Adding Email Confirmation to ASP.NET Identity in MVC 5

In a previous article I demonstrated how to customize the user profile information in ASP.NET Identity.  Specifically I showed how to add capturing an email address for the user. We will expand on this work and add email confirmation to the registration process.  This process will send an email to the user with a link they can click on to confirm their registration and log in to the system. Prior to confirmation they will not be able to log in.  This process will be similar to the one I described for adding email confirmation to SimpleMembership.

First we need to modify the user information to store a the confirmation token and a flag indicating whether confirmation was completed or not.  So now our ApplicationUser looks like this.

    public class ApplicationUser : IdentityUser
    {
        public string Email { get; set; }
        public string ConfirmationToken { get; set; }
        public bool IsConfirmed { get; set; }
    }

If you have already made changes to the ApplicationUser before you will need to enable migrations and add a migration for these changes to take affect.  Now we can capture this information during the registration process and send the email.

        private string CreateConfirmationToken()
        {
            return ShortGuid.NewGuid();
        }

        private void SendEmailConfirmation(string to, string username, string confirmationToken)
        {
            dynamic email = new Email("RegEmail");
            email.To = to;
            email.UserName = username;
            email.ConfirmationToken = confirmationToken;
            email.Send();
        }

        //
        // POST: /Account/Register
        [HttpPost]
        [AllowAnonymous]
        [ValidateAntiForgeryToken]
        public async Task<ActionResult> Register(RegisterViewModel model)
        {
            if (ModelState.IsValid)
            {
                string confirmationToken = CreateConfirmationToken();
                var user = new ApplicationUser()
                {
                    UserName = model.UserName,
                    Email = model.Email,
                    ConfirmationToken = confirmationToken, 
                        IsConfirmed = false };
                var result = await UserManager.CreateAsync(user, model.Password);
                if (result.Succeeded)
                {
                    SendEmailConfirmation(model.Email, model.UserName, confirmationToken);
                    return RedirectToAction("RegisterStepTwo", "Account");
                }
                else
                {
                    AddErrors(result);
                }
            }

            // If we got this far, something failed, redisplay form
            return View(model);
        }

To generate the token I use a class called ShortGuid that takes a GUID and encodes it so that it is shorter and is URL safe. I got the code for this class from this blog.  I add the generated token to the new user and set IsConfirmed to false. Then I send the email.  I use Postal to generate the emails.  Postal uses the Razor engine to create your dynamic email content that can include content such as the user name and the custom URL with the confirmation token.  The redirect to the RegisterStepTwo action just displays a view to the user that tells them to look for the email to complete the registration process.

Once the user gets the email they click on the link that will take us back to the controller action RegisterConfirmation.

        private bool ConfirmAccount(string confirmationToken)
        {
            ApplicationDbContext context = new ApplicationDbContext();
            ApplicationUser user =  context.Users.SingleOrDefault(u => u.ConfirmationToken == confirmationToken);
            if (user != null)
            {
                user.IsConfirmed = true;
                DbSet<ApplicationUser> dbSet = context.Set<ApplicationUser>();
                dbSet.Attach(user);
                context.Entry(user).State = EntityState.Modified;
                context.SaveChanges();

                return true;
            }
            return false;
        }

        [AllowAnonymous]
        public ActionResult RegisterConfirmation(string Id)
        {
            if (ConfirmAccount(Id))
            {
                return RedirectToAction("ConfirmationSuccess");
            }
            return RedirectToAction("ConfirmationFailure");
        }

The method ConfirmAccount does a query to see if we can find a user with the confirmation token that was passed in the URL. If we find a user we set IsConfirmed to true and return true from the method; otherwise we return false. If the user is confirmed they will be able to log in. To make sure that the user could not log in before confirmation we need to make a small change to the Login action. 

