Reset password implementation

.gitignore

@@ -166,3 +166,4 @@ pip-log.txt
 */Logs/
 *.log
 *.log.*
+Notes/papercut/*.eml

Notes/papercut/Papercut.exe.config

@@ -0,0 +1,50 @@
+<configuration>
+
+	<configSections>
+		<section name="log4net" type="System.Configuration.IgnoreSectionHandler" />
+		<sectionGroup name="userSettings" type="System.Configuration.UserSettingsGroup, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" >
+			<section name="Papercut.Properties.Settings" type="System.Configuration.ClientSettingsSection, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" allowExeDefinition="MachineToLocalUser" requirePermission="false" />
+		</sectionGroup>
+	</configSections>
+
+	<log4net>
+		<appender name="RollingFileAppender" type="log4net.Appender.RollingFileAppender">
+			<file value="smtp.log" />
+			<appendToFile value="true" />
+			<rollingStyle value="Size" />
+			<maxSizeRollBackups value="0" />
+			<maximumFileSize value="50KB" />
+			<staticLogFileName value="true" />
+			<layout type="log4net.Layout.PatternLayout">
+				<conversionPattern value="%date [%thread] %-5level %message%newline" />
+			</layout>
+		</appender>
+		<root>
+			<level value="ALL" />
+			<appender-ref ref="RollingFileAppender" />
+		</root>
+	</log4net>
+
+	<userSettings>
+		<Papercut.Properties.Settings>
+   <setting name="IP" serializeAs="String">
+    <value>Any</value>
+   </setting>
+   <setting name="Port" serializeAs="String">
+    <value>25</value>
+   </setting>
+   <setting name="StartMinimized" serializeAs="String">
+    <value>False</value>
+   </setting>
+   <setting name="ForwardServer" serializeAs="String">
+    <value />
+   </setting>
+   <setting name="ForwardFrom" serializeAs="String">
+    <value />
+   </setting>
+   <setting name="ForwardTo" serializeAs="String">
+    <value />
+   </setting>
+  </Papercut.Properties.Settings>
+	</userSettings>
+</configuration>

Web/Content/Account.Login.css

@@ -38,6 +38,10 @@ h2 {
     margin-bottom: 20px;
 }
 
+.rememberMe label.checkbox {
+    padding-left: 10px;
+}
+
 legend {
     border-bottom: 0;
     margin-bottom: 0;

Web/Controllers/AccountController.cs

@@ -2,6 +2,8 @@
 using System.Web.Mvc;
 using System.Web.Security;
 using MileageTraker.Web.DAL;
+using MileageTraker.Web.Email;
+using MileageTraker.Web.Utility;
 using MileageTraker.Web.ViewModels.Account;
 
 namespace MileageTraker.Web.Controllers
@@ -10,10 +12,10 @@ namespace MileageTraker.Web.Controllers
     public class AccountController : ControllerBase
     {
 		[AllowAnonymous]
-		public ActionResult Login(string returnUrl)
+		public ActionResult Login(string returnUrl, string username)
 		{
 			ViewBag.ReturnUrl = returnUrl;
-			return View();
+			return View(new LoginViewModel{Username = username});
 		}
 
 		[HttpPost]
@@ -40,7 +42,12 @@ namespace MileageTraker.Web.Controllers
 				}
 				catch (UserLockedOutException)
 				{
-					ModelState.AddModelError("", "Too many failed password attempts for " + model.Username + ". Account is locked.");
+					ModelState.AddModelError("",
+						"Too many failed password attempts for " + 
+						model.Username + ". Account is locked. " +
+						@"Use 'Forgot Password' or contact " +
+						"administrator to unlock."
+						);
 				}
 			}
 
