brockallen.MembershipReboot account confirmation not working

Question

To get to the point, and not force anyone to read a lengthy explanation, I've known there's issues with Microsoft's security defaults when it comes to many of its technologies. I use ASP.NET and MVC, and actually was ready to use Microsoft's defaults (like IdentityService) - and was looking into it's more advanced features - so I can master them. But then I stumbled upon Brock Allen's blog post - where he explained Microsoft's defaults in these regards are just not good enough. So, that was where I found out about his MembershipReboot project.

I've been in the process of implementing this library, at first with not so much success, but have been gaining traction, and have had some success. I went from it not working at all, to having di issues. I fixed all that (with a little help). Now, the login and register pages work, and registration works as well as sending out verification emails, they all work. This is where I'm now stuck at. After receiving the verification email, and clicking the link in the email - I go to the localhost:####/ChangeEmail/(verification key) page - and this is where my new problem is. I'm using some of the code taken from the (SingleTenant) sample code.

When it goes to that page, in the default setup, it told me it had "System.ArgumentException: account" and it pointed to the code "if (account.HasPassword())" in the Confirm ActionResult of the ChangeEmailController. I added a line of code above that if statement in that ActionResult - "Redirect("http://" + account.Email);" - just to see what it would do with that. With that addition, it gave me another (related) error - "Object reference not set to an instance of an object." and it pointed to that exact code I added.

So, it really frustrates me, it's obvious that the system works in loading the library, it works in being able to actually register a user, it works in being able to send an email with the proper verification key (I compared it to the database entry, it was the same code). But, then when the link to the verification method is clicked on - it doesn't seem to want to retrieve that same account data from the database. I find this to be pretty strange.

Answer 1

(Please excuse me for my slightly long introduction of what leads up to the actual answer to the issue I was asking about, if you don't care to read an explanation of how I got to the actual answer, then skip the following two paragraphs, and read the third following paragraph (and everything underneath it) - which holds the actual answer)

I also posted this question on the GitHub (issues) page of the library. Over here (on stackoverflow) - nobody was able to provide any suggestions. That's fine, because the author of the library was very helpful. After some back and forth with him, we were able to address my concerns, and figure out what it was that was causing the issue at hand.

To be fair to the library and the author, it wasn't necessarily the library itself that was at fault. It was more-so the fact that the author lives a busy life (like most of us), and wasn't able to write a very in-depth documentation for developers of all stripes (including those who might not just immediately understand how to do this just by looking at his documentation - I do have quite a bit of experience in software development (as a hobby), but I definitely still am at a point of learning some things I need to know (I intend to get a Microsoft Certificate, and am studying for it)).

The actual answer to the question: Basically put, it just so turns out, the main thing that got me to this problem was really dealing with the verification key itself. I assumed - like with many libraries, and even what can be found in the default ASP.NET system (including the default Identity system Microsoft provides) - that getting the actual Verification key was done like "var key = account.VerificationKey;" - but the author of the library revealed to me to get the proper verification key that actually is associated with the account being created (and his system includes an advanced form of hashing, by the way (pretty impressive)) - I had to use an Event Handling system - because his library uses an "Event Bus" system. I have quite some knowledge in WebForms, and am getting comfortable with MVC. I understand c#, and many of it's functionalities to a decent degree, but it may be slightly embarrassing, but I never (before this) had experience with Event Handling - and actually am happy that this library led me to do some learning on it. This is what the author said of how to go about it (and other related things dealing with his library can be done in similar ways):

"Something like this:

public class CustomEmailEventHandler : IEventHandler<AccountCreatedEvent<UserAccount>>
    {
        public void Handle(AccountCreatedEvent<UserAccount> evt)
        {
            // send evt.VerificationKey to evt.Account.Email
        }
    }

and then register it with the MR config:

var config = new MembershipRebootConfiguration();
config.AddEventHandler(new CustomEmailEventHandler());

That's roughly it. You'd need to implement additional IEventHandler for the other events you cared about from here: https://github.com/brockallen/BrockAllen.MembershipReboot/blob/master/src/BrockAllen.MembershipReboot/AccountService/UserAccountEvents.cs"

As I said - he did say his documentation did make mention of this, it's just that it wasn't very clear about it. Once he revealed this to me, I went back to his documentation, I found out - to implement the var "config" (which he described in the answer I just quoted) - it must be done with DI, like Ninject, like so:

kernel.Bind<MembershipRebootConfiguration>().ToConstant(config);

Lastly, I must add, the author was very helpful, and his library is definitely impressive. I asked him to answer this question here, and he told me to go ahead and do it on my own, so I answered it here using the information he provided to me.