Creating a new ticket to share more details as I cannot update the existing ticket - https://support.abp.io/QA/Questions/1352/Identity-server-token
As part of web application assessment, there was an observation reported about JWT tokens.
The JSON web token (JWT) for your web application was not encrypted, allowing the data within it to be inspected with trivial effort. This revealed the email (username) and expiration date of the token.
Recommendation is to either -
I understand that this is not related to the framework and it is the subject of Identity Server but we don't have much control over it as the Identity server is integrated within the framwework itself. Can you guide us to remediate this issue based on recommendations mentioned above. Need to know what changes will be required in existing application code to handle it.
Thanks
ABP Framework version: v4.3.1 UI type: Angular DB provider: EF Core Tiered (MVC) or Identity Server Seperated (Angular): yes
Post upgrade of our application (Angular) to latest ABP 4.3.1, we are facing an issue with account component. As per the latest code AccountComponent, eIdentityComponents does not have a Account member which was there initially. We have our own custom implementation of the entire login page and due to this, we can't break our components in smaller chunks. Can you guide us what can we do to replace the whole Account as a component rather than just smaller components as it will require a lot of efforts to seperate our components.
Npgsql.PostgresException (0x80004005): 42P01: relation "XXX" does not exist
at Npgsql.NpgsqlConnector.<ReadMessage>g__ReadMessageLong|194_0(NpgsqlConnector connector, Boolean async, DataRowLoadingMode dataRowLoadingMode, Boolean readingNotifications, Boolean isReadingPrependedMessage)
at Npgsql.NpgsqlDataReader.NextResult(Boolean async, Boolean isConsuming, CancellationToken cancellationToken)
at Npgsql.NpgsqlDataReader.NextResult()
at Npgsql.NpgsqlCommand.ExecuteReader(CommandBehavior behavior, Boolean async, CancellationToken cancellationToken)
at Npgsql.NpgsqlCommand.ExecuteReader(CommandBehavior behavior, Boolean async, CancellationToken cancellationToken)
at Npgsql.NpgsqlCommand.ExecuteReader(CommandBehavior behavior)
at Npgsql.NpgsqlCommand.ExecuteDbDataReader(CommandBehavior behavior)
at System.Data.Common.DbCommand.ExecuteReader()
at Microsoft.EntityFrameworkCore.Storage.RelationalCommand.ExecuteReader(RelationalCommandParameterObject parameterObject)
at Microsoft.EntityFrameworkCore.Query.Internal.SplitQueryingEnumerable1.Enumerator.InitializeReader(DbContext _, Boolean result) at Npgsql.EntityFrameworkCore.PostgreSQL.Storage.Internal.NpgsqlExecutionStrategy.Execute[TState,TResult](TState state, Func3 operation, Func3 verifySucceeded) at Microsoft.EntityFrameworkCore.Query.Internal.SplitQueryingEnumerable1.Enumerator.MoveNext()
Exception data:
Severity: ERROR
SqlState: 42P01
MessageText: relation "XXX" does not exist
Position: 23
File: parse_relation.c
Line: 1180
Routine: parserOpenTable
Check the docs before asking a question: https://docs.abp.io/en/commercial/latest/ Check the samples, to see the basic tasks: https://docs.abp.io/en/commercial/latest/samples/index The exact solution to your question may have been answered before, please use the search on the homepage.
Is there any setting in ABP.IO framework which enforces user to change the password after first login?. If yes, please provide information on the same. If no, can you share some insight on how to set it up in ABP?
Thanks & regards, Repunjay
Check the docs before asking a question: https://docs.abp.io/en/commercial/latest/ Check the samples, to see the basic tasks: https://docs.abp.io/en/commercial/latest/samples/index The exact solution to your question may have been answered before, please use the search on the homepage.
Thanks, Repunjay
Check the docs before asking a question: https://docs.abp.io/en/commercial/latest/ Check the samples, to see the basic tasks: https://docs.abp.io/en/commercial/latest/samples/index The exact solution to your question may have been answered before, please use the search on the homepage.
