SignInManager.HasBeenVerifiedAsync always returns true when TKey is type "int"

description

When the TKey for a user identity is set to "int", code in the SignInManager fails.
The two methods in SignInManager that fail are:
SendTwoFactorCodeAsync(...)
This method will always send a two factor code to a user regardless of whether they have been verified.
So if a hacker is attempting to log in, a two factor code will be sent to the person whose account they are trying to break into, regardless of whether they provided a correct password or not.
HasBeenVerifiedAsync()
This method always returns true.
People using this will have unexpected results because it always returns true.

There are other failures in the code base, however they are not so critical.
I have already submitted the code changes (dfraserBugfixes pull request) to fix these issues, but having had zero feedback on the matter I am now raising this as an issue so that someone can start to take this matter a little more seriously. I did not want to draw attention to this issue in case there are sites out there that are compromised by this defect.
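A reconstruction of the defect class the report describes, added here as an illustration and not taken from the Identity source (which is not on this page). `SignInManagerLike`, `TwoFactorCookie` and the method names are hypothetical, and the assumed cause, a generic key compared to null so that `default(int)` never looks "missing", is inferred from the reported symptom rather than stated by the reporter.

```csharp
using System;
using System.Collections.Generic;

// Stand-in for the two-factor cookie: the user id it carries, or null when
// no partially signed-in user exists (constructed for this illustration).
static class TwoFactorCookie
{
    public static string UserIdFromCookie;
}

// Hypothetical sketch of a generic sign-in manager; not Identity's own code.
class SignInManagerLike<TKey>
{
    readonly Func<string, TKey> _convertId;
    public SignInManagerLike(Func<string, TKey> convertId) { _convertId = convertId; }

    // Returns the verified user id, or default(TKey) when nothing is verified:
    // that is null for string keys but 0 for int keys.
    public TKey GetVerifiedUserId()
    {
        var raw = TwoFactorCookie.UserIdFromCookie;
        return string.IsNullOrEmpty(raw) ? default(TKey) : _convertId(raw);
    }

    // Defective pattern: an unconstrained TKey compared to null. For a value
    // type the comparison can never be false, so every caller looks verified
    // and a two-factor code would be sent before the password check passed.
    public bool HasBeenVerifiedDefective() => GetVerifiedUserId() != null;

    // Corrected pattern: decide from the cookie itself rather than from a
    // sentinel of the key type. (Comparing the id with default(TKey) through
    // EqualityComparer<TKey>.Default would also avoid the null pitfall.)
    public bool HasBeenVerifiedFixed()
        => !string.IsNullOrEmpty(TwoFactorCookie.UserIdFromCookie);
}

static class Program
{
    static void Main()
    {
        TwoFactorCookie.UserIdFromCookie = null;   // nobody has passed the first factor
        var intKeys    = new SignInManagerLike<int>(int.Parse);
        var stringKeys = new SignInManagerLike<string>(s => s);

        Console.WriteLine($"int,    defective: {intKeys.HasBeenVerifiedDefective()}");
        Console.WriteLine($"int,    fixed:     {intKeys.HasBeenVerifiedFixed()}");
        Console.WriteLine($"string, defective: {stringKeys.HasBeenVerifiedDefective()}");
        Console.WriteLine($"string, fixed:     {stringKeys.HasBeenVerifiedFixed()}");
    }
}
```

Running it with an int key shows the defective check reporting a verified user while no two-factor cookie is present, which is the behaviour the report attributes to `HasBeenVerifiedAsync` and `SendTwoFactorCodeAsync`.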

comments

bdorrans wrote Sep 27, 2016 at 9:07 PM

Oh dear.

Well we'll pull that into the next release. We have been planning one for updating the hashing mechanisms, but we don't have a release date as yet. We'll have a chat internally and see if we can work out a schedule.