All geek questions in one place

Allow user to login using Email or UserName (AspNet.Identity)

I am wondering if there is a more efficient route for this. Using AspNet.Identity , I would like to allow the user to enter a single text field using either UserName or Email . I went further and addressed this issue in AccountController Login ActionResult . I run a check before calling:

 var result = await SignInManager.PasswordSignInAsync(model.UserName, model.Password, model.RememberMe, shouldLockout: true);

Verification:

 //TODO: determine if there is a more efficient way to allow user to login either with Email || UserName if (model.UserName.Contains("@")) { using (var context = new ApplicationDbContext()) { model.UserName = (context.Users.Any(p => p.Email == model.UserName)) ? context.Users.SingleOrDefault(p => p.Email == model.UserName).UserName : model.UserName; } }

My problems here are twofold:

  • Is their a more effective practical way to do this.
  • Do I pose any new security or performance risks by doing so this way?

Below is the ActionResult link for the link.

 // // POST: /Account/Login [HttpPost] [AllowAnonymous] [ValidateAntiForgeryToken] public async Task<ActionResult> Login(LoginViewModel model, string returnUrl) { if (!ModelState.IsValid) { return View(model); } //TODO: determine if there is a more efficient way to allow user to login either with Email || UserName if (model.UserName.Contains("@")) { using (var context = new ApplicationDbContext()) { model.UserName = (context.Users.Any(p => p.Email == model.UserName)) ? context.Users.SingleOrDefault(p => p.Email == model.UserName).UserName : model.UserName; } } // This doesn't count login failures towards account lockout // To enable password failures to trigger account lockout, change to shouldLockout: true var result = await SignInManager.PasswordSignInAsync(model.UserName, model.Password, model.RememberMe, shouldLockout: true); switch (result) { case SignInStatus.Success: return RedirectToLocal(returnUrl); case SignInStatus.LockedOut: return View("Lockout"); case SignInStatus.RequiresVerification: return RedirectToAction("SendCode", new { ReturnUrl = returnUrl, RememberMe = model.RememberMe }); case SignInStatus.Failure: default: ModelState.AddModelError("", "Invalid login attempt."); return View(model); } }

github # 2 and # 4 related issue

+5
source share
1 answer

There will be one security issue. You can get the username of another user if you know his email address:

  • write your email address and wrong password
  • then the system loads the appropriate username, performs a password check that fails, and returns the model with the rewritten username

I would declare a new variable instead of reusing model.UserName. And your query will be a little more efficient if you use FirstOrDefault:

  var userName = model.UserName; using (var context = new ApplicationDbContext()) { var user = context.Users.FirstOrDefault(p => p.Email == model.UserName); if (user != null) { userName = user.UserName; } } var result = await SignInManager.PasswordSignInAsync(userName, model.Password, model.RememberMe, shouldLockout: true);
+8
source

Source: https://habr.com/ru/post/1203277/

More articles:


All Articles