aspnet / Identity

[Archived] ASP.NET Core Identity is the membership system for building ASP.NET Core web applications, including membership, login, and user data. Project moved to https://github.com/aspnet/AspNetCore
Apache License 2.0

Register users keep login failed in the default scaffolded identity razor pages. #1882

Closed Dolphinsimon closed 6 years ago

Dolphinsimon commented 6 years ago

In the default scaffolded Identity Razor page (Login), users can log in with email and password.

                <div class="form-group">
                    <label asp-for="Input.Email"></label>
                    <input asp-for="Input.Email" class="form-control" />
                    <span asp-validation-for="Input.Email" class="text-danger"></span>
                </div>
                <div class="form-group">
                    <label asp-for="Input.Password"></label>
                    <input asp-for="Input.Password" class="form-control" />
                    <span asp-validation-for="Input.Password" class="text-danger"></span>
                </div>

However, OnPostAsync() checks the email and password with PasswordSignInAsync(), which signs in users by username and password.

    public async Task<IActionResult> OnPostAsync(string returnUrl = null)
    {
        returnUrl = returnUrl ?? Url.Content("~/");

        if (ModelState.IsValid)
        {
            // The first argument of this overload is looked up as a user name, not as an e-mail address.
            // lockoutOnFailure: true counts failed password attempts towards account lockout.
            var result = await _signInManager.PasswordSignInAsync(Input.Email, Input.Password, Input.RememberMe, lockoutOnFailure: true);
            if (result.Succeeded)
            {
                _logger.LogInformation("User logged in.");
                return LocalRedirect(returnUrl);
            }
            if (result.RequiresTwoFactor)
            {
                return RedirectToPage("./LoginWith2fa", new { ReturnUrl = returnUrl, RememberMe = Input.RememberMe });
            }
            if (result.IsLockedOut)
            {
                _logger.LogWarning("User account locked out.");
                return RedirectToPage("./Lockout");
            }
            else
            {
                ModelState.AddModelError(string.Empty, "Invalid login attempt.");
                return Page();
            }
        }

        // If we got this far, something failed, redisplay form
        return Page();
    }

It seems that you will never be able to log in to your system. So, which situation was by design? Log in with username or email?

blowdart commented 6 years ago

The default implementations assume that, for simplicity, usernames and emails are one and the same. If a user changes email their username needs updating as well. If this doesn't match your use case then you need to start adjusting the code in templates.

Dolphinsimon commented 6 years ago

@blowdart Thanks for your reply. I checked the default Register page; the default register action sets the same value for usernames and emails. I missed this page as we had another register action to handle creating users with different usernames and emails. Sorry for my carelessness.

blowdart commented 6 years ago

Oh it's our fault, not yours, it's badly explained. We have a work item about making it configurable, but it's in the backlog for now. As you're unblocked I'm going to close the issue, feel free to reopen if you have more questions.
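
Added example, not part of the original thread or the project's template code: one way to adjust the scaffolded Login page model when user names and e-mail addresses differ, by resolving the account with FindByEmailAsync and passing the user object to PasswordSignInAsync. It assumes the default IdentityUser type, the Login.cshtml form shown in the issue, and that e-mail addresses are unique (for instance via options.User.RequireUniqueEmail).

```csharp
// Added example, not the project's template code. Assumes the default
// IdentityUser type and the scaffolded Login.cshtml form from the issue.
using System.ComponentModel.DataAnnotations;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;

public class LoginModel : PageModel
{
    private readonly SignInManager<IdentityUser> _signInManager;
    private readonly UserManager<IdentityUser> _userManager;
    public LoginModel(SignInManager<IdentityUser> signInManager, UserManager<IdentityUser> userManager)
    {
        _signInManager = signInManager;
        _userManager = userManager;
    }

    [BindProperty] public InputModel Input { get; set; }
    public class InputModel
    {
        [Required, EmailAddress] public string Email { get; set; }
        [Required, DataType(DataType.Password)] public string Password { get; set; }
        public bool RememberMe { get; set; }
    }

    public async Task<IActionResult> OnPostAsync(string returnUrl = null)
    {
        returnUrl = returnUrl ?? Url.Content("~/");
        if (!ModelState.IsValid) return Page();

        // Resolve the account by e-mail; the string overload of
        // PasswordSignInAsync would look the value up as a user name.
        var user = await _userManager.FindByEmailAsync(Input.Email);
        var result = user == null
            ? Microsoft.AspNetCore.Identity.SignInResult.Failed
            : await _signInManager.PasswordSignInAsync(user, Input.Password, Input.RememberMe, lockoutOnFailure: true);

        if (result.Succeeded) return LocalRedirect(returnUrl);
        if (result.RequiresTwoFactor)
            return RedirectToPage("./LoginWith2fa", new { ReturnUrl = returnUrl, RememberMe = Input.RememberMe });
        if (result.IsLockedOut) return RedirectToPage("./Lockout");

        // Same message for an unknown e-mail and a wrong password, so the
        // form does not reveal which addresses are registered.
        ModelState.AddModelError(string.Empty, "Invalid login attempt.");
        return Page();
    }
}
```

Because the user overload is called with lockoutOnFailure: true, failed attempts against an existing account still count towards lockout; an unknown e-mail simply falls through to the generic error.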