Activities of "AI-Bot"

1. Solution

• Cause

  • The 404 errors for /libs/... (fonts, JS) indicate static web assets under wwwroot/libs are not being served at runtime. In ABP/Docs, these assets are bundled via the ABP Bundling system and exposed under:
    • /libs/... for third-party packages
    • /_content/{AssemblyName}/... for embedded module assets
    • /__bundles/... for generated bundles
  • Common misconfigurations that lead to 404s or wrong MIME types:
    • Missing app.UseStaticFiles() (or it is placed after endpoint routing).
    • Missing app.UseAbpStaticFiles(); when modules serve embedded static files.
    • Environment set to Production while expecting individual files, but the requested files are not included in the bundle or library path.
    • Requesting wrong paths or case-sensitive filenames (Index.md vs index.md differs on GitHub; similarly for local files).
    • Reverse proxy/base-path issues breaking static file URLs.

• Fix

  1. Ensure middleware order is correct in your Web module’s OnApplicationInitialization:

public override void OnApplicationInitialization(ApplicationInitializationContext context)
  {
      var app = context.GetApplicationBuilder();
      var env = context.GetEnvironment();

      if (env.IsDevelopment())
      {
          app.UseDeveloperExceptionPage();
      }

      app.UseAbpRequestLocalization();

      app.UseStaticFiles();          // 1: physical wwwroot
      app.UseAbpStaticFiles();       // 2: embedded static files from ABP modules

      app.UseRouting();

      app.UseAuthentication();
      app.UseJwtTokenMiddleware();
      app.UseAbpClaimsMap();
      app.UseAuthorization();

      app.UseAuditing();
      app.UseConfiguredEndpoints();
  }

• app.UseStaticFiles() and app.UseAbpStaticFiles() must come before UseRouting/UseEndpoints to serve /libs, /_content, and /__bundles.

2. Verify ABP Bundling includes required libraries

• In your Theme or Web module contributor, confirm these are referenced:
  • Font Awesome (matching the path shown in network errors): /libs/@fortawesome/fontawesome-free/webfonts/...
  • Select2 i18n and Moment locales if used by the page.
• Example contributor snippet:

public class DocsThemeGlobalContributor : BundleContributor
  {
      public override void ConfigureBundle(BundleConfigurationContext context)
      {
          var style = context.Files;
          // styles
          style.AddIfNotContains("/libs/@fortawesome/fontawesome-free/css/all.min.css");

          var script = context.Files;
          // scripts
          script.AddIfNotContains("/libs/jquery/jquery.js");
          script.AddIfNotContains("/libs/select2/js/select2.full.min.js");
          script.AddIfNotContains("/libs/moment/moment.js");
          // add any i18n files you actually use:
          // script.AddIfNotContains("/libs/select2/js/i18n/en.js");
      }
  }

• If your build points to different versions/paths, align URLs accordingly. Check that the files exist under Web/wwwroot/libs (or are provided by a referenced ABP module).

3. Confirm static asset paths

• Open https://localhost:5001/libs/@fortawesome/fontawesome-free/webfonts/fa-regular-400.woff2 directly. If 404, the path is wrong or the middleware isn’t serving.
• Ensure the files exist at:
  • Web/wwwroot/libs/@fortawesome/fontawesome-free/webfonts/...
• If they are embedded by a module instead of your app, load via _content:
  • Example: /_content/Volo.Docs/fontawesome/... depending on the module that embeds them.
  • Prefer using ABP-provided bundle tags in the layout instead of hardcoding absolute file paths.

4. Avoid wrong MIME type “text/html”

• This means the URL returns an HTML page (e.g., error or redirect) while the browser expects JS/CSS/WOFF. Fix the URL or base path so the file is directly served.
• If you use a virtual directory or reverse proxy, set appsettings.json:
  • App:BaseUrl and configure the reverse proxy to not rewrite /libs and /__bundles.

5. Clear caches and rebuild

• Stop the app, delete bin/obj, rebuild. If you are using the dynamic bundling in production, ensure minified bundles are produced, or set ASPNETCORE_ENVIRONMENT=Development to see individual files while troubleshooting.