Hi,
We have one service/api which runs in docker container. When one of the operation of this api is invoked, it publishes an event to a Distributed Event Bus (Rabbit MQ). The event is consumed by the Event handler which is a part of another service/api (Application project). This api is hosted in another container. We have noticed a problem that when the second service is idle, the event handler doesn't listens to the messages published by first service. Thus we have to restart the container of second service and than the handler consumes the event and process it. Is there a way to make that event handler continously listening to the messages despite service becomes idle? The Event Handler is written in the Application project of the second service. Below is the code snippet. Let me know if require further information.
using Microsoft.Extensions.Logging;
using FinanceManagement.SharedServices;
using FinanceManagement.TradeFinanceDetails;
using Shared.MqServices.ETO;
using System;
using System.Collections.Generic;
using System.Text;
using System.Threading.Tasks;
using Volo.Abp.DependencyInjection;
using Volo.Abp.EventBus.Distributed;
namespace FinanceManagement.MessagingServices
{
public class TradeFinanceBatchEventHandler : IDistributedEventHandler<BatchCreatedEto>, ITransientDependency
{
private readonly IDistributedEventBus _distributedEventBus;
private readonly ISharedAppService _sharedAppService;
private readonly ITradeFinanceBatchAppService _tradeFinanceBatchAppService;
private readonly ILogger _logger;
public TradeFinanceBatchEventHandler(IDistributedEventBus distributedEventBus,
ITradeFinanceBatchAppService tradeFinanceBatchAppService,
ISharedAppService sharedAppService,
ILogger<TradeFinanceBatchEventHandler> logger
)
{
_distributedEventBus = distributedEventBus;
_sharedAppService = sharedAppService;
_tradeFinanceBatchAppService = tradeFinanceBatchAppService;
_logger = logger;
}
public async Task HandleEventAsync(BatchCreatedEto eventData)
{
if (eventData.BatchId != Guid.Empty)
{
_logger.LogInformation("Start Process..");
_logger.LogInformation("BatchId : " + eventData.BatchId.ToString());
var batch = await _sharedAppService.GetBatchDetailById(eventData.BatchId);
//Save TradeFinance
var tradeFinancebatch = await _tradeFinanceBatchAppService.SaveRequestForFinancingAsync(batch);
_logger.LogInformation("End Process.");
//Send Acknowledgement
//Update status in BatchService Batch using API
}
}
}
}
Thanks & regards, Repunjay
Check the docs before asking a question: https://docs.abp.io/en/commercial/latest/ Check the samples, to see the basic tasks: https://docs.abp.io/en/commercial/latest/samples/index The exact solution to your question may have been answered before, please use the search on the homepage.
Denial of Service (DoS) Improper Certificate Validation Information Exposure Regular Expression Denial of Service (ReDoS) Privilege Escalation Authentication Bypass
Vulnerable module: System.Net.Http Introduced through: xunit.extensibility.execution@2.4.1 and xunit@2.4.1 Exploit maturity: No known exploit Fixed in: 4.1.2, 4.3.2 Introduced through: project@* › xunit.extensibility.execution@2.4.1 › NETStandard.Library@1.6.1 › System.Net.Http@4.3.0 Introduced through: project@* › xunit@2.4.1 › xunit.assert@2.4.1 › NETStandard.Library@1.6.1 › System.Net.Http@4.3.0 Introduced through: project@* › xunit.extensibility.execution@2.4.1 › xunit.extensibility.core@2.4.1 › NETStandard.Library@1.6.1 › System.Net.Http@4.3.0
Vulnerable module: System.Text.RegularExpressions Introduced through: meta-common-packages@meta Exploit maturity: No known exploit Fixed in: 4.3.1 Introduced through: project@* › meta-common-packages@meta › System.Text.RegularExpressions@4.3.0
Check the docs before asking a question: https://docs.abp.io/en/commercial/latest/ Check the samples, to see the basic tasks: https://docs.abp.io/en/commercial/latest/samples/index The exact solution to your question may have been answered before, please use the search on the homepage.
