WebMatrix.WebData.WebSecurity - How can I get UserName by only having PasswordResetToken

I just wanted to ask for help to get my scenario to work. I want to get the UserName using a PasswordResetToken.

This is my scenario.

  1. I have a forgot password feature in my website that sends the user a change-password email with a passwordresettoken.
  2. I wanted to send just the passwordresettoken string only.
  3. When the user clicks the link, I will just query the request["token"] to get the username and then allow the user to change the password and auto-login.

This is my code below:

    public ActionResult ChangePassword()
    {
        ChangePasswordModel model = new ChangePasswordModel();
        string token=string.Empty;
        try
        {
            token = Request["token"].ToString();
            int userId = WebSecurity.GetUserIdFromPasswordResetToken(token);
    
            if (userId > 0)
            {
               //Get the user object by (userid) 
               //???????????????????
               //???????????????????
            }
            else
            {
                throw new Exception("The change password token has expired. Please go to login page and click forgot password again.");
            }
        }
        catch
        {
            model.HasError = true;
            ModelState.AddModelError("", "The change password token has expired. Please go to login page and click forgot password again.");
        }
    
        return View(model);
    }
    

Thank you in advance.

NET Experts asked Feb 21 '13 03:02


2 Answers

Look at the remark at the end of this article: WebSecurity.GeneratePasswordResetToken Method.

I'll copy the relevant part for your convenience:

If users have forgotten their password, they can request a new one. To provide a new password, do the following:

  1. Create a password-reset page that has a field where users can enter their email address.
  2. When a user has entered his or her email address in the password-reset page, verify that the email address represents a valid user. If it does, generate a password reset token by calling the GeneratePasswordResetToken(String, Int32) method.
  3. Create a hyperlink that points to a confirmation page in your site and that includes the token as a query-string parameter in the link's URL.
  4. Send the link to a user in an email message. When the user receives the email message, he or she can click the link to invoke the confirmation page.
  5. Create a confirmation page that extracts the token from the URL parameter and that lets the user enter a new password.
  6. When the user submits the new password, call the ResetPassword(String, String) method and pass the password reset token and the new password. If the token is valid, the password will be reset. If the token is not valid (for example, it has expired), display an error message.

Highlighting is mine. Basically you do not need the user name. The framework does all the heavy lifting for you.

Addressing your comment, I would not recommend automatically logging the user in. It's a good practice for them to log in manually to check that this password changing thingie has actually worked, and not to discover that it did not only next time around.

Anyway, you can do this:

    SimpleMembershipProvider provider = (SimpleMembershipProvider)Membership.Provider;
    string username = provider.GetUserNameFromId(userId);

Reference: GetUserNameFromId.

Andrew Savinykh answered Oct 15 '22 19:10
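
The confirmation page from steps 5 and 6 of the answer above, as an added example that is not part of the original answer or of the quoted documentation. `ResetPasswordModel`, the action names and the `Login` action are assumptions, and the sketch presumes `WebSecurity.InitializeDatabaseConnection` has already been called at application start.

```csharp
using System.ComponentModel.DataAnnotations;
using System.Web.Mvc;
using WebMatrix.WebData;

// Hypothetical view model for this example (not from the original page).
public class ResetPasswordModel
{
    [Required]
    public string Token { get; set; }

    [Required, DataType(DataType.Password)]
    public string NewPassword { get; set; }
}

public class AccountController : Controller
{
    // Step 5: the emailed link lands here; the token is carried into the form
    // (for example as a hidden field) so it comes back with the POST.
    [HttpGet, AllowAnonymous]
    public ActionResult ResetPassword(string token)
    {
        return View(new ResetPasswordModel { Token = token });
    }

    // Step 6: the token alone identifies the account, so no user name is looked up.
    [HttpPost, AllowAnonymous, ValidateAntiForgeryToken]
    public ActionResult ResetPassword(ResetPasswordModel model)
    {
        if (!ModelState.IsValid)
        {
            return View(model);
        }

        // ResetPassword returns false when the token is unknown or has expired.
        if (!WebSecurity.ResetPassword(model.Token, model.NewPassword))
        {
            ModelState.AddModelError("", "The password reset link is invalid or has expired. Please request a new one.");
            return View(model);
        }

        // No automatic sign-in: the user logs in manually with the new password.
        return RedirectToAction("Login");
    }
}
```

The same error message is shown for an unknown and an expired token, so the page does not reveal which tokens were ever valid.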


I think the WebSecurity.GetUserIdFromPasswordResetToken(string token) method does what you want.

More info here.

Update:

Sorry, but I didn't see that you were already using that method... So if you want to get the username and you are using code first migrations of Entity Framework, you can get the username with the following LINQ expression:

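    // Project to the name before FirstOrDefault so a missing profile yields null instead of throwing.
    string username = yourDbContext.UserProfiles.Where(up => up.UserId == userId).Select(up => up.Username).FirstOrDefault();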

amp answered Oct 15 '22 21:10