- ABP Framework version: v3.3.1 Commercial
- UI type: Angular
- Tiered (MVC) or Identity Server Separated (Angular): Identity Server Included
- Exception message and stack trace: Server Logs:
2020-11-12 15:51:05.452 +11:00 [ERR] The required antiforgery cookie ".AspNetCore.Antiforgery.Fk0-jtlgxmU" is not present.
2020-11-12 15:51:05.452 +11:00 [INF] Authorization failed for the request at filter 'Volo.Abp.AspNetCore.Mvc.AntiForgery.AbpAutoValidateAntiforgeryTokenAuthorizationFilter'.
Response: 400 Bad Request
- Steps to reproduce the issue: Create new commercial application using suite
- Create new solution
- Select
- Template Type: Application Template
- Project Name: Testing
- Output Folder: C:\Testing
- Create Solution Folder: Yes
- UI Framework: Angular
- Mobile: None
- DB Provider: Entity Framework Core
- Connection String: Valid string to database
- Separated Identity Server: No
- Preview Version: No
- Created single entity with a single property of "Name"
- Built and ran DB migrations
- Built and ran Host
Using Insomnia - No Cookies
- POST api/account/login using
{
"userNameOrEmailAddress": "admin",
"password": "1q2w3E*",
"rememberMe": true
}
- Response contains SetCookies. Insomnia stores cookies
set-cookie idsrv.session=d2M1gwv8ziO_pceYBykIKg; path=/; secure; samesite=none
set-cookie .AspNetCore.Identity.Application=[value omitted]; expires=Thu, 26 Nov 2020 21:52:49 GMT; path=/; secure; samesite=none; httponly
- Don't see any XSRF-TOKEN cookie at this stage
- POST api/app/scenarios
- Response BAD Request
- On the server see the following:
2020-11-12 15:51:05.452 +11:00 [ERR] The required antiforgery cookie ".AspNetCore.Antiforgery.Fk0-jtlgxmU" is not present.
2020-11-12 15:51:05.452 +11:00 [INF] Authorization failed for the request at filter 'Volo.Abp.AspNetCore.Mvc.AntiForgery.AbpAutoValidateAntiforgeryTokenAuthorizationFilter'.
I have recently updated our solution to use the commercial modules. This changed the authentication method to the commercial module available, which is fine. On testing, cookie authentication for POST requests no longer works (GET requests are fine).
To see if this was an issue with my migration to the commercial modules I decided to create a simple Angular application using the Abp Suite. The same issue is present. For cookie auth POST requests no longer work. Also of interest, only the first POST to Login works. All subsequent calls result in a 400 Bad Request.
Any hints as to where to look would be greatly appreciated. The very strange behaviour is that GET requests work, yet POST requests fail for the same endpoint. My current next step is to debug AbpAutoValidateAntiforgeryTokenAuthorizationFilter, which I was hoping not to do.
I can see that the default options do the following:
AutoValidateIgnoredHttpMethods = new HashSet<string> {"GET", "HEAD", "TRACE", "OPTIONS"};
So that explains why the GET request is working, but the POST is not.
Yet the following:
TokenCookie = new CookieBuilder
{
Name = "XSRF-TOKEN",
HttpOnly = false,
IsEssential = true,
Expiration = TimeSpan.FromDays(3650) //10 years!
};
I never see this cookie returned from the service. Calling https://localhost:44382/api/account/login does not return this token, how is it retrieved using the login REST API call?
15 Answer(s)
-
0
Hi,
You need to use the IdentityServer token endpoint instead of /api/account/login
-
0
Hi,
Also getting this issue after upgrading to 3.3.1 - seems to only be affecting POST calls via the API/Swagger
Can you please post some detailed code on this IdentityServer token endpoint we should be calling instead of the account login?
-
0
-
0
@liangshiwei the image you posted does not appear
-
0
Hi,
We have called the IdentityServer connect endpoint and received a token - please provide detail on how this should now be used to make successful POST calls
We are getting the following error when attempting to POST from a mobile application to the ABP REST API
> Request starting HTTP/1.1 POST https://app--dev1.websites.net/api/app/ProfileTest application/json 179
> 2020-11-17 01:06:45.627 +00:00 [INF] Authorization was successful.
> 2020-11-17 01:06:45.629 +00:00 [INF] Executing endpoint '..ProfileTests.ProfileTestAppService.CreateAsync (..Application)'
> 2020-11-17 01:06:45.631 +00:00 [INF] Route matched with {action = "Create", controller = "ProfileTest", area = "", page = ""}. Executing controller action with signature System.Threading.Tasks.Task`1[..ProfileTests.ProfileTestDto] CreateAsync(..ProfileTests.ProfileTestCreateDto) on controller ..ProfileTests.ProfileTestAppService (..Application).
> 2020-11-17 01:06:45.641 +00:00 [ERR] The required antiforgery cookie ".AspNetCore.Antiforgery.w5W7x28NAIs" is not present.
> 2020-11-17 01:06:45.647 +00:00 [INF] Authorization failed for the request at filter 'Volo.Abp.AspNetCore.Mvc.AntiForgery.AbpAutoValidateAntiforgeryTokenAuthorizationFilter'.
> 2020-11-17 01:06:45.648 +00:00 [INF] Executing HttpStatusCodeResult, setting HTTP status code 400
> 2020-11-17 01:06:45.649 +00:00 [INF] Executed action ..ProfileTests.ProfileTestAppService.CreateAsync (..Application) in 17.294ms
> 2020-11-17 01:06:45.650 +00:00 [INF] Executed endpoint '..ProfileTests.ProfileTestAppService.CreateAsync (..Application)'
> 2020-11-17 01:06:45.678 +00:00 [INF] Request finished in 79.3745ms 302
> 2020-11-17 01:06:45.709 +00:00 [INF] Request starting HTTP/1.1 GET https://app--dev1.websites.net/Error?httpStatusCode=400
-
0
Set the token as Bearer token in your HttpClient
client.SetBearerToken(accessToken);
See https://github.com/abpframework/abp/blob/740fb05644d1097877bbb34446956958e4dc36bd/framework/src/Volo.Abp.Cli.Core/Volo/Abp/Cli/Http/CliHttpClient.cs#L48
Also check out https://support.abp.io/QA/Questions/560/How-can-I-call-an-ABP-remote-service-method#answer-19f25faa-e2f5-bc56-3bc7-39f8e32906bf
-
0
Hi,
We added the access token as a bearer token as you suggested but still get the same error:
> Request starting HTTP/1.1 POST https://app--dev1.websites.net/api/app/ProfileTest application/json 179
> 2020-11-17 01:06:45.627 +00:00 [INF] Authorization was successful.
> 2020-11-17 01:06:45.629 +00:00 [INF] Executing endpoint '..ProfileTests.ProfileTestAppService.CreateAsync (..Application)'
> 2020-11-17 01:06:45.631 +00:00 [INF] Route matched with {action = "Create", controller = "ProfileTest", area = "", page = ""}. Executing controller action with signature System.Threading.Tasks.Task`1[..ProfileTests.ProfileTestDto] CreateAsync(..ProfileTests.ProfileTestCreateDto) on controller ..ProfileTests.ProfileTestAppService (..Application).
> 2020-11-17 01:06:45.641 +00:00 [ERR] The required antiforgery cookie ".AspNetCore.Antiforgery.w5W7x28NAIs" is not present.
> 2020-11-17 01:06:45.647 +00:00 [INF] Authorization failed for the request at filter 'Volo.Abp.AspNetCore.Mvc.AntiForgery.AbpAutoValidateAntiforgeryTokenAuthorizationFilter'.
> 2020-11-17 01:06:45.648 +00:00 [INF] Executing HttpStatusCodeResult, setting HTTP status code 400
> 2020-11-17 01:06:45.649 +00:00 [INF] Executed action ..ProfileTests.ProfileTestAppService.CreateAsync (..Application) in 17.294ms
> 2020-11-17 01:06:45.650 +00:00 [INF] Executed endpoint '..ProfileTests.ProfileTestAppService.CreateAsync (..Application)'
> 2020-11-17 01:06:45.678 +00:00 [INF] Request finished in 79.3745ms 302
> 2020-11-17 01:06:45.709 +00:00 [INF] Request starting HTTP/1.1 GET https://app--dev1.websites.net/Error?httpStatusCode=400
To clarify - this is a third party app independently developed that simply needs to call the ABP REST API and make a POST. It was working fine prior to updating to 3.3.1. This is now impacting business and we need a resolution. Can we please organise a video call to go over the issue and resolve?
Thanks
-
0
-
0
Hi Jason,
Might also have to do the same - could you shed some light on how you downgraded? I don't see any options to do so using the CLI
Thanks in advance
-
0
I can help you remotely. shiwei.liang@volosoft.com
-
0
Hi @christianvpernix,
You might like the answer. Basically I opened every proj file, and the package.json in your front end (mine is angular). Then every abp package you see, change the version number from 3.3.1 to 3.2.1. Then restore packages through nuget and npm and build. A few things might break at this point and you have to figure out how to extract those features. I was lucky that the external party login (facebook, google, etc) was the only thing that broke, so I deleted their configurations.
Still testing. So we will see if this was a good move or not.
Hope that helps.
-
0
Thanks @jason.smith, looks promising :)
-
0
Hi @liangshiwei, we are on ABP Framework version: v4.0.2 Commercial and still experience all POST API calls returning a 400 Bad Request when calling via Swagger. Logs also reveal "The required antiforgery cookie ".AspNetCore.Antiforgery.ddttNScLARY" is not present."
What is it we need to do?
-
0
You can disable it with
AutoValidate = false
https://docs.abp.io/en/abp/4.1/CSRF-Anti-Forgery#abpantiforgeryoptions
or you need to add the anti-forgery token to the header with the header name RequestVerificationToken.
This is implemented in new ABP templates. You can create a new template to see how it works and adapt it to your existing project.
-
0
Thanks @alper that worked
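The header-based option from the last answer, as an added example that is not part of the thread or of ABP's code: a non-browser client keeps the cookies it receives and copies the XSRF-TOKEN cookie into the RequestVerificationToken header on every request whose method is validated. The cookie values and the `.AspNetCore.Antiforgery.EXAMPLE` name are constructed placeholders, and it assumes some response after login has set the XSRF-TOKEN cookie.

```javascript
// Added example, not code from the thread or from ABP.
// Cookie name XSRF-TOKEN and header RequestVerificationToken are the names
// quoted in the thread; all cookie values below are constructed placeholders.

// Methods the thread lists in AutoValidateIgnoredHttpMethods.
const IGNORED_METHODS = new Set(['GET', 'HEAD', 'TRACE', 'OPTIONS']);

// Fold Set-Cookie lines into a name -> value jar (attributes are dropped).
function storeCookies(jar, setCookieLines) {
  for (const line of setCookieLines) {
    const pair = line.split(';', 1)[0];
    const eq = pair.indexOf('=');
    if (eq <= 0) continue; // skip malformed entries
    jar.set(pair.slice(0, eq).trim(), pair.slice(eq + 1).trim());
  }
  return jar;
}

// Build request headers; a validated method without a token fails client-side
// instead of reaching the server and coming back as 400 Bad Request.
function buildHeaders(method, jar) {
  const headers = {};
  if (jar.size > 0) {
    headers.Cookie = [...jar].map(([k, v]) => `${k}=${v}`).join('; ');
  }
  if (IGNORED_METHODS.has(method.toUpperCase())) return headers;
  const token = jar.get('XSRF-TOKEN');
  if (!token) throw new Error(`no XSRF-TOKEN cookie stored; ${method} would be rejected`);
  headers.RequestVerificationToken = decodeURIComponent(token); // cookie values may be percent-encoded
  return headers;
}

// Constructed responses: login sets only auth cookies (as the question observed);
// a later response is assumed to set the antiforgery cookie pair.
const loginCookies = [
  'idsrv.session=SESSION_PLACEHOLDER; path=/; secure; samesite=none',
  '.AspNetCore.Identity.Application=AUTH_PLACEHOLDER; path=/; secure; samesite=none; httponly',
];
const antiforgeryCookies = [
  '.AspNetCore.Antiforgery.EXAMPLE=COOKIE_TOKEN_PLACEHOLDER; path=/; httponly',
  'XSRF-TOKEN=REQUEST_TOKEN_PLACEHOLDER; path=/',
];

function demo() {
  const jar = storeCookies(new Map(), loginCookies);
  let afterLoginOnly = 'sent';
  try { buildHeaders('POST', jar); } catch (e) { afterLoginOnly = 'blocked'; }
  storeCookies(jar, antiforgeryCookies);
  return { afterLoginOnly, headers: buildHeaders('POST', jar) };
}
```

Setting `AutoValidate = false` instead removes this check for every caller, including cookie-authenticated browser sessions, so the header route keeps the protection the filter exists to provide.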