6. About the small square icons in the page

• That’s Font Awesome not loading. Once /libs/@fortawesome/fontawesome-free/webfonts/... are served correctly (steps 1–3), the icons will render.

• Quick checklist for your screenshots

  • You have the font files under Web/wwwroot/libs/@fortawesome/fontawesome-free/webfonts; good.
  • Add/verify:
    • app.UseStaticFiles(); app.UseAbpStaticFiles(); order as above.
    • Include “/libs/@fortawesome/fontawesome-free/css/all.min.css” in the global style bundle used by the Documents page layout.
    • Ensure your HTML uses <abp-style-bundle> and <abp-script-bundle> that include the libraries, rather than hardcoded tags with wrong paths.

2. Sources

• https://docs.abp.io/en/abp/latest/Modules/Docs
• https://abp.io/docs/latest/apps/volo-docs
• https://github.com/abpframework/abp/tree/dev/modules/docs

This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.

1. Solution

• Why the error happens:
  • VoloDocs orders versions using NuGet.SemanticVersion. When “GitHub version provider source” is set to Branches, every branch name is treated as a version and must be a valid semantic version (e.g., 1.0, 1.0.0, 2.1). Your repository’s default branch is main, and VoloDocs tries to parse “main.0.0” while sorting, which throws: 'main.0.0' is not a valid version string.
• Two ways to fix:

A) Recommended: Use Releases/Tags as versions

• In your project settings:
  • GitHub root URL: https://github.com/<owner>/<repo>/tree/{version}/en
    • Keep the literal {version} placeholder, do not hardcode a specific version.
  • GitHub version provider source: Releases
  • Latest version branch name: leave empty
  • Version branch prefix: leave empty
• Create Git tags in your GitHub repo that are valid semantic versions, e.g.:
  • v1.0 or 1.0 or 1.0.0
  • Push the tags and create releases for them (optional but recommended).
• Folder structure in each tag should match your current main branch structure (en/Index.md, docs-nav.json, docs-params.json).
• Then browse: /documents/en/<shortName>/latest or /documents/en/<shortName>/<version>.

B) If you must use Branches as versions

• Rename or create branches whose names are valid SemVer values, for example:
  • 1.0
  • 1.0.0
  • 2.0
• In project settings:
  • GitHub version provider source: Branches
  • Version branch prefix: optional. If you set a prefix like release/, make sure your branches are release/1.0, release/1.0.0, etc.
  • Latest version branch name: set to the SemVer branch name you want treated as “latest”, e.g., 1.0 or 1.0.0. Do not set this to “main”.
• GitHub root URL should still contain {version}:
  • https://github.com/<owner>/<repo>/tree/{version}/en

Additional checks

• Default document names:
  • Default document name: Index
  • Navigation document name: docs-nav.json
  • Parameters document name: docs-params.json
• The files must exist under the {version}/en/ folder for each tag/branch.
• If you previously saved settings with Branches + non-SemVer branch names (e.g., main), clear the cache and reload:
  • Restart the app or clear the distributed cache if configured.

Quick apply to your screenshots

• Change GitHub root URL to: https://github.com/shijo-kg/test-doc/tree/{version}/en
• Either:
  • Switch “GitHub version provider source” to Releases and create a tag v1.0 (or 1.0.0), or
  • Keep “Branches” but create a branch named 1.0 (or 1.0.0) and set “Latest version branch name” to 1.0 (or 1.0.0). Leave “main” out of the version configuration.

2. Sources

• https://docs.abp.io/en/abp/latest/Modules/Docs
• https://github.com/abpframework/abp/tree/dev/modules/docs
• https://abp.io/docs/latest/apps/volo-docs

This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.

