
Blazor Server - the API is not protected by any Authentication #3153


barrett2474 created

If you're creating a bug/problem report, please include the following:

  • ABP Framework version: v5.2.2
  • UI type: Blazor Server
  • DB provider: EF Core
  • Tiered (MVC): no
  • Exception message and stack trace:
  • Steps to reproduce the issue:

I used the Blazor Server template and got it up and running. I navigated to the Swagger page before logging in; there were no cookies in the browser as it was a private window. ERROR: no exception, but I am very concerned that I was able to make calls on the API via the Swagger page despite not being logged in.


5 Answer(s)
  • barrett2474 created

    So it turns out the application template is using the **wrong** method call - it should be in ConfigureSwaggerServices. If people out there are using the code as is from the Blazor Server template then they have zero security - wide open.

    ```csharp
    // Swagger registration with OAuth support, called from ConfigureSwaggerServices.
    // The scope dictionary uses the poster's placeholder values.
    services.AddAbpSwaggerGenWithOAuth(
        configuration["AuthServer:Authority"],
        new Dictionary<string, string>
        {
            {"xxx", "xAPI"}
        },
        options =>
        {
            options.SwaggerDoc("v1", new OpenApiInfo { Title = "xAPI", Version = "v1" });
            options.DocInclusionPredicate((docName, description) => true);
            options.CustomSchemaIds(type => type.FullName);
        }
    );
    ```
    

    NOT

    ```csharp
    // Plain Swagger registration as found in the template: no OAuth security
    // definition is added to the generated document.
    services.AddAbpSwaggerGen(
        options =>
        {
            options.SwaggerDoc("v1", new OpenApiInfo { Title = "EL API", Version = "v1" });
            options.DocInclusionPredicate((docName, description) => true);
            options.CustomSchemaIds(type => type.FullName);
        }
    );
    ```
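One way to check what the generated swagger.json actually declares, added here as an example that is not code from ABP or from this thread: it parses a constructed OpenAPI document and lists every operation with no effective security requirement, which is every operation when the document carries no OAuth2 scheme at all (assumed to be what the plain registration produces, while the WithOAuth variant adds a global oauth2 requirement). The security block in the document only tells Swagger UI how to obtain a token; whether an anonymous call is rejected is decided by the API's own authorization on the server, so the list is a pointer for what to verify against the running application.

```python
import json

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

# Constructed sample document, not fetched from any server: a global oauth2
# requirement plus one operation that explicitly opts out with security: [].
SAMPLE_WITH_OAUTH_JSON = json.dumps({
    "openapi": "3.0.1",
    "info": {"title": "xAPI", "version": "v1"},
    "paths": {
        "/api/app/book": {
            "get": {"responses": {"200": {"description": "OK"}}},
            "post": {"responses": {"200": {"description": "OK"}}},
        },
        "/api/abp/application-configuration": {
            "get": {"security": [], "responses": {"200": {"description": "OK"}}},
        },
    },
    "components": {"securitySchemes": {"oauth2": {"type": "oauth2", "flows": {}}}},
    "security": [{"oauth2": ["xAPI"]}],
})

# The same paths as a registration without OAuth would describe: no scheme, no requirement.
SAMPLE_WITHOUT_OAUTH_JSON = json.dumps(
    {k: v for k, v in json.loads(SAMPLE_WITH_OAUTH_JSON).items()
     if k not in ("security", "components")})


def has_oauth2_scheme(doc_text: str) -> bool:
    """True when the document declares at least one oauth2 security scheme."""
    schemes = json.loads(doc_text).get("components", {}).get("securitySchemes", {})
    return any(s.get("type") == "oauth2" for s in schemes.values())


def unsecured_operations(doc_text: str) -> list:
    """Return 'METHOD /path' for each operation whose effective security list is empty.

    An operation's own `security` overrides the document-level one, and `security: []`
    marks it anonymous; with no document-level `security`, every operation is reported.
    """
    doc = json.loads(doc_text)
    global_security = doc.get("security", [])
    findings = []
    for path, item in doc.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:
                continue  # skip "parameters", "summary", vendor extensions
            if not op.get("security", global_security):
                findings.append(f"{method.upper()} {path}")
    return sorted(findings)
```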
    
  • liangshiwei created
    Support Team Fullstack Developer

    Hi,

    I guess you can call the API via the Swagger page because you're logged into the app, right?

    If you open a new private window and navigate to the Swagger page without logging in, you should not be able to call the authorization API.

  • barrett2474 created

    I wish that was true, but I tested it a few times with fresh templated commercial projects and in a private window.

  • liangshiwei created
    Support Team Fullstack Developer

    Can you please share some screenshots?

  • liangshiwei created
    Support Team Fullstack Developer

    You can see the GIF image: the first request is redirected to the login page, then I log in to the app and the second request succeeds.

Updated on March 25, 2024, 15:11