* {
"messages": [
"attribute components.schemas.Schema name Volo.Abp.Application.Dtos.PagedResultDto`1[[SCV.Litmus.InvoiceManagement.Batches.BatchDto, SCV.Litmus.InvoiceManagement.Application.Contracts, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null]] doesn't adhere to regular expression ^[a-zA-Z0-9\\.\\-_]+$",
"attribute components.schemas.Schema name Volo.Abp.Application.Dtos.PagedResultDto`1[[SCV.Litmus.InvoiceManagement.Invoices.InvoiceByStatusDto, SCV.Litmus.InvoiceManagement.Application.Contracts, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null]] doesn't adhere to regular expression ^[a-zA-Z0-9\\.\\-_]+$",
"attribute components.schemas.Schema name Volo.Abp.Application.Dtos.PagedResultDto`1[[SCV.Litmus.InvoiceManagement.CreditNotes.CreditNoteByStatusDto, SCV.Litmus.InvoiceManagement.Application.Contracts, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null]] doesn't adhere to regular expression ^[a-zA-Z0-9\\.\\-_]+$",
"attribute components.schemas.Schema name Volo.Abp.Application.Dtos.PagedResultDto`1[[SCV.Litmus.InvoiceManagement.Batches.GetBatchDetailDto, SCV.Litmus.InvoiceManagement.Application.Contracts, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null]] doesn't adhere to regular expression ^[a-zA-Z0-9\\.\\-_]+$",
"attribute components.schemas.Schema name Volo.Abp.Application.Dtos.PagedResultDto`1[[SCV.Litmus.InvoiceManagement.Invoices.InvoiceDto, SCV.Litmus.InvoiceManagement.Application.Contracts, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null]] doesn't adhere to regular expression ^[a-zA-Z0-9\\.\\-_]+$",
"attribute components.schemas.Schema name Volo.Abp.Application.Dtos.PagedResultDto`1[[SCV.Litmus.InvoiceManagement.Quotes.QuoteDto, SCV.Litmus.InvoiceManagement.Application.Contracts, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null]] doesn't adhere to regular expression ^[a-zA-Z0-9\\.\\-_]+$",
"attribute components.schemas.Schema name Volo.Abp.Application.Dtos.PagedResultDto`1[[SCV.Litmus.InvoiceManagement.Samples.SampleDto, SCV.Litmus.InvoiceManagement.Application.Contracts, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null]] doesn't adhere to regular expression ^[a-zA-Z0-9\\.\\-_]+$"
]
}
Steps to reproduce the issue: Attached is the class file for one object "BatchDto.cs". Kindly suggest what's wrong with the class implementation and steps to resolve.
using System;
using Volo.Abp.Application.Dtos;
namespace SCV.Litmus.InvoiceManagement.Batches
{
public class BatchDto : FullAuditedEntityDto<Guid>
{
public string BatchNumber { get; set; }
public Guid SupplierId { get; set; }
public Guid BusinessEntityId { get; set; }
public int CurrencyId { get; set; }
public string Description { get; set; }
public double RequestedFinanceAmount { get; set; }
public string BenchMark { get; set; }
public double MarginRate { get; set; }
public double InvoiceTotalAmount { get; set; }
public double CreditNoteTotalAmount { get; set; }
public double NetFinanceAmount { get; set; }
public DateTime BatchCreationDate { get; set; }
}
}
Check the docs before asking a question: https://docs.abp.io/en/commercial/latest/ Check the samples, to see the basic tasks: https://docs.abp.io/en/commercial/latest/samples/index The exact solution to your question may have been answered before, please use the search on the homepage.
