This was initially observed by new users (who were set up with no phone number) going to the "Personal info" tab of the "/Account/Manage" page, clicking "Verify" (on their email) and then clicking "Submit" (without having made any changes). The submit changes the user's phone number from NULL to an empty string, which creates a "ChangePhoneNumber" security log and updates the security stamp; this results in the verification email that was just sent being immediately invalid.
- ABP Framework version: v7.3.2
- UI Type: MVC
- Database System: EF Core (SQL Server)
- Tiered (for MVC) or Auth Server Separated (for Angular): yes
- Exception message and full stack trace:
- Steps to reproduce the issue:
  - Create new user (without phone number)
  - Log in as new user
  - Go to "My account" ("/Account/Manage")
  - Go to "Personal info" tab
  - Click "Verify" (for email)
  - Click "Submit"
  - Click link in verification email - results in "Invalid token"
I believe this is caused by how the form is submitted by serializing the form which results in the null phone number becoming an empty string.
I have resolved this with the following change:

```csharp
using System.Threading.Tasks;
using Volo.Abp.Account;
using Volo.Abp.DependencyInjection;
using Volo.Abp.Users;

[Dependency(ReplaceServices = true)]
public class CustomProfileAppService : ProfileAppService
{
    // Constructor omitted for brevity

    public override async Task<ProfileDto> UpdateAsync(UpdateProfileDto input)
    {
        // The serialized form turns a NULL phone number into "". If the user has no
        // phone number stored, pass the stored value through unchanged so the base
        // service does not treat "" as a phone number change (which rotates the
        // security stamp and invalidates outstanding verification tokens).
        if (string.IsNullOrEmpty(input.PhoneNumber))
        {
            var user = await UserManager.GetByIdAsync(CurrentUser.GetId());
            if (string.IsNullOrEmpty(user.PhoneNumber))
            {
                input.PhoneNumber = user.PhoneNumber;
            }
        }

        return await base.UpdateAsync(input);
    }
}
```
We are immediately providing user training to ensure this does not occur whilst we release this change, as this has been reported multiple times. However, whilst what they are doing is unnecessary, I do not think it is unreasonable that they would not expect the steps they are taking to invalidate their verification token.
I have noticed that on submitting the "/Identity/Users/EditModal" the security stamp is changed every time, which leads me to believe that it is being updated unnecessarily beyond the scenario that our users have encountered.
Additionally, it would be nice to have some visibility of when and why the security stamp changes in the security logs. The ChangePhoneNumber log is already present, and was key to us being able to diagnose what had happened here, but other changes (such as roles/permissions) which I believe to be valid reasons for the security stamp to change are not present in the security logs. It would also be nice to have a security log for when the security stamp has changed (even if this were always inferable from the other logs).
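The following is an added example, not code from the issue author or from the ABP project, that extends the override above in two ways: it treats null, empty and whitespace-only phone numbers as "unchanged" (so the empty string produced by form serialization never reaches `SetPhoneNumberAsync` and never rotates the security stamp), and it writes an explicit security log entry whenever the stamp does change, which is the visibility the issue asks for. The `ProfileAppService` base constructor signature, the `IdentitySecurityLogManager`/`IdentitySecurityLogContext`/`IdentitySecurityLogIdentityConsts` types, and the `SecurityStampChanged` action name are assumptions for this example and should be checked against the ABP version in use.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.Options;
using Volo.Abp.Account;
using Volo.Abp.DependencyInjection;
using Volo.Abp.Identity;
using Volo.Abp.Users;

// Added example (not ABP's or the issue author's code).
[Dependency(ReplaceServices = true)]
[ExposeServices(typeof(ProfileAppService), typeof(IProfileAppService))]
public class SafeProfileAppService : ProfileAppService
{
    private readonly IdentitySecurityLogManager _securityLogManager;

    // Assumption: this is the base constructor signature of ProfileAppService in the
    // ABP version in use; adjust if the framework's constructor differs.
    public SafeProfileAppService(
        IdentityUserManager userManager,
        IOptions<IdentityOptions> identityOptions,
        IdentitySecurityLogManager securityLogManager)
        : base(userManager, identityOptions, securityLogManager)
    {
        _securityLogManager = securityLogManager;
    }

    // Pure rule, kept static so it can be unit-tested without ABP infrastructure:
    // a blank submitted value (null, "" or whitespace) means "no change", so the
    // stored value is returned and the base service sees equal values. A real
    // value is trimmed so trailing whitespace from the form is not treated as a change.
    public static string ResolvePhoneNumber(string submitted, string stored)
    {
        if (string.IsNullOrWhiteSpace(submitted))
        {
            return stored;
        }
        return submitted.Trim();
    }

    public override async Task<ProfileDto> UpdateAsync(UpdateProfileDto input)
    {
        var user = await UserManager.GetByIdAsync(CurrentUser.GetId());
        var stampBefore = user.SecurityStamp;

        input.PhoneNumber = ResolvePhoneNumber(input.PhoneNumber, user.PhoneNumber);

        var result = await base.UpdateAsync(input);

        // Re-read the user and record a dedicated security log entry if the stamp
        // rotated, so the event is visible directly rather than only inferable
        // from other entries such as ChangePhoneNumber.
        var updated = await UserManager.GetByIdAsync(CurrentUser.GetId());
        if (updated.SecurityStamp != stampBefore)
        {
            await _securityLogManager.SaveAsync(new IdentitySecurityLogContext
            {
                Identity = IdentitySecurityLogIdentityConsts.Identity,
                Action = "SecurityStampChanged", // constructed action name, not an ABP constant
                UserName = updated.UserName
            });
        }

        return result;
    }
}
```

With this in place the reproduction steps in the issue no longer produce a `ChangePhoneNumber` entry or a stamp rotation for a user with no phone number, and any legitimate rotation (for example a real phone number change) shows up as a `SecurityStampChanged` entry next to the entry that caused it.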