Prevent login when EmailConfirmed is false

难免孤独
难免孤独 2020-12-13 09:25

The newest ASP.NET Identity bits (2.0 beta) include the foundation for confirming user email addresses. The NuGet package "Microsoft Asp.Net Identity Samples" contains a s…

4条回答
  •  天涯浪人
    2020-12-13 09:59

    Using the ASP.NET Identity 2.0 Samples.

    1. Update the POST Login action in Account controller.

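        //
        // POST: /Account/Login
        /// <summary>
        /// Handles the login form post: validates the model, asks SignInHelper to
        /// check the credentials and maps the resulting SignInStatus to a view or redirect.
        /// </summary>
        /// <param name="model">Posted login form (Email, Password, RememberMe).</param>
        /// <param name="returnUrl">URL to return to after a successful sign-in.</param>
        /// <returns>The view or redirect that matches the sign-in outcome.</returns>
        [HttpPost]
        [AllowAnonymous]
        [ValidateAntiForgeryToken]
        public async Task<ActionResult> Login(LoginViewModel model, string returnUrl)
        {
            if (!ModelState.IsValid)
            {
                return View(model);
            }

            // This doesn't count login failures towards account lockout.
            // To enable password failures to trigger lockout, change to shouldLockout: true.
            // With shouldLockout: false, PasswordSignIn never calls AccessFailedAsync, so
            // repeated wrong passwords against this action are not throttled by lockout.
            var result = await SignInHelper.PasswordSignIn(model.Email, model.Password, model.RememberMe, shouldLockout: false);
            switch (result)
            {
                case SignInStatus.Success:
                    // NOTE(review): RedirectToLocal is defined elsewhere; presumably it only
                    // follows local URLs, which is what keeps returnUrl from being an open redirect. Confirm.
                    return RedirectToLocal(returnUrl);
                case SignInStatus.EmailNotConfirmed:
                    // This view tells the visitor that the account exists but is unconfirmed.
                    // It is only safe to show if PasswordSignIn reports EmailNotConfirmed
                    // after the password has been verified; otherwise it enables account enumeration.
                    return View("EmailNotConfirmed");
                case SignInStatus.LockedOut:
                    return View("Lockout");
                case SignInStatus.RequiresTwoFactorAuthentication:
                    return RedirectToAction("SendCode", new { ReturnUrl = returnUrl });
                case SignInStatus.Failure:
                default:
                    // Same generic message for unknown user and wrong password.
                    ModelState.AddModelError("", "Invalid login attempt.");
                    return View(model);
            }
        }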
    

    2. Update the SignInStatus enum in IdentityConfig.cs.

    /// <summary>
    /// Outcome of a password sign-in attempt, as returned by PasswordSignIn
    /// and switched on by the Login action.
    /// </summary>
    public enum SignInStatus
    {
        /// <summary>Credentials accepted and the user is signed in.</summary>
        Success = 0,

        /// <summary>The account exists but its email address has not been confirmed.</summary>
        EmailNotConfirmed = 1,

        /// <summary>The account is currently locked out.</summary>
        LockedOut = 2,

        /// <summary>A second factor must be supplied before sign-in completes.</summary>
        RequiresTwoFactorAuthentication = 3,

        /// <summary>Unknown user or wrong password.</summary>
        Failure = 4
    }
    

    3. Update the PasswordSignIn method in IdentityConfig.cs.

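        /// <summary>
        /// Verifies a user name and password and reports the sign-in outcome,
        /// refusing to sign in accounts whose email address is not confirmed.
        /// </summary>
        /// <param name="userName">User name to look up via UserManager.</param>
        /// <param name="password">Password supplied by the caller.</param>
        /// <param name="isPersistent">Passed through to SignInOrTwoFactor.</param>
        /// <param name="shouldLockout">When true, a wrong password increments the access-failed count.</param>
        /// <returns>The SignInStatus describing the result of the attempt.</returns>
        public async Task<SignInStatus> PasswordSignIn(string userName, string password, bool isPersistent, bool shouldLockout)
        {
            var user = await UserManager.FindByNameAsync(userName);
            if (user == null)
            {
                return SignInStatus.Failure;
            }
            if (await UserManager.IsLockedOutAsync(user.Id))
            {
                return SignInStatus.LockedOut;
            }
            if (await UserManager.CheckPasswordAsync(user, password))
            {
                // The confirmation check runs only after the password has been verified.
                // Checking it first would return EmailNotConfirmed for any existing,
                // unconfirmed user name regardless of the password, which lets an
                // unauthenticated caller enumerate accounts and their confirmation state.
                if (!(await UserManager.IsEmailConfirmedAsync(user.Id)))
                {
                    return SignInStatus.EmailNotConfirmed;
                }
                return await SignInOrTwoFactor(user, isPersistent);
            }
            if (shouldLockout)
            {
                // If lockout is requested, increment access failed count which might lock out the user
                await UserManager.AccessFailedAsync(user.Id);
                if (await UserManager.IsLockedOutAsync(user.Id))
                {
                    return SignInStatus.LockedOut;
                }
            }
            // Wrong password: same result as an unknown user, so the two cases look alike to the caller.
            return SignInStatus.Failure;
        }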
    

    4. Add a new View "EmailNotConfirmed.cshtml".

    @* Sets the page title for the EmailNotConfirmed view. *@
    @* NOTE(review): return this view only after the password has been verified; *@
    @* shown earlier, it tells an unauthenticated visitor that the account exists and is unconfirmed. *@
    @{
        ViewBag.Title = "Email not confirmed";
    }
    
    

    You have not confirmed your email.

    Please click the link in the email we sent you to confirm your email.

    todo: Add a "resend confirmation email" button here.