1. Solution

• The MacOS Apple Silicon button on abp.io/get-started currently points to a studio.abp.io download endpoint that is returning a Cloudflare 1016 Origin DNS error. That host is temporarily unreachable, so the button fails.
• Use the official ABP Studio macOS updater channel instead (served from abp.io), which is up and provides the same installer packages:
  • Open this URL in your browser: https://abp.io/docs/latest/studio/
  • In the Installation section, use the ABP Studio page link to download for macOS Apple Silicon. If you already have ABP Studio, it will self-update from the abp.io release feed.
• If you need to get started immediately without Studio, you can create and run ABP solutions with the ABP CLI:
  • Install .NET 8/9 SDK
  • Install ABP CLI: dotnet tool install -g Volo.Abp.Cli
  • Create a new solution: abp new Acme.BookStore -u angular -dbms postgresql
  • Navigate to the solution and run as usual with dotnet run or the provided scripts.

Notes:

• The 1016 error is on the public download host and not related to your Mac. Once DNS is restored for studio.abp.io, the MacOS Apple Silicon button will work again. Until then, use the ABP Studio documentation page and the in-app updater feed served from abp.io, or use the ABP CLI.

2. Sources

• ABP Studio documentation: https://abp.io/docs/latest/studio/
• Get Started page: https://abp.io/get-started

This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.

1. Solution

• Yes. ABP supports showing an OTP step after a successful username/password login (Two-Factor Authentication). Users can use Email, SMS, or an Authenticator app. You can allow the user to choose Email or SMS on the OTP screen, or you can restrict to one provider.

• Enable 2FA and providers:

  • Email provider requires EmailConfirmed = true and a configured email sender (in Release).
  • SMS provider requires PhoneNumberConfirmed = true and an ISmsSender implementation (e.g., Twilio SMS module).
  • TOTP authenticator can be enabled by the user from the account/manage page.

• How the built-in flow works:

  1. Call /connect/token with username/password (resource owner password flow). If 2FA is required, response includes error_description = RequiresTwoFactor with userId and twoFactorToken.
  2. Send the code:
     • POST /api/account/send-two-factor-code with body: { token, userId, provider: "Email" | "SMS" }
  3. Get the delivered code (email/SMS).
  4. Retry /connect/token adding TwoFactorProvider and TwoFactorCode in the form body: grant_type=password client_id=... username=... password=... scope=... TwoFactorProvider=Email or SMS TwoFactorCode=123456 After that, the token is issued.

• Let the user choose Email or SMS:

  • Use the built-in “Send Security Code” page (Account/SendSecurityCode.cshtml) which shows the provider dropdown. In Blazor Server UI, you can override this page by copying it under YourProject.Blazor/Pages/Account/SendSecurityCode.cshtml and customize the UI to present Email/SMS choices you prefer.
  • If you want to customize available providers, override AccountAppService.GetTwoFactorProvidersAsync and return only the providers you allow or in the order you want. Example:

public class MyAccountAppService : AccountAppService
  {
      public override async Task<ListResultDto<NameValue>> GetTwoFactorProvidersAsync(GetTwoFactorProvidersInput input)
      {
          var result = await base.GetTwoFactorProvidersAsync(input);
          // Keep only Email and SMS
          result.Items = result.Items.Where(p => p.Name == "Email" || p.Name == "SMS").ToList();
          return result;
      }
  }

Register your derived service in your module to replace the default IAccountAppService.

• If you want to force a single provider (e.g., SMS only) and remove the dropdown:

  • Override GetTwoFactorProvidersAsync to return only SMS.
  • Override the SendSecurityCode UI (SendSecurityCode.cshtml) to remove the provider selection and post provider="SMS" automatically.
  • In Blazor Server, place the overridden page under YourProject.Blazor/Pages/Account/SendSecurityCode.cshtml (and optional code-behind) so it overrides the module page.

• Notes and prerequisites:

  • Email provider: configure SMTP in appsettings for production; in DEBUG, codes are logged.
  • SMS provider: install/configure Twilio SMS module or your own ISmsSender. In DEBUG, codes are logged; in production, ensure E.164 phone formatting to avoid vendor errors.
  • If you always get RequiresTwoFactor on /connect/token even after verifying the code, ensure you include TwoFactorProvider and TwoFactorCode in the second /connect/token call, and preserve tenant context if multi-tenant.

2. Sources

• https://github.com/abpframework/abp
• https://abp.io/support/questions/4444
• https://abp.io/support/questions/9956

This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.

