aspnet / Identity

[Archived] ASP.NET Core Identity is the membership system for building ASP.NET Core web applications, including membership, login, and user data. Project moved to https://github.com/aspnet/AspNetCore
Apache License 2.0

Determine if Confirmation Email link failed because Token expired #1860

Closed egmfrs closed 6 years ago

egmfrs commented 6 years ago

Is there a way to do this? Like an error code that will return when the email confirmation token has expired? For example if the error code was "TokenExpired" I could use the following to return the user to a specific view which gives them advice on a process to follow if their token has expired:

```csharp
// Needs `using System.Linq;` for .Any(); "TokenExpired" is the error code the poster is proposing,
// not one ConfirmEmailAsync actually returns.
var result = await _userManager.ConfirmEmailAsync(user, code);
if (result.Succeeded) return View("ConfirmEmail");

return View(result.Errors.Any(c => c.Code == "TokenExpired") ? "TokenExpired" : "Error");
```
blowdart commented 6 years ago

We'd consider this giving away a little too much information to a potential attacker I'm afraid.

egmfrs commented 6 years ago

@blowdart thanks for the confirmation. Could you possibly elaborate on how an attacker could use a "token expired" response to their advantage?

blowdart commented 6 years ago

You'd be confirming the token was once valid, and that it's in the correct format. Think about it like returning an error from a login screen. You don't say "We don't know that login ID" or "That password expired ages ago, you have a new one", we just return "Login is invalid".
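The pattern blowdart describes, carried through to a confirmation action, as an added example (not the issue author's code, and not code from the aspnet/Identity repository). It assumes the usual Identity template pieces: an `ApplicationUser` entity, `UserManager<ApplicationUser>`, the templates' `IEmailSender` service, and views named `Error`, `ConfirmEmail` and `ResendConfirmationSent`. Every failure path lands on the same generic view, the reason is kept in the server log, and the error page can offer a "send me a new link" action that is equally silent about why the old one failed.

```csharp
// Added example (not the issue author's code, nor code from the aspnet/Identity repo).
// Assumes the standard ASP.NET Core Identity template pieces: an ApplicationUser
// entity, UserManager<ApplicationUser>, and the templates' IEmailSender service.
using System;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Identity.UI.Services;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.WebUtilities;
using Microsoft.Extensions.Logging;

public class AccountController : Controller
{
    private readonly UserManager<ApplicationUser> _userManager;
    private readonly IEmailSender _emailSender;
    private readonly ILogger<AccountController> _logger;

    public AccountController(UserManager<ApplicationUser> userManager,
                             IEmailSender emailSender,
                             ILogger<AccountController> logger)
    {
        _userManager = userManager;
        _emailSender = emailSender;
        _logger = logger;
    }

    [HttpGet]
    [AllowAnonymous]
    public async Task<IActionResult> ConfirmEmail(string userId, string code)
    {
        // Every failure path below ends on the same view, so the response does not
        // tell the caller whether the user id exists, whether the token was ever
        // valid, or whether it merely expired.
        if (string.IsNullOrEmpty(userId) || string.IsNullOrEmpty(code))
            return View("Error");

        var user = await _userManager.FindByIdAsync(userId);
        if (user == null)
            return View("Error");

        string token;
        try
        {
            // The link carries the token base64url-encoded (see ResendConfirmation).
            // A malformed value throws here; catching it keeps a garbage token on the
            // same page as an expired one instead of surfacing an exception page.
            token = Encoding.UTF8.GetString(WebEncoders.Base64UrlDecode(code));
        }
        catch (FormatException)
        {
            return View("Error");
        }

        var result = await _userManager.ConfirmEmailAsync(user, token);
        if (result.Succeeded)
            return View("ConfirmEmail");

        // Keep the detail server-side. Operators can still distinguish expiry from a
        // tampered token in the logs; the browser only ever sees the generic page.
        _logger.LogWarning("Email confirmation failed for user {UserId}: {Errors}",
            userId,
            string.Join("; ", result.Errors.Select(e => $"{e.Code}: {e.Description}")));
        return View("Error");
    }

    // The generic error view links here, so a user holding a stale link can ask
    // for a fresh one without the site ever saying why the old one failed.
    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> ResendConfirmation(string email)
    {
        var user = await _userManager.FindByEmailAsync(email);
        if (user != null && !await _userManager.IsEmailConfirmedAsync(user))
        {
            var token = await _userManager.GenerateEmailConfirmationTokenAsync(user);
            var code = WebEncoders.Base64UrlEncode(Encoding.UTF8.GetBytes(token));
            var link = Url.Action(nameof(ConfirmEmail), "Account",
                                  new { userId = user.Id, code }, Request.Scheme);
            await _emailSender.SendEmailAsync(email, "Confirm your email",
                $"<a href=\"{link}\">Confirm your email address</a>");
        }

        // Same response whether the address is unknown, unconfirmed, or already
        // confirmed, so this endpoint cannot be used to enumerate accounts either.
        return View("ResendConfirmationSent");
    }
}
```

If stale links are a real support burden, the knob to turn is the token lifetime rather than the error message: `services.Configure<DataProtectionTokenProviderOptions>(o => o.TokenLifespan = TimeSpan.FromDays(1));` in `Startup` sets how long confirmation and reset tokens from the default data-protection token provider stay valid (one day is the default). The `ResendConfirmation` endpoint should also sit behind rate limiting, since it sends mail on behalf of anyone who submits an address.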