Creating non-hackable User Registration Page using Data Annotations

  • Question

  • User1434241939 posted

    I have a user registration razor page and corresponding action that uses UserManager and SignInManager to create user accounts. It works just fine.

    However, I only want a few people to be able to register, so I have disabled all links to /Accounts/Register. But it's easy enough for someone or some bot to guess at the registration route, register and then log in. I am not sure what the best way to "hide" the registration might be. Here are possibilities I came up with:

    • Create a hard-to-guess route and corresponding action such as /Accounts/xpflqj7t99y. Only those who are sent the route can register.
    • Let anyone register but make the default roles as restrictive as possible.
    • Add a field to the view model called something like "Secret" (which is sent to select people only) and decorate it with a data annotation such as
    [RegularExpression("^Th1s1sAnUnl1kelyS3cr3t$", ErrorMessage = "Incorrect Secret")]
    public string Secret { get; set; }

    The last one seems to be the easiest but I don't know if Data Annotations are secure.  Is there some accepted convention of doing this that I'm missing?

    Thursday, May 21, 2020 8:40 PM
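Added example (editor's code, not the original poster's): the "Secret" field done server-side only. Data annotations are enforced on the server when the handler checks ModelState.IsValid, so the check itself is not bypassable, but [RegularExpression] also has a client-side adapter: with jQuery unobtrusive validation enabled the pattern is rendered into the page as a data-val-regex-pattern attribute, so the secret would be visible to anyone who views the source of the registration form. The version below keeps the secret out of the model metadata, reads it from configuration (the key name "Registration:Secret" is an assumption) and compares it in fixed time. It assumes the default IdentityUser and a Razor Page named Register.

```csharp
// Register.cshtml.cs -- added example, not code from the thread.
using System;
using System.ComponentModel.DataAnnotations;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;
using Microsoft.Extensions.Configuration;

public class RegisterModel : PageModel
{
    private readonly UserManager<IdentityUser> _userManager;
    private readonly SignInManager<IdentityUser> _signInManager;
    private readonly IConfiguration _config;

    public RegisterModel(UserManager<IdentityUser> userManager,
                         SignInManager<IdentityUser> signInManager,
                         IConfiguration config)
    {
        _userManager = userManager;
        _signInManager = signInManager;
        _config = config;
    }

    [BindProperty]
    public InputModel Input { get; set; } = new InputModel();

    public class InputModel
    {
        [Required, EmailAddress]
        public string Email { get; set; } = "";

        [Required, DataType(DataType.Password)]
        public string Password { get; set; } = "";

        // Deliberately NOT decorated with [RegularExpression("^...$")]: that attribute's
        // client-side adapter would emit the pattern into the HTML as data-val-regex-pattern.
        // Only [Required] here; the value is checked in OnPostAsync, never described to the client.
        [Required, DataType(DataType.Password)]
        public string Secret { get; set; } = "";
    }

    private bool SecretMatches(string supplied)
    {
        // Assumption: the secret is held in configuration (user-secrets or an environment
        // variable), not in source, so it can be rotated without a redeploy.
        var expected = _config["Registration:Secret"];
        if (string.IsNullOrEmpty(expected) || string.IsNullOrEmpty(supplied))
            return false;                           // fail closed if unconfigured

        // Fixed-time comparison: response time must not depend on how many leading
        // characters matched. FixedTimeEquals returns false for differing lengths.
        return CryptographicOperations.FixedTimeEquals(
            Encoding.UTF8.GetBytes(expected),
            Encoding.UTF8.GetBytes(supplied));
    }

    public async Task<IActionResult> OnPostAsync(string? returnUrl = null)
    {
        if (!ModelState.IsValid)
            return Page();

        if (!SecretMatches(Input.Secret))
        {
            // Same generic message whatever went wrong; do not confirm that a secret exists.
            ModelState.AddModelError(string.Empty, "Registration is by invitation only.");
            return Page();
        }

        var user = new IdentityUser { UserName = Input.Email, Email = Input.Email };
        var result = await _userManager.CreateAsync(user, Input.Password);
        if (result.Succeeded)
        {
            await _signInManager.SignInAsync(user, isPersistent: false);
            return LocalRedirect(returnUrl ?? "/");
        }

        foreach (var error in result.Errors)
            ModelState.AddModelError(string.Empty, error.Description);
        return Page();
    }
}
```

Two caveats a practitioner would add: a single shared secret can be forwarded and cannot be revoked for one person without rotating it for everyone, and the handler should sit behind the same rate limiting as the login page so the secret cannot be guessed by repeated POSTs.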

All replies

  • User475983607 posted

    If you know the users, then load a table with the users' emails that are allowed to create accounts. Check the user's email against the table when registering. If the email does not exist, then don't register the user.

    Thursday, May 21, 2020 9:13 PM
  • User-474980206 posted

    Expanding on this approach, email invites to register. The email contains a code (usually also in a link) that the recipient uses to start a valid registration. The code is typically tied to the email and has a timeout.

    Thursday, May 21, 2020 9:37 PM
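Added example (editor's code, not from either reply) that implements both suggestions above: the Invitations table is the allow-list of permitted e-mails, and each row carries a hashed one-time code with an expiry. It assumes ASP.NET Core Identity on EF Core with the scaffold's default context name ApplicationDbContext, the default IdentityUser, and .NET 6 or later for RandomNumberGenerator.GetBytes and SHA256.HashData. The class and method names are the editor's.

```csharp
// Added example, not the thread's code. Invitation-code registration for ASP.NET Core Identity.
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Identity.EntityFrameworkCore;
using Microsoft.AspNetCore.WebUtilities;
using Microsoft.EntityFrameworkCore;

// One row per invitation. The table doubles as the allow-list of e-mails permitted to
// register; only a hash of the code is stored, so a database read does not yield usable codes.
public class Invitation
{
    public int Id { get; set; }
    public string Email { get; set; } = "";                      // stored upper-cased, like NormalizedEmail
    public byte[] CodeHash { get; set; } = Array.Empty<byte>();  // SHA-256 of the code
    public DateTime ExpiresUtc { get; set; }
    public DateTime? RedeemedUtc { get; set; }
}

// Assumption: the scaffolded Identity context, extended with an Invitations DbSet.
public class ApplicationDbContext : IdentityDbContext<IdentityUser>
{
    public ApplicationDbContext(DbContextOptions<ApplicationDbContext> options) : base(options) { }
    public DbSet<Invitation> Invitations => Set<Invitation>();
}

public class InvitationService
{
    private readonly ApplicationDbContext _db;
    private readonly UserManager<IdentityUser> _userManager;

    public InvitationService(ApplicationDbContext db, UserManager<IdentityUser> userManager)
    {
        _db = db;
        _userManager = userManager;
    }

    private static string Normalize(string email) => email.Trim().ToUpperInvariant();
    private static byte[] Hash(string code) => SHA256.HashData(Encoding.UTF8.GetBytes(code));

    // Called by an admin-only action. Returns the one-time code the admin e-mails as a link,
    // e.g. /Account/Register?email=<address>&code=<code>; the clear-text code is never persisted.
    public async Task<string> CreateAsync(string email, TimeSpan lifetime)
    {
        var code = WebEncoders.Base64UrlEncode(RandomNumberGenerator.GetBytes(32)); // 256 bits
        _db.Invitations.Add(new Invitation
        {
            Email = Normalize(email),
            CodeHash = Hash(code),
            ExpiresUtc = DateTime.UtcNow.Add(lifetime),
        });
        await _db.SaveChangesAsync();
        return code;
    }

    // Called from the Register page's OnPost. Fails closed: no row for that e-mail, wrong code,
    // expired, or already redeemed all yield the same generic error.
    public async Task<IdentityResult> RedeemAsync(string email, string code, string password)
    {
        var normalized = Normalize(email);
        var now = DateTime.UtcNow;
        var invitation = await _db.Invitations
            .Where(i => i.Email == normalized && i.RedeemedUtc == null && i.ExpiresUtc > now)
            .OrderByDescending(i => i.ExpiresUtc)
            .FirstOrDefaultAsync();

        // The code is bound to the address: the row is looked up by e-mail first, then the
        // supplied code is hashed and compared in fixed time against that row only.
        var ok = invitation != null
              && CryptographicOperations.FixedTimeEquals(invitation.CodeHash, Hash(code ?? ""));
        if (!ok)
            return IdentityResult.Failed(new IdentityError
            {
                Code = "InvalidInvitation",
                Description = "Invitation is invalid or expired."
            });

        var user = new IdentityUser { UserName = email.Trim(), Email = email.Trim(), EmailConfirmed = true };
        var result = await _userManager.CreateAsync(user, password);
        if (result.Succeeded)
        {
            invitation!.RedeemedUtc = now;   // single use; a second POST with the same code fails
            await _db.SaveChangesAsync();
        }
        return result;
    }
}
```

Register InvitationService as scoped alongside the Identity services, and have the Register page's OnPost pass Input.Email, the code from the link's query string, and Input.Password to RedeemAsync in place of calling UserManager.CreateAsync directly. Because CreateAsync only runs after the lookup and hash check succeed, an unknown e-mail, a forwarded link used with a different address, or a code older than its lifetime never reaches account creation, which is the allow-list check from the first reply with the expiry and single-use properties from the second.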