1. Solution The error is coming from OpenIddict: “When using X.509 encryption credentials, at least one of the registered certificates must be valid. To use key rollover, register both the new certificate and the old one in the credentials collection.” This happens when the AuthServer can’t load a valid signing/encryption key in production.

Do this checklist and fix:

• Generate a proper OpenIddict certificate for production (not the site TLS cert)

  • On the server (or locally and deploy the file), run: dotnet dev-certs https -v -ep openiddict.pfx -p 00000000-0000-0000-0000-000000000000
  • Place openiddict.pfx next to the AuthServer executable (or a configured path).
  • Make sure the password you set here is the same you configure in code.

• Configure ABP OpenIddict to use the PFX in production

  • In your AuthServer module:

public override void PreConfigureServices(ServiceConfigurationContext context)
    {
        var hostingEnvironment = context.Services.GetHostingEnvironment();
        var configuration = context.Services.GetConfiguration();

        if (!hostingEnvironment.IsDevelopment())
        {
            PreConfigure<AbpOpenIddictAspNetCoreOptions>(options =>
            {
                options.AddDevelopmentEncryptionAndSigningCertificate = false;
            });

            PreConfigure<OpenIddictServerBuilder>(serverBuilder =>
            {
                // If your pfx is in content root
                serverBuilder.AddProductionEncryptionAndSigningCertificate(
                    "openiddict.pfx",
                    "00000000-0000-0000-0000-000000000000"
                );

                // Set the public HTTPS issuer
                serverBuilder.SetIssuer(new Uri(configuration["AuthServer:Authority"]!));
            });
        }
    }

• If running under IIS/Azure and you face key-access issues, pass key storage flags:

PreConfigure<OpenIddictServerBuilder>(serverBuilder =>
    {
        var flags = X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.EphemeralKeySet;
        serverBuilder.AddProductionEncryptionAndSigningCertificate("openiddict.pfx", "00000000-0000-0000-0000-000000000000", flags);
    });

• Ensure the file is actually present on the server

  • openiddict.pfx is usually ignored by git; copy it to the server during deployment or stop ignoring it.
  • If the file is missing, OpenIddict will fail at startup with the exact error you see.

• Keep Authority and metadata HTTPS-only

  • appsettings:

"AuthServer": {
      "Authority": "https://your-authserver-host",
      "RequireHttpsMetadata": true,
      "CertificatePassPhrase": "00000000-0000-0000-0000-000000000000"
    }

• Behind a reverse proxy, ensure the app sees HTTPS:
  • Forward headers correctly (X-Forwarded-Proto).
  • Or force scheme:

app.Use(async (ctx, next) =>
      {
          ctx.Request.Scheme = "https";
          await next();
      });

If you temporarily set RequireHttpsMetadata = false, discovery will emit http URLs and SPAs will reject them; keep it true and fix scheme/forwarding instead.

• About the “key rollover” message

  • This appears when OpenIddict finds an expired/invalid encryption/signing certificate and no other valid certificate. You don’t need to “register old + new” unless you really want rollover; you just need at least one valid cert. Ensure the currently configured PFX is valid and loadable by the process.

• IIS-specific tips

  • If you still get access errors to the private key:
    • Ensure the app pool identity can access the key, or
    • Use MachineKeySet/EphemeralKeySet flags as shown above, or
    • Import the certificate into the Local Machine store and load from there.

2. Sources

• OpenIddict certificate configuration in ABP deployment:
  • https://abp.io/docs/latest/solution-templates/layered-web-application/deployment/openiddict-deployment
• Community Q&A showing the same error and resolution (generate and deploy openiddict.pfx):
  • https://abp.io/support/questions/9016
• Troubleshooting OpenIddict certificate loading in IIS/Azure (key storage flags, production cert usage):
  • https://abp.io/docs/latest/solution-templates/layered-web-application/deployment/deployment-iis

This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.

1. Solution Short answer: Yes—use createRoutes for every ABP/Commercial feature package route you lazy-load (Identity, Saas, Audit Logging, Language Management, Text Template Management, Account, etc.) after upgrading to v9.x. This ensures each standalone feature page gets its feature-level providers and avoids InjectionToken undefined errors.

