Search code examples
asp.net-identity-2

Using 2FA for password reset

My application uses Asp.Net Identity and sends a Two Factor code to my Auth app on login. This is pretty standard (as there lots of examples on the net) and uses the SendCode() method. My understanding is that the 'magic' is done by this line:

// Generate the token and send it
if (!await SignInManager.SendTwoFactorCodeAsync(model.SelectedProvider))
{
  View("Error");
}

My requirement is to ensure the user goes through the same process of 2FA when they want to change their password after they have logged in.

My issue is that when the code to send the 2FA code is executed:

if (!await SignInManager.SendTwoFactorCodeAsync(model.SelectedProvider))
{
  View("Error");
}

I receive the error 'UserID not found':

enter image description here

Server Error in '/MSPortal' Application.
UserId not found.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code. 

Exception Details: System.InvalidOperationException: UserId not found.

Source Error: 


Line 555:
Line 556:            // Generate the token and send it
Line 557:            if (!await SignInManager.SendTwoFactorCodeAsync(model.SelectedProvider))
Line 558:            {
Line 559:                return View("Error");

I know SendTwoFactorCodeAsync() calls GetVerifiedUserIdAsync() but my understanding is that the user is verified now that I have already logged in using 2FA.

Does anyone know why I would be getting this error?

Thanks.

Solution

  • I've worked around this by overriding SendTwoFactorCodeAsync() in IdentityConfig.cs. In this override, I first call GetVerifiedUserIdAsync() as per usual but then if that is 0 I get the User's ID from the Current HttpContext.

    I am not stating this is the best way but it's what I have done thus far and its got me moving ahead in my aim of having 2FA for login, change password and forgot password.

    The code (likely to go through some refactoring if I get feedback) is:

    public override async Task<bool> SendTwoFactorCodeAsync(string provider)
{
    int userId = 0;
    try
    {
        userId = await GetVerifiedUserIdAsync();
        if (userId == 0)
        {
            userId = Convert.ToInt32(HttpContext.Current.User.Identity.GetUserId());
        }

        if (userId == 0)
            return false;
    }
    catch
    {
        return false;
    }

    var token = await UserManager.GenerateTwoFactorTokenAsync(userId, provider);

    // See IdentityConfig.cs to plug in Email/SMS services to actually send the code
    await UserManager.NotifyTwoFactorTokenAsync(userId, provider, token);
    return true;

    //return base.SendTwoFactorCodeAsync(provider);
}