@@ -58,37 +65,7 @@ namespace MileageTraker.Web.Controllers
 
 			return RedirectToAction("Index", "CreateLog");
 		}
-
-		//[AllowAnonymous]
-		//public ActionResult Register()
-		//{
-		//	return View();
-		//}
-
-		//[HttpPost]
-		//[AllowAnonymous]
-		//[ValidateAntiForgeryToken]
-		//public ActionResult Register(RegisterModel model)
-		//{
-		//	if (ModelState.IsValid)
-		//	{
-		//		// Attempt to register the user
-		//		try
-		//		{
-		//			WebSecurity.CreateUserAndAccount(model.UserName, model.Password);
-		//			WebSecurity.Login(model.UserName, model.Password);
-		//			return RedirectToAction("Login");
-		//		}
-		//		catch (MembershipCreateUserException e)
-		//		{
-		//			ModelState.AddModelError("", ErrorCodeToString(e.StatusCode));
-		//		}
-		//	}
-
-		//	// If we got this far, something failed, redisplay form
-		//	return View(model);
-		//}
-
+		
 		public ActionResult Manage(ManageMessageId? message)
 		{
 			ViewBag.StatusMessage =
@@ -130,7 +107,7 @@ namespace MileageTraker.Web.Controllers
 			// If we got this far, something failed, redisplay form
 			return View(model);
 		}
-
+		
 		private ActionResult RedirectToLocal(string returnUrl)
 		{
 			if (Url.IsLocalUrl(returnUrl))
@@ -145,5 +122,98 @@ namespace MileageTraker.Web.Controllers
 			ChangePasswordSuccess,
 			SetPasswordSuccess,
 		}
+
+		#region Reset Password
+
+		/// <summary>
+		/// View the Reset Password form
+		/// </summary>
+		[AllowAnonymous]
+		[AcceptVerbs(HttpVerbs.Get)]
+		public ViewResult ResetPassword(string username)
+		{
+			return View(new ResetPasswordViewModel{Username = username});
+		}
+
+		/// <summary>
+		/// Begins the Reset Password process
+		/// </summary>
+		[AllowAnonymous]
+		[AcceptVerbs(HttpVerbs.Post)]
+		[ValidateAntiForgeryToken]
+		public ActionResult ResetPassword(ResetPasswordViewModel viewModel)
+		{
+			var user = DataService.FindUserByUsername(viewModel.Username);
+			if (user != null && Request.Url != null)
+			{
+				var passwordResetToken = Algorithms.GenerateToken();
+				var url = Request.Url.Scheme + 
+					@"://" +
+					Request.Url.Authority +
+					Url.Action("NewPassword", "Account",
+						new NewPasswordViewModel
+						{
+							UserId = user.UserId,
+							PasswordResetToken = passwordResetToken
+						});
+				user.PasswordResetToken = passwordResetToken;
+				DataService.UpdateUser(user);
+				var email = new EmailNotificationService();
+				email.NotifyResetPassword(user,url);
+			}
+
+			TempData["StatusMessage"] = "Please check your email - we have sent a request for you to reset the password.";
+			// even when if not successful, let the user think they're getting a cookie
+			return RedirectToAction("Login");
+		}
+
+		/// <summary>
+		/// Action users are sent to when they reset their password.
+		/// </summary>
+		[AllowAnonymous]
+		[AcceptVerbs(HttpVerbs.Get)]
+		public ActionResult NewPassword(Guid userId, string passwordResetToken)
+		{
+			var user = DataService.GetUser(userId);
+			if (user != null && user.PasswordResetToken == passwordResetToken)
+			{
+				var newPasswordViewModel
+					= new NewPasswordViewModel
+					{
+						UserId = user.UserId,
+						Username = user.Username,
+						PasswordResetToken = passwordResetToken
+					};
+				return View(newPasswordViewModel);
+			}
+
+			return HttpNotFound();
+		}
+
+		/// <summary>
+		/// Set a new password.
+		/// </summary>
+		/// <param name="viewModel">The view model.</param>
+		[AllowAnonymous]
+		[AcceptVerbs(HttpVerbs.Post)]
+		[ValidateAntiForgeryToken]
+		public ActionResult NewPassword(NewPasswordViewModel viewModel)
+		{
+			if (ModelState.IsValid)
+			{
+				var user = DataService.GetUser(viewModel.UserId);
+				if (user != null && user.PasswordResetToken == viewModel.PasswordResetToken)
+				{
+					DataService.UpdateUserPassword(viewModel.UserId, viewModel.NewPassword);
+					TempData["StatusMessage"] = "Password set for " + viewModel.Username;
+					return RedirectToAction("Login", new {username = viewModel.Username});
+				}
+			}
+
+			// If we got this far, something failed, redisplay form
+			return View(viewModel);
+		}
+
+		#endregion
     }
 }

