
return token;
}
public override async System.Threading.Tasks.Task<string> GeneratePasswordResetTokenAsync(string userId) {
var token = await base.GeneratePasswordResetTokenAsync(userId);
if (!string.IsNullOrEmpty(token)) {
var x = await FindByIdAsync(userId);
x.ResetPasswordToken = token;
await UpdateAsync(x);
}
return token;
}
public override async System.Threading.Tasks.Task<IdentityResult> ConfirmEmailAsync(string userId, string token) {
var result = await base.ConfirmEmailAsync(userId, token);
if (result.Succeeded) {
var x = await FindByIdAsync(userId);
x.EmailConfirmationToken = null;
await UpdateAsync(x);
}
return result;
}
public override async System.Threading.Tasks.Task<IdentityResult> ResetPasswordAsync(string userId, string token, string newPassword) {
var result = await base.ResetPasswordAsync(userId, token, newPassword);
if (result.Succeeded) {
var x = await FindByIdAsync(userId);
x.ResetPasswordToken = null;
await UpdateAsync(x);
}
return result;
}
添加了以下扩展,以便能够根据用户存储的令牌找到用户。
public static class ApplicationUserManagerExtension {
public static Task<string> FindIdByEmailConfirmationTokenAsync(this UserManager<ApplicationUser> manager, string confirmationToken) {
string result = null;
ApplicationUser user = manager.Users.SingleOrDefault(u => u.EmailConfirmationToken != null && u.EmailConfirmationToken == confirmationToken);
if (user != null) {
result = user.Id;
}
return Task.FromResult(result);
}
public static Task<string> FindIdByResetPasswordTokenAsync(this UserManager<ApplicationUser> manager, string token) {
string result = null;
ApplicationUser user = manager.Users.SingleOrDefault(u => u.ResetPasswordToken != null && u.ResetPasswordToken == token);
if (user != null) {
result = user.Id;
}
return Task.FromResult(result);
}
}
我允许知道密码但尚未确认的新创建用户更改他们的注册电子邮件(只要它未在我的数据库中注册)
问题是,如果他们更改了电子邮件,我会生成新的电子邮件确认令牌,但旧令牌仍然可以验证它们(我在注册时发出的那个),这很可能意味着人们可以使用他们的注册首先邮件,将其更改为他们无法访问的其他邮件,并从旧邮件进行验证,这是一个很大的安全漏洞,我只能离开
有什么方法可以 remove/revoke 旧令牌吗? (从技术上讲,我可以创建一个新用户并删除旧用户,旧令牌不适用于新用户,但我认为应该有更好的解决方案)
我将以下属性添加到我的 ApplicationUser class
public class ApplicationUser : IdentityUser {
public string EmailConfirmationToken { get; set; }
public string ResetPasswordToken { get; set; }
}
这保留了确认电子邮件令牌时要验证的确认令牌。
然后我将以下内容添加到我的 ApplicationUserManager 中,这是 UserManager<ApplicationUser> 派生的 class。
public override async System.Threading.Tasks.Task<string> GenerateEmailConfirmationTokenAsync(string userId) {
/* NOTE:
* The default UserTokenProvider generates tokens based on the users's SecurityStamp, so until that changes
* (like when the user's password changes), the tokens will always be the same, and remain valid.
* So if you want to simply invalidate old tokens, just call manager.UpdateSecurityStampAsync().
*/
//await base.UpdateSecurityStampAsync(userId);
var token = await base.GenerateEmailConfirmationTokenAsync(userId);
if (!string.IsNullOrEmpty(token)) {
var user = await FindByIdAsync(userId);
user.EmailConfirmationToken = token;
user.EmailConfirmed = false;
await UpdateAsync(user);
}
return token;
}
public override async System.Threading.Tasks.Task<string> GeneratePasswordResetTokenAsync(string userId) {
var token = await base.GeneratePasswordResetTokenAsync(userId);
if (!string.IsNullOrEmpty(token)) {
var x = await FindByIdAsync(userId);
x.ResetPasswordToken = token;
await UpdateAsync(x);
}
return token;
}
public override async System.Threading.Tasks.Task<IdentityResult> ConfirmEmailAsync(string userId, string token) {
var result = await base.ConfirmEmailAsync(userId, token);
if (result.Succeeded) {
var x = await FindByIdAsync(userId);
x.EmailConfirmationToken = null;
await UpdateAsync(x);
}
return result;
}
public override async System.Threading.Tasks.Task<IdentityResult> ResetPasswordAsync(string userId, string token, string newPassword) {
var result = await base.ResetPasswordAsync(userId, token, newPassword);
if (result.Succeeded) {
var x = await FindByIdAsync(userId);
x.ResetPasswordToken = null;
await UpdateAsync(x);
}
return result;
}
添加了以下扩展,以便能够根据用户存储的令牌找到用户。
public static class ApplicationUserManagerExtension {
public static Task<string> FindIdByEmailConfirmationTokenAsync(this UserManager<ApplicationUser> manager, string confirmationToken) {
string result = null;
ApplicationUser user = manager.Users.SingleOrDefault(u => u.EmailConfirmationToken != null && u.EmailConfirmationToken == confirmationToken);
if (user != null) {
result = user.Id;
}
return Task.FromResult(result);
}
public static Task<string> FindIdByResetPasswordTokenAsync(this UserManager<ApplicationUser> manager, string token) {
string result = null;
ApplicationUser user = manager.Users.SingleOrDefault(u => u.ResetPasswordToken != null && u.ResetPasswordToken == token);
if (user != null) {
result = user.Id;
}
return Task.FromResult(result);
}
}