Tags: asp.net, asp.net-identity

Password reset without entering email (ASP.NET Identity)


The current ASP.NET Identity password reset (through email verification) requires a user to enter an e-mail address and a new password in order to reset the password. However, in most cases of a password reset only a new password is required. How could this be done?

I found that the user id is looked up from the email, e.g.:

var user = await UserManager.FindByNameAsync(model.Email);

Is it possible to get the user id directly from the CallbackUrl of the password reset, as it contains the user id? Or is there a better alternative approach?


Solution

  • How are you going to verify that whoever tries to reset the password is the owner of the account whose password is being reset? Either the username or the email is required to know who you are resetting the password for, and the password reset link sent to the email is a security requirement, not just a "feature".

    Highly recommended reading on the subject (not long, but very useful): Troy Hunt, Everything you ever wanted to know about building a secure password reset feature
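The flow the answer describes, as an added example (not code from the question, the answer, or ASP.NET Identity itself): a self-contained C# model of a reset token that is bound to one account and to that account's security stamp, signed with a server secret and time-limited, with the user id and the token carried in the callback link so that the reset form needs only the new password. The host example.test, the token format, the HMAC key, the SHA-256 password stand-in and all class and method names are assumptions made for this example; ASP.NET Identity's real tokens come from its data-protection token provider and its password hasher uses salted PBKDF2.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Stand-in for an Identity user row, holding only what the reset flow needs.
class User { public string Id = Guid.NewGuid().ToString("N"), Email, PasswordHash, SecurityStamp = Guid.NewGuid().ToString("N"); }

// Models the properties a reset token needs: MACed with a server secret, bound to one
// user id and to that user's current security stamp, and time-limited.
// Format (assumed, not Identity's own): base64("userId|securityStamp|expiryTicks|hexHmac").
class ResetTokenService
{
    private readonly byte[] _key;   // server-side secret (assumed; Identity uses its data-protection keys)
    public ResetTokenService(byte[] key) { _key = key; }

    public string Generate(User user, TimeSpan lifetime)
    {
        string payload = user.Id + "|" + user.SecurityStamp + "|" + DateTime.UtcNow.Add(lifetime).Ticks;
        return Convert.ToBase64String(Encoding.UTF8.GetBytes(payload + "|" + Mac(payload)));
    }

    // Every check is against the user the link names, so a token for account A cannot be
    // replayed against account B, and a used or stale token is rejected.
    public bool Validate(User user, string token)
    {
        string[] parts;
        try { parts = Encoding.UTF8.GetString(Convert.FromBase64String(token)).Split('|'); }
        catch (FormatException) { return false; }
        if (parts.Length != 4) return false;
        long expiry;
        if (!FixedTimeEquals(Mac(parts[0] + "|" + parts[1] + "|" + parts[2]), parts[3])) return false; // forged or tampered
        if (!long.TryParse(parts[2], out expiry) || expiry < DateTime.UtcNow.Ticks) return false;    // expired
        if (parts[0] != user.Id) return false;                                                        // another account's token
        if (parts[1] != user.SecurityStamp) return false;                                             // already used, or password changed since
        return true;
    }

    private string Mac(string payload)
    {
        using (var hmac = new HMACSHA256(_key))
            return BitConverter.ToString(hmac.ComputeHash(Encoding.UTF8.GetBytes(payload))).Replace("-", "");
    }

    // Constant-time comparison so MAC checking does not leak how many leading characters matched.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

class AccountService
{
    private readonly Dictionary<string, User> _users = new Dictionary<string, User>();
    private readonly ResetTokenService _tokens;
    public AccountService(ResetTokenService tokens) { _tokens = tokens; }

    public User Register(string email, string password)
    {
        var user = new User { Email = email, PasswordHash = Hash(password) };
        _users[user.Id] = user;
        return user;
    }

    // ForgotPassword POST: the email only selects the account. The link is delivered to that
    // mailbox, so possessing it is the proof of ownership. Unknown emails return null and the
    // caller shows the same "check your mail" message either way.
    public string RequestReset(string email)
    {
        var user = _users.Values.FirstOrDefault(u => u.Email == email);
        if (user == null) return null;
        string code = _tokens.Generate(user, TimeSpan.FromHours(1));
        // Hypothetical callback URL, shaped like the link the Identity template builds with Url.Action.
        return "https://example.test/Account/ResetPassword?userId=" + user.Id + "&code=" + Uri.EscapeDataString(code);
    }

    // ResetPassword POST: userId and code arrive from the link (carried as hidden fields);
    // the user types only the new password.
    public bool CompleteReset(string userId, string code, string newPassword)
    {
        User user;
        if (!_users.TryGetValue(userId, out user) || !_tokens.Validate(user, code)) return false;
        user.PasswordHash = Hash(newPassword);
        user.SecurityStamp = Guid.NewGuid().ToString("N");   // invalidates this and any other outstanding token
        return true;
    }

    // Stand-in for Identity's password hasher (salted PBKDF2 in the real thing); not for production use.
    private static string Hash(string s) { using (var sha = SHA256.Create()) return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(s))); }
}

class Program
{
    static void Main()
    {
        var accounts = new AccountService(new ResetTokenService(Encoding.UTF8.GetBytes("demo-secret-rotate-me")));
        accounts.Register("alice@example.test", "old-password");
        var bob = accounts.Register("bob@example.test", "bobs-password");

        string link = accounts.RequestReset("alice@example.test");      // would be e-mailed to alice
        var query = new Uri(link).Query.TrimStart('?').Split('&')
            .Select(p => p.Split(new[] { '=' }, 2)).ToDictionary(kv => kv[0], kv => Uri.UnescapeDataString(kv[1]));

        Console.WriteLine(accounts.CompleteReset(query["userId"], query["code"], "new-password")); // True
        Console.WriteLine(accounts.CompleteReset(query["userId"], query["code"], "attacker-pw"));  // False: token already used
        Console.WriteLine(accounts.CompleteReset(bob.Id, query["code"], "attacker-pw"));           // False: token is not bob's
    }
}
```

The email is still required at the request step, to pick the account the link is sent to. At the reset step the link supplies the user id and the token proves the request came back through that account's mailbox, which is why the form can take only the new password. Each rejection in Validate is a distinct property: the MAC stops forged or edited tokens, the expiry bounds the window, the user id check stops a token issued for one account being used against another, and the security stamp check makes a token single-use and voids it if the password changes by any other route first. What must never happen is accepting a userId from the form and resetting without validating a token that was issued for that same userId.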