Create and Validate Invitation Code / Token
Using ASP.NET Core I am creating a system to invite users to Join a Group, Get Free Credits, ...

When inviting a User to Join a Group I create an Invitation which is saved in the database:

The token is saved in the database along with other information:

Invitation invitation = new Invitation {
  InvitationType = "JoinGroup",
  Completed = false,
  Expiry = DateTime.Now.AddDays(4),
  Token = some_token,
  Parameters = new List<Parameter> { 
    new Parameter { Name = "GroupId", Value = 22 },
    new Parameter { Name = "RoleId", Value = "Admin" },
    new Parameter { Name = "Email", Value = "[email protected]" },
  }
};

Then I send an email with a URL:

/invite?token=some_token

When the user accesses the url I get the record with the given token.

With that information I do whatever I need to do, for example, add User to the Group.

Question

How should I create a unique token?

Which information should I include in the token?

And how should I validate it?

Spotlight answered 29/10, 2019 at 13:06 Comment(7)
primarily opinion-based ... 1. Guid.NewGuid() 2. None 3. By checking if it's in the database (and setting it to expired/used) - Ehf
Too broad of a question. There are many ways to go about this. - Livy
This is a perfectly valid question. And in fact ASP.NET Core has a specific piece of functionality for this. - Priesthood
@Darkonekt Can you specify which piece of functionality you are talking about? - Spotlight
I posted an answer pointing you in the right direction. But I did not post any code since you have not tried anything yet. But if you have trouble implementing the solution I will be glad to help after you try your own code. - Priesthood
I added a link to help you get started in the answer. - Priesthood
@Darkonekt Yes, my initial idea was to use UserManager.GenerateUserTokenAsync ... But what should be in the User argument of the method if I am just inviting someone by email and maybe the user does not exist yet? And where to place the other data? Inside the token? - Spotlight

ASP.NET Core Identity provides functionality for generating tokens for different purposes.

Using the UserManager you can generate tokens for multiple purposes.

One of the methods available is the UserManager.GenerateUserTokenAsync(TUser, String, String).

You can verify the token using the UserManager.VerifyUserTokenAsync(TUser, String, String, String) method.

Reference To Documentation

Here is a link that will help you get started: Identity Tokens

Priesthood answered 29/10, 2019 at 14:53 Comment(6)
Yes, I know and in fact I have a previous question about that (#58606855) ... But what would you place in User when the user does not exist and you are only inviting someone by email? - Spotlight
You could create the user and send the user an invitation email with a password reset link. Since you have the email address you can create the user and based on that new user send the necessary tokens and links in an email. - Priesthood
You could also prompt the user to "finish setting up their account" or to "confirm their account". - Priesthood
Not sure if that is a good idea ... I mean User A invites Person B by email and since it does not exist then creates an account on its behalf ... Sounds strange. - Spotlight
Well the account will not be used unless it is confirmed. So it does not matter. The account does not need to have personal information... only the email. And once they accept the invitation then they are prompted to finish setting up the account. If they don't finish it then it is just an inactive account in your system. - Priesthood
The only other option I can think of is to encrypt an arbitrary value and send it in a link. Which can also be done using the data protection functionality from ASP.NET Core. - Priesthood
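As an added example (not code from the question, the answer or ASP.NET Core itself), here is the database-backed design the question and Ehf's comment describe, hardened the way a practitioner would want: the token comes from the OS CSPRNG rather than Guid.NewGuid(), only its SHA-256 hash is persisted, and redemption checks purpose, expiry (in UTC) and single use before releasing the parameters. It assumes an in-memory dictionary in place of the database table and .NET 6 or later.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Invitation record mirroring the question's fields; only a hash of the token is kept.
public sealed class Invitation
{
    public string InvitationType { get; set; } = "";
    public bool Completed { get; set; }
    public DateTime ExpiryUtc { get; set; }
    public string TokenHash { get; set; } = "";
    public Dictionary<string, string> Parameters { get; set; } = new();
}

public static class InvitationTokens
{
    // Hypothetical in-memory table standing in for the database, keyed by token hash.
    private static readonly Dictionary<string, Invitation> Store = new();

    // Issue: 32 bytes from the OS CSPRNG (not Guid.NewGuid), base64url-encoded
    // so the token is safe inside /invite?token=... without further escaping.
    public static string Create(string type, TimeSpan lifetime, Dictionary<string, string> parameters)
    {
        byte[] raw = RandomNumberGenerator.GetBytes(32);
        string token = Convert.ToBase64String(raw).TrimEnd('=').Replace('+', '-').Replace('/', '_');
        string hash = Hash(token);
        Store[hash] = new Invitation
        {
            InvitationType = type,
            Completed = false,
            ExpiryUtc = DateTime.UtcNow.Add(lifetime),   // UtcNow: no DST/timezone surprises
            TokenHash = hash,
            Parameters = parameters,
        };
        return token;   // goes only into the e-mail link; the clear token is never stored
    }

    // Redeem: look up by hash, reject unknown, used, wrong-purpose or expired tokens,
    // and mark the row used before acting on its parameters (single use).
    public static Invitation? Redeem(string token, string expectedType)
    {
        if (!Store.TryGetValue(Hash(token), out var inv)) return null;
        if (inv.Completed || inv.InvitationType != expectedType) return null;
        if (DateTime.UtcNow > inv.ExpiryUtc) return null;
        inv.Completed = true;
        return inv;
    }

    // SHA-256 of the token; a leaked table then yields no usable invite links.
    private static string Hash(string token) =>
        Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(token)));
}
```

Create("JoinGroup", TimeSpan.FromDays(4), parameters) returns the value to put after /invite?token=, and Redeem(token, "JoinGroup") hands back the record exactly once, or null for an unknown, reused, mismatched or expired token.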

© 2022 - 2024 — McMap. All rights reserved.