feat(users): self-service account unlock via email #184

Closed
antosubash wants to merge 1 commit into main from emdash/feat-account-lockout-self-service-unlock-email-nbawo

@antosubash
Owner

Summary

  • Adds a self-service unlock flow so locked-out users can request an unlock link by email instead of waiting or contacting an admin
  • Lockout page now offers a "receive an unlock link by email" option
  • Token-based unlock with security stamp rotation (single-use links)
  • Rate-limited via auth-strict policy, no account enumeration leak
  • Audit event (UserSelfUnlockedEvent) emitted on successful self-unlock

Test plan

  • dotnet build — no errors or warnings
  • dotnet test --filter "AccountUnlock" — 6 integration tests pass:
    • Unknown email → generic confirmation (no enumeration leak)
    • Locked user → generic confirmation + email sent
    • Missing params → redirect to home
    • Invalid userId → error page
    • Tampered token → error page
    • Valid token → account unlocked, lockout cleared, access failed count reset
  • All 46 existing Users tests still pass

Closes #181

When users get locked out from failed sign-ins, they can now request an
unlock link by email instead of waiting or contacting an admin.

- Add SendUnlockEmailEndpoint (POST with rate limiting, no email enumeration leak)
- Add UnlockAccountEndpoint (token verification, security stamp rotation)
- Add IAccountUnlockEmailSender with console and production implementations
- Add UserSelfUnlockedEvent for audit trail
- Update Lockout page with link to unlock flow
- Add integration tests for happy path, unknown email, invalid token

Closes #181
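
The flow summarized above (enumeration-safe request, token bound to the security stamp so a link works once), as an added C# example that is not code from this PR or its project. It is a console model in which an HMAC over purpose, user id and security stamp stands in for the token provider, which the page does not show; `User`, `UnlockDemo`, the `AccountUnlock` purpose string and the sample addresses are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

public sealed class User // hypothetical record: only the fields the flow touches
{
    public string Id = "", SecurityStamp = "";
    public DateTimeOffset? LockoutEnd;
    public int AccessFailedCount;
}

public static class UnlockDemo
{
    const string Purpose = "AccountUnlock"; // assumed purpose string
    static readonly byte[] Key = RandomNumberGenerator.GetBytes(32);
    public const string Generic = "If that account is locked, an unlock link has been sent.";
    // Token = HMAC(key, purpose | user id | current security stamp), hex encoded.
    public static string Issue(User u) => Convert.ToHexString(
        HMACSHA256.HashData(Key, Encoding.UTF8.GetBytes($"{Purpose}|{u.Id}|{u.SecurityStamp}")));
    // The caller gets the same text whether or not the address is known or locked.
    public static string Request(IDictionary<string, User> byEmail, string email, Action<string> send)
    {
        if (byEmail.TryGetValue(email, out var u) && u.LockoutEnd > DateTimeOffset.UtcNow)
            send(Issue(u));
        return Generic;
    }
    public static bool Redeem(User u, string token)
    {
        byte[] given;
        try { given = Convert.FromHexString(token); }
        catch (FormatException) { return false; } // malformed input is an invalid token
        if (!CryptographicOperations.FixedTimeEquals(given, Convert.FromHexString(Issue(u)))) return false;
        u.LockoutEnd = null; u.AccessFailedCount = 0;
        u.SecurityStamp = Guid.NewGuid().ToString("N"); // rotation voids every issued link
        return true;
    }
    public static void Main()
    {
        var u = new User { Id = "u1", SecurityStamp = "s0", AccessFailedCount = 5,
                           LockoutEnd = DateTimeOffset.UtcNow.AddMinutes(15) };
        var users = new Dictionary<string, User> { ["locked@example.test"] = u }; // constructed data
        var link = "";
        Console.WriteLine(Request(users, "nobody@example.test", t => link = t)); // unknown address
        Console.WriteLine(Request(users, "locked@example.test", t => link = t)); // locked account
        Console.WriteLine(Redeem(u, link + "00")); // tampered token
        Console.WriteLine(Redeem(u, link));        // valid token
        Console.WriteLine(Redeem(u, link));        // replay after the stamp rotated
    }
}
```

Token expiry and rate limiting are not modeled here.
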

cloudflare-workers-and-pages Bot commented May 10, 2026

Deploying simplemodule-website with Cloudflare Pages

Latest commit: 6063b77
Status: ✅ Deploy successful!
Preview URL: https://2ab856a2.simplemodule-website.pages.dev
Branch Preview URL: https://emdash-feat-self-service-acc.simplemodule-website.pages.dev


cloudflare-workers-and-pages Bot commented May 10, 2026

Deploying simplemodule-docs with Cloudflare Pages

Latest commit: 6063b77
Status: ✅ Deploy successful!
Preview URL: https://53db15e2.simplemodule.pages.dev
Branch Preview URL: https://emdash-feat-self-service-acc.simplemodule.pages.dev

@antosubash
Owner Author

Superseded by #187, which shipped this feature with revisions (token-purpose constant, email-confirmed gate, safe base64 decode, recording email sender + rate-limit tests). Follow-up fix for the silent-failure path on IdentityResult is in #191.

antosubash closed this May 10, 2026

Development

Successfully merging this pull request may close these issues.

Identity: account lockout self-service unlock via email