Approve/refuse new user via email using one time URIs

[MarGraz]

Hi,

I'm writing APIs for a headless CMS project using Orchard Core 1.8.3. I have used the UserManager (Microsoft.AspNetCore.Identity) to provide basic functions that allow the Admin to manage user roles via APIs.

Now, I'm adding a new feature: when a new user registers on the website, an email is sent to the Admin with two URIs: one to approve (enable) the user, and the other to refuse (leave the user disabled, or delete it. We still decide what to do).
What I'm looking for is a way to make those URIs usable only once, and only for that specific purpose.

1. Would it be a good idea to use the GenerateUserTokenAsync and VerifyUserTokenAsync method (here is the GenerateUserTokenAsync, and here the VerifyUserTokenAsync implementation) to achieve the one-time-use URIs behavior described above?

2. From what I have seen in the Orchard Core RegistrationController (here), Orchard Core doesn't provide the ability to approve or refuse a new user via email. If the Users Registration feature is turned on, and the setting "Users must be approved before they can log in" is checked, the new user is registered as disabled, and the approval (enabling) is done by the Admin directly from the backoffice. There's no email that the Admin receives to perform the approve/refuse action, right?

Any suggestions or best practices for implementing this?

Thank you so much

[Piedone]

1. I'd start with these too. However, I have no experience building such a feature so I'm not sure.
2. Yep, there's no such feature built-in.

That being said, if it's already admins who approve/refuse users, then I don't really see the point of adding a token to the URL (unless you want only the recipients of the e-mail to be able to manage these users, not any admin with the necessary permissions, what I'd instead recommend). Instead, I'd only include GET links in the e-mail, pointing to an admin UI where they have the two operations as two buttons (or just link to the given user's built-in edit screen on the OC admin).

Otherwise, you're binding a state-changing operation to a GET request, what should otherwise be a POST or something else.

[MarGraz]

@Piedone I have the same problem that @MikeAlhayek had in this issue.

Basically, I'm not able to add a DataProtectorTokenProvider. When I look into the UserManager after the app starts, the only two available token providers added by Orchard Core, are Email and Phone, as shown in the screenshot below. But what if I want to add another token provider?

I don't know how to add a DataProtectorTokenProvider, because every normal procedure I try to apply in the Program.cs that usually works in .NET, returns errors in OC. For example, doing this:

services.AddIdentity<User, Role>()
            .AddTokenProvider<DataProtectorTokenProvider<User>>(TokenOptions.DefaultProvider); // TokenOptions.DefaultProvider is a string that has value "Default"

Return an exception that involve YesSql:

InvalidOperationException: Cannot consume scoped service 'Microsoft.AspNetCore.Identity.ILookupNormalizer' from singleton 'YesSql.Indexes.IIndexProvider'.
Microsoft.Extensions.DependencyInjection.ServiceLookup.CallSiteValidator.VisitScopeCache(ServiceCallSite scopedCallSite, CallSiteValidatorState state)

Questions:

• Could this exception be a bug in YesSql? 🤔
• What if I pass Email as token provider in my two handler "GenerateToken" and "VerifyToken" methods, here?

Thank you

[Piedone]

I don't have a ready answer for this, sorry. Maybe others will be able to help.

[MikeAlhayek]

@MarGraz if you upgrade to 2.0.0-previews, we register a Default provider by default.

OrchardCore/src/OrchardCore.Modules/OrchardCore.Users/Startup.cs

Line 168 in 7b4120e

.AddTokenProvider<DataProtectorTokenProvider<IUser>>(TokenOptions.DefaultProvider);

Alternatively, you register a default provider yourself. However, in 2.0.0-preview there are improvements around the token providers which can improve security and allow you to configure them. more on that can found in the 2.0.0 release notes,

[MarGraz]

@Piedone @MikeAlhayek @weirdyang sorry for the late reply, I totally forgot to update this discussion 😅

@MikeAlhayek, unfortunately, I can't use the 2.0.0-previews because I'm going into production soon. I'm not comfortable using an unstable release for production.

In the end, I created my own token handler and passed it in Dependency Injection as a singleton. Of course, if the server reboots, I will lose the token list, but this is not a problem for my requirements since the tokens are not meant to be permanent.

