Merge commit from fork

kjac · web-flow · commit b4144564c836 · 2025-06-24T08:39:17.000+02:00
diff --git a/src/Umbraco.Web.BackOffice/Controllers/AuthenticationController.cs b/src/Umbraco.Web.BackOffice/Controllers/AuthenticationController.cs
@@ -131,12 +131,17 @@ public AuthenticationController(
         AuthorizationPolicies.BackOfficeAccess)] // Needed to enforce the principle set on the request, if one exists.
     public IDictionary<string, object> GetPasswordConfig(int userId)
     {
+        if (HttpContext.HasActivePasswordResetFlowSession(userId))
+        {
+            return _passwordConfiguration.GetConfiguration();
+        }
+
         Attempt<int> currentUserId =
             _backofficeSecurityAccessor.BackOfficeSecurity?.GetUserId() ?? Attempt<int>.Fail();
-        return _passwordConfiguration.GetConfiguration(
-            currentUserId.Success
-                ? currentUserId.Result != userId
-                : true);
+
+        return currentUserId.Success
+            ? _passwordConfiguration.GetConfiguration(currentUserId.Result != userId)
+            : new Dictionary<string, object>();
     }
 
     /// <summary>
@@ -417,6 +422,8 @@ public async Task<bool> IsAuthenticated()
     [Authorize(Policy = AuthorizationPolicies.DenyLocalLoginIfConfigured)]
     public async Task<ActionResult<UserDetail?>> PostLogin(LoginModel loginModel)
     {
+        HttpContext.EndPasswordResetFlowSession();
+
         // Start a timed scope to ensure failed responses return is a consistent time
         var loginDuration = Math.Max(_loginDurationAverage ?? _securitySettings.UserDefaultFailedLoginDurationInMilliseconds, _securitySettings.UserMinimumFailedLoginDurationInMilliseconds);
         await using var timedScope = new TimedScope(loginDuration, HttpContext.RequestAborted);
@@ -490,6 +497,8 @@ public async Task<IActionResult> PostRequestPasswordReset(RequestPasswordResetMo
             return BadRequest();
         }
 
+        HttpContext.EndPasswordResetFlowSession();
+
         BackOfficeIdentityUser? identityUser = await _userManager.FindByEmailAsync(model.Email);
 
         await Task.Delay(RandomNumberGenerator.GetInt32(400, 2500)); // To randomize response time preventing user enumeration
@@ -646,6 +655,8 @@ public async Task<IActionResult> PostSend2FACode([FromBody] string provider)
     [AllowAnonymous]
     public async Task<IActionResult> PostSetPassword(SetPasswordModel model)
     {
+        HttpContext.EndPasswordResetFlowSession();
+
         BackOfficeIdentityUser? identityUser =
             await _userManager.FindByIdAsync(model.UserId.ToString(CultureInfo.InvariantCulture));
             if (identityUser is null)
diff --git a/src/Umbraco.Web.BackOffice/Controllers/BackOfficeController.cs b/src/Umbraco.Web.BackOffice/Controllers/BackOfficeController.cs
@@ -402,6 +402,11 @@ public async Task<IActionResult> ValidatePasswordResetCode([Bind(Prefix = "u")]
 
         var result = await _userManager.VerifyUserTokenAsync(user, "Default", "ResetPassword", resetCode);
 
+        if (result)
+        {
+            HttpContext.StartPasswordResetFlowSession(userId);
+        }
+
         return result ?
 
             // Redirect to login with userId and resetCode
diff --git a/src/Umbraco.Web.BackOffice/Extensions/HttpContextExtensions.cs b/src/Umbraco.Web.BackOffice/Extensions/HttpContextExtensions.cs
@@ -5,9 +5,20 @@ namespace Umbraco.Extensions;
 
 public static class HttpContextExtensions
 {
+    private const string PasswordResetFlowSessionKey = nameof(PasswordResetFlowSessionKey);
+
     public static void SetExternalLoginProviderErrors(this HttpContext httpContext, BackOfficeExternalLoginProviderErrors errors)
         => httpContext.Items[nameof(BackOfficeExternalLoginProviderErrors)] = errors;
 
     public static BackOfficeExternalLoginProviderErrors? GetExternalLoginProviderErrors(this HttpContext httpContext)
         => httpContext.Items[nameof(BackOfficeExternalLoginProviderErrors)] as BackOfficeExternalLoginProviderErrors;
+
+    internal static void StartPasswordResetFlowSession(this HttpContext httpContext, int userId)
+        => httpContext.Session.SetInt32(PasswordResetFlowSessionKey, userId);
+
+    internal static void EndPasswordResetFlowSession(this HttpContext httpContext)
+        => httpContext.Session.Remove(PasswordResetFlowSessionKey);
+
+    internal static bool HasActivePasswordResetFlowSession(this HttpContext httpContext, int userId)
+        => httpContext.Session.GetInt32(PasswordResetFlowSessionKey) == userId;
 }
