Account activation and password reset tokens

Question

I've been working with VirtoCommerce 1.13 and I want registered users to get an email in order to confirm their account. To do so, I've activated the correct property and the email does get sent and everything, although the token part of the URL wasn't formatted properly. I solved this by using HttpUtility.Encode and .Decode so I can both send the right token and decode it properly when a new user visits that link. So far everything works for new users except most of the time, users trying to recover their password will get hit with "Password reset failed. Either invalid or expired token. Please try to reset _password again". The token is encoded/decoded in the same way as in the registry process. Sometimes it does work and I have no idea why or how to replicate it. Any hints? Thank you.

EDIT: Upon further debugging, ResetPasswordWithTokenAsync returns false due to "Invalid token." error but the token itself doesn't show any signs of not being valid.

Answer 1

I have found the error, when using the decode function for the token upon the password reset, the token wound up getting decoded twice, which means it went from the URL encoded format, to text, to text again but with small changes, one of them being '+'s being converted into white-spaces which meant the tokens wouldn't match up.

EDIT: after changing this behaviour, the token wound up getting encoded twice and decoded only once, which means reverting the decode I put in there made it a bit worse. In order to fix this, Apparently the token for the password recovery doesn't need to be encoded or decoded like in the registration process.