aspnet / Templates

This repo is OBSOLETE - please see the README file for information


AccountController ForgotPassword should check the UserId before ResetPassword

HaoK opened this issue

Moved from: dotnet/aspnetcore#1911 (comment)

Today we are passing in the userId from ForgotPassword: https://github.com/aspnet/Templates/blob/dev/src/Rules/StarterWeb/IndividualAuth/Controllers/AccountController.cs#L282

But not using it when we reset: https://github.com/aspnet/Templates/blob/dev/src/Rules/StarterWeb/IndividualAuth/Controllers/AccountController.cs#L321

We should check that the User with userId matches the user that is retrieved via FindByEmail as well.

cc @blowdart

This issue was moved to aspnet/Templating#96