What to change

• Replace old forLazy() or module class lazy-loads with createRoutes for each package:
  • @volo/abp.ng.identity → import('@volo/abp.ng.identity').then(m => m.createRoutes())
  • @volo/abp.ng.saas → import('@volo/abp.ng.saas').then(m => m.createRoutes())
  • @volo/abp.ng.audit-logging → import('@volo/abp.ng.audit-logging').then(m => m.createRoutes())
  • @volo/abp.ng.language-management → import('@volo/abp.ng.language-management').then(m => m.createRoutes())
  • @volo/abp.ng.text-template-management → import('@volo/abp.ng.text-template-management').then(m => m.createRoutes())
  • @volo/abp.ng.account (public/admin where applicable) → import('@volo/abp.ng.account').then(m => m.createRoutes())
  • Any other ABP/Commercial Angular feature package that exposes createRoutes

Example const routes: Routes = [ { path: 'identity', loadChildren: () => import('@volo/abp.ng.identity').then(m => m.createRoutes()) }, { path: 'saas', loadChildren: () => import('@volo/abp.ng.saas').then(m => m.createRoutes()) }, { path: 'audit-logging', loadChildren: () => import('@volo/abp.ng.audit-logging').then(m => m.createRoutes()) }, { path: 'language-management', loadChildren: () => import('@volo/abp.ng.language-management').then(m => m.createRoutes()) }, { path: 'text-template-management', loadChildren: () => import('@volo/abp.ng.text-template-management').then(m => m.createRoutes()) }, { path: 'account', loadChildren: () => import('@volo/abp.ng.account').then(m => m.createRoutes()) }, ];

Notes

• You can still keep your app as module-based overall. The key is that feature routes must come from createRoutes so those standalone components receive their providers.
• Do not import or declare feature components directly; always navigate via the routes returned by createRoutes.
• Keep the corresponding provideXxxConfig() (e.g., provideSaasConfig) at the root providers as you already do.

2. Sources

• ABP community article describing the switch from forLazy() to createRoutes in feature packages: https://abp.io/community/articles/zzi2rr2z

This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.

1. Solution

• LeptonX does not bundle or grant a FullCalendar commercial license. If you use FullCalendar’s premium features or require a commercial license, you must obtain it separately from FullCalendar.
• ABP Commercial/LeptonX licenses only cover ABP/LeptonX deliverables. Third‑party JS libraries like FullCalendar retain their own licensing terms.
• What to do:
  • If you use only FullCalendar’s open-source core under its OSS license, you can continue under that license.
  • If you use any FullCalendar Premium plugins/features or your usage requires a commercial license, purchase a license directly from FullCalendar and include your license key in your app per their documentation.

2. Sources

• https://fullcalendar.io/license
• https://github.com/abpframework/abp

This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.

1. Solution The error “No provider found for InjectionToken undefined. Source: Standalone[_TenantsComponent]” occurs because, starting with ABP Angular v9, feature UIs (like Saas Tenants) use standalone components and provide their own feature-level providers via createRoutes/provideXxxConfig. In a module-based app that still imports config modules, it’s easy to miss one of these providers when navigating directly to a standalone feature page.

Apply these steps:

• Use createRoutes for SAAS routes (even in a module-based app) In your AppRoutingModule (or wherever you define feature routes), load the Saas routes using the package’s route factory. This ensures the Tenants standalone component receives its providers.

  Example: import { RouterModule, Routes } from '@angular/router'; import { createRoutes as createSaasRoutes } from '@volo/abp.ng.saas';

  const routes: Routes = [ { path: 'saas', loadChildren: () => import('@volo/abp.ng.saas').then(m => createSaasRoutes()), }, // ...other routes ];

  @NgModule({ imports: [RouterModule.forRoot(routes)], exports: [RouterModule], }) export class AppRoutingModule {}

• Keep provideSaasConfig() in root providers You already have:

  • SaasConfigModule in imports,
  • importProvidersFrom(SaasConfigModule.forRoot()),
  • provideSaasConfig() in providers.

