Email Confirmation Incorrect Redirect URL (Angular) #2657


User avatar
0
riley.trevillion.spatialhub4d created

Check the docs before asking a question: https://docs.abp.io/en/commercial/latest/ Check the samples, to see the basic tasks: https://docs.abp.io/en/commercial/latest/samples/index The exact solution to your question may have been answered before, please use the search on the homepage.

If you're creating a bug/problem report, please include followings:

  • ABP Framework version: v4.4.3
  • UI type: Angular
  • DB provider: EF Core
  • Tiered (MVC) or Identity Server Separated (Angular): no

Hello

We're encountering an issue with the confirm email address redirect URL where the user is being redirected to the aspnet server swagger UI API page instead of the angular client. Steps to reproduce this -

  1. Enable the 'Require confirmed email' setting in Identity Management settings tab
  2. Register a new user via the identity server / aspnet server login page (not the angular one) - it doesn't matter if it's a local user or a user via SSO provider like Google or Microsoft
  3. When the user is prompted to verify their email address, the first automatic verification email that is sent contains a link which contains the correct 'returnUrl' query parameter. Confirming your email address via this will redirect you to the angular client as it is supposed to. Notice that https://localhost:44348 is the server and the http://localhost:4200 url at the end is the angular client
  4. If you click the 'Verify' button instead, the second email that is sent does NOT contain the returnUrl query parameter. This is the first issue that needs to be resolved
  5. The next issue is that for some reason, even with returnUrl query parameter defined, the ConfirmUser.js file is referencing a field id that does not exist, so returnUrl value is null. I've had to manually define these fields as hidden fields to fix this issue.
  6. Final issue is that the logic within the Volo Account module routes the user to the '~/' URL even with the returnUrl query parameter set when pressing the Verify button. The '~/' value seems to refer to the address on the server, not the angular client https://github.com/abpframework/abp/blob/dev/framework/src/Volo.Abp.AspNetCore.Mvc.UI/Volo/Abp/AspNetCore/Mvc/UI/RazorPages/AbpPageModel.cs I've resolved this by setting the RedirectUrl directly to the query parameter value (which will be the angular client if using my previous fixes). I'm aware this opens up some security issues around redirect hijacking, so an official fix from the ABP Team for this issue and the other issues I have mentioned would be appreciated.

Thanks
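
The redirect-hijacking risk mentioned in step 6 comes from redirecting to whatever `returnUrl` contains. The following is an added example, not part of the original post and not ABP's own code: one way to check the value against trusted client origins before redirecting. `RedirectGuard`, `Resolve` and the allowlist contents are hypothetical names and values, with the Angular address taken from the post.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Constructed sample values: one trusted client URL, one server-local path,
// and several shapes that must fall back to the default.
var samples = new[]
{
    "http://localhost:4200/account/manage",
    "/Account/Manage",
    "//other.example/path",
    "/\\other.example",
    "http://localhost:4200@other.example/",
    "https://other.example/?next=http://localhost:4200",
    "javascript:alert(1)",
};
foreach (var s in samples)
    Console.WriteLine($"{s,-52} -> {RedirectGuard.Resolve(s)}");

// Hypothetical helper; not an ABP API.
public static class RedirectGuard
{
    // Assumption: the Angular client from the post is the only trusted origin.
    private static readonly HashSet<string> AllowedOrigins =
        new(StringComparer.OrdinalIgnoreCase) { "http://localhost:4200" };

    // Returns returnUrl when it is trusted, otherwise the fallback ("~/" in the post).
    public static string Resolve(string returnUrl, string fallback = "~/")
    {
        if (string.IsNullOrWhiteSpace(returnUrl)) return fallback;

        // Browsers and servers disagree on control characters and backslashes.
        if (returnUrl.Any(c => char.IsControl(c) || c == '\\')) return fallback;

        // Server-local path: exactly one leading slash ("//host" is protocol-relative).
        if (returnUrl[0] == '/')
            return returnUrl.Length == 1 || returnUrl[1] != '/' ? returnUrl : fallback;

        if (!Uri.TryCreate(returnUrl, UriKind.Absolute, out var uri)) return fallback;
        if (uri.Scheme != Uri.UriSchemeHttp && uri.Scheme != Uri.UriSchemeHttps) return fallback;
        if (uri.UserInfo.Length > 0) return fallback; // "trusted-host@other-host" shape

        // Compare the parsed scheme, host and port, never a string prefix of the raw value.
        var origin = $"{uri.Scheme}://{uri.Authority}";
        return AllowedOrigins.Contains(origin) ? returnUrl : fallback;
    }
}
```

Only the first two sample values are returned unchanged; every other one resolves to the fallback.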


6 Answer(s)
  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    Thanks, I will check this.

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    The other issues seem to be resolved, Only

  • User Avatar
    0
    riley.trevillion.spatialhub4d created

    Hi @maliming

    Are you able to confirm what version of ABP these problems have been resolved in and which of the specific fixes are included? Could you clarify what you mean with the screenshot you've posted? Is that still an outstanding issue?

    Upgrading to a new version will take time for us so we would like to be certain that if we upgrade that it will actually resolve the issues mentioned.

    Thank you

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    I added the ReturnUrl and ReturnUrlHash to the ConfirmUser page today and tested in v5.1.

    You can create a new template project to confirm that.

  • User Avatar
    0
    riley.trevillion.spatialhub4d created

    Great!

    I will verify the fixes in a new project template

    Thank you

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    : )

Made with ❤️ on ABP v9.1.0-preview. Updated on November 20, 2024, 13:06