Enhance LinkUserTokenProvider with single-active policy and consent helpers #25450
…elpers
- Make LinkUserTokenProvider derive from AbpSingleActiveTokenProvider
- Add AbpLinkUserTokenProviderOptions with 10 min default lifespan
- Add RemoveLinkUserTokenAsync extension on IdentityUserManager
- Add SetLinkConsentAsync/GetLinkConsentAsync/RemoveLinkConsentAsync on IdentityLinkUserManager backed by user.Tokens slot [AbpLinkUserConsent]/Consent
Pull request overview
This PR updates ABP Identity’s link-user flow by moving LinkUserTokenProvider onto the framework’s single-active token infrastructure (so only the most recently issued token remains valid) and adds helpers for invalidation and storing a per-user “link consent” payload in IdentityUser.Tokens.
Changes:
- Switch LinkUserTokenProvider to derive from AbpSingleActiveTokenProvider and introduce AbpLinkUserTokenProviderOptions with a 10-minute default lifespan.
- Add IdentityUserManager.RemoveLinkUserTokenAsync to invalidate previously issued link-user tokens by removing the stored hash.
- Add consent payload helpers (SetLinkConsentAsync/GetLinkConsentAsync/RemoveLinkConsentAsync) on IdentityLinkUserManager plus corresponding tests.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| modules/identity/test/Volo.Abp.Identity.Domain.Tests/Volo/Abp/Identity/IdentityLinkUserManager_Tests.cs | Adds test coverage for link-consent persistence, overwrite, and removal behaviors. |
| modules/identity/test/Volo.Abp.Identity.AspNetCore.Tests/Volo/Abp/Identity/AspNetCore/LinkUserTokenProvider_Tests.cs | Refactors tests to reuse AbpSingleActiveTokenProviderTestBase and adds invalidation test for RemoveLinkUserTokenAsync. |
| modules/identity/src/Volo.Abp.Identity.Domain/Volo/Abp/Identity/IdentityLinkUserManager.cs | Implements consent payload helpers using IdentityUser.Tokens. |
| modules/identity/src/Volo.Abp.Identity.Domain.Shared/Volo/Abp/Identity/LinkUserTokenProviderConsts.cs | Adds constants for consent token storage keys. |
| modules/identity/src/Volo.Abp.Identity.AspNetCore/Volo/Abp/Identity/AspNetCore/LinkUserTokenProvider.cs | Updates provider to single-active token policy base class and injects required dependencies. |
| modules/identity/src/Volo.Abp.Identity.AspNetCore/Volo/Abp/Identity/AspNetCore/IdentityUserManagerSingleActiveTokenExtensions.cs | Adds RemoveLinkUserTokenAsync helper to remove the stored hash entry. |
| modules/identity/src/Volo.Abp.Identity.AspNetCore/Volo/Abp/Identity/AspNetCore/AbpLinkUserTokenProviderOptions.cs | Introduces dedicated token provider options (name + default lifespan). |
Codecov Report
❌ Patch coverage is
@@ Coverage Diff @@
## dev #25450 +/- ##
==========================================
- Coverage 49.40% 49.36% -0.04%
==========================================
Files 3670 3671 +1
Lines 123598 123718 +120
Branches 9453 9456 +3
==========================================
+ Hits 61062 61072 +10
- Misses 60705 60830 +125
+ Partials 1831 1816 -15
- Use UserManager.SetAuthenticationTokenAsync/GetAuthenticationTokenAsync/RemoveAuthenticationTokenAsync so the Tokens collection is loaded via IdentityUserStore.EnsureCollectionLoadedAsync instead of relying on the GetByIdAsync(includeDetails) convention.
- Add a RemoveLinkUserTokenAsync(manager, user, purpose) overload to invalidate tokens issued for purposes other than LinkUserTokenPurpose.
- Add a cross-UnitOfWork persistence test for SetLink/Get/Remove ConsentAsync.
- Drop the unused IdentityLinkUserRepository field from LinkUserTokenProvider_Tests.
@copilot please review again
Done. I addressed the open review points and pushed commit
d095f56 to 8429dba
- SetLinkConsentAsync uses FindByIdAsync + null no-op, matching the missing-user behaviour of Get/RemoveLinkConsentAsync.
- Decorate Set/Get/RemoveLinkConsentAsync with [UnitOfWork] so the underlying IdentityUserStore.GetTokenAsync can EnsureCollectionLoaded the user.Tokens collection (fixes the CI failure on GetLinkConsentAsync_Should_Return_Null_When_No_Consent_Written).
- Clarify LinkUserTokenProvider XML doc to note that the single-active policy is enforced per purpose (matches AbpSingleActiveTokenProvider).
- Rename LinkUserTokenProvider_Should_Be_Register to *_Registered for consistency with sibling token-provider tests.
- Add tests covering: (a) RemoveLinkUserTokenAsync(purpose) only invalidates the requested purpose, and (b) same-purpose GenerateLink TokenAsync invalidates the previously issued token.
This PR will be tested on 10.5.0-rc.1
Upgrade LinkUserTokenProvider to derive from AbpSingleActiveTokenProvider with a dedicated AbpLinkUserTokenProviderOptions (default 10 min lifespan, configurable per project). Add RemoveLinkUserTokenAsync extension on IdentityUserManager.
Add three consent payload helpers on IdentityLinkUserManager (SetLinkConsentAsync/GetLinkConsentAsync/RemoveLinkConsentAsync) backed by the user.Tokens slot [AbpLinkUserConsent]/Consent. Framework owns the storage, callers own the payload format.
Companion to volosoft/volo#22357.
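The single-active, per-purpose policy described in this PR (latest token wins, invalidation by removing the stored hash, 10-minute lifespan), as an added standalone model. It is not code from the PR or from ABP; SingleActiveTokenStore, its members and the sample user and purpose values are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Standalone model of a single-active token policy. Not ABP code; all names are hypothetical.
public sealed class SingleActiveTokenStore
{
    private readonly TimeSpan _lifespan;
    private readonly Func<DateTimeOffset> _now;
    // One slot per (user, purpose): hash of the latest token plus its expiry.
    private readonly Dictionary<(string, string), (byte[] Hash, DateTimeOffset Expires)> _slots = new();

    public SingleActiveTokenStore(TimeSpan lifespan, Func<DateTimeOffset> now) => (_lifespan, _now) = (lifespan, now);

    // Issuing overwrites the slot, so an earlier token for the same purpose stops validating.
    public string Generate(string user, string purpose)
    {
        var token = Convert.ToBase64String(RandomNumberGenerator.GetBytes(32));
        _slots[(user, purpose)] = (Hash(token), _now() + _lifespan);
        return token;
    }

    public bool Validate(string user, string purpose, string token)
        => _slots.TryGetValue((user, purpose), out var slot)   // slot removed or never issued
           && _now() <= slot.Expires                            // still within the lifespan
           && CryptographicOperations.FixedTimeEquals(slot.Hash, Hash(token));

    // Explicit invalidation: drop the stored hash for this purpose only.
    public bool Remove(string user, string purpose) => _slots.Remove((user, purpose));

    private static byte[] Hash(string t) => SHA256.HashData(Encoding.UTF8.GetBytes(t));
}

public static class Demo
{
    private static void Expect(bool ok, string what) { if (!ok) throw new InvalidOperationException(what); }

    public static void Main()
    {
        var clock = DateTimeOffset.UtcNow;               // constructed clock so expiry can be simulated
        var store = new SingleActiveTokenStore(TimeSpan.FromMinutes(10), () => clock);
        var first = store.Generate("alice", "link");     // constructed user and purpose values
        var second = store.Generate("alice", "link");
        var other = store.Generate("alice", "other");
        Expect(!store.Validate("alice", "link", first), "superseded token must fail");
        Expect(store.Validate("alice", "link", second), "latest token must pass");
        store.Remove("alice", "link");
        Expect(!store.Validate("alice", "link", second), "removed hash must invalidate");
        Expect(store.Validate("alice", "other", other), "removal must be per purpose");
        clock = clock.AddMinutes(11);
        Expect(!store.Validate("alice", "other", other), "token past lifespan must fail");
    }
}
```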