This repository was archived by the owner on Dec 20, 2018. It is now read-only.
Expose a SignInManager.CheckPassword API that does lockout (optionally) #852

@brockallen

I know there's already a confirm email on the UserManager, but imagine this scenario:

I want my email verification page to require the user's password (in addition to the code) -- people enter wrong email addresses all the time and we need a way to protect against the wrong email recipient using the code to pwn the account.

So before I can verify the code, I also need to verify the password. Now I can call CheckPassword on the UserManager, but that level in the API does not provide me brute force protection. So I need an API on the SignInManager that will do the brute force checks on the password without trying to force 2FA or check that the email is already confirmed (because we're in the middle of confirming the email).

So the SignInManager could have an API that accepts the user, code, and password.

This email verification is hard stuff.
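
One way to get the behaviour requested above from existing `UserManager` primitives, shown as an added example that is not part of the original issue or of the Identity code base: the password check is wrapped in the lockout counter, and the emailed code is only evaluated once the password has been proven. The class `PasswordGatedEmailConfirmation` and the enum `ConfirmEmailOutcome` are hypothetical names; the sketch assumes ASP.NET Core Identity with a user store that supports lockout.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;

public enum ConfirmEmailOutcome { Confirmed, Failed, LockedOut }

// Hypothetical helper (name and shape are assumptions, not an Identity API).
public class PasswordGatedEmailConfirmation<TUser> where TUser : class
{
    private readonly UserManager<TUser> _users;

    public PasswordGatedEmailConfirmation(UserManager<TUser> users) => _users = users;

    public async Task<ConfirmEmailOutcome> ConfirmAsync(string userId, string code, string password)
    {
        var user = await _users.FindByIdAsync(userId);
        if (user == null) return ConfirmEmailOutcome.Failed;

        // Refuse before touching the password hash, so a locked account
        // cannot keep serving as a password-guessing oracle.
        if (_users.SupportsUserLockout && await _users.IsLockedOutAsync(user))
            return ConfirmEmailOutcome.LockedOut;

        if (!await _users.CheckPasswordAsync(user, password))
        {
            if (_users.SupportsUserLockout)
            {
                // Increments the failure counter; the account is locked once
                // the configured maximum number of failures is reached.
                await _users.AccessFailedAsync(user);
                if (await _users.IsLockedOutAsync(user))
                    return ConfirmEmailOutcome.LockedOut;
            }
            return ConfirmEmailOutcome.Failed;
        }

        // Password proven: only now is the emailed code evaluated. No 2FA step
        // and no "email already confirmed" precondition is applied here.
        var result = await _users.ConfirmEmailAsync(user, code);
        if (!result.Succeeded) return ConfirmEmailOutcome.Failed;

        if (_users.SupportsUserLockout)
            await _users.ResetAccessFailedCountAsync(user);
        return ConfirmEmailOutcome.Confirmed;
    }
}
```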