Web/Controllers/UserController.cs

@@ -132,9 +132,8 @@ namespace MileageTraker.Web.Controllers
 		{
 			var user = Membership.GetUser(id);
 			if (user == null)
-			{
 				return HttpNotFound();
-			}
+
 			var viewModel = new SetPasswordViewModel {UserId = id, Username = user.UserName};
 			return View(viewModel);
 		}
@@ -144,16 +143,9 @@ namespace MileageTraker.Web.Controllers
 		{
 			if (ModelState.IsValid)
 			{
-				try
-				{
-					DataService.UpdateUserPassword(viewModel.UserId, viewModel.NewPassword);
-					TempData["StatusMessage"] = "Password set for " + viewModel.Username;
-					return RedirectToAction("Details", new { id = viewModel.UserId});
-				}
-				catch (Exception)
-				{
-					ModelState.AddModelError("", "The new password is invalid.");
-				}
+				DataService.UpdateUserPassword(viewModel.UserId, viewModel.NewPassword);
+				TempData["StatusMessage"] = "Password set for " + viewModel.Username;
+				return RedirectToAction("Details", new { id = viewModel.UserId});
 			}
 
 			// If we got this far, something failed, redisplay form

Web/DAL/DataService.cs

@@ -477,6 +477,7 @@ namespace MileageTraker.Web.DAL
 			user.LastPasswordChangedDate = DateTime.Now;
 			user.IsLockedOut = false;
 			user.PasswordFailuresSinceLastSuccess = 0;
+			user.PasswordResetToken = null;
 			UpdateUser(user);
 		}
 

Web/Email/EmailNotification.cs

@@ -0,0 +1,45 @@
+using System.Configuration;
+using System.Net.Mail;
+using MileageTraker.Web.Models;
+using log4net;
+
+namespace MileageTraker.Web.Email
+{
+	/// <summary>
+	/// Email Notification
+	/// </summary>
+	public class EmailNotificationService
+	{
+		//private static readonly ILog _logger = LogManager.GetLogger(MethodBase.GetCurrentMethod().DeclaringType);
+
+		private readonly string _resetPasswordBody;
+		private readonly string _resetPasswordFromAddress;
+		private readonly string _resetPasswordSubject;
+		
+		private readonly SmtpClient _smtpClient;
+
+		/// <summary>
+		/// Initializes a new instance of the <see cref="T:System.Object"/> class.
+		/// </summary>
+		/// <param name="smtpClient">The SMTP client.</param>
+		public EmailNotificationService()
+		{
+			_smtpClient = new SmtpClient();
+
+			_resetPasswordBody = ConfigurationManager.AppSettings["ResetPasswordBody"];
+			_resetPasswordFromAddress = ConfigurationManager.AppSettings["ResetPasswordFromAddress"];
+			_resetPasswordSubject = ConfigurationManager.AppSettings["ResetPasswordSubject"];
+		}
+
+		/// <summary>
+		/// Sends the reset password email.
+		/// </summary>
+		/// <param name="user">To this user.</param>
+		/// <param name="url">Reset url</param>
+		public void NotifyResetPassword(User user, string url)
+		{
+			var body = string.Format(_resetPasswordBody, url);
+			_smtpClient.Send(new MailMessage(_resetPasswordFromAddress, user.Email, _resetPasswordSubject, body));
+		}
+	}
+}

