Merge pull request #94 from damienbod/base64code

damienbod · web-flow · commit 6524c06b45c5 · 2020-08-08T16:54:22.000+02:00
Base64-code
diff --git a/Changelog.md b/Changelog.md
@@ -2,6 +2,11 @@
 
 [Readme](https://github.com/damienbod/IdentityServer4AspNetCoreIdentityTemplate/blob/master/README.md) 
 
+2020-08-08 5.0.2
+- Encode PasswordResetToken and EmailConfirmationToken to base64URL enhancement
+- updated nuget packages
+- updated npm packages
+
 2020-07-03 5.0.1
 - Updated to IdentityServer4 V4, updated packages
 - Updated FIDO2 packages and code
diff --git a/README.md b/README.md
@@ -53,7 +53,7 @@ dotnet new -i IdentityServer4AspNetCoreIdentityTemplate
 Locally built nupkg:
 
 ```
-dotnet new -i IdentityServer4AspNetCoreIdentityTemplate.5.0.1.nupkg
+dotnet new -i IdentityServer4AspNetCoreIdentityTemplate.5.0.2.nupkg
 ```
 
 Local folder:
diff --git a/content/IdentityServer4AspNetCoreIdentityTemplate.nuspec b/content/IdentityServer4AspNetCoreIdentityTemplate.nuspec
@@ -2,7 +2,7 @@
 <package xmlns="http://schemas.microsoft.com/packaging/2012/06/nuspec.xsd">
 	<metadata>
 		<id>IdentityServer4AspNetCoreIdentityTemplate</id>
-		<version>5.0.1</version>
+		<version>5.0.2</version>
 		<title>IdentityServer4.Identity.Template</title>
 		<license type="file">LICENSE</license>
 		<description>
@@ -17,7 +17,7 @@
 		<requireLicenseAcceptance>false</requireLicenseAcceptance>
 		<copyright>2020 damienbod</copyright>
 		<summary>This template provides a simle getting started for IdentityServer4 with Identity. Identity is Localized and the UI uses Bootstrap 4, Remove AllowAnonymous from the logout</summary>
-		<releaseNotes>Updated to IdentityServer4 V4, updated packages</releaseNotes>
+		<releaseNotes>Encode PasswordResetToken and EmailConfirmationToken to base64URL enhancement, updated nuget packages, updated npm packages</releaseNotes>
 		<repository type="git" url="https://github.com/damienbod/IdentityServer4AspNetCoreIdentityTemplate" />
 		<packageTypes>
 			<packageType name="Template" />
diff --git a/content/StsServerIdentity/Controllers/AccountController.cs b/content/StsServerIdentity/Controllers/AccountController.cs
@@ -19,6 +19,9 @@
 using StsServerIdentity.Resources;
 using System.Reflection;
 using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.WebUtilities;
+using System.Text;
+using System.Text.Encodings.Web;
 
 namespace StsServerIdentity.Controllers
 {
@@ -266,9 +269,10 @@ public async Task<IActionResult> Register(RegisterViewModel model, string return
                 if (result.Succeeded)
                 {
                     //var code = await _userManager.GenerateEmailConfirmationTokenAsync(user);
+                    // WebEncoders.Base64UrlEncode(Encoding.UTF8.GetBytes(code));
                     //var callbackUrl = Url.Action("ConfirmEmail", "Account", new { userId = user.Id, code = code }, protocol: HttpContext.Request.Scheme);
                     //await _emailSender.SendEmailAsync(model.Email, "Confirm your account",
-                    //    $"Please confirm your account by clicking this link: <a href='{callbackUrl}'>link</a>");
+                    //    $"Please confirm your account by clicking this link: <a href='{HtmlEncoder.Default.Encode(callbackUrl)}'>link</a>");
                     //await _signInManager.SignInAsync(user, isPersistent: false);
                     //_logger.LogInformation(3, "User created a new account with password.");
                     return RedirectToLocal(returnUrl);
@@ -408,6 +412,7 @@ public async Task<IActionResult> ConfirmEmail(string userId, string code)
             {
                 return View("Error");
             }
+            code = Encoding.UTF8.GetString(WebEncoders.Base64UrlDecode(code));
             var result = await _userManager.ConfirmEmailAsync(user, code);
             return View(result.Succeeded ? "ConfirmEmail" : "Error");
         }
@@ -442,11 +447,12 @@ public async Task<IActionResult> ForgotPassword(ForgotPasswordViewModel model)
                 // For more information on how to enable account confirmation and password reset please visit http://go.microsoft.com/fwlink/?LinkID=532713
                 // Send an email with this link
                 var code = await _userManager.GeneratePasswordResetTokenAsync(user);
+                code = WebEncoders.Base64UrlEncode(Encoding.UTF8.GetBytes(code));
                 var callbackUrl = Url.Action("ResetPassword", "Account", new { userId = user.Id, code = code }, protocol: HttpContext.Request.Scheme);
                 await _emailSender.SendEmail(
                    model.Email, 
                    "Reset Password",
-                   $"Please reset your password by clicking here: {callbackUrl}", 
+                   $"Please reset your password by clicking here: {HtmlEncoder.Default.Encode(callbackUrl)}", 
                    "Hi Sir");
 
