ResetPassword code should be HtmlDecoded

[westonsoftware]

An "invalid token" message is displayed periodically on the ResetPassword page after using the ForgotPassword page to send the user an email, and clicking on that link.

https://github.com/aspnet/AspNetCore/blob/bfec2c14be1e65f7dd361a43950d4c848ad0cd35/src/Identity/UI/src/Areas/Identity/Pages/V3/Account/ResetPassword.cshtml.cs#L120

I believe the fix should be to decode the code like this ...

var decoded = System.Web.HttpUtility.HtmlDecode(Input.Code);
var result = await _userManager.ResetPasswordAsync(user, decoded, Input.Password);

I would do a PR for this but I have never contributed before and I thought someone could squeeze this in.
Thanks
--Andy

[westonsoftware]

Note that the code is encoded here in ForgotPassword ...
https://github.com/aspnet/AspNetCore/blob/bfec2c14be1e65f7dd361a43950d4c848ad0cd35/src/Identity/UI/src/Areas/Identity/Pages/V3/Account/ForgotPassword.cshtml.cs#L87

[blowdart]

I know you say it's intermittent, but do you happen to have an example of such a code?

[westonsoftware]

Yes, I should have mentioned, keep trying it until your code has a '+' in it, that was happening to me consistently for a while.

[westonsoftware]

The chars are defined here ...
https://github.com/dotnet/corefx/blob/4636de3b8595ad10eaebf00cbeed715684e7fd1b/src/System.Text.Encodings.Web/src/System/Text/Encodings/Web/HtmlEncoder.cs#L76

[blowdart]

Ah, that would explain it :) + decodes different in forms than in URIs.

@HaoK we have a hint :)

[HaoK]

Didn't notice this one since it wasn't assigned to me, will fix it in preview 8

[HaoK]

Fix now url encodes the code before we html encode it so it should be always safe, we also url decode the code before we try to verify them with the user manager as well

[westonsoftware]

Thanks! :)