dotnet / aspnetcore

ASP.NET Core is a cross-platform .NET framework for building modern cloud-based web applications on Windows, Mac, or Linux.
https://asp.net
MIT License

[Feature Request] Invite Only Registration #38902

Open elaine-jackson opened 2 years ago

elaine-jackson commented 2 years ago

Some business applications may only want authorized users to create an account on their ASP.NET Web Application. Identity Roles are a powerful tool to make sure only authorized groups can access a set of data. However, this can lead to unwanted users registering in your application. A common solution is to limit /Identity/Account/Register with Web Server rules to have either HTTP Basic Auth or IP Address Allow Listing. I propose the ability to do Invite Only Registrations.

First I want to explain my current workaround

As a work-around in my current application, I add an InviteKey to the Register.cshtml.cs InputModel object.

```csharp
[Required]
[DataType(DataType.Password)]   // rendered as a password input so the key is not shown on screen
[Display(Name = "Invite Key")]
public string InviteKey { get; set; }
```

From there I check this on:

```csharp
// requires: using System.Security.Cryptography; using System.Text;
// `configuration` is the IConfiguration injected into the PageModel.
public async Task<IActionResult> OnPostAsync(string returnUrl = null)
{
    returnUrl ??= Url.Content("~/");
    ExternalLogins = (await _signInManager.GetExternalAuthenticationSchemesAsync()).ToList();

    // Using a custom validator would leak the key in the client-side regex validator.
    // To get around this we only check server-side and return an error if the key
    // doesn't match the key defined in appsettings.json!
    // Input.InviteKey can be null when the field is missing from the POST (this check runs
    // before ModelState.IsValid), so compare null-safely, and use a fixed-time comparison
    // so the response time does not depend on how many leading characters matched.
    var expected = Encoding.UTF8.GetBytes(configuration.GetValue<string>("InviteKey") ?? string.Empty);
    var supplied = Encoding.UTF8.GetBytes(Input.InviteKey ?? string.Empty);
    if (expected.Length == 0 || !CryptographicOperations.FixedTimeEquals(expected, supplied))
    {
        // An unconfigured key rejects every registration rather than accepting an empty one.
        ModelState.AddModelError(string.Empty, "Invalid Invite Key");
        return Page();
    }

    if (ModelState.IsValid)
    {
        // ... the scaffolded user-creation logic from Register.cshtml.cs continues here
```

Using a custom validator (I tried this with a hard-coded key) would disclose the invite key in the client-side regex, so I can only do a server-side check.

Here is how I would do this ideally

This is far from a perfect solution, however, and it is merely a work-around until something better exists. Ideally a database-driven solution would exist with one-time, expiring invite keys built into ASP.NET Identity. For the initial user registration the startup log would give a one-time registration link with the key in it. From there the initial user would be allowed to create Invite Keys or links to allow other users to register. I am not super familiar with Identity Roles as I haven't worked with them in a while, although a default Inviter role could be given to the first user and then only users who have this role could create invite links.

What are the ASP.NET Core community's thoughts on building this type of feature into ASP.NET Identity and the corresponding scaffolders?
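One way the database-driven design sketched above could look, as an added example that is not code from the issue or from the aspnetcore repository: keys are minted only by members of an assumed `Inviter` role, stored hashed with an expiry, and consumed atomically so each key works exactly once. The `InviteKey` entity, `ApplicationDbContext.InviteKeys` and the role name are assumptions, and the template's implicit usings (System, System.Linq, System.Threading.Tasks) are assumed.

```csharp
// Added example (not from the issue or the aspnetcore repo). The InviteKey entity,
// ApplicationDbContext.InviteKeys and the "Inviter" role name are assumptions.
using System.Security.Cryptography;
using System.Text;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.WebUtilities;
using Microsoft.EntityFrameworkCore;

public class InviteKey
{
    public int Id { get; set; }
    public string KeyHash { get; set; } = "";   // SHA-256 of the key; the key itself is never stored
    public string CreatedByUserId { get; set; } = "";
    public DateTime ExpiresAt { get; set; }
    public DateTime? UsedAt { get; set; }
}

public class InviteService
{
    private readonly ApplicationDbContext _db;  // assumed to expose DbSet<InviteKey> InviteKeys
    private readonly UserManager<IdentityUser> _userManager;
    public InviteService(ApplicationDbContext db, UserManager<IdentityUser> um) { _db = db; _userManager = um; }
    private static string Hash(string key) => Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(key)));

    // Only users in the Inviter role may mint keys. The plaintext key is returned once,
    // to be placed in the registration link, and is not persisted.
    public async Task<string?> CreateAsync(string inviterId, TimeSpan lifetime)
    {
        var inviter = await _userManager.FindByIdAsync(inviterId);
        if (inviter is null || !await _userManager.IsInRoleAsync(inviter, "Inviter")) return null;
        var key = WebEncoders.Base64UrlEncode(RandomNumberGenerator.GetBytes(32));   // 256-bit random key
        _db.InviteKeys.Add(new InviteKey { KeyHash = Hash(key), CreatedByUserId = inviterId,
                                           ExpiresAt = DateTime.UtcNow.Add(lifetime) });
        await _db.SaveChangesAsync();
        return key;
    }

    // One-time use is enforced by a single UPDATE ... WHERE unused AND unexpired, so two
    // concurrent registrations presenting the same key cannot both succeed.
    public async Task<bool> TryConsumeAsync(string key)
    {
        var now = DateTime.UtcNow;
        var hash = Hash(key);
        var rows = await _db.InviteKeys
            .Where(k => k.KeyHash == hash && k.UsedAt == null && k.ExpiresAt > now)
            .ExecuteUpdateAsync(s => s.SetProperty(k => k.UsedAt, (DateTime?)now));
        return rows == 1;
    }
}
```

In Register.cshtml.cs, call `TryConsumeAsync` only after `ModelState.IsValid` and inside the same transaction as the user creation, so a failed `CreateAsync` does not burn the key.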

adityamandaleeka commented 2 years ago

This is an interesting idea. We'd need a good design for the experience. Putting it in backlog for now.

@blowdart @HaoK

ghost commented 2 years ago

We've moved this issue to the Backlog milestone. This means that it is not going to be worked on for the coming release. We will reassess the backlog following the current release and consider this item at that time. To learn more about our issue management process and to have better expectations regarding different types of issues you can read our Triage Process.

RonPeters commented 2 years ago

I completely support this. The vast majority of websites I've built for companies are invite-only. So I've had to implement this myself over and over again over the years. With the latest templates, I've been piggybacking on the reset password flow, utilizing and extending the verification code generation. Also the ability to send new invites if the verification code has expired.
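The reset-password-flow approach described in this comment, as an added example that is not the commenter's code or code from the aspnetcore repository: the invitee's account is created without a password, Identity's own password-reset token (issued by the DataProtectorTokenProvider, so it carries an expiry) serves as the invite, a fresh token can be re-sent while the account is unclaimed, and setting the first password rotates the security stamp, which invalidates the token. The `Inviter` role name is an assumption, as are the template's implicit usings.

```csharp
// Added example (not from the issue or the aspnetcore repo): the account is created
// without a password and the password-reset token doubles as the invite. Role name assumed.
using System.Text;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.WebUtilities;
public class ResetFlowInviteService
{
    private readonly UserManager<IdentityUser> _userManager;
    public ResetFlowInviteService(UserManager<IdentityUser> userManager) => _userManager = userManager;

    // Creates the passwordless account and returns a URL-safe reset token for the invite link.
    // Tokens come from DataProtectorTokenProvider, so they expire after TokenLifespan (1 day by default).
    public async Task<string?> CreateInviteAsync(string inviterId, string email)
    {
        var inviter = await _userManager.FindByIdAsync(inviterId);
        if (inviter is null || !await _userManager.IsInRoleAsync(inviter, "Inviter")) return null;
        if (await _userManager.FindByEmailAsync(email) is not null) return null;
        var user = new IdentityUser { UserName = email, Email = email };
        if (!(await _userManager.CreateAsync(user)).Succeeded) return null;   // no password yet
        return await EncodedResetTokenAsync(user);
    }

    // Re-issues a fresh token when the previous one expired; refuses once the account has been claimed.
    public async Task<string?> ResendInviteAsync(string email)
    {
        var user = await _userManager.FindByEmailAsync(email);
        if (user is null || await _userManager.HasPasswordAsync(user)) return null;
        return await EncodedResetTokenAsync(user);
    }

    // The invitee sets the first password. ResetPasswordAsync rotates the security stamp,
    // which invalidates the token, so the link is effectively single-use.
    public async Task<IdentityResult> AcceptInviteAsync(string email, string encodedToken, string password)
    {
        var user = await _userManager.FindByEmailAsync(email);
        if (user is null || await _userManager.HasPasswordAsync(user))
            return IdentityResult.Failed(new IdentityError { Description = "Invalid invite." });
        var token = Encoding.UTF8.GetString(WebEncoders.Base64UrlDecode(encodedToken));
        var result = await _userManager.ResetPasswordAsync(user, token, password);
        if (result.Succeeded)
        {
            user.EmailConfirmed = true;   // the invitee proved control of the mailbox the link went to
            await _userManager.UpdateAsync(user);
        }
        return result;
    }

    private async Task<string> EncodedResetTokenAsync(IdentityUser user) =>
        WebEncoders.Base64UrlEncode(Encoding.UTF8.GetBytes(await _userManager.GeneratePasswordResetTokenAsync(user)));
}
```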

elaine-jackson commented 2 years ago

> I completely support this. The vast majority of websites I've built for companies are invite-only. So I've had to implement this myself over and over again over the years. With the latest templates, I've been piggybacking on the reset password flow, utilizing and extending the verification code generation. Also the ability to send new invites if the verification code has expired.

Once we have a solid design plan in place I could potentially help out with a merge request. One of the strengths of ASP and the .NET platform is most code is written for you with the help of the code generator and large library. This pushes the project in that way and I hope to see the support of the broader community.

RonPeters commented 2 years ago

> Once we have a solid design plan in place I could potentially help out with a merge request. One of the strengths of ASP and the .NET platform is most code is written for you with the help of the code generator and large library. This pushes the project in that way and I hope to see the support of the broader community.

I'm down to help as well

RonPeters commented 2 years ago

Also, an administrator needs to be able to disable a user's account. This is not accommodated in the current schema.

elaine-jackson commented 2 years ago

> Also, an administrator needs to be able to disable a user's account. This is not accommodated in the current schema.

In general you should be using the role system for this, so when a user account is enabled it should have a member role. However, I agree an account lockout feature would be helpful. That said, it is a separate issue which should have its own discussion thread.