DNN-23673: encrypt the verification code with membersip user key.

Author: zyhfish

DNN Platform/Library/Entities/Users/UserController.cs

@@ -2244,13 +2244,14 @@ public static void VerifyUser(string verificationCode)
 
             int portalId;
             int userId;
+            var userIdString = strings[1];
 
-            if (!int.TryParse(strings[0], out portalId) || !int.TryParse(strings[1], out userId))
+            if (!int.TryParse(strings[0], out portalId) || string.IsNullOrWhiteSpace(userIdString))
             {
                 throw new InvalidVerificationCodeException();
             }
 
-            var user = GetUserById(int.Parse(strings[0]), int.Parse(strings[1]));
+            var user = int.TryParse(userIdString, out userId) ? GetUserById(portalId, userId) : GetUserByMembershipUserKey(portalId, userIdString);
 
             if (user == null)
             {
@@ -2315,7 +2316,15 @@ private static string GetDomainName(PortalAliasInfo portalAlias)
             return httpAlias.IndexOf("/", StringComparison.InvariantCulture) != -1 ?
                 httpAlias.Substring(0, httpAlias.IndexOf("/", StringComparison.InvariantCulture)) :
                 httpAlias;
-        }      
+        }
+
+        private static UserInfo GetUserByMembershipUserKey(int portalId, string membershipUserKey)
+        {
+            var masterPortalId = GetEffectivePortalId(portalId);
+            var user = MembershipProvider.Instance().GetUserByProviderUserKey(masterPortalId, membershipUserKey);
+            FixMemberPortalId(user, portalId);
+            return user;
+        }
 
         #endregion
 

DNN Platform/Library/Entities/Users/UserInfo.cs

@@ -31,6 +31,7 @@
 using DotNetNuke.Entities.Profile;
 using DotNetNuke.Entities.Users.Social;
 using DotNetNuke.Security;
+using DotNetNuke.Security.Membership;
 using DotNetNuke.Security.Roles;
 using DotNetNuke.Services.Tokens;
 using DotNetNuke.UI.WebControls;
@@ -304,7 +305,7 @@ public string GetProperty(string propertyName, string format, CultureInfo format
                         return PropertyAccess.ContentLocked;
                     }
                     var ps = PortalSecurity.Instance;
-                    var code = ps.Encrypt(Config.GetDecryptionkey(), PortalID + "-" + UserID);
+                    var code = ps.Encrypt(Config.GetDecryptionkey(), PortalID + "-" + GetMembershipUserId());
                     return code.Replace("+", ".").Replace("/", "-").Replace("=", "_");
                 case "affiliateid":
                     if (internScope < Scope.SystemMessages)
@@ -422,6 +423,11 @@ private bool isAdminUser(ref UserInfo accessingUser)
             return accessingUser.IsInRole(_administratorRoleName) || accessingUser.IsSuperUser;
         }
 
+        private string GetMembershipUserId()
+        {
+            return MembershipProvider.Instance().GetProviderUserKey(this)?.Replace("-", string.Empty) ?? string.Empty;
+        }
+
         #endregion
 
         #region Public Methods

DNN Platform/Library/Security/Membership/AspNetMembershipProvider.cs

@@ -605,9 +605,17 @@ private static MembershipUser GetMembershipUser(string userName)
                                       userName), GetMembershipUserCallBack);
         }
 
-        private static string GetCacheKey(string userName)
+        private static MembershipUser GetMembershipUserByUserKey(string userKey)
         {
-            return String.Format("MembershipUser_{0}", userName);
+            return
+                CBO.GetCachedObject<MembershipUser>(
+                    new CacheItemArgs(GetCacheKey(userKey), DataCache.UserCacheTimeOut, DataCache.UserCachePriority,
+                        userKey), GetMembershipUserByUserKeyCallBack);
+        }
+
+        private static string GetCacheKey(string cacheKey)
+        {
+            return $"MembershipUser_{cacheKey}";
         }
 
         private static object GetMembershipUserCallBack(CacheItemArgs cacheItemArgs)
@@ -617,7 +625,13 @@ private static object GetMembershipUserCallBack(CacheItemArgs cacheItemArgs)
             return System.Web.Security.Membership.GetUser(userName);
         }
 
-       
+        private static object GetMembershipUserByUserKeyCallBack(CacheItemArgs cacheItemArgs)
+        {
+            string userKey = cacheItemArgs.ParamList[0].ToString();
+
+            return System.Web.Security.Membership.GetUser(new Guid(userKey));
+        }
+
         private UserInfo GetUserByAuthToken(int portalId, string userToken, string authType)
         {
             IDataReader dr = _dataProvider.GetUserByAuthToken(portalId, userToken, authType);
@@ -1226,6 +1240,22 @@ public override UserInfo GetUserByPasswordResetToken(int portalId, string resetT
             return user;
         }
 
+        public override string GetProviderUserKey(UserInfo user)
+        {
+            return GetMembershipUser(user).ProviderUserKey?.ToString().Replace("-", string.Empty) ?? string.Empty;
+        }
+
+        public override UserInfo GetUserByProviderUserKey(int portalId, string providerUserKey)
+        {
+            var userName = GetMembershipUserByUserKey(providerUserKey)?.UserName ?? string.Empty;
+            if (string.IsNullOrEmpty(userName))
+            {
+                return null;
+            }
+
+            return GetUserByUserName(portalId, userName);
+        }
+
         /// -----------------------------------------------------------------------------
         /// <summary>
         /// GetUserCountByPortal gets the number of users in the portal

DNN Platform/Library/Security/Membership/MembershipProvider.cs

@@ -119,6 +119,16 @@ public virtual UserInfo GetUserByPasswordResetToken(int portalId, string resetTo
             return null;
         }
 
+        public virtual string GetProviderUserKey(UserInfo user)
+        {
+            return null;
+        }
+
+        public virtual UserInfo GetUserByProviderUserKey(int portalId, string providerUserKey)
+        {
+            return null;
+        }
+
         public virtual ArrayList GetUsers(int portalId, int pageIndex, int pageSize, ref int totalRecords, bool includeDeleted, bool superUsersOnly)
         {
             throw new NotImplementedException();