Password reset

src/Yavsc/Controllers/Accounting/AccountController.cs

@@ -894,8 +894,7 @@ namespace Yavsc.Controllers
                 var code = await _userManager.GeneratePasswordResetTokenAsync(user);
                 var f = this.HttpContext.Features;
                 var callbackUrl = _siteSettings.ExternalUrl + "/Account/ResetPassword/" +
-                    HttpUtility.UrlEncode(user.Id) + "/" + HttpUtility.UrlEncode(code);
+                HttpUtility.UrlEncode(user.Id) + "/" + HttpUtility.UrlEncode(code);
-
 
                 var sent = await _emailSender.SendEmailAsync(user.UserName, user.Email, _localizer["Reset Password"],
                     _localizer["Please reset your password by "] + " <a href=\"" +
@@ -926,8 +925,15 @@ namespace Yavsc.Controllers
             var user = await _userManager.FindByIdAsync(id);
             
             if (user==null) return new BadRequestResult();
+            if (!await _userManager.VerifyUserTokenAsync(user,
+            _userManager.Options.Tokens.PasswordResetTokenProvider,
+            "ResetPassword", code.Replace("%2f","/")))
+            {
+                return BadRequest("code");
+            }
             // We just serve the form to reset here.
-            return View(new ResetPasswordViewModel { 
+            return View(new ResetPasswordViewModel
+            {
                 Id = id,
                 Code = code,
                 Email = user.Email
@@ -952,9 +958,11 @@ namespace Yavsc.Controllers
                 // Don't reveal that the user does not exist
                 return RedirectToAction(nameof(AccountController.ResetPasswordConfirmation), "Account");
             }
-        // code : "CfDJ8DmPlC3R8%2fNMqGlHZHZMwbjaXxgD3GW3H75Ubt+4Sbw%2fn%2fdg9X8Bll+CLIh%2fquI+Z96XEkx7bfrZiB+wpPb+b5%2ffgzgy+cQnKfX9J7%2fLNro+F3uE5JkXSlUc1WqVW2mVQrpWHjx1Dbn2n77TTGym3ttQoECsTR%2foo27dW9U11pmRJuTiwPBJZBOt0ffIRmgDDHh2f0VySTQEwjfRiLdCwctL%2fmh21ympJMKJl5PZnTVs"
+
+            if (user.Id != id) return BadRequest("userid");
+
             var result = await _userManager.ResetPasswordAsync(user,
-            HttpUtility.UrlDecode(code), model.Password);
+            code.Replace("%2f","/"), model.Password);
 
             if (result.Succeeded)
             {

src/Yavsc/Views/Account/ResetPassword.cshtml

@@ -1,7 +1,9 @@
 @model ResetPasswordViewModel
 
 <form asp-route-id="@Model.Id" asp-route-code="@Model.Code">
-    <p>@Model.Email</p>
+    <p>Your email : <code>@Model.Email</code></p>
+    <input type="hidden" name="Email" value="@Model.Email" />
+    @Html.ValidationSummary()
     <div class="form-group">
         <label asp-for="Password"></label>
         <input class="form-control" placeholder="Password" asp-for="Password" autofocus>
@@ -10,6 +12,7 @@
         <label asp-for="ConfirmPassword"></label>
         <input class="form-control" placeholder="ConfirmPassword" asp-for="ConfirmPassword" autofocus>
     </div>
+
     <button class="btn btn-primary" name="button" value="Reset">Reset Password</button>
 
 </form>

src/Yavsc/Views/Account/ResetPasswordConfirmation fr.cshtml

@@ -0,0 +1,7 @@
+@{
+    ViewData["Title"] = "Reset password confirmation";
+}
+
+<h1>@ViewData["Title"].</h1>
+<p>Votre mot de passe a été ré-initialisé. 
+<a href="~/signin">Cliquez ici pour vous connecter</a>.</p>

src/Yavsc/Views/Account/ResetPasswordConfirmation.cshtml

@@ -0,0 +1,8 @@
+@{
+    ViewData["Title"] = "Reset password confirmation";
+}
+
+<h1>@ViewData["Title"].</h1>
+<p>
+    Your password has been reset. Please <a href="~/signin">Click here to log in</a>.
+</p>