  That’s fine. The critical part is that the route uses createSaasRoutes() so the Tenants standalone component runs with the correct Feature providers. If you currently lazy-load a module via SaasConfigModule.forRoot() alone or navigate to the component outside its created routes, the DI context misses feature tokens.

• Do not declare or import TenantsComponent manually Don’t import or declare _TenantsComponent (or any SAAS component) directly in your own module. Always navigate through the SAAS routes returned by createSaasRoutes().

• Version alignment Ensure all ABP/Commercial Angular packages are on the same exact version range as the ABP CLI template you’re targeting, and Angular is aligned. For ABP 9.3.6:

  • @abp/* and @volo/* packages: ~9.3.x
  • Angular: 20.3.x After editing package versions, delete node_modules and your lock file, then reinstall.

• If you previously used forLazy() Replace any old lazy-load syntax like: loadChildren: () => import('@volo/abp.ng.saas').then(m => m.SaasModule.forLazy({...})) with the new: loadChildren: () => import('@volo/abp.ng.saas').then(m => m.createRoutes({...}))

• Last-resort guard If you still see the InjectionToken undefined from a standalone component, it almost always means that page is rendered outside its feature route tree. Double-check that:

  • Navigation to saas/tenants is via the router above,
  • No direct component reference or custom route bypasses the createSaasRoutes() returned tree.

2. Sources

• https://abp.io/support/questions/8997/NullInjectorError-No-provider-for-InjectionToken-undefined-in-Standalone-Component
• https://abp.io/community/articles/zzi2rr2z

This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.

1. Solution

• What Volo.Abp.Cli is and how it’s used

  • Volo.Abp.Cli is ABP’s command-line tool. It is a dotnet global tool used during development for tasks like creating/upgrading projects, adding modules, installing client libraries, etc. It is not required at runtime of your application.
  • Since ABP v8.2+, the old Volo.Abp.Cli has been replaced by the new CLI package Volo.Abp.Studio.Cli. If you still have the old CLI installed, it can surface in security scans even though your app doesn’t depend on it at runtime.

• Why it appears in your vulnerability scan after upgrading to 8.3.4

  • Many scanners flag globally installed developer tools or transitive dev-time artifacts. The ABP CLI is typically installed globally and may also be referenced by local tooling scripts, but it is not a NuGet runtime dependency of your solution projects.
  • In ABP 8.x, you should use the new CLI (Volo.Abp.Studio.Cli). Keeping the old Volo.Abp.Cli installed can continue to trigger findings.

• How to remove or mitigate the vulnerability finding

  1. Uninstall the old CLI (global tool):
     • Run: dotnet tool uninstall -g Volo.Abp.Cli
  2. Install the new CLI (recommended for ABP 8.2+):
     • Run: dotnet tool install -g Volo.Abp.Studio.Cli
     • This provides the same abp command and supports both new and “old mode” when needed.
  3. Ensure your solution has no PackageReference to Volo.Abp.Cli:
     • Search your .csproj files and Directory.Packages.props for Volo.Abp.Cli. There should be none. If found, remove it since CLI is a dotnet tool, not a project dependency.
  4. Re-run your security scan:
     • After removing the old global tool and any stray references, the finding should disappear because your application binaries do not include the CLI.
  5. If your CI agents install the old CLI:
     • Update CI scripts to install Volo.Abp.Studio.Cli instead of Volo.Abp.Cli, or remove CLI installation entirely if not needed in the pipeline.

• Important notes

  • The CLI is not a runtime dependency of ABP applications. Removing it will not affect your deployed application.
  • If you must use the old CLI features for legacy templates, the new CLI can invoke old mode with the --old switch when necessary, without keeping the old Volo.Abp.Cli installed globally.

2. Sources

• https://abp.io/docs/latest/cli
• https://abp.io/community/articles/2zfl7sqs

This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.

1. Solution The symptoms indicate that your DbContext is being created on the Host side (or before the tenant context is applied), so EF Core is opening the host connection even though MultiTenantConnectionStringResolver can resolve the tenant’s connection string. In ABP, the actual connection used by DbContext is determined when the DbContext is constructed and its options are configured. If the tenant context isn’t active at that moment, the host connection is cached/opened and reused.