Web/ViewModels/Account/NewPasswordViewModel.cs

@@ -0,0 +1,32 @@
+using System;
+using System.ComponentModel.DataAnnotations;
+using System.Web.Mvc;
+
+namespace MileageTraker.Web.ViewModels.Account
+{
+	/// <summary>
+	/// ViewModel for Verifying a Reset Password
+	/// </summary>
+	public class NewPasswordViewModel
+	{
+		[HiddenInput]
+		public Guid UserId { get; set; }
+
+		[HiddenInput]
+		public string PasswordResetToken { get; set; }
+
+		[HiddenInput]
+		public string Username { get; set; }
+
+		[Required]
+		[StringLength(100, ErrorMessage = "The {0} must be at least {2} characters long.", MinimumLength = 6)]
+		[DataType(DataType.Password)]
+		[Display(Name = "New password")]
+		public string NewPassword { get; set; }
+
+		[DataType(DataType.Password)]
+		[Display(Name = "Confirm new password")]
+		[Compare("NewPassword", ErrorMessage = "The new password and confirmation password do not match.")]
+		public string ConfirmPassword { get; set; }
+	}
+}

Web/ViewModels/Account/ResetPasswordViewModel.cs

@@ -0,0 +1,11 @@
+using System.ComponentModel.DataAnnotations;
+
+namespace MileageTraker.Web.ViewModels.Account
+{
+	public class ResetPasswordViewModel
+	{
+		[Required]
+		[RegularExpression("[^@]*", ErrorMessage = "Enter just your username, not your email")]
+		public string Username { get; set; }
+	}
+}

Web/Views/Account/Login.cshtml

@@ -24,5 +24,6 @@
         <legend></legend>
         @Html.EditorForModel()
         <input type="submit" value="Log in" class="btn btn-primary" />
+        @Html.ActionLink("Forgot Password?", "ResetPassword", new { Model.Username }, new { @class = "pull-right" })
     </fieldset>
 }

Web/Views/Account/NewPassword.cshtml

@@ -0,0 +1,28 @@
+@model MileageTraker.Web.ViewModels.Account.NewPasswordViewModel
+
+@{
+    ViewBag.Title = "New Password";
+    Layout = "~/Views/Shared/_Layout.login.cshtml";
+}
+
+@section Styles
+{
+    <link href="@Url.Content("~/Content/Account.Login.css")" rel="stylesheet" type="text/css" />
+}
+
+@using (Html.BeginForm("NewPassword", "Account", FormMethod.Post, new {@class = "form-login"})) {
+
+    <div class="header"></div>
+    
+    <h2>@ViewBag.Title</h2>
+    
+    @Html.AntiForgeryToken()
+    @Html.Partial("_ValidationSummary")
+
+    <fieldset>
+        <legend></legend>
+        @Html.EditorForModel()
+        <input type="submit" value="Set Password" class="btn btn-primary" />
+    </fieldset>
+}
+

Web/Views/Account/ResetPassword.cshtml

@@ -0,0 +1,34 @@
+@model MileageTraker.Web.ViewModels.Account.ResetPasswordViewModel
+
+@{
+    ViewBag.Title = "Forgot password?";
+    Layout = "~/Views/Shared/_Layout.login.cshtml";
+}
+@section Styles
+{
+    <link href="@Url.Content("~/Content/Account.Login.css")" rel="stylesheet" type="text/css" />
+}
+
+@using (Html.BeginForm("ResetPassword", "Account", FormMethod.Post, new {@class = "form-login"})) {
+
+    @Html.Partial("_StatusMessage")
+        
+    <div class="header"></div>
+    
+    <h2>@ViewBag.Title</h2>
+    
+    <p>Enter your username to 
+        begin resetting your password. An email will
+        be sent to you with instructions for completing the process.
+    </p>
+
+    @Html.AntiForgeryToken()
+    @Html.Partial("_ValidationSummary")
+
+    <fieldset>
+        <legend></legend>
+        @Html.EditorForModel()
+        <input type="submit" value="Submit" class="btn btn-primary" />
+        @Html.ActionLink("Login", "Login", new { Model.Username }, new { @class = "pull-right" })
+    </fieldset>
+}