                 return View("ForgotPasswordConfirmation");
@@ -491,7 +497,8 @@ public async Task<IActionResult> ResetPassword(ResetPasswordViewModel model)
                 // Don't reveal that the user does not exist
                 return RedirectToAction(nameof(AccountController.ResetPasswordConfirmation), "Account");
             }
-            var result = await _userManager.ResetPasswordAsync(user, model.Code, model.Password);
+            var code = Encoding.UTF8.GetString(WebEncoders.Base64UrlDecode(model.Code));
+            var result = await _userManager.ResetPasswordAsync(user, code, model.Password);
             if (result.Succeeded)
             {
                 return RedirectToAction(nameof(AccountController.ResetPasswordConfirmation), "Account");
@@ -550,6 +557,7 @@ public async Task<IActionResult> SendCode(SendCodeViewModel model)
             // Email used
             // Generate the token and send it
             var code = await _userManager.GenerateTwoFactorTokenAsync(user, model.SelectedProvider);
+            code = WebEncoders.Base64UrlEncode(Encoding.UTF8.GetBytes(code));
             if (string.IsNullOrWhiteSpace(code))
             {
                 return View("Error");
diff --git a/content/StsServerIdentity/Controllers/ManageController.cs b/content/StsServerIdentity/Controllers/ManageController.cs
@@ -16,6 +16,7 @@
 using System.Reflection;
 using System.Collections.Generic;
 using Newtonsoft.Json;
+using Microsoft.AspNetCore.WebUtilities;
 
 namespace StsServerIdentity.Controllers
 {
@@ -135,12 +136,13 @@ public async Task<IActionResult> SendVerificationEmail(IndexViewModel model)
             }
 
             var code = await _userManager.GenerateEmailConfirmationTokenAsync(user);
+            code = WebEncoders.Base64UrlEncode(Encoding.UTF8.GetBytes(code));
 
             var callbackUrl = Url.Action("ConfirmEmail", "Account", new { userId = user.Id, code = code }, protocol: HttpContext.Request.Scheme);
             await _emailSender.SendEmail(
                model.Email,
                "StsServerIdentity Verification Email",
-               $"Please verify by clicking here: {callbackUrl}",
+               $"Please verify by clicking here: {HtmlEncoder.Default.Encode(callbackUrl)}",
                "Hi Sir");
 
             StatusMessage = _sharedLocalizer["STATUS_UPDATE_PROFILE_EMAIL_SEND"];
diff --git a/content/StsServerIdentity/StsServerIdentity.csproj b/content/StsServerIdentity/StsServerIdentity.csproj
@@ -1,14 +1,14 @@
 ﻿<Project Sdk="Microsoft.NET.Sdk.Web">
   <PropertyGroup>
     <TargetFramework>netcoreapp3.1</TargetFramework>
-    <Version>5.0.1</Version>
+    <Version>5.0.2</Version>
     <Description>IdentityServer4 template with ASP.NET Core 3.1 and ASP.NET Core Identity</Description>
     <PackageProjectUrl>https://github.com/damienbod/IdentityServer4AspNetCoreIdentityTemplate</PackageProjectUrl>
     <PackageIconUrl>http://www.gravatar.com/avatar/61d005637f57b5c3da8ba662cf04a9d6.png</PackageIconUrl>
     <RepositoryUrl>https://github.com/damienbod/IdentityServer4AspNetCoreIdentityTemplate</RepositoryUrl>
     <PackageLicenseFile>LICENSE</PackageLicenseFile>
     <PackageTags>oidc identityserver4 identity aspnetcore</PackageTags>
-    <PackageReleaseNotes>Updated FIDO2, nuget packages, npm packages</PackageReleaseNotes>
+    <PackageReleaseNotes>Updated nuget packages, npm packages, Encode PasswordResetToken and EmailConfirmationToken to base64URL enhancement</PackageReleaseNotes>
   </PropertyGroup>
   <ItemGroup>
     <PackageReference Include="BuildBundlerMinifier" Version="3.2.449" />
diff --git a/content/StsServerIdentity/Views/Account/ResetPasswordConfirmation.cshtml b/content/StsServerIdentity/Views/Account/ResetPasswordConfirmation.cshtml
@@ -7,6 +7,3 @@
 <p>
     @SharedLocalizer.GetLocalizedHtmlString("RESET_PASSWORD_YOUR_PASSWORD_HAS_BEEN_RESET") <a asp-controller="Account" asp-action="Login">@SharedLocalizer.GetLocalizedHtmlString("RESET_PASSWORD_CLICK_HERE_TO_LOGIN")</a>.
 </p>
-<p>
-    @SharedLocalizer.GetLocalizedHtmlString("RESET_PASSWORD_CONFIRMATION_TEXT1")<a asp-controller="Account" asp-action="Login">@SharedLocalizer.GetLocalizedHtmlString("RESET_PASSWORD_CONFIRMATION_CLICK_HERE")</a>.
-</p>