I used the Purpose value to be able to generate multiple tokens for the same UserId. This could be useful if you need it in multiple parts of your code.

Here is the interface I made for my custom token service:

public interface ITokenService
{
    /// <summary>
    /// Generates a token for a specified user and purpose.
    /// If a token already exists for the specified user and purpose, the existing token is returned.
    /// Otherwise, a new token is generated. Token older that 3 days will be automatically deleted.
    /// </summary>
    /// <param name="userId">The ID of the user for whom the token is being generated.</param>
    /// <param name="purpose">The purpose for which the token is being generated.</param>
    /// <returns>The generated token.</returns>
    string GenerateToken(string userId, string purpose);

    /// <summary>
    /// Validates a token for a specified user and purpose.
    /// The token is considered valid if it matches the specified user and purpose and is not expired.
    /// Once validated, the token is removed from the storage to ensure it is only used once.
    /// </summary>
    /// <param name="token">The token to validate.</param>
    /// <param name="userId">The ID of the user for whom the token was generated.</param>
    /// <param name="purpose">The purpose for which the token was generated.</param>
    /// <returns><c>true</c> if the token is valid; otherwise, <c>false</c>.</returns>
    bool ValidateToken(string token, string userId, string purpose);
}

This is the implementation of my custom TokenService:

  public class OneTimeTokenService : ITokenService
 {
     private class TokenInfo
     {
         public string Token { get; set; }
         public string UserId { get; set; }
         public string Purpose { get; set; }
         public DateTime CreationDate { get; set; }
     }

     // ConcurrentDictionary is used to prevent multiple instances and ensure that the token service is truly a singleton. It is useful for thread-safe operations and make sure the service is registered as a singleton in the DI container
     private readonly ConcurrentDictionary<string, TokenInfo> _tokens = new ConcurrentDictionary<string, TokenInfo>();
     private DateTime _lastCleanupDate = DateTime.MinValue;

     public string GenerateToken(string userId, string purpose)
     {
         CleanupOldTokens();

         // If for a specific userId and purpose a token already exists, it will return it 
         TokenInfo? existingToken = _tokens.Values.FirstOrDefault(t => t.UserId == userId && t.Purpose == purpose);
         if (existingToken != null)
         {
             return existingToken.Token;
         }

         string token = Guid.NewGuid().ToString();
         TokenInfo tokenInfo = new TokenInfo
         {
             Token = token,
             UserId = userId,
             Purpose = purpose,
             CreationDate = DateTime.UtcNow
         };

         _tokens[token] = tokenInfo;
         return token;
     }

     public bool ValidateToken(string token, string userId, string purpose)
     {
         if (_tokens.TryGetValue(token, out var tokenInfo))
         {
             if (tokenInfo.UserId == userId && tokenInfo.Purpose == purpose)
             {
                 _tokens.TryRemove(token, out _);
                 return true;
             }
         }
         return false;
     }

     /// <summary>
     /// Cleans up tokens that are older than 3 days.
     /// This method only executes once per day.
     /// </summary>
     private void CleanupOldTokens()
     {
         DateTime currentDate = DateTime.UtcNow.Date;
         
         if (_lastCleanupDate < currentDate)
         {
             DateTime cutoffDate = currentDate.AddDays(-3);
             List<string> oldTokens = _tokens.Where(t => t.Value.CreationDate < cutoffDate).Select(t => t.Key).ToList();

             foreach (var oldToken in oldTokens)
             {
                 _tokens.TryRemove(oldToken, out _);
             }

             _lastCleanupDate = currentDate;
         }
     }
 }

This is how I register it in the Program.cs to pass it in DI:

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddOrchardCms()
 .ConfigureServices( services =>
 {
    // Add custom services
     services.AddSingleton<ITokenService, OneTimeTokenService>();
     
     [...]
 }

Thank you so much 😜

[Piedone]

Thanks for sharing!

[weirdyang]

a possible alternative might be to use ISecurityTokenService to generate a time limited token with a custom payload

OrchardCore/src/OrchardCore.Modules/OrchardCore.Workflows/Services/SecurityTokenService.cs

Line 8 in 52dca20

public class SecurityTokenService : ISecurityTokenService