Starts in:
2 DAYS
12 HRS
6 MIN
3 SEC
Starts in:
2 D
12 H
6 M
3 S

Activities of "balessi75"

ABP Commercial 7.4.2 / Blazor Server / EF / Non tiered / Separate Host and Tenant DBs / Lepton Theme

Hi,

We recently had our ABP application penetration tested by an established security firm. The testers noted the following...

The application allows users to authenticate with a multi-factor authentication code sent via email or cellphone. There are two primary issues with the MFA authentication workflow: -There are no limits to the number of MFA guesses a user can make as long as guesses are made using the API -MFA tokens only expire after the time limit of 6 minutes has elapsed, not when a new MFA token is generated or when the token is used to login Together these misconfigurations can make it so that an MFA bypass is statistically probable....

They end with the following recommendation...

Ensure that MFA codes are invalidated after being used to authenticate a user. Furthermore, ensure that a user can only guess the MFA code a small number of times (5-10) before a lockout

How can we override/adjust the application to expire the security code/token as soon as it is used to login? Additionally, how can we make it such that after x failed attempts, the security code/token is expired?

Any suggestions/guidance is greatly appreciated as we need to have the application certified by this security firm.

Regards,

Brian

Hi liangshiwei,

It appears the user was changing their password with the failed validation "Volo.Abp.Identity:PasswordRequiresNonAlphanumeric", yet they received the following message from abp.jquery.js.

      defaultError403: {
            message: 'You are not authorized!',
            details: 'You are not allowed to perform this operation.'
        },

We are unfamiliar with the internal jquery implementation within ABP.

Please see below for the log details and advise.

https://eiufsd.nvisiononline.net/api/account/my-profile/change-password application/json 99
2024-05-03 13:49:07.331 +00:00 [INF] (Instance: 53d7) Executing endpoint 'Volo.Abp.Account.ProfileController.ChangePasswordAsync (Volo.Abp.Account.Pro.Public.HttpApi)'
2024-05-03 13:49:07.335 +00:00 [INF] (Instance: 53d7) Route matched with {controller = "Profile", area = "account", action = "ChangePassword", page = ""}. Executing controller action with signature System.Threading.Tasks.Task ChangePasswordAsync(Volo.Abp.Account.ChangePasswordInput) on controller Volo.Abp.Account.ProfileController (Volo.Abp.Account.Pro.Public.HttpApi).
2024-05-03 13:49:07.351 +00:00 [INF] (Instance: 53d7) Executing action method Volo.Abp.Account.ProfileController.ChangePasswordAsync (Volo.Abp.Account.Pro.Public.HttpApi) - Validation state: "Valid"
2024-05-03 13:49:07.572 +00:00 [WRN] (Instance: 53d7) ---------- RemoteServiceErrorInfo ----------
{
  "code": "Volo.Abp.Identity:PasswordRequiresNonAlphanumeric",
  "message": "Passwords must have at least one non alphanumeric character.",
  "details": null,
  "data": {},
  "validationErrors": null
}