Web/Web.Release.config

@@ -33,4 +33,11 @@
       <file xdt:Transform="SetAttributes" value="..\Logs\MileageTraker.log" />
     </appender>
   </log4net>
+  <system.net>
+    <mailSettings>
+      <smtp>
+        <network xdt:Transform="SetAttributes" host="Exchange2010.ethra.org" />
+      </smtp>
+    </mailSettings>
+  </system.net>
 </configuration>

Web/Web.config

@@ -13,7 +13,17 @@
     <add key="ClientValidationEnabled" value="true" />
     <add key="UnobtrusiveJavaScriptEnabled" value="true" />
     <add key="enableSimpleMembership" value="false" />
+    <add key="ResetPasswordBody" value="Please open this link to set a new password: {0}" />
+    <add key="ResetPasswordFromAddress" value="Mileage Traker &lt;noreply@ethra.org&gt;" />
+    <add key="ResetPasswordSubject" value="New Password Request" />
   </appSettings>
+  <system.net>
+    <mailSettings>
+      <smtp deliveryMethod="Network" from="Mileage Traker &lt;roreply@ethra.org&gt;">
+        <network host="localhost" />
+      </smtp>
+    </mailSettings>
+  </system.net>
   <system.web>
     <customErrors mode="RemoteOnly" />
     <compilation debug="true" targetFramework="4.0">

Web/Web.csproj

@@ -126,6 +126,7 @@
     <Compile Include="DAL\CodeFirstRoleProvider.cs" />
     <Compile Include="DAL\UserAccountDisabledException.cs" />
     <Compile Include="DAL\UserLockedOutException.cs" />
+    <Compile Include="Email\EmailNotification.cs" />
     <Compile Include="Migrations\201204181847082_InitialMigration.cs" />
     <Compile Include="Migrations\201204181847082_InitialMigration.Designer.cs">
       <DependentUpon>201204181847082_InitialMigration.cs</DependentUpon>
@@ -139,11 +140,13 @@
       <DependentUpon>201212261822498_AddMembership.cs</DependentUpon>
     </Compile>
     <Compile Include="Migrations\Configuration.cs" />
+    <Compile Include="ViewModels\Account\ResetPasswordViewModel.cs" />
     <Compile Include="Models\Role.cs" />
     <Compile Include="Models\User.cs" />
     <Compile Include="Utility\Crypto.cs" />
     <Compile Include="ViewModels\Account\ChangePasswordViewModel.cs" />
     <Compile Include="ViewModels\Account\LoginViewModel.cs" />
+    <Compile Include="ViewModels\Account\NewPasswordViewModel.cs" />
     <Compile Include="ViewModels\Account\RegisterModel.cs" />
     <Compile Include="ViewModels\EmployeeMileageItem.cs" />
     <Compile Include="ViewModels\EmployeeMileageViewModel.cs" />
@@ -280,6 +283,8 @@
     <Content Include="Views\User\SetPassword.cshtml" />
     <Content Include="Views\Shared\_StatusMessage.cshtml" />
     <Content Include="Views\User\_UserStatusLabels.cshtml" />
+    <Content Include="Views\Account\ResetPassword.cshtml" />
+    <Content Include="Views\Account\NewPassword.cshtml" />
   </ItemGroup>
   <ItemGroup>
     <Content Include="packages.config">