I have a very strange problem. Everything worked in the previous version of .NET Core, but now in .NET Core 3.1 it doesn't.
The thing is, after a user registers an account, I send him an activation e-mail with an activation code created like this:
var activationCode = await userMan.GenerateEmailConfirmationTokenAsync(su);
Next I generate an HTTP URL which is formed like this:
http://localhost/api/users/activate?userId=1234&code=abc+860/def==
Now, note that userId is a valid GUID and my activation code is just an example, because I actually get a longer code. But what's important about this code: it has plus signs (+), slashes, and ends with a double equals sign.
Now I get the e-mail with a valid user GUID and a still VALID activation code. But when I click this link and my UsersController starts, something bad happens. This is my activation method in UsersController (part of the code):
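using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

[Route("api/[controller]")]
[ApiController]
public class UsersController : ControllerBase
{
    // Activation endpoint reached from the link in the e-mail.
    [HttpGet("activate")]
    [AllowAnonymous]
    public async Task<IActionResult> ActivateAccount([FromQuery] Guid userId, [FromQuery] string code)
    {
        // Reject an empty code (the beginning of this condition is missing from the post).
        if (string.IsNullOrWhiteSpace(code))
            return BadRequest();
        // ... rest of the method is not shown in the post
    }
}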
And the strange thing is that the code parameter is invalid here. The value is just without plus signs; instead it has spaces. What's wrong?
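Added example, not part of the original post: a small console program that reproduces the symptom with the post's sample code value and shows two encodings that survive the round trip. It assumes a reference to Microsoft.AspNetCore.WebUtilities (part of the ASP.NET Core shared framework); the class name, the helper ReadCode and the base URL are constructed for the illustration, and QueryHelpers.ParseQuery stands in for the query parsing done before model binding.

```csharp
using System;
using System.Text;
using Microsoft.AspNetCore.WebUtilities;

public static class ActivationLinkDemo
{
    // Constructed stand-in for the value returned by GenerateEmailConfirmationTokenAsync.
    private const string Token = "abc+860/def==";

    // Constructed base URL following the link format shown in the post.
    private const string BaseUrl = "http://localhost/api/users/activate?userId=1234&code=";

    // Reads "code" back using form-style query decoding, in which '+' means a space.
    private static string ReadCode(string url) =>
        QueryHelpers.ParseQuery(new Uri(url).Query)["code"].ToString();

    private static void Report(string label, string received) =>
        Console.WriteLine($"{label,-12} received='{received}' intact={received == Token}");

    public static void Main()
    {
        // 1. Raw concatenation: the '+' is sent literally and decoded as a space.
        Report("raw", ReadCode(BaseUrl + Token));

        // 2. Percent-encode the token before appending it to the query string,
        //    so '+', '/' and '=' travel as %2B, %2F and %3D.
        Report("escaped", ReadCode(BaseUrl + Uri.EscapeDataString(Token)));

        // 3. Wrap the token in base64url, whose alphabet has no '+', '/' or '=',
        //    and unwrap it on the receiving side before validating it.
        string wrapped = WebEncoders.Base64UrlEncode(Encoding.UTF8.GetBytes(Token));
        string received = ReadCode(BaseUrl + wrapped);
        string unwrapped = Encoding.UTF8.GetString(WebEncoders.Base64UrlDecode(received));
        Report("base64url", unwrapped);
    }
}
```

With the third approach the controller has to decode the value with WebEncoders.Base64UrlDecode before passing it to the token check.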