2020-09-01 15:54:37.892 +00:00 [INF] Request finished in 12.2568ms 404 text/html; charset=utf-8 2020-09-01 15:54:47.167 +00:00 [INF] Request starting HTTP/1.1 POST http://52.76.27.179/Account/Login application/x-www-form-urlencoded 317 2020-09-01 15:54:47.168 +00:00 [INF] CORS policy execution failed. 2020-09-01 15:54:47.168 +00:00 [INF] Request origin http://52.76.27.179 does not have permission to access the resource. 2020-09-01 15:54:47.172 +00:00 [INF] No CORS policy found for the specified request. 2020-09-01 15:54:47.173 +00:00 [INF] Executing endpoint '/Account/Login' 2020-09-01 15:54:47.175 +00:00 [INF] Route matched with {page = "/Account/Login", area = "", controller = "", action = ""}. Executing page /Account/Login 2020-09-01 15:54:47.206 +00:00 [INF] Executing handler method Volo.Abp.Account.Public.Web.Pages.Account.LoginModel.OnPostAsync - ModelState is "Valid" 2020-09-01 15:54:47.579 +00:00 [WRN] Invalid password for user 5dc0ff50-a197-c0a3-bcbe-39f5d3e999ac. 2020-09-01 15:54:47.580 +00:00 [WRN] User 5dc0ff50-a197-c0a3-bcbe-39f5d3e999ac failed to provide the correct password. 2020-09-01 15:54:47.752 +00:00 [INF] Executed handler method OnPostAsync, returned result Microsoft.AspNetCore.Mvc.RazorPages.PageResult. 2020-09-01 15:54:47.810 +00:00 [INF] Executed page /Account/Login in 635.2435ms 2020-09-01 15:54:47.811 +00:00 [INF] Executed endpoint '/Account/Login' 2020-09-01 15:54:47.936 +00:00 [INF] Request starting HTTP/1.1 GET http://52.76.27.179/__bundles/Lepton.Global.6F3011FF0A55A24A6A8C93BB718D26D8.js?_v=637345724587994221 2020-09-01 15:54:47.937 +00:00 [INF] The file /__bundles/Lepton.Global.6F3011FF0A55A24A6A8C93BB718D26D8.js was not modified 2020-09-01 15:54:47.938 +00:00 [INF] Request finished in 1.5823ms 304 application/javascript 2020-09-01 15:54:47.938 +00:00 [INF] Request starting HTTP/1.1 GET http://52.76.27.179/Abp/ApplicationConfigurationScript 2020-09-01 15:54:47.940 +00:00 [INF] Executing endpoint 'Volo.Abp.AspNetCore.Mvc.ApplicationConfigurations.AbpApplicationConfigurationScriptController.Get (Volo.Abp.AspNetCore.Mvc)' 2020-09-01 15:54:47.941 +00:00 [INF] Request starting HTTP/1.1 GET http://52.76.27.179/__bundles/Lepton.Global.D83D057CFA4A44472FE618AF093450A8.css?_v=637345724581876537 2020-09-01 15:54:47.941 +00:00 [INF] Request finished in 773.9358ms 200 text/html; charset=utf-8 2020-09-01 15:54:47.941 +00:00 [INF] Route matched with {area = "Abp", action = "Get", controller = "AbpApplicationConfigurationScript", page = ""}. Executing controller action with signature System.Threading.Tasks.Task`1[Microsoft.AspNetCore.Mvc.ActionResult] Get() on controller Volo.Abp.AspNetCore.Mvc.ApplicationConfigurations.AbpApplicationConfigurationScriptController (Volo.Abp.AspNetCore.Mvc). 2020-09-01 15:54:47.942 +00:00 [INF] The file /__bundles/Lepton.Global.D83D057CFA4A44472FE618AF093450A8.css was not modified 2020-09-01 15:54:47.942 +00:00 [INF] Request finished in 0.832ms 304 text/css 2020-09-01 15:54:47.942 +00:00 [INF] Request starting HTTP/1.1 GET http://52.76.27.179/Abp/ServiceProxyScript 2020-09-01 15:54:47.944 +00:00 [INF] Authorization failed. 2020-09-01 15:54:47.944 +00:00 [INF] Executing endpoint 'Volo.Abp.AspNetCore.Mvc.ProxyScripting.AbpServiceProxyScriptController.GetAll (Volo.Abp.AspNetCore.Mvc)' 2020-09-01 15:54:47.944 +00:00 [INF] Authorization failed. 2020-09-01 15:54:47.944 +00:00 [INF] Authorization failed. 2020-09-01 15:54:47.944 +00:00 [INF] Authorization failed. 2020-09-01 15:54:47.945 +00:00 [INF] Authorization failed. 2020-09-01 15:54:47.945 +00:00 [INF] Authorization failed. 2020-09-01 15:54:47.945 +00:00 [INF] Authorization failed. 2020-09-01 15:54:47.945 +00:00 [INF] Authorization failed. 2020-09-01 15:54:47.945 +00:00 [INF] Authorization failed. 2020-09-01 15:54:47.945 +00:00 [INF] Authorization failed.
Hi,
I have updated ABP pacakges for aspnet-core solution from version 2.7.0 to 3.0.4 using ABP CLI update command. The packages are updated, compiled successfully and swagger API is running fine. However, when I updated Angular solution using ABP CLI update command, I updated npm modules using yarn command and when I try to run application using yarn start, I'm getting below error, could you please advise on steps to resolve it?
