Diligent.WebAPI.Business/Services/AuthenticationService.cs

@@ -1,6 +1,7 @@
 using Microsoft.AspNetCore.WebUtilities;
 using Microsoft.Extensions.Logging;
 using System.Net;
+using System.Web;
 
 namespace Diligent.WebAPI.Business.Services
 {
@@ -356,7 +357,7 @@ namespace Diligent.WebAPI.Business.Services
             await _databaseContext.SaveChangesAsync();
         }
 
-        public async Task<ServiceResponseDTO<object>> GetEmailConfirmationUrlAsync(string email)
+        public async Task<ServiceResponseDTO<object>> GetForgotPasswordUrlAsync(string email)
         {
             var user = await _userManager.FindByEmailAsync(email);
             if (user == null)
@@ -368,12 +369,11 @@ namespace Diligent.WebAPI.Business.Services
                 };
             }
 
-            var token = await _userManager.GenerateEmailConfirmationTokenAsync(user);
+            var token = await _userManager.GeneratePasswordResetTokenAsync(user);
             token = WebEncoders.Base64UrlEncode(Encoding.UTF8.GetBytes(token));
+
             await _emailer.SendEmailAndWriteToDbAsync(email, "Reset password", HTMLHelper.RenderForgotPasswordPage($"{_frontEndSettings.BaseUrl}/reset-password?token={token}&email={email}"), isHtml: true);
 
-            user.PasswordResetToken = token;
-            await _databaseContext.SaveChangesAsync();
             return new ServiceResponseDTO<object>
             {
                 Data = new { code = token, email = email }
@@ -391,27 +391,19 @@ namespace Diligent.WebAPI.Business.Services
                     ErrorMessage = "Email did not find."
                 };
             }
-            // FOR SOME REASON USERMANAGER.RESETPASSWORDASYNC returns InvalidToken. In future change this
-            //var passwordResetToken = Encoding.UTF8.GetString(WebEncoders.Base64UrlDecode(code));
-
-            //IdentityResult resetResult = await _userManager.ResetPasswordAsync(user, passwordResetToken, password);
-            //if (resetResult.Succeeded)
-            await _userManager.RemovePasswordAsync(user);
-            await _userManager.AddPasswordAsync(user, password);
-            if (user.PasswordResetToken == code)
+            var passwordResetToken = Encoding.UTF8.GetString(WebEncoders.Base64UrlDecode(code));
+
+            IdentityResult resetResult = await _userManager.ResetPasswordAsync(user, passwordResetToken, password);
+            if (resetResult.Succeeded)
             {
-                if (await _userManager.IsLockedOutAsync(user))
-                {
-                    await _userManager.SetLockoutEndDateAsync(user, DateTimeOffset.UtcNow);
-                }
                 return new ServiceResponseDTO<object> { Data = true };
             }
 
-            //var errors = resetResult.Errors.Select(x => x.Description);
+            var errors = resetResult.Errors.Select(x => x.Description);
             return new ServiceResponseDTO<object>
             {
                 IsError = true,
-                ErrorMessage = "Invalid reset password token"
+                ErrorMessage = errors.First()
             };
         }
     }

Diligent.WebAPI.Business/Services/Interfaces/IAuthenticationService.cs

@@ -14,7 +14,7 @@
 
         Task<ServiceResponseDTO<string>> DeleteRefreshToken(int userId);
 
-        Task<ServiceResponseDTO<object>> GetEmailConfirmationUrlAsync(string email);
+        Task<ServiceResponseDTO<object>> GetForgotPasswordUrlAsync(string email);
 
         Task<ServiceResponseDTO<object>> PasswordResetAsync(string email, string code, string password);
     }

Diligent.WebAPI.Data/Entities/User.cs

@@ -6,7 +6,6 @@ public class User : IdentityUser<int>
 {
     public string FirstName { get; set; }
     public string LastName { get; set; }
-    public string? PasswordResetToken { get; set; }
     public List<Comment> Comments { get; set; }
     public bool? IsEnabled { get; set; }
     public List<SelectionProcess> Processes { get; set; } = new();

Diligent.WebAPI.Data/Migrations/20221125105024_RemovedResetPasswordToken.cs

@@ -0,0 +1,25 @@
+using Microsoft.EntityFrameworkCore.Migrations;
+
+#nullable disable
+
+namespace Diligent.WebAPI.Data.Migrations
+{
+    public partial class RemovedResetPasswordToken : Migration
+    {
+        protected override void Up(MigrationBuilder migrationBuilder)
+        {
+            migrationBuilder.DropColumn(
+                name: "PasswordResetToken",
+                table: "AspNetUsers");
+        }
+
+        protected override void Down(MigrationBuilder migrationBuilder)
+        {
+            migrationBuilder.AddColumn<string>(
+                name: "PasswordResetToken",
+                table: "AspNetUsers",
+                type: "nvarchar(max)",
+                nullable: true);
+        }
+    }
+}

Diligent.WebAPI.Data/Migrations/DatabaseContextModelSnapshot.cs

@@ -595,9 +595,6 @@ namespace Diligent.WebAPI.Data.Migrations
                     b.Property<string>("PasswordHash")
                         .HasColumnType("nvarchar(max)");
 
-                    b.Property<string>("PasswordResetToken")
-                        .HasColumnType("nvarchar(max)");
-
                     b.Property<string>("PhoneNumber")
                         .HasColumnType("nvarchar(max)");
 

Diligent.WebAPI.Host/Controllers/V1/AuthenticationsController.cs

@@ -15,7 +15,7 @@
         [HttpGet("ForgotPassword")]
         public async Task<IActionResult> ForgotPassword(string email)
         {
-            var response = await _service.GetEmailConfirmationUrlAsync(email);
+            var response = await _service.GetForgotPasswordUrlAsync(email);
 
             if (response.IsError is true)
                 return BadRequest(new { message = response.ErrorMessage });