I'm using ASP.NET Identity, and I have the basic Forgot Password/Reset Password functionality in place.
When you fill out the form that you forgot your password, it
If you check the UserManager.ResetPasswordAsync(...) method and trace through to the VerifyUserTokenAsync method, it simply does:
// Make sure the token is valid
var result = await _tokenProviders[tokenProvider].ValidateAsync(purpose, token, this, user);
You can just do this yourself as well, knowing that:
purpose is just the hardcoded "ResetPassword" string;
token is the code the user is using;
user you should be able to get depending on how your view, e-mail, URL, and whatever is set up (the default examples don't cover this I think, but you can easily put the user.Id in the "forgot password URL" before the token itself, and extract it when you need it).
Then you can just call ValidateAsync yourself and adjust the view accordingly.
The following code works to verify whether the reset token is valid:
1. Create code and send it to user
var code = await this._userManager.GeneratePasswordResetTokenAsync(user);
2. Verify token
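[HttpGet]
public async Task<IActionResult> ResetPassword(string UserId, string token)
{
    // ...
    // Look up the user from the id carried in the reset link
    ApplicationUser user = await this._userManager.FindByIdAsync(UserId);
    // Treat an unknown user the same as an invalid token
    if (user == null || !await this._userManager.VerifyUserTokenAsync(user, this._userManager.Options.Tokens.PasswordResetTokenProvider, "ResetPassword", token))
    {
        ViewBag.Message = this._localizer["tokenNotValid"].Value;
    }
    // ...
}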
See UserManager code: https://github.com/aspnet/Identity/blob/rel/2.0.0/src/Microsoft.Extensions.Identity.Core/UserManager.cs#L29
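The round trip described in the answers above (user id placed in the link before the token, then a pre-check before showing the form), as an added example that is not code from either answer or from the Identity project. It assumes ASP.NET Core Identity; the class and method names are hypothetical, and the Base64Url encoding of the token is an addition so the token survives the query string.

```csharp
using System;
using System.Text;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.WebUtilities;

// Hypothetical helper, not part of ASP.NET Identity. TUser is the application's user type.
public class ResetLinkService<TUser> where TUser : class
{
    private readonly UserManager<TUser> _userManager;

    public ResetLinkService(UserManager<TUser> userManager) => _userManager = userManager;

    // Builds the query string for the reset URL: user id first, then the token.
    public async Task<string> BuildQueryAsync(TUser user)
    {
        var userId = await _userManager.GetUserIdAsync(user);
        var token = await _userManager.GeneratePasswordResetTokenAsync(user);
        // The raw token can contain '+', '/' and '=', which get mangled in a URL.
        var encoded = WebEncoders.Base64UrlEncode(Encoding.UTF8.GetBytes(token));
        return $"?userId={Uri.EscapeDataString(userId)}&token={encoded}";
    }

    // Returns the user when the link is valid, otherwise null. Unknown user,
    // malformed token and expired token all look the same to the caller, so the
    // page cannot be used to find out which accounts exist.
    public async Task<TUser> ValidateLinkAsync(string userId, string encodedToken)
    {
        if (string.IsNullOrEmpty(userId) || string.IsNullOrEmpty(encodedToken))
            return null;

        string token;
        try { token = Encoding.UTF8.GetString(WebEncoders.Base64UrlDecode(encodedToken)); }
        catch (FormatException) { return null; } // not valid Base64Url

        var user = await _userManager.FindByIdAsync(userId);
        if (user == null) return null;

        // Same call the answers use; "ResetPassword" is the purpose string named above.
        var valid = await _userManager.VerifyUserTokenAsync(
            user, _userManager.Options.Tokens.PasswordResetTokenProvider,
            "ResetPassword", token);
        return valid ? user : null;
    }
}
```

The pre-check does not consume the token: ResetPasswordAsync validates it again when the form is posted, and it must be given the decoded token rather than the Base64Url form from the link.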