ASP.NET User confirmed email filter attribute

in security, identity system

Action filters is a very powerful mechanism in an ASP.NET MVC application that gives us the capability of injecting functionality in our application in a centralized and structure way.
In this post I am showing how we can create an action filter attribute in order to decorate our controllers to check if the current user has verified his email address
after registering in our system through new ASP.NET Identity system. I am going to create two filters as we want to have this functionality in regular MVC controllers and in Web Api controllers as well.

First lets see the code for the regular MVC controllers. What we have to do is just derive from ActionFilterAttribute class that lives in System.Web.Mvc namespace and override the OnActionExecuting method.

UserConfirmedFilterAttribute
  • cs
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = true, Inherited = true)]
public class UserConfirmedFilterAttribute : ActionFilterAttribute {
    public override void OnActionExecuting(ActionExecutingContext filterContext) {
        var userId = filterContext.HttpContext.User.Identity.GetUserId();
        // User is not logged in so redirect him to log in controller action
        if (string.IsNullOrEmpty(userId)) {
            filterContext.Result = new RedirectToRouteResult(new RouteValueDictionary(
                        new { controller = "Account", action = "Login", 
                                returnUrl = filterContext.HttpContext.Request.RawUrl }));
            return;
        }

        var userManager = filterContext.HttpContext.GetOwinContext().GetUserManager<ApplicationUserManager>();
        if (!userManager.IsEmailConfirmed(userId)) {
            filterContext.Result =
                new RedirectToRouteResult(
                    new RouteValueDictionary(new { controller = "ConstrollerNameToRedirect", 
                                    action = "ActionMethodToRedirect" }));
            return;
        }
        base.OnActionExecuting(filterContext);
    }
}

The code is very simple as in the case the user has confirmed the email the execution flow continues normally. In the opposite case we are able to redirect the user
in a specific action of a controller by replacing the corresponding values.

The code is very similar for Web Api controllers as we can see right below.

UserConfirmedFilterAttribute
  • cs
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = true, Inherited = true)]
public class UserConfirmedWebApiFilterAttribute : ActionFilterAttribute {
    public override Task OnActionExecutingAsync(HttpActionContext actionContext, CancellationToken cancellationToken) {
        var userId = actionContext.RequestContext.Principal.Identity.GetUserId();
        // User is not logged in so redirect him to log in controller action
        if (string.IsNullOrEmpty(userId)) {
            actionContext.Response = actionContext.Request.CreateErrorResponse(HttpStatusCode.Unauthorized,
                "You must be logged in to access this resource");
            return Task.FromResult(0);
        }

        var userManager = actionContext.Request.GetOwinContext().GetUserManager<ApplicationUserManager>();
        if (!userManager.IsEmailConfirmed(userId)) {
            actionContext.Response = actionContext.Request.CreateErrorResponse(HttpStatusCode.BadRequest,
                "You must be verify your email address in order to access this resource");
            return Task.FromResult(0);
        }
        return base.OnActionExecutingAsync(actionContext, cancellationToken);
    }
}

Here I choose to implement the async version of OnActionExecuting method. If the user has confirmed the email address then the request is served normally.
If the user is not logged in or has not confirmed the email a bad request response is returned containing the additional message.

You can find a complete project containing both of the attributes on Github.

Comment and share

  • page 1 of 1

Babis Karypidis

Hi, I am Babis Karypidis, a Greek software engineer who tries to fit other activities, except development, in his life.


Freelance Software Engineer focusing on .NET, Azure and React.js


Brussels, Belgium