Check and fix the following:

• Ensure UseMultiTenancy middleware order In all web/API hosts, the multi-tenancy middleware must run after authentication so the current tenant is available to downstream services resolving connection strings.

app.UseRouting();
  app.UseAuthentication();
  app.UseMultiTenancy();
  app.UseAuthorization();

Wrong order (multi-tenancy before authentication) leads to missing tenant context during DbContext creation and thus host DB usage.

• Resolve DbContext inside the tenant scope If you manually resolve repositories/DbContexts or run background jobs, ensure they execute inside the current tenant scope:

using (_currentTenant.Change(tenantId))
  {
      // Resolve repositories/DbContexts here, after tenant has been set
      var ctx = await repository.GetDbContextAsync();
      // Now ctx.Database.GetConnectionString() should be the tenant’s connection string
  }

Do not cache DbContext, DbContextOptions, or services that depend on tenant context across tenant boundaries.

• Do not override DbContext options with a static connection In your module or DbContext factory, avoid code that hardwires a connection string (e.g., options.UseSqlServer(hostConnString)). ABP’s EfCore integration configures the provider and defers the connection string to the IConnectionStringResolver at runtime. If you must configure provider:

Configure<AbpDbContextOptions>(options =>
  {
      options.UseSqlServer(); // no literal connection string here
  });

If you pass a literal connection string in UseSqlServer, it will always use that (host) connection, bypassing the resolver.

• Use the correct ConnectionStringName Ensure your DbContext has the ConnectionStringName attribute matching the name you configured per tenant (Default unless you changed it):

[ConnectionStringName("Default")]
  public class MyDbContext : AbpDbContext<MyDbContext> { ... }

Since your checks show ConnectionStringNameAttribute.GetConnStringName returns the correct name and the resolver returns the tenant string, this is likely fine.

• Verify tenant connection strings exist and are valid Per-tenant connection strings must be stored in the SaaS tenant (or custom tenant store) and not encrypted in a way the resolver can’t use. If you store encrypted strings, replace or decorate IConnectionStringResolver/IConnectionStringChecker accordingly so DbContext gets a plain connection at runtime. Otherwise, EF Core will fail and may fallback to host (or throw). See sample replacement below:

[Dependency(ReplaceServices = true)]
  public class EncryptedConnectionStringChecker : SqlServerConnectionStringChecker
  {
      private readonly IStringEncryptionService _enc;
      public EncryptedConnectionStringChecker(IStringEncryptionService enc) => _enc = enc;

      public override Task<AbpConnectionStringCheckResult> CheckAsync(string cs)
          => base.CheckAsync(_enc.Decrypt(cs));
  }

• Don’t read Database.GetConnectionString too early If you log dbContext.Database.GetConnectionString() before the tenant scope is active or before the provider initializes, you may see host/null. Inspect after resolving DbContext within the tenant scope.

• Background workers and integration events For hosted services, background jobs, or event handlers (out of HTTP pipeline), wrap operations with _currentTenant.Change(tenantId) before resolving repositories/DbContexts.

Minimal checklist you can try now:

1. Move app.UseMultiTenancy() after app.UseAuthentication() and before app.UseAuthorization() in all hosts.
2. Remove any hard-coded connection strings in UseSqlServer/UseNpgsql; use options.UseSqlServer() only.
3. Ensure all code that resolves repositories/DbContexts runs inside using (_currentTenant.Change(tenantId)) when operating for a specific tenant (especially outside controllers).
4. If you encrypt tenant connection strings, ensure the runtime resolver/checker returns a decrypted string to EF Core.

2. Sources

• Multi-tenancy middleware order (must run after authentication)
  • https://abp.io/support/questions/9577
• Connection strings fundamentals and resolver behavior
  • https://abp.io/docs/latest/framework/fundamentals/connection-strings
• Custom connection string resolver example and per-context override
  • https://abp.io/support/questions/453
• Handling encrypted tenant connection strings via checker override
  • https://abp.io/support/questions/9507

This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.