From 14857dc54e7feeedb906ce15d8275ba924ca4b5f Mon Sep 17 00:00:00 2001
From: Anto Subash
Date: Sun, 10 May 2026 23:33:05 +0200
Subject: [PATCH] fix(users): check IdentityResult on unlock to avoid silent failure
UpdateAsync and UpdateSecurityStampAsync return IdentityResult; if the store fails (concurrency, persistence error), the previous code still rendered "successfully unlocked" and emitted UserSelfUnlockedEvent for an unlock that never persisted. Surface failures via the InvalidLink page instead.
---
 .../Pages/Account/UnlockAccountEndpoint.cs | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/modules/Users/src/SimpleModule.Users/Pages/Account/UnlockAccountEndpoint.cs b/modules/Users/src/SimpleModule.Users/Pages/Account/UnlockAccountEndpoint.cs
index 971561fe..411fcfd2 100644
--- a/modules/Users/src/SimpleModule.Users/Pages/Account/UnlockAccountEndpoint.cs
+++ b/modules/Users/src/SimpleModule.Users/Pages/Account/UnlockAccountEndpoint.cs
@@ -76,8 +76,16 @@ static IResult InvalidLink() =>
 user.LockoutEnd = null;
 user.AccessFailedCount = 0;
- await userManager.UpdateAsync(user);
- await userManager.UpdateSecurityStampAsync(user);
+ var updateResult = await userManager.UpdateAsync(user);
+ if (!updateResult.Succeeded)
+ {
+ return InvalidLink();
+ }
+ var stampResult = await userManager.UpdateSecurityStampAsync(user);
+ if (!stampResult.Succeeded)
+ {
+ return InvalidLink();
+ }
 await bus.PublishAsync(
 new UserSelfUnlockedEvent(UserId.From(user.Id), user.Email ?? string.Empty)
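Review bot: If `UpdateSecurityStampAsync` fails after `UpdateAsync` has succeeded, the cleared `LockoutEnd` and `AccessFailedCount` are already persisted, yet the second `return InvalidLink();` tells the user the link was bad and skips `UserSelfUnlockedEvent`, so an account can end up unlocked with no event recorded and its security stamp not rotated. Assuming `userManager` is the stock ASP.NET Core Identity `UserManager<TUser>`, `UpdateSecurityStampAsync` already finishes with a store update of the same user object, so a single `var result = await userManager.UpdateSecurityStampAsync(user);` followed by one `Succeeded` check would persist the unlock and the new stamp together and remove that window. Both failure branches also discard `IdentityResult.Errors`; logging them before returning (if a logger is available in this handler, which the hunk does not show) would let operators tell a store failure apart from a genuinely invalid link. The enclosing handler starts and ends outside the hunk.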