anderly
commented
11 years ago John,
Thanks for submitting this. Another user actually brought this up on my blog and I felt I should clarify the issue and the sample code.
- The GetUserNameByEmail() method in SimpleMembershipProvider throws a NotSupportedException I think this is because Microsoft assumes that most users use email address as the username. However, in the case where you have username and email as separate fields, what you would need to do is implement a user lookup by email address method. Microsoft doesn’t know what database column you are using for email address if you don’t make it the username (you could be using “Email”, “EmailAddress”, etc.). Note that WebSecurity.InitializeDatabaseConnection() includes a parameter for the user ID (identifier of the user) typically an int or Guid and a param for the username. It doesn’t distinguish between username and email, so SimpleMembershipProvider can’t reliably implement GetUserNameByEmail()
- So, ForgotPassword should really be modified to suit your situation and use either username or email, not both. I’ve had to do the same and provide a user lookup by email and then use the looked up user in the call to GeneratePasswordResetToken
I have this noted as an issue on the project Trello board, but I haven't gotten around to updating it with a generic solution because of the limitations of the underlying provider.
A short-term solution may just be to remove email from ForgotPassword.cshtml to remove any confusion for users of the sample package. Please feel free to submit a patch for this if you have some ideas and I'll be happy to include it.
Thanks again,
Adam
Right now you allow the user to provide an email address to where the password reset email will be sent, but you do not verify that it belongs to the account. Really, the user shouldn't pass in an email address at all. The email address should be the one from the database related to the account with the given username.