Skip to content

fix(users): check IdentityResult on unlock to avoid silent failure#191

Merged
antosubash merged 1 commit into
mainfrom
fix/unlock-check-identity-result
May 10, 2026
Merged

fix(users): check IdentityResult on unlock to avoid silent failure#191
antosubash merged 1 commit into
mainfrom
fix/unlock-check-identity-result

Conversation

@antosubash
Copy link
Copy Markdown
Owner

@antosubash antosubash commented May 10, 2026

Summary

  • UnlockAccountEndpoint now checks IdentityResult.Succeeded on both UpdateAsync (clearing LockoutEnd / AccessFailedCount) and UpdateSecurityStampAsync. Previously, a store failure (concurrency, persistence error) was silently swallowed: the page rendered "Account unlocked successfully" and UserSelfUnlockedEvent was published for an unlock that never persisted.
  • On failure, the endpoint now returns the same InvalidLink() page used for invalid tokens, so the user can request a fresh unlock email.

Verification

  • Manually exercised the full unlock flow at https://localhost:5001 via Playwright:
    • /Identity/Account/Lockout renders the new "receive an unlock link by email" link
    • Form on /Identity/Account/SendUnlockEmail redirects to /SendUnlockEmailConfirmation
    • Unlock URL pulled from host log; navigating to it shows "Account unlocked"
    • DB confirmed LockoutEnd cleared, AccessFailedCount=0, SecurityStamp rotated
    • Reusing the same URL after success correctly shows "Invalid or expired unlock link" (security stamp invalidated the token)
  • All local CI passed: lint, frontend build, .NET build, 939 .NET tests, 47 Playwright smoke tests.

Test plan

  • CI green on PR
  • Reviewer spot-checks UnlockAccountEndpoint.cs for the Succeeded branches

@antosubash
fix(users): check IdentityResult on unlock to avoid silent failure
14857dc 
UpdateAsync and UpdateSecurityStampAsync return IdentityResult; if the
store fails (concurrency, persistence error), the previous code still
rendered "successfully unlocked" and emitted UserSelfUnlockedEvent for
an unlock that never persisted. Surface failures via the InvalidLink
page instead.
@cloudflare-workers-and-pages
Copy link
Copy Markdown

cloudflare-workers-and-pages Bot commented May 10, 2026

Deploying simplemodule-website with  Cloudflare Pages  Cloudflare Pages

Latest commit: 14857dc
Status: ✅  Deploy successful!
Preview URL: https://f36532ff.simplemodule-website.pages.dev
Branch Preview URL: https://fix-unlock-check-identity-re.simplemodule-website.pages.dev

View logs

@antosubash antosubash merged commit afdf6c8 into main May 10, 2026
6 checks passed
@antosubash antosubash deleted the fix/unlock-check-identity-result branch May 10, 2026 21:48
@antosubash antosubash mentioned this pull request May 10, 2026
Closed
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@antosubash