Generate Token API access

Good morning,

I will send a link through my system for the client to have access; up to that point everything is OK. However, I wanted to send a token along with the link to validate it, and when the client accesses the page, it validates the token: if everything is right, he gets access, otherwise it informs him that he has no access.

Like I do when I reset the password, for which I use `Identity`:

    var token = await _userManager.GeneratePasswordResetTokenAsync(user);
    var encodedToken = HttpUtility.UrlEncode(token);

And then I use the code:

    var decodedToken = HttpUtility.UrlDecode(model.Token);

What would be the best way to do this, so as not to have security loopholes in the system? That's my biggest concern.

1 answer

Use some symmetric encryption that only your application can decrypt.

Generate an access link by passing the information you want as parameters.

    // Something that lets you identify the user
    int idUsuario;

    // Date until which the link is valid
    DateTime LinkExpirado;

    // URL of your site
    string UrlAplicacao;

    // Link you will send to the client to access
    // (MetodoCriptografia is your own encryption helper; it must accept both the id and the date)
    string UrlEnviarCliente = $"{UrlAplicacao}/usuarios/{MetodoCriptografia(idUsuario)}/{MetodoCriptografia(LinkExpirado)}";

Now just create a controller for access.

    [Route("usuarios/{identificador}/{LinkExpirado}")]
    [AllowAnonymous]
    public async Task<IActionResult> ValidaAcessoUsuario(string identificador, string LinkExpirado)
    {
        // MetodoDescriptografa is your own decryption helper, the inverse of MetodoCriptografia
        string idUsuario = MetodoDescriptografa(identificador);
        string dataExpirado = MetodoDescriptografa(LinkExpirado);

        // Validations go here (user exists, link not yet expired); then return the client's page
        return View();
    }

Now you make the necessary validations, checking whether it is a valid user, whether the date has not yet expired, etc.

Regarding security, you can pass more information as parameters and ensure a strong key for your encryption; I do not see much more that can be done.
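As an added example (not code from the question or the answer above), here is one way to build the same user-id-plus-expiry link so that the two values cannot be altered or swapped: instead of encrypting each part separately, both are sent in clear and bound together with an HMAC-SHA256 tag that is verified in constant time before anything in the link is trusted. It assumes .NET 6 or later; `LinkToken`, `LINK_TOKEN_KEY` and the token layout are this example's own choices.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class LinkToken
{
    // Constructed placeholder: load the 32-byte key from configuration or a secret store.
    // If the variable is missing, a per-process random key is used (tokens then only
    // validate within this process, which is enough for trying the example).
    private static readonly byte[] Key =
        Convert.FromBase64String(Environment.GetEnvironmentVariable("LINK_TOKEN_KEY")
            ?? Convert.ToBase64String(RandomNumberGenerator.GetBytes(32)));

    // Builds "userId.expiresUnix.tag" with tag = HMAC-SHA256(Key, "userId.expiresUnix").
    // The result is URL-safe, so it can be used as a single route segment.
    public static string Create(int userId, TimeSpan lifetime)
    {
        long expires = DateTimeOffset.UtcNow.Add(lifetime).ToUnixTimeSeconds();
        string payload = $"{userId}.{expires}";
        string tag = Base64Url(HMACSHA256.HashData(Key, Encoding.UTF8.GetBytes(payload)));
        return $"{payload}.{tag}";
    }

    // Returns the user id when the tag is valid and the link has not expired, otherwise null.
    public static int? Validate(string token)
    {
        string[] parts = token.Split('.');
        if (parts.Length != 3 || !int.TryParse(parts[0], out int userId)
            || !long.TryParse(parts[1], out long expires))
            return null;

        byte[] expected = HMACSHA256.HashData(Key, Encoding.UTF8.GetBytes($"{parts[0]}.{parts[1]}"));
        byte[] given;
        try { given = FromBase64Url(parts[2]); } catch (FormatException) { return null; }

        // Constant-time comparison; the tag is checked before the payload is believed.
        if (!CryptographicOperations.FixedTimeEquals(expected, given)) return null;
        if (DateTimeOffset.UtcNow.ToUnixTimeSeconds() > expires) return null;
        return userId;
    }

    private static string Base64Url(byte[] data) =>
        Convert.ToBase64String(data).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    private static byte[] FromBase64Url(string s)
    {
        string b64 = s.Replace('-', '+').Replace('_', '/');
        return Convert.FromBase64String(b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '='));
    }
}
```

In the controller, `LinkToken.Validate(identificador)` returning `null` means "no access"; note that this scheme protects integrity and expiry but does not hide the user id, so use it only where the id itself is not sensitive.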
