For programmers, testers and tech geeks

Protect sensitive data in Core usig IDataProtector

I had a scenario where I had to reset the user password when user clicks the link in email received as result of using forgot password feature of one of my project. The link which user received in email had userId and password reset token as querystring and I thought why not lets just secure both of these properties. For this purpose I created an interface and one implementation class.

The Interface is

public interface IDataProtectionService
        string Protect(string value);
        string UnProtect(string value);

The implementation is

public class DataProtectionService : IDataProtectionService
        private readonly IDataProtector protector;

        public DataProtectionService(IDataProtectionProvider provider)
            protector = provider.CreateProtector("Core_Project_Protector_key");

        public string Protect(string value)
            return protector.Protect(value);

        public string UnProtect(string value)
            return protector.Unprotect(value);

And I registered this in Core's dependency injection.

services.AddScoped<IDataProtectionService, DataProtectionService>();
and to enable DataProtection feature of Core I added a line in Startup.cs in ConfigureService method.

At this point everything is prepared and I just need to inject IDataProtectionService interface inside my EmailService so that before sending the password reset link we can protect our userId and Token and prepare the link.
var callbackUrl = baseUrl + "userId=" + _dataProtectionService.Protect(user.Id.ToString()) + "&code=" + _dataProtectionService.Protect(token.UrlEncode());
With this the email we will receive will have encrypted values of userId and token.
And when we receive values in our action we can just use _dataProtectionService.UnProtect(userId) to get original value.