Closed kylegalbraith closed 8 years ago
MR stores a hash of the key. So when you're looking up the account you need to also hash the incoming key (which MR does internally when using the various APIs to find an account by key). If these return a non=null account, then it's valid./
When a reset password is initiated will an email be sent as well with a similar token on the end of the url?
yes
Thanks for the quick response @brockallen I think I got enough to run with for now.
I want to validate the key within the url of the confirm email. My question is whether or not the key in this url
/UserAccount/ChangeEmail/Confirm/XXXX_key_XXXX
is the VerificationKey stashed in MembershipReboot. So if I send the user to my own url with this key tacked on the end can I then make an API request that passes along this key and callEssentially is the key in the url used to confirm that account. I would then want to have the user provide a password for the account and update that via the API as well. However, I want to make sure that the key in the url is the right one to confirm the account with.