Merge commit from fork

kjac · web-flow · commit d8f68d2c40f8 · 2025-06-24T08:39:17.000+02:00
diff --git a/src/Umbraco.Web.BackOffice/Controllers/AuthenticationController.cs b/src/Umbraco.Web.BackOffice/Controllers/AuthenticationController.cs
@@ -132,12 +132,17 @@ public AuthenticationController(
         AuthorizationPolicies.BackOfficeAccess)] // Needed to enforce the principle set on the request, if one exists.
     public IDictionary<string, object> GetPasswordConfig(int userId)
     {
+        if (HttpContext.HasActivePasswordResetFlowSession(userId))
+        {
+            return _passwordConfiguration.GetConfiguration();
+        }
+
         Attempt<int> currentUserId =
             _backofficeSecurityAccessor.BackOfficeSecurity?.GetUserId() ?? Attempt<int>.Fail();
-        return _passwordConfiguration.GetConfiguration(
-            currentUserId.Success
-                ? currentUserId.Result != userId
-                : true);
+
+        return currentUserId.Success
+            ? _passwordConfiguration.GetConfiguration(currentUserId.Result != userId)
+            : new Dictionary<string, object>();
     }
 
     /// <summary>
@@ -345,6 +350,8 @@ public async Task<bool> IsAuthenticated()
     [Authorize(Policy = AuthorizationPolicies.DenyLocalLoginIfConfigured)]
     public async Task<ActionResult<UserDetail?>> PostLogin(LoginModel loginModel)
     {
+        HttpContext.EndPasswordResetFlowSession();
+
         // Start a timed scope to ensure failed responses return is a consistent time
         await using var timedScope = new TimedScope(GetLoginDuration(), CancellationToken.None);
 
@@ -440,6 +447,8 @@ public async Task<IActionResult> PostRequestPasswordReset(RequestPasswordResetMo
             return BadRequest();
         }
 
+        HttpContext.EndPasswordResetFlowSession();
+
         BackOfficeIdentityUser? identityUser = await _userManager.FindByEmailAsync(model.Email);
 
         await Task.Delay(RandomNumberGenerator.GetInt32(400, 2500)); // To randomize response time preventing user enumeration
@@ -593,6 +602,8 @@ public async Task<IActionResult> PostSend2FACode([FromBody] string provider)
     [AllowAnonymous]
     public async Task<IActionResult> PostSetPassword(SetPasswordModel model)
     {
+        HttpContext.EndPasswordResetFlowSession();
+
         BackOfficeIdentityUser? identityUser =
             await _userManager.FindByIdAsync(model.UserId.ToString(CultureInfo.InvariantCulture));
 
diff --git a/src/Umbraco.Web.BackOffice/Controllers/BackOfficeController.cs b/src/Umbraco.Web.BackOffice/Controllers/BackOfficeController.cs
@@ -370,6 +370,8 @@ public async Task<IActionResult> ValidatePasswordResetCode([Bind(Prefix = "u")]
             var result = await _userManager.VerifyUserTokenAsync(user, "Default", "ResetPassword", resetCode);
             if (result)
             {
+                HttpContext.StartPasswordResetFlowSession(userId);
+
                 //Add a flag and redirect for it to be displayed
                 TempData[ViewDataExtensions.TokenPasswordResetCode] =
                     _jsonSerializer.Serialize(
diff --git a/src/Umbraco.Web.BackOffice/Extensions/HttpContextExtensions.cs b/src/Umbraco.Web.BackOffice/Extensions/HttpContextExtensions.cs
@@ -5,9 +5,20 @@ namespace Umbraco.Extensions;
 
 public static class HttpContextExtensions
 {
+    private const string PasswordResetFlowSessionKey = nameof(PasswordResetFlowSessionKey);
+
     public static void SetExternalLoginProviderErrors(this HttpContext httpContext, BackOfficeExternalLoginProviderErrors errors)
         => httpContext.Items[nameof(BackOfficeExternalLoginProviderErrors)] = errors;
 
     public static BackOfficeExternalLoginProviderErrors? GetExternalLoginProviderErrors(this HttpContext httpContext)
         => httpContext.Items[nameof(BackOfficeExternalLoginProviderErrors)] as BackOfficeExternalLoginProviderErrors;
+
+    internal static void StartPasswordResetFlowSession(this HttpContext httpContext, int userId)
+        => httpContext.Session.SetInt32(PasswordResetFlowSessionKey, userId);
+
+    internal static void EndPasswordResetFlowSession(this HttpContext httpContext)
+        => httpContext.Session.Remove(PasswordResetFlowSessionKey);
+
+    internal static bool HasActivePasswordResetFlowSession(this HttpContext httpContext, int userId)
+        => httpContext.Session.GetInt32(PasswordResetFlowSessionKey) == userId;
 }

Original file line number	Diff line number	Diff line change
`@@ -370,6 +370,8 @@ public async Task<IActionResult> ValidatePasswordResetCode([Bind(Prefix = "u")]`
`370`	`370`	`var result = await _userManager.VerifyUserTokenAsync(user, "Default", "ResetPassword", resetCode);`
`371`	`371`	`if (result)`
`372`	`372`	`{`
	`373`	`+ HttpContext.StartPasswordResetFlowSession(userId);`
	`374`	`+`
`373`	`375`	`//Add a flag and redirect for it to be displayed`
`374`	`376`	`TempData[ViewDataExtensions.TokenPasswordResetCode] =`
`375`	`377`	`_jsonSerializer.Serialize(`