When Updating account with same password, it doesn't restrict me

[akash0234]

[HttpPost] public async Task ForgotPasswordSubmit(string token, string newpassword) { try { //Check If Old Password

       await _advancedContentRepository
                     .Users()
                     .AccountRecovery()
                      .CompleteAsync(new CompleteUserAccountRecoveryViaEmailCommand()
                      {
                          NewPassword = newpassword,
                          UserAreaCode = MemberUserArea.Code,
                          Token = token
                      });

     TempData["ResetSuccess"] = "Password Reset Successful";
     return RedirectToAction("UserLoginRegister");
 }
 catch (Exception ex)
 {
     TempData["ResetSuccess"] = "Account Recovery Already Completed";
     return RedirectToAction("UserLoginRegister");
 }

} https://www.cofoundry.org/docs/user-areas/data-apis/account-recovery As per documentation, it should show error , also I want to understand the last point which says "The token will be automatically re-validated, throwing a validation exception if it is invalid."

How to handle the revalidated status.

[HeyJoel]

If the token has already been used or is invalid then executing CompleteUserAccountRecoveryViaEmailCommand will throw a ValidationErrorException with the relevant error code and message. The user areas sample repository includes an example of this in the AuthenticationSample project. That project uses Razor Pages but the other project in that solution uses MVC if you want to see examples of calling similar auth APIs from MVC.

Your code looks like it would show an error, however you are catching a non-specific Exception, whereas you may be better off handling only ValidationErrorException, or using the built-in WithModelState extension to bind validation errors to model state as documented in the content repository docs. Doing this will populate ModelState with the correct message associated with the error, which you can show in your UI using the standard ASP.NET mechanisms.

[HeyJoel]

Just looking at the title of the issue again rather than your description, are you expecting the user not to be able to use the same password to complete a reset? That's not a feature of the user password policy system, we don't store password histories and that is not mentioned in the documentation. The CompleteUserAccountRecoveryViaEmailCommand does handle validation of the password reset authorization token, and will not let you re-use the token more than once; all tokens will also be marked as invalid if the user signs in or updates their password before the account recovery request is completed.

[akash0234]

Thanks for the info.. I understood the workings of auth token. It led me to find other way to solve it.. I'm sending the encoded email id as parameter in email . and validating with AuthenticateUserCredentialsQuery //Check If Old Password

var ress = await _advancedContentRepository .Users().Authentication().AuthenticateCredentials(new AuthenticateUserCredentialsQuery () { UserAreaCode = MemberUserArea.Code, Username = email, Password = newpassword }).ExecuteAsync();

if(!ress.IsSuccess) await _advancedContentRepository .Users() .AccountRecovery() .CompleteAsync(new CompleteUserAccountRecoveryViaEmailCommand() { NewPassword = newpassword, UserAreaCode = MemberUserArea.Code, Token = token });

[akash0234]

Although I Would Suggest to Add Module to validate old password. In Upcoming update.. Thanks for always helping and swift replies. Appreciate your work