I had a scenario where I had to reset the user's password when the user clicks the link in the email received as a result of using the forgot-password feature of one of my projects. The link the user received in the email had the userId and the password reset token in the query string, and I thought, why not secure both of these values? For this purpose I created an interface and one implementation class.
The interface is:

    public interface IDataProtectionService
    {
        string Protect(string value);
        string UnProtect(string value);
    }

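The implementation is:

    using Microsoft.AspNetCore.DataProtection;
    public class DataProtectionService : IDataProtectionService
    {
        private readonly IDataProtector protector;
        public DataProtectionService(IDataProtectionProvider provider)
        {
            // The purpose string isolates these payloads from other protectors.
            protector = provider.CreateProtector("Core_Project_Protector_key");
        }
        public string Protect(string value) => protector.Protect(value);
        public string UnProtect(string value) => protector.Unprotect(value);
    }
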
And I registered this in ASP.NET Core's dependency injection.
To enable the Data Protection feature of ASP.NET Core, I added a line to the ConfigureServices method in Startup.cs.
At this point everything is prepared, and I just need to inject the IDataProtectionService interface into my EmailService so that, before sending the password reset link, we can protect the userId and token and prepare the link.

    var callbackUrl = baseUrl
        + "userId=" + _dataProtectionService.Protect(user.Id.ToString())
        + "&code=" + _dataProtectionService.Protect(token.UrlEncode());

With this, the email we receive will have the encrypted values of userId and token.
And when we receive the values in our action, we can just use _dataProtectionService.UnProtect(userId) to get the original value.
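
The receiving side described above, as an added example (not code from the original post): Unprotect throws CryptographicException when a value was altered or was protected under a different purpose string, so the action should treat that as an invalid link rather than let the exception escape. The TryUnprotect helper, the ResetLinkDemo class, the sample userId and the second purpose string are assumptions; EphemeralDataProtectionProvider keeps keys in memory for this demo only.

```csharp
using System;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;

public static class ResetLinkDemo
{
    // Hypothetical helper: returns false instead of throwing when the value was
    // altered, truncated, or protected under a different purpose string or key.
    public static bool TryUnprotect(IDataProtector protector, string value, out string plaintext)
    {
        plaintext = string.Empty;
        if (string.IsNullOrEmpty(value)) return false;
        try
        {
            plaintext = protector.Unprotect(value);
            return true;
        }
        catch (CryptographicException)
        {
            // Decoding errors and failed integrity checks both surface here.
            return false;
        }
    }

    public static void Main()
    {
        // In-memory keys for the demo; the application uses the injected provider.
        IDataProtectionProvider provider = new EphemeralDataProtectionProvider();
        IDataProtector protector = provider.CreateProtector("Core_Project_Protector_key");

        string protectedId = protector.Protect("42"); // constructed sample userId

        // The untouched value from the link round-trips.
        Console.WriteLine(TryUnprotect(protector, protectedId, out var id) ? $"ok: {id}" : "rejected");

        // Constructed tampering: change one character in the middle of the payload.
        char[] chars = protectedId.ToCharArray();
        int mid = chars.Length / 2;
        chars[mid] = chars[mid] == 'A' ? 'B' : 'A';
        Console.WriteLine(TryUnprotect(protector, new string(chars), out _) ? "accepted" : "rejected");

        // A protector created with another purpose string cannot read the value.
        IDataProtector other = provider.CreateProtector("Some_Other_Purpose");
        Console.WriteLine(TryUnprotect(other, protectedId, out _) ? "accepted" : "rejected");
    }
}
```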