        [HttpPost]
        [AllowAnonymous]
        [ValidateAntiForgeryToken]
        public async Task<ActionResult> Login(LoginViewModel model, string returnUrl)
        {
            if (ModelState.IsValid)
            {
                var user = await UserManager.FindAsync(model.UserName, model.Password);
                if (user != null && user.IsConfirmed)
                {
                    await SignInAsync(user, model.RememberMe);
                    return RedirectToLocal(returnUrl);
                }
                else
                {
                    ModelState.AddModelError("", "Invalid username or password.");
                }
            }

            // If we got this far, something failed, redisplay form
            return View(model);
        }

All we do is check that if we find a user that the IsConfirmed flag is set to true.  If it is false then we do not log the user in and generate an error message.

That is all there is to setting up email confirmation using ASP.NET Identity in MVC 5.  You can get the source code for this example from the SimpleSecurity Project. You can find it in the AspNetIdentity folder.

One observation is that I had to make low level EF calls using the DbContext to make this work.  The UserManager provided by ASP.NET Identity to encapsulate EF and provide access to ApplicationUser did not provide me with enough control to do what I needed to accomplish.  It makes sense to me to add another layer on top of ASP.NET Identity that makes it easier to use and decouples it from the web application.  I decoupled SimpleMembership from the web application and it worked well. Look for something like this for ASP.NET Identity in the future that will be open source and available in the SimpleSecurity Project.



Comments

Post a Comment

Popular posts from this blog

Using Claims in ASP.NET Identity

Claims can simplify and increase the performance of authentication and authorization processes. I wrote about how you can use the roles stored as claims to eliminate back-end queries every time authorization takes place .  ASP.NET Identity has good support for claims-based identity and it creates several claims for you automatically when you create a new identity.  Here is how we create the identity for a new user during the log-in process UserManager<applicationuser> userManager = new UserManager<applicationuser>(new UserStore<applicationuser>(new SecurityContext())); ClaimsIdentity identity = userManager.CreateIdentity(user, DefaultAuthenticationTypes.ApplicationCookie); If you inspect the Claims property of ClaimsIdentity after calling CreateIdentity you will see that there are there are three or more claims. There is a claim for the user ID, user name, identity provider and one for each role assigned. So what if you want to add some more claims? Here is an ex
Keep reading

Seeding & Customizing ASP.NET MVC SimpleMembership

Image
In ASP.NET MVC 4 Microsoft introduced a new membership provider that is referred to as SimpleMembership.  SimpleMembership makes it easier to customize user profiles and incorporates  OAuth support.  I have seen a lot of questions on StackOverflow on how to customize SimpleMembership and seed it with data and in this post I will discuss some methods for achieving both . SimpleMembership uses Entity Framework (EF) 5 and the code-first model. To initialize the database that contains the users and roles a filter is used called  InitializeSimpleMembershipAttribute.   This attribute is decorated on the AccountController as shown here: [Authorize] [InitializeSimpleMembership] public class AccountController : Controller { ... } This is setup this way so that the initialization code is only called when accessing the actions on the AccountController .  If you look at the code for  InitializeSimpleMembershipAttribute you will see a lot of code to setup initialization which is basically
Keep reading

Customizing Claims for Authorization in ASP.NET Core 2.0

Image
There have been some major changes to ASP.NET Identity with the release of Core 2.0, which you can read about here .  One of the major changes is that it does not rely on using middleware anymore to customize it.  Instead dependency injection is used by configuring via services in the ConfigureServices method of StartUp.cs .   There is not much documentation or examples on how to do this so I am going to explore how to customize ASP.NET Identity and publish some examples in this blog.  First I wanted to look at how you would add custom claims to the identity and then use those claims for authorization. To begin create a new ASP.NET Core Web Application  project in Visual Studio 2017.  Be sure to select . NET Core and ASP.NET Core 2.0 in the two drop downs at the top.  Select the template for Web Application (Model-View-Controller) and Change the Authentication to Individual User Accounts .  When the project is created you are ready to add some code. For this example we are s
Keep reading