
OpenIddictTokens are not soft-deleting despite being a FullAuditedAggregateRoot #7778


BenS-FreshRF created
  • ABP Framework version: v8.3.0-rc.1
  • UI Type: Blazor WASM
  • Database System: EF Core (PostgreSQL)
  • Tiered (for MVC) or Auth Server Separated (for Angular): no
  • Exception message and full stack trace:

    2024-08-26 22:17:45.244 +00:00 [ERR] Failed executing DbCommand (15ms) [Parameters=[@__date_0='?' (DbType = DateTime)], CommandType='"Text"', CommandTimeout='30']
    DELETE FROM "OpenIddictTokens" AS o
    WHERE o."Id" IN (
        SELECT o0."Id"
        FROM "OpenIddictTokens" AS o0
        LEFT JOIN (
            SELECT o1."Id", o1."ApplicationId", o1."ConcurrencyStamp", o1."CreationDate", o1."CreationTime", o1."CreatorId", o1."DeleterId", o1."DeletionTime", o1."ExtraProperties", o1."IsDeleted", o1."LastModificationTime", o1."LastModifierId", o1."Properties", o1."Scopes", o1."Status", o1."Subject", o1."Type"
            FROM "OpenIddictAuthorizations" AS o1
            WHERE NOT (o1."IsDeleted")
        ) AS t ON o0."AuthorizationId" = t."Id"
        WHERE NOT (o0."IsDeleted") AND o0."CreationDate" < @__date_0 AND (((o0."Status" <> 'inactive' OR o0."Status" IS NULL) AND (o0."Status" <> 'valid' OR o0."Status" IS NULL)) OR (t."Id" IS NOT NULL AND (t."Status" <> 'valid' OR t."Status" IS NULL)) OR o0."ExpirationDate" < now() AT TIME ZONE 'UTC')
    )
    2024-08-26 22:17:45.247 +00:00 [ERR] 42501: permission denied for table OpenIddictTokens
  • Steps to reproduce the issue: Revoke the Delete permission on the OpenIddictTokens table for the ABP database user for the API, then use the system for a bit, logging on and off and on again.

For security, we've recently created a new database user with tightened-up permissions for usual access (https://en.wikipedia.org/wiki/Principle_of_least_privilege); the user doesn't need to be a superuser or have any alter table permissions. Due to soft-deleting being common, it shouldn't need Delete permission for most tables either.

The Volo.Abp.OpenIddict.Tokens.OpenIddictToken class is set up as a FullAuditedAggregateRoot, which has soft-deleting enabled, but it's not actually using it, so when we revoked the delete permissions the system stopped working properly.

Quick fix is to re-grant the Delete permission, but the OpenIddictToken class should either be set up to use soft-deleting as its inheritance provides, or its inheritance should be changed so we don't have unnecessary unused columns present on the database table.
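
The quick fix described in the post above can be scoped to the one table named in the error rather than restoring DELETE everywhere. This PostgreSQL sketch is an added example, not part of the original post or of ABP; the role name abp_app and the public schema are assumptions, and only the table name and the 42501 error come from the post.

```sql
-- Added example. Assumed names: role abp_app, schema public.
-- Only "OpenIddictTokens" and error 42501 are taken from the post.

BEGIN;

-- Baseline for the application role: read and write rows, no hard deletes.
-- DDL rights (CREATE/ALTER) stay with a separate migration/owner role.
REVOKE ALL ON ALL TABLES IN SCHEMA public FROM abp_app;
GRANT USAGE ON SCHEMA public TO abp_app;
GRANT SELECT, INSERT, UPDATE ON ALL TABLES IN SCHEMA public TO abp_app;
GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA public TO abp_app;

-- Narrow exception: the cleanup statement in the log issues a real
-- DELETE against this table, so soft-delete (UPDATE) rights are not enough.
GRANT DELETE ON TABLE public."OpenIddictTokens" TO abp_app;

COMMIT;

-- Audit: every table on which the role currently holds DELETE.
-- With the grants above this should return exactly one row.
SELECT table_schema, table_name
FROM information_schema.role_table_grants
WHERE grantee = 'abp_app'
  AND privilege_type = 'DELETE'
ORDER BY table_schema, table_name;

-- Spot check for a single table (returns true or false).
SELECT has_table_privilege('abp_app', 'public."OpenIddictTokens"', 'DELETE');
```

Any other table that turns out to be hard-deleted will show up in the application log with the same 42501 error and can be added to the exception list individually.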


1 Answer(s)
    liangshiwei created
    Support Team Fullstack Developer

    Hi,

    thanks, we will fix the problem. https://github.com/abpframework/abp/issues/20657

Made with ❤️ on ABP v9.1.0-preview. Updated on November 20, 2024, 13:06