Open Closed

REST API Antiforgery Cookie Error After POST api/Login -> POST api/my_entity Call Sequence #554


User avatar
0
jason.smith created

Check the docs before asking a question: https://docs.abp.io/en/commercial/latest/ Check the samples, to see the basic tasks: https://docs.abp.io/en/commercial/latest/samples/index The exact solution to your question may have been answered before, please use the search on the homepage.

  • ABP Framework version: v3.3.1 Commerical
  • UI type: Angular
  • Tiered (MVC) or Identity Server Seperated (Angular): Identity Server Included
  • Exception message and stack trace: Server Logs:
2020-11-12 15:51:05.452 +11:00 [ERR] The required antiforgery cookie ".AspNetCore.Antiforgery.Fk0-jtlgxmU" is not present.
2020-11-12 15:51:05.452 +11:00 [INF] Authorization failed for the request at filter 'Volo.Abp.AspNetCore.Mvc.AntiForgery.AbpAutoValidateAntiforgeryTokenAuthorizationFilter'.

Response: 400 Bad Request

  • Steps to reproduce the issue: Create new commerical application using suite
  1. Create new solution
  2. Select
    1. Template Type: Application Template
    2. Project Name: Testing
    3. Output Folder: C:\Testing
    4. Create Solution Folder: Yes
    5. UI Framework: Angular
    6. Mobile: None
    7. DB Provider: Entity Framework Core
    8. Connection String: Valid string to database
    9. Separated Identity Server: No
    10. Preview Version: No
  3. Created single entity with a single property of "Name"
  4. Built and ran DB migrations
  5. Built and ran Host

Using Insomina - No Cookies

  1. POST api/account/login using
{
  "userNameOrEmailAddress": "admin",
  "password": "1q2w3E*",
  "rememberMe": true
}
  1. Response contains SetCookies. Insomina stores cookies
set-cookie	idsrv.session=d2M1gwv8ziO_pceYBykIKg; path=/; secure; samesite=none
set-cookie	.AspNetCore.Identity.Application=CfDJ8M-y0buRRcFEoHZEdek9NePLI14KQ97IYsT4VilLHF88t8-bxgISjtyF2g6YdLy39ZTAKLjlLDff55CCtwT8R2bY1oYEPslAzQ17Lj61N3aqeq8uws7RubMp2RE-LIVwXb9pLlybM0hxXLfSyAbC9wfHFVL07Ki_2UV4R-RpICbGQ3ETR7nUmJGcYc7lSsdVKGlms7N149nd-l3MVO8kG1Z2WOs_6SrJ8WDxwU41fZQTrv7bMu7ao41Kj9U78qg4TzuH-3zPliPJyAbHHYFjubXKRdT8M8IZdKwUrNo_ASMtblkmo3B2xUC7uJNPc7IjrOt2jRUdiHOPrszWHzbRbCy7FtCbZP5z1sUiQMmkazXfcVZlTUPlw4I2KldoTYgcjnsq-tFjNl-kMpY8GsAaWn96qwTaXQomhK_xdrta5MZcn9Kv2KXOXz-gkh-G4Q2RLPVOKRrTmx1eEL5EFQg7yOAEF2K2YuAI1LfEiIZCtqMcJGl3LM1GWRJa5UgUdeedTE_YnWFM5Ix8UeD6pZ_W7Z3B_-nh--bSGXb2adpLydl-BPdBhD2ZSOnh9z8O9NgWcjjNnKl28S82jDYY5TZrtlZp75XflU_MoG_QKB2HIK4LHSWNJh5nKqVEXyqnSQQZw1uiExHHuFrpSO0_3G0fyCTtfWr731VwODEnq1Hh_o4HnfBMoyzAg8d0HGjptl2dxBlHZ0PQaeEpdCzxCGagqA6SjVu4tUHUkOndQX4TCIkjqhybA7sW6u3WhMNOdT3i4IMT1m7Vsu0LXZ9roOdnOCsHZFC1UUkByrKoG0Dt_7UHg1Pf9N5S-55vnoAyYYqvrWJidzgYek-ZFEhtdoMkYLMC3SNotwLohR-RwRt6PB7WTUUUrFh6jWum3hPkYiFZFOjvWqi0vvxMKkbJsjrL1V4aKO_DVBpIzpmXGyJen5q_7Bp2NACiyxG0Cdn3Tx-jRUKmtJHnSWLEJCIuUmqWg1z5va6zaX_HZUmdwavFlqjYCglEdR1GUOVWR6x5dRg2ESIXA0fjq88hpIxBuR5vMGRYMoIfIjEwNBB3ZgSenB0TCoihPMjIpHgWa5WCq_VIg0HSJ1agZS6EFcBfSJA2E8WRUOaBYN0YPg5g8L2WI8a1wVSEtyvtn0JzSBOsJatWwQ; expires=Thu, 26 Nov 2020 21:52:49 GMT; path=/; secure; samesite=none; httponly
  1. Don't see any XSRF-TOKEN cookie at this stage
  2. POST api/app/scenarios
  3. Response BAD Request
    1. On the server see the following:
2020-11-12 15:51:05.452 +11:00 [ERR] The required antiforgery cookie ".AspNetCore.Antiforgery.Fk0-jtlgxmU" is not present.
2020-11-12 15:51:05.452 +11:00 [INF] Authorization failed for the request at filter 'Volo.Abp.AspNetCore.Mvc.AntiForgery.AbpAutoValidateAntiforgeryTokenAuthorizationFilter'.

