Activities of "jackmcelhinney"

Received. Thanks!

• ABP Framework version: v5.2.2
• UI type: Angular w/ Authorization Code Flow
• DB provider: EF Core
• Identity Server Separated (Angular): no

After running the OWASP ZAP penetration test tool, the report shows 2 Cross Site Scripting (Reflected) warnings and 1 SQL Injection warning on the log-out page. These may be false warnings, but can these be resolved as this issue was?

Still experiencing this issue after removing skipIssuerCheck: true. I've done some more testing and can now consistently cause the issue in my project:

1. Updated lifetimes for testing:
   • AccessTokenLifetime: 300 (5 minutes)
   • SlidingRefreshTokenLifetime: 600 (10 minutes)
   • AbsoluteRefreshTokenLifetime: 900 (15 minutes)
2. Login
3. Close the tab
4. After 15 minutes, navigate back to the site

Please also note we are using the subdomain tenant resolver. Let me know if you have any other suggestions. Thanks!

Thanks for the suggestion. I have removed the skipIssuerCheck: true. I'm still not sure what causes this error to happen so I'll watch it the next few days and will let you know if it happens again.

Our app is not currently public, but I've included the information below. Let me know if there's anything else that could be helpful.

IdentityTokenLifetime: 300
AccessTokenLifetime: 3600
AuthorizationCodeLifetime: 300
AbsoluteRefreshTokenLifetime: 608400
SlidingRefreshTokenLifetime: 304200

Here is our environment.ts in case that helps as well:

• ABP Framework version: v5.0.1
• UI type: Angular (Authorization Code Flow)
• DB provider: EF Core
• Identity Server Separated (Angular): yes

Occasionally when visiting the app after the credentials expire, we get Error refreshing token in the console. The app then immediately navigates to the login page. After entering credentials, verifying with two factor, and redirecting to the Angular home page, the user is still not logged in. They click login again and must enter credentials and two factor again, and then they are logged in.

Here is the console throughout this flow when this happens:

Any suggestions for a workaround for this?

We're just visually hiding the concept of a UserName by setting UserName = EmailAddress. That way users are created and sign in using only their email address, with no option for a different username.

I ended up solving my issue by adding a hidden userName property with a default value.

export function removeUserNameContributor(
  propList: FormPropList<IdentityUserDto>
) {
  let previousUserNameProp = propList.get(propList.findIndex(p => p.value.name == 'userName')).value
  propList.dropByValue(
    'userName',
    (prop, text) => prop.name === text
  )
  propList.addHead({
    ...previousUserNameProp,
    visible: c => false,
    defaultValue: 'DEFAULTVALUE'
  } as FormProp<IdentityUserDto>);

  let emailPropIndex = propList.findIndex(p => p.value.name == 'email');
  propList.addHead(propList.get(emailPropIndex).value);
  propList.dropByIndex(emailPropIndex + 1);
}

Then in CreateAsync I ignore the default value in the username and only use the email to create the user.

var user = new Volo.Abp.Identity.IdentityUser(
    GuidGenerator.Create(),
    input.Email,
    input.Email,
    CurrentTenant.Id
);

Now the username for all users will be their email address.

• ABP Framework version: v5.0.1
• UI type: Angular
• DB provider: EF Core
• Identity Server Separated (Angular): no

Hello! We are trying to hide the username field from the Create and Edit User forms and use the email address for the username instead.

I have successfully removed the username field from the Angular UI and moved the email field to the top like this:

export function removeUserNameContributor(
  propList: FormPropList<IdentityUserDto>
) {
  propList.dropByValue(
    'userName',
    (prop, text) => prop.name === text
  )
  let emailPropIndex = propList.findIndex(p => p.value.name == 'email');
  propList.addHead(propList.get(emailPropIndex).value);
  propList.dropByIndex(emailPropIndex + 1);
}

export const identityEntityCreateFormPropContributors: IdentityCreateFormPropContributors = {
  [eIdentityComponents.Users]: [
    removeUserNameContributor
  ]
}

export const identityEntityEditFormPropContributors: IdentityEditFormPropContributors = {
  [eIdentityComponents.Users]: [
    removeUserNameContributor
  ]
}

{
    path: 'identity',
    loadChildren: () => {
      import('./identity/identity.module').then(m => m.IdentityOverrideModule)
      return import('@volo/abp.ng.identity').then((m) => m.IdentityModule.forLazy({
        createFormPropContributors: identityEntityCreateFormPropContributors,
        editFormPropContributors: identityEntityEditFormPropContributors,
      }))
    }
},

I've also overwritten the CreateAsync method to set the username to the email address:

[Authorize(IdentityPermissions.Users.Create)]
public override async Task<IdentityUserDto> CreateAsync(IdentityUserCreateDto input)
{
    var user = new Volo.Abp.Identity.IdentityUser(
        GuidGenerator.Create(),
        input.Email,
        input.Email,
        CurrentTenant.Id
    );
    
    input.MapExtraPropertiesTo(user);

    (await UserManager.CreateAsync(user, input.Password)).CheckErrors();
    
    ...
}

But I am unable to remove the Required attribute from UserName on IdentityUserCreateDto so I get the following error from the form:

In my ...DtoExtensions.cs I have tried:

ObjectExtensionManager.Instance
.AddOrUpdateProperty<string > (
    new[]
    {
        typeof(IdentityUserCreateDto),
    },
    "UserName",
    options => 
    {
        options.Attributes.Clear();
        options.Validators.Clear();
    }
);

and

ObjectExtensionManager.Instance
.AddOrUpdate<IdentityUserCreateDto>(objConfig =>
{
    objConfig.AddOrUpdateProperty<string>("UserName", propertyConfig =>
    {
        propertyConfig.Attributes.Clear();
        propertyConfig.Validators.Clear();
    });
});

and have tried substituting IdentityUserCreateDto with IdentityUserCreateOrUpdateDtoBase but none of these solutions have removed the Required attribute.

Any ideas would be appreciated. Thanks!

• ABP Framework version: v5.0.1
• UI type: Angular
• DB provider: EF Core
• Identity Server Separated: no

Hello! A while back we disabled the Organization Unit functionality in part by disabling the permissions:

context.GetPermissionOrNull(IdentityPermissions.OrganizationUnits.Default).IsEnabled = false;
context.GetPermissionOrNull(IdentityPermissions.OrganizationUnits.ManageOU).IsEnabled = false;
context.GetPermissionOrNull(IdentityPermissions.OrganizationUnits.ManageRoles).IsEnabled = false;
context.GetPermissionOrNull(IdentityPermissions.OrganizationUnits.ManageUsers).IsEnabled = false;

After upgrading from 4.4.4 to 5.0.1, the new filters on the user table throw a Volo.Abp.Authorization.AbpAuthorizationException when trying to get the organization units from Volo.Abp.Identity.OrganizationUnitController.GetListAsync. Is there a way to disable these new filters on the user table or another workaround to solve this problem within version 5.0.1?

Thanks!

Solved this by overriding the Lepton HeaderBrandViewComponent:

Created Default.cshtml in the Host project at Themes/Lepton/Components/Header/Brand/Default.cshtml:

@using Volo.Abp.Ui.Branding
@using Microsoft.Extensions.Configuration;
@inject IConfiguration _config
@inject IBrandingProvider BrandingProvider
<a class="navbar-brand" href="@_config["App:AngularUrl"]" alt="@BrandingProvider.AppName"></a>

It may be nice at some point to add the href url to the BrandingProvider so those using angular can make all the necessary overrides for the login pages in one place.