
Verify login credentials before notifying that email address needs to be confirmed


I'm using Asp.Net Core Razor Pages with Identity. At the moment I have RequireConfirmedAccount set to true in the ConfigureServices method of the Startup class, and I check for a confirmed email address as follows:

        public async Task<IActionResult> OnPostAsync()
        {
            ApplicationUser user = await userManager.FindByEmailAsync(Email);

            if (user != null)
            {
                bool emailConfirmed = await userManager.IsEmailConfirmedAsync(user);

                if (emailConfirmed != true)
                {
                    return RedirectToPage("/Account/ConfirmEmail");
                }
                else
                {
                    // The string overload looks the user up by user name, which only
                    // matches Email when UserName == Email (the Identity UI default).
                    var result = await signInManager.PasswordSignInAsync(Email, Password,
                            RememberMe, lockoutOnFailure: true);

                    if (result.IsLockedOut)
                    {
                        return RedirectToPage("/Account/Lockout");
                    }

                    if (result.Succeeded)
                    {
                        // etc
                    }
                }
            }

            return Page();
        }

The issue is that a malicious user could detect there's an account for this email address in the database without knowing the password. Ideally I'd like to be able to confirm the user knew the password before telling them the account email needs to be confirmed, i.e. something like:

                    if (result.SucceededButEmailNotConfirmed)
                    {
                        return RedirectToPage("/Account/ConfirmEmail");

Is there a good way to do this? The only solution I've come up with so far is to set RequireConfirmedAccount to false, then check in the code after a successful login whether the email address is confirmed, and log the user back out if not confirmed. Is there a better way to do this, or am I missing something? Thanks


Solution

  • Troy Hunt, a Microsoft MVP, has a great post that talks about how to make a secure password reset page (which has some similarities to your scenario):

    https://www.troyhunt.com/everything-you-ever-wanted-to-know/

    If you read the section titled "Username enumeration and the impact on anonymity," the recommendation would be not to display a message on your page that changes depending on whether or not you have a user account associated with that email in the database. Rather, you will send the information to the email address on what to do next. The next step could be they need to register (as they do not have an account), or it could be a link to confirm their email.

    Also, here is a follow-up post further discussing disclosure of website data via enumeration:

    https://www.troyhunt.com/website-enumeration-insanity-how-our-personal-data-is-leaked/
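One way to put the above into practice, as an added example that is not part of the original question or answer and not code from ASP.NET Core Identity itself. The relevant Identity behaviour it works around: with RequireConfirmedAccount (or RequireConfirmedEmail) enabled, SignInManager.PasswordSignInAsync runs its confirmed-account pre-check before it verifies the password, so it returns SignInResult.NotAllowed for an unconfirmed account whether or not the password was right, which is exactly the enumeration the question describes. The handler below therefore verifies the password with UserManager.CheckPasswordAsync first, keeps the lockout bookkeeping that PasswordSignInAsync would have done, and only branches on confirmation state once the caller has proven knowledge of the password. A second handler shows the uniform-response pattern the linked post recommends for a "resend confirmation" form. Assumptions (not in the original): an ApplicationUser class deriving from IdentityUser, an IEmailSender registered in DI, and Razor Pages at /Account/ConfirmEmail, /Account/Lockout, /Account/CheckYourEmail and ./LoginWith2fa; the confirmation link is Base64Url-encoded the way the scaffolded ConfirmEmail page expects.

```csharp
// Added example; not from the original post and not Identity's own code.
// Assumes ApplicationUser : IdentityUser, an IEmailSender in DI, and the pages named above.
using System.Text;
using System.Text.Encodings.Web;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Identity.UI.Services;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;
using Microsoft.AspNetCore.WebUtilities;

public class LoginModel : PageModel
{
    private readonly UserManager<ApplicationUser> userManager;
    private readonly SignInManager<ApplicationUser> signInManager;
    private readonly IEmailSender emailSender;

    public LoginModel(UserManager<ApplicationUser> userManager,
                      SignInManager<ApplicationUser> signInManager,
                      IEmailSender emailSender)
    {
        this.userManager = userManager;
        this.signInManager = signInManager;
        this.emailSender = emailSender;
    }

    [BindProperty] public string Email { get; set; }
    [BindProperty] public string Password { get; set; }
    [BindProperty] public bool RememberMe { get; set; }

    // Same message for "no such account" and "wrong password": the page must not
    // reveal whether the address is registered.
    private IActionResult InvalidLogin()
    {
        ModelState.AddModelError(string.Empty, "Invalid login attempt.");
        return Page();
    }

    public async Task<IActionResult> OnPostAsync()
    {
        if (!ModelState.IsValid) return Page();

        ApplicationUser user = await userManager.FindByEmailAsync(Email);
        if (user == null) return InvalidLogin();

        // Honour an existing lockout before touching the password.
        if (await userManager.IsLockedOutAsync(user)) return RedirectToPage("/Account/Lockout");

        // CheckPasswordAsync verifies the hash only; unlike PasswordSignInAsync it does not
        // run the confirmed-account pre-check, so an unconfirmed account with a wrong
        // password is indistinguishable from a non-existent one.
        if (!await userManager.CheckPasswordAsync(user, Password))
        {
            // Reproduce what PasswordSignInAsync(lockoutOnFailure: true) would have done.
            await userManager.AccessFailedAsync(user);
            if (await userManager.IsLockedOutAsync(user)) return RedirectToPage("/Account/Lockout");
            return InvalidLogin();
        }

        // Password proven: only now may the response depend on confirmation state.
        if (!await userManager.IsEmailConfirmedAsync(user))
        {
            await userManager.ResetAccessFailedCountAsync(user);
            await SendConfirmationEmailAsync(user);
            return RedirectToPage("/Account/ConfirmEmail");
        }

        // Confirmed: let Identity finish the sign-in so two-factor, lockout reset and the
        // cookie are handled normally. The password hash is verified a second time here.
        var result = await signInManager.PasswordSignInAsync(user, Password, RememberMe, lockoutOnFailure: true);
        if (result.Succeeded) return LocalRedirect("~/");
        if (result.RequiresTwoFactor) return RedirectToPage("./LoginWith2fa", new { RememberMe });
        if (result.IsLockedOut) return RedirectToPage("/Account/Lockout");
        return InvalidLogin();
    }

    // "Resend confirmation" form in the style the linked post recommends: the HTTP
    // response is identical whether or not the address is registered; the only
    // difference is what, if anything, arrives in the mailbox.
    public async Task<IActionResult> OnPostResendConfirmationAsync()
    {
        ApplicationUser user = await userManager.FindByEmailAsync(Email);
        if (user != null && !await userManager.IsEmailConfirmedAsync(user))
        {
            await SendConfirmationEmailAsync(user);
        }
        return RedirectToPage("/Account/CheckYourEmail");
    }

    private async Task SendConfirmationEmailAsync(ApplicationUser user)
    {
        string token = await userManager.GenerateEmailConfirmationTokenAsync(user);
        // The scaffolded ConfirmEmail page Base64Url-decodes the code before use.
        string code = WebEncoders.Base64UrlEncode(Encoding.UTF8.GetBytes(token));
        string url = Url.Page("/Account/ConfirmEmail", pageHandler: null,
                              values: new { userId = user.Id, code }, protocol: Request.Scheme);
        await emailSender.SendEmailAsync(Email, "Confirm your email",
            $"Please confirm your account by <a href='{HtmlEncoder.Default.Encode(url)}'>clicking here</a>.");
    }
}
```

Two caveats a reviewer would raise. First, the "no such account" branch returns without computing a password hash, so response timing still differs slightly from the wrong-password branch; if that matters for your threat model, verify a dummy hash through IPasswordHasher in that branch so both paths cost the same. Second, the lockout handling here mirrors Identity's defaults but lives in your code, so it needs the same tests as the rest of your login flow; the alternative the question mentions (RequireConfirmedAccount = false, then sign out unconfirmed users after a successful sign-in) avoids that duplication but issues and then revokes a real authentication cookie, which is easy to get wrong if any code runs between the two steps.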