
Blazor Server - the API is not protected by any Authentication #3153


barrett2474 created

If you're creating a bug/problem report, please include followings:

  • ABP Framework version: v5.2.2
  • UI type: Blazor Server
  • DB provider: EF Core
  • Tiered (MVC): no
  • Exception message and stack trace:
  • Steps to reproduce the issue:

I used the template of Blazor Server and got it up and running. I navigated to the swagger page before logging in. No cookies in the browser as it was a private window. ERROR: no exception, but I am very concerned that I was able to make calls on the API via the swagger page despite not being logged in.


5 Answer(s)
  • barrett2474 created

    So it turns out the application template is using the **wrong** method call - it should be in ConfigureSwaggerServices. If people out there are using the code as is from the Blazor Server Template then they have zero security - wide open.

    ```csharp
    services.AddAbpSwaggerGenWithOAuth(
        configuration["AuthServer:Authority"],
        new Dictionary<string, string>
        {
            {"xxx", "xAPI"}
        },
        options =>
        {
            options.SwaggerDoc("v1", new OpenApiInfo { Title = "xAPI", Version = "v1" });
            options.DocInclusionPredicate((docName, description) => true);
            options.CustomSchemaIds(type => type.FullName);
        }
    );
    ```


    NOT

    ```csharp
    services.AddAbpSwaggerGen(
        options =>
        {
            options.SwaggerDoc("v1", new OpenApiInfo { Title = "EL API", Version = "v1" });
            options.DocInclusionPredicate((docName, description) => true);
            options.CustomSchemaIds(type => type.FullName);
        }
    );
    ```

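For readers wiring this up themselves, the following is an added example (not the template's shipped code and not the poster's code) of how the `AddAbpSwaggerGenWithOAuth` call from the answer above sits inside an ABP Blazor Server module, together with the matching `UseAbpSwaggerUI` setup and an application service protected with `[Authorize]`. The scope name `xAPI` and the `AuthServer:Authority` key come from the post; the module and namespace name `MyProject`, the `BookAppService` class, and the configuration keys `AuthServer:SwaggerClientId` / `AuthServer:SwaggerClientSecret` are placeholder assumptions. The point worth checking first when verifying the report above: the Swagger OAuth registration only equips the Swagger UI with an Authorize button; whether an anonymous Swagger call actually reaches an endpoint is decided by the authorization attribute on the service (or an authorization policy on the endpoint), not by which `AddAbpSwaggerGen*` overload was registered.

```csharp
// Added example, not the ABP template's own code. Assumes project name
// "MyProject"; the AuthServer:SwaggerClientId / SwaggerClientSecret keys
// are placeholders for whatever the reader's appsettings.json defines.
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.OpenApi.Models;
using Volo.Abp;
using Volo.Abp.Application.Services;
using Volo.Abp.Modularity;
using Volo.Abp.Swashbuckle;

namespace MyProject.Blazor;

[DependsOn(typeof(AbpSwashbuckleModule))]
public class MyProjectBlazorModule : AbpModule
{
    public override void ConfigureServices(ServiceConfigurationContext context)
    {
        var configuration = context.Services.GetConfiguration();
        ConfigureSwaggerServices(context.Services, configuration);
    }

    // The call the answer above says must be used: registers Swagger with an
    // OAuth2 security definition, so the Swagger UI gets an "Authorize" button
    // that obtains an access token from the auth server.
    private static void ConfigureSwaggerServices(IServiceCollection services, IConfiguration configuration)
    {
        services.AddAbpSwaggerGenWithOAuth(
            configuration["AuthServer:Authority"],
            new Dictionary<string, string>
            {
                { "xAPI", "xAPI" } // scope name -> display text shown in the UI
            },
            options =>
            {
                options.SwaggerDoc("v1", new OpenApiInfo { Title = "xAPI", Version = "v1" });
                options.DocInclusionPredicate((docName, description) => true);
                options.CustomSchemaIds(type => type.FullName);
            });
    }

    public override void OnApplicationInitialization(ApplicationInitializationContext context)
    {
        var app = context.GetApplicationBuilder();
        var configuration = context.ServiceProvider.GetRequiredService<IConfiguration>();

        // Authentication and authorization middleware must run before the
        // endpoints; this is the order the ABP templates use.
        app.UseRouting();
        app.UseAuthentication();
        app.UseAuthorization();

        app.UseSwagger();
        app.UseAbpSwaggerUI(options =>
        {
            options.SwaggerEndpoint("/swagger/v1/swagger.json", "xAPI");
            options.OAuthClientId(configuration["AuthServer:SwaggerClientId"]);         // assumed key
            options.OAuthClientSecret(configuration["AuthServer:SwaggerClientSecret"]); // assumed key
            options.OAuthScopes("xAPI");
        });

        app.UseConfiguredEndpoints();
    }
}

// ABP exposes application services as API controllers. The Swagger OAuth setup
// above only teaches the UI how to obtain a token; this attribute is what makes
// an anonymous call to GET /api/app/book fail with 401. Without it, the request
// succeeds no matter which AddAbpSwaggerGen* overload was registered.
[Authorize]
public class BookAppService : ApplicationService
{
    public Task<List<string>> GetListAsync() =>
        Task.FromResult(new List<string> { "Example book" });
}
```

To reproduce the scenario in the original report, open the Swagger page in a private window and call `GET /api/app/book` without pressing Authorize: with the attribute in place the response is 401, and removing `[Authorize]` (or applying `[AllowAnonymous]`) is the only thing in this listing that changes that outcome.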
  • liangshiwei created
    Support Team Fullstack Developer

    Hi,

    I guess you can call the API via the Swagger page because you're logged into the app, right?

    If you open a new private window and navigate to the Swagger page without logging in, you should not be able to call the authorization API.

  • barrett2474 created

    I wish that was true, but I tested it a few times with fresh templated commercial projects and in a private window.

  • liangshiwei created
    Support Team Fullstack Developer

    Can you please share some screenshots?

  • liangshiwei created
    Support Team Fullstack Developer

    You can see the GIF image: the first request is redirected to the login page, then I log in to the app and the second request succeeds.

Made with ❤️ on ABP v9.3.0-preview. Updated on May 21, 2025, 13:37