2024-05-03 13:49:07.572 +00:00 [WRN] (Instance: 53d7) Passwords must have at least one non alphanumeric character.
Volo.Abp.Identity.AbpIdentityResultException: Passwords must have at least one non alphanumeric character.
   at Microsoft.AspNetCore.Identity.AbpIdentityResultExtensions.CheckErrors(IdentityResult identityResult)
   at Volo.Abp.Account.ProfileAppService.ChangePasswordAsync(ChangePasswordInput input)
   at Castle.DynamicProxy.AsyncInterceptorBase.ProceedAsynchronous(IInvocation invocation, IInvocationProceedInfo proceedInfo)
   at Volo.Abp.Castle.DynamicProxy.CastleAbpMethodInvocationAdapter.ProceedAsync()
   at Volo.Abp.Authorization.AuthorizationInterceptor.InterceptAsync(IAbpMethodInvocation invocation)
   at Volo.Abp.Castle.DynamicProxy.CastleAsyncAbpInterceptorAdapter`1.InterceptAsync(IInvocation invocation, IInvocationProceedInfo proceedInfo, Func`3 proceed)
   at Castle.DynamicProxy.AsyncInterceptorBase.ProceedAsynchronous(IInvocation invocation, IInvocationProceedInfo proceedInfo)
   at Volo.Abp.Castle.DynamicProxy.CastleAbpMethodInvocationAdapter.ProceedAsync()
   at Volo.Abp.GlobalFeatures.GlobalFeatureInterceptor.InterceptAsync(IAbpMethodInvocation invocation)
   at Volo.Abp.Castle.DynamicProxy.CastleAsyncAbpInterceptorAdapter`1.InterceptAsync(IInvocation invocation, IInvocationProceedInfo proceedInfo, Func`3 proceed)
   at Castle.DynamicProxy.AsyncInterceptorBase.ProceedAsynchronous(IInvocation invocation, IInvocationProceedInfo proceedInfo)
   at Volo.Abp.Castle.DynamicProxy.CastleAbpMethodInvocationAdapter.ProceedAsync()
   at Volo.Abp.Auditing.AuditingInterceptor.ProceedByLoggingAsync(IAbpMethodInvocation invocation, AbpAuditingOptions options, IAuditingHelper auditingHelper, IAuditLogScope auditLogScope)
   at Volo.Abp.Auditing.AuditingInterceptor.InterceptAsync(IAbpMethodInvocation invocation)
   at Volo.Abp.Castle.DynamicProxy.CastleAsyncAbpInterceptorAdapter`1.InterceptAsync(IInvocation invocation, IInvocationProceedInfo proceedInfo, Func`3 proceed)
   at Castle.DynamicProxy.AsyncInterceptorBase.ProceedAsynchronous(IInvocation invocation, IInvocationProceedInfo proceedInfo)
   at Volo.Abp.Castle.DynamicProxy.CastleAbpMethodInvocationAdapter.ProceedAsync()
   at Volo.Abp.Features.FeatureInterceptor.InterceptAsync(IAbpMethodInvocation invocation)
   at Volo.Abp.Castle.DynamicProxy.CastleAsyncAbpInterceptorAdapter`1.InterceptAsync(IInvocation invocation, IInvocationProceedInfo proceedInfo, Func`3 proceed)
   at Castle.DynamicProxy.AsyncInterceptorBase.ProceedAsynchronous(IInvocation invocation, IInvocationProceedInfo proceedInfo)
   at Volo.Abp.Castle.DynamicProxy.CastleAbpMethodInvocationAdapter.ProceedAsync()
   at Volo.Abp.Validation.ValidationInterceptor.InterceptAsync(IAbpMethodInvocation invocation)
   at Volo.Abp.Castle.DynamicProxy.CastleAsyncAbpInterceptorAdapter`1.InterceptAsync(IInvocation invocation, IInvocationProceedInfo proceedInfo, Func`3 proceed)
   at Castle.DynamicProxy.AsyncInterceptorBase.ProceedAsynchronous(IInvocation invocation, IInvocationProceedInfo proceedInfo)
   at Volo.Abp.Castle.DynamicProxy.CastleAbpMethodInvocationAdapter.ProceedAsync()
   at Volo.Abp.Uow.UnitOfWorkInterceptor.InterceptAsync(IAbpMethodInvocation invocation)
   at Volo.Abp.Castle.DynamicProxy.CastleAsyncAbpInterceptorAdapter`1.InterceptAsync(IInvocation invocation, IInvocationProceedInfo proceedInfo, Func`3 proceed)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ActionMethodExecutor.TaskResultExecutor.Execute(ActionContext actionContext, IActionResultTypeMapper mapper, ObjectMethodExecutor executor, Object controller, Object[] arguments)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeActionMethodAsync>g__Logged|12_1(ControllerActionInvoker invoker)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeNextActionFilterAsync>g__Awaited|10_0(ControllerActionInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Rethrow(ActionExecutedContextSealed context)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeInnerFilterAsync>g__Awaited|13_0(ControllerActionInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeNextExceptionFilterAsync>g__Awaited|26_0(ResourceInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
2024-05-03 13:49:07.572 +00:00 [WRN] (Instance: 53d7) Code:Volo.Abp.Identity:PasswordRequiresNonAlphanumeric
2024-05-03 13:49:07.572 +00:00 [WRN] (Instance: 53d7) Details:
2024-05-03 13:49:07.575 +00:00 [INF] (Instance: 53d7) Executing ObjectResult, writing value of type 'Volo.Abp.Http.RemoteServiceErrorResponse'.
2024-05-03 13:49:07.578 +00:00 [INF] (Instance: 53d7) Executed action Volo.Abp.Account.ProfileController.ChangePasswordAsync (Volo.Abp.Account.Pro.Public.HttpApi) in 242.5297ms
2024-05-03 13:49:07.578 +00:00 [INF] (Instance: 53d7) Executed endpoint 'Volo.Abp.Account.ProfileController.ChangePasswordAsync (Volo.Abp.Account.Pro.Public.HttpApi)'
2024-05-03 13:49:07.626 +00:00 [INF] (Instance: 53d7) Request finished HTTP/1.1 POST https://eiufsd.nvisiononline.net/api/account/my-profile/change-password application/json 99 - 403 - application/json;+charset=utf-8 325.1399ms

ABP Commercial 7.4.2 / Blazor Server / EF / Non tiered / Separate Host and Tenant DBs / Lepton Theme:

Hi,

We have a client in production that is getting the following ABP error when attempting to change their password.

We cannot replicate the issue in our QA environment.

Please advise and let us know of any troubleshooting steps we can take.

Thank you.

Thanks for confirming IanW.

We came up with an approach similar to what you described.

ABP Commercial 7.4.2 / Blazor Server / EF / Non tiered / Separate Host and Tenant DBs / Lepton Theme

Hi,

Our entire user base will always be located in the same time zone which is different than UTC and we would like the end user to always see their local time (East US).

We've read https://docs.abp.io/en/abp/latest/Timing and still are unsure of how to handle the following scenario...

In local development, we can convert ABP stored UTC values as pages load and everything works correctly, however this approach doesn't work when we deploy to Azure.

This is because the environments running in Azure have a local time of UTC. So we can't use CreationDateTime.ToLocalTime()as it will always return a UTC time instead of East US.

Is there anyway around this or a certain recommended approach?

Thanks in advance.

Excellent, this was very helpful. Thanks @maliming!

ABP Commercial 7.4.2 / Blazor Server / EF / Non tiered / Separate Host and Tenant DBs / Lepton Theme

Hi, We have successfully overridden the Change Password UI (see solution structure below). The problem is that we need to reference a new javascript file in the overridden page to augment it's functionality.

In Pages/Account/Components/ProfileManagementGroup/Password/Default.cshtml, we attempted to add the following and at runtime but the page never includes the javascript reference.

This didn't work:

@section scripts
{
   &lt;script type="text/javascript" src="/Pages/Account/PasswordStrength.js"&gt;&lt;/script&gt;

}

and this didn't work

@section scripts
{
    &lt;abp-script-bundle name="@typeof(ManageModel).FullName"&gt;
        &lt;abp-script src="/Pages/Account/PasswordStrength.js" /&gt;
    &lt;/abp-script-bundle&gt;

 }

Is there something different that needs to be done with these view components (password, personalinfo, profilepicture, etc)?

Hi you can access a video using the link below...

The video shows the following...

  1. User accessing a page they have permissions to
  2. User then accessing a page they do not have permissions to
  3. User then accessing a page that does not exist

https://www.icloud.com/iclouddrive/08aBbYcniD17PdTME67mBM9RQ#Demo_CSD_-_Google_Chrome_2023-12-14_23-26-58

Item 2 is the scenario where we want to redirect to a custom access denied page.

Thangs again @liangshiwei,

Your temporary solution works perfectly!

ABP Commercial 7.4.2 / Blazor Server / EF / Non tiered / Separate Host and Tenant DBs / Lepton Theme

Hi, We found that when a page is not authorized for a particular user, and that user attempts to access the page's URL in the browser address bar, (while logged in) the page still loads, but it's contents are empty.

In ABP, what's the best approach to redirect the user to an Access Denied page?

Thanks in advance!

Showing 11 to 20 of 245 entries
Made with ❤️ on ABP v9.1.0-preview. Updated on November 20, 2024, 13:06