I have recently updated our solution to use the commercial modules. This change the authentication method to the commerical module available which is fine. On testing cookie authentication for POST requests no longer work (GET requests are fine).

To see if this was an issue with my migration to the commercial modules I decided to create a simple Angular application using the Abp Suite. The same issue is present. For cookie auth POST requests no longer work. Also of interest, only the first POST to Login works. All subsequent calls result in a 400 Bad Request.

Any hints as to where to look would be greatly appreciated. The very strange behaviour is that GET requests work, yet POST requests fail for the same endpoint. My current next step is to debug AbpAutoValidateAntiforgeryTokenAuthorizationFilter, which I was hoping not to do.

I can see that the default options does the following:

AutoValidateIgnoredHttpMethods = new HashSet<string> {"GET", "HEAD", "TRACE", "OPTIONS"}; So that explains why the GET request is working, but the POST is not.

Yet the following:

TokenCookie = new CookieBuilder
            {
                Name = "XSRF-TOKEN",
                HttpOnly = false,
                IsEssential = true,
                Expiration = TimeSpan.FromDays(3650) //10 years!
            };

I never see this cookie returned from the service. Calling https://localhost:44382/api/account/login does not return this token, how is it retrieved using the login REST API call?


15 Answer(s)
  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    Hi,

    You need use the Identityserver token endpoint instead of /api/account/login

  • User Avatar
    0
    christianvpernix created

    Hi,

    Also getting this issue after upgrading to 3.3.1 - seems to only be affecting POST calls via the API/Swagger

    Can you please post some detailed code on this IdentityServer token endpoint we should be calling instead of the account login?

  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    Hi,

    Calling API via swagger will not send xsrf-token, We fixed it in v4.0. see https://github.com/abpframework/abp/pull/6124, https://github.com/abpframework/abp/pull/5864.

    For now, you can reference the Volo.Abp.Swashbuckle package to your HttpApi.Host project.

  • User Avatar
    0
    jason.smith created

    @liangshiwei the image you posted does not appear

  • User Avatar
    0
    christianvpernix created

    Hi,

    We have called the IdentityServer connect endpoint and received a token - please provide detail on how this should now be used to make successful POST calls

    We are getting the following error when attempting to POST from a mobile application to the ABP REST API

    > Request starting HTTP/1.1 POST https://app--dev1.websites.net/api/app/ProfileTest application/json 179
    > 2020-11-17 01:06:45.627 +00:00 [INF] Authorization was successful.
    > 2020-11-17 01:06:45.629 +00:00 [INF] Executing endpoint '..ProfileTests.ProfileTestAppService.CreateAsync (..Application)'
    > 2020-11-17 01:06:45.631 +00:00 [INF] Route matched with {action = "Create", controller = "ProfileTest", area = "", page = ""}. Executing controller action with signature System.Threading.Tasks.Task`1[..ProfileTests.ProfileTestDto] CreateAsync(..ProfileTests.ProfileTestCreateDto) on controller ..ProfileTests.ProfileTestAppService (..Application).
    > 2020-11-17 01:06:45.641 +00:00 [ERR] The required antiforgery cookie ".AspNetCore.Antiforgery.w5W7x28NAIs" is not present.
    > 2020-11-17 01:06:45.647 +00:00 [INF] Authorization failed for the request at filter 'Volo.Abp.AspNetCore.Mvc.AntiForgery.AbpAutoValidateAntiforgeryTokenAuthorizationFilter'.
    > 2020-11-17 01:06:45.648 +00:00 [INF] Executing HttpStatusCodeResult, setting HTTP status code 400
    > 2020-11-17 01:06:45.649 +00:00 [INF] Executed action ..ProfileTests.ProfileTestAppService.CreateAsync (..Application) in 17.294ms
    > 2020-11-17 01:06:45.650 +00:00 [INF] Executed endpoint '..ProfileTests.ProfileTestAppService.CreateAsync (..Application)'
    > 2020-11-17 01:06:45.678 +00:00 [INF] Request finished in 79.3745ms 302 
    > 2020-11-17 01:06:45.709 +00:00 [INF] Request starting HTTP/1.1 GET https://app--dev1.websites.net/Error?httpStatusCode=400  
    
  • User Avatar
    0
    alper created
    Support Team Director

    Set the token as Bearer token in your HttpClient

    client.SetBearerToken(accessToken);
    

    See https://github.com/abpframework/abp/blob/740fb05644d1097877bbb34446956958e4dc36bd/framework/src/Volo.Abp.Cli.Core/Volo/Abp/Cli/Http/CliHttpClient.cs#L48

    Also check out https://support.abp.io/QA/Questions/560/How-can-I-call-an-ABP-remote-service-method#answer-19f25faa-e2f5-bc56-3bc7-39f8e32906bf

  • User Avatar
    0
    christianvpernix created

    Hi,

    We added the access token as a bearer token as you suggested but still get the same error:

    > Request starting HTTP/1.1 POST https://app--dev1.websites.net/api/app/ProfileTest application/json 179
    > 2020-11-17 01:06:45.627 +00:00 [INF] Authorization was successful.
    > 2020-11-17 01:06:45.629 +00:00 [INF] Executing endpoint '..ProfileTests.ProfileTestAppService.CreateAsync (..Application)'
    > 2020-11-17 01:06:45.631 +00:00 [INF] Route matched with {action = "Create", controller = "ProfileTest", area = "", page = ""}. Executing controller action with signature System.Threading.Tasks.Task`1[..ProfileTests.ProfileTestDto] CreateAsync(..ProfileTests.ProfileTestCreateDto) on controller ..ProfileTests.ProfileTestAppService (..Application).
    > 2020-11-17 01:06:45.641 +00:00 [ERR] The required antiforgery cookie ".AspNetCore.Antiforgery.w5W7x28NAIs" is not present.
    > 2020-11-17 01:06:45.647 +00:00 [INF] Authorization failed for the request at filter 'Volo.Abp.AspNetCore.Mvc.AntiForgery.AbpAutoValidateAntiforgeryTokenAuthorizationFilter'.
    > 2020-11-17 01:06:45.648 +00:00 [INF] Executing HttpStatusCodeResult, setting HTTP status code 400
    > 2020-11-17 01:06:45.649 +00:00 [INF] Executed action ..ProfileTests.ProfileTestAppService.CreateAsync (..Application) in 17.294ms
    > 2020-11-17 01:06:45.650 +00:00 [INF] Executed endpoint '..ProfileTests.ProfileTestAppService.CreateAsync (..Application)'
    > 2020-11-17 01:06:45.678 +00:00 [INF] Request finished in 79.3745ms 302 
    > 2020-11-17 01:06:45.709 +00:00 [INF] Request starting HTTP/1.1 GET https://app--dev1.websites.net/Error?httpStatusCode=400  
    

    To clarify - this is a third party app independently developed that simply needs to call the ABP REST API and make a POST. It was working fine prior to updating to 3.3.1. This is now impacting business and we need a resolution. Can we please organise a video call to go over the issue and resolve?

    Thanks

  • User Avatar
    0
    jason.smith created

    OK. Just downgraded to 3.2.1 to get the old behaviour.

    All I need to do now is login and then I can perfom POSTS with just providing a cookie

    I don't require the bearer auth method, or a XSRF-TOKEN

  • User Avatar
    0
    christianvpernix created

    Hi Jason,

    Might also have to do the same - could you shed some light on how you downgraded? I don't see any options to do so using the CLI

    Thanks in advance

  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    I can help you remotely. shiwei.liang@volosoft.com

  • User Avatar
    0
    jason.smith created

    Hi @christianvpernix,

    You might like the answer. Basically I opened every proj file, and the package.json in your front end (mine is angular). Then every abp package you see, change the version number from 3.3.1 to 3.2.1. Then restore packages through nuget and npm and build. A few things might break at this point and you have to figure out how to extract those features. I was lucky that the external party login (facebook, google, etc) was the only thing that broke, so I deleted their configurations.

    Still testing. So we will see if this was a good move or not.

    Hope that helps.

  • User Avatar
    0
    christianvpernix created

    Thanks @jason.smith, looks promising :)

  • User Avatar
    0
    geoffro created

    Hi @liangshiwei we are on ABP Framework version: v4.0.2 Commerical and still experience all POST API calls returning a 400 Bad Request when calling via swagger? logs also reveal "The required antiforgery cookie ".AspNetCore.Antