Open Closed

File Management module with unauthorized issue when downloading the uploaded files #2324


User avatar
0
trendline created
  • ABP Framework version: v5.0.0
  • UI type: MVC
  • DB provider: EF Core
  • Tiered (MVC) or Identity Server Separated (Angular): yes
  • Exception message and stack trace:
  • Steps to reproduce the issue:"

The FileManagement module with abp ver 5.0.0, when download the uploaded file Access the download link "https://localhost:44302/api/file-management/file-descriptor/download/580dc21e-c971-1ab1-d7ad-3a00f84c15bc?token=4f18829e-f70b-4088-b039-333b705a08d8" it says unauthorized "{"error":{"code":"Unauthorized","message":"Unauthorized","details":null,"data":null,"validationErrors":null}}" But all the permissions already assigned for file management module.

the audit logging recorded the download token is invalid.

Can you help me figure out is there special permission for the download api?

@maliming, I cann't reply this topic now, add the reproduce steps here:

  1. add the module by CLI
  2. apply the permission to user who can view the filemanagement module
  3. upload a image file which using database as the BLOB provider
  4. Preview the uploaded image in the file management listing, click on the link, open a new window in browser, it already append a token in the query strings, but it failed to check it.

3 Answer(s)
  • User Avatar
    -1
    cotur created

    Hello @trendline ,

    Files that uploaded with File Management module can't be downloaded directly by a link for now. We've added "token validation" for extra security.

    First, the UI makes a request to the backend application to take token, that token will be used for download, Example:

    UI makes a request -> // api/file-management/get-token / [FILE-ID] Token = 12345 UI opens a new tab with the url -> api/file-management/[FILE-ID]?token=12345 Then the download process will start.

    Tokens become expired when they used once. If you want to disable that, for each download request, you need to consume new token.

    So, how you can achieve your request, let me show you one example.

    You may create unique tokens for each dowload request by overriding DownloadAsync method of FileDescriptorController controller:

    Note that, you need to secure your api yourself.

    [HttpGet]
            [Route("download/{id}")]
            [AllowAnonymous]
            public virtual async Task<IRemoteStreamContent> DownloadAsync(Guid id, string token)
            {
                var fileDescriptor = await FileDescriptorAppService.GetAsync(id);
                
                // add this
                if(string.IsNullOrWhiteSpace(token))
                {
                    token = await FileDescriptorAppService.GetDownloadTokenAsync(id); 
                }
                
                Response.Headers.Add("Content-Disposition", $"attachment;filename=\"{fileDescriptor.Name}\"");
                Response.Headers.Add("Accept-Ranges", "bytes");
                Response.ContentType = fileDescriptor.MimeType;
    
                return await FileDescriptorAppService.DownloadAsync(id, token);
            }
    
  • User Avatar
    0
    trendline created

    Thanks for your detailed explanation, I will try to override the DownloadAsync method in the FileManagement module. Although the links which in the uploaded files list, with a token as the query string, but it still cannot be verified when click the download link to preview the file, is this not updated with 5.0.0?

    Hi @cotur, could you have a look on this issue? The File Management module already got a token then bind to the link to get a file, but it still has this issue.

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi trendline

    Can you share full steps to reproduce?

Made with ❤️ on ABP v9.1.0-preview. Updated on December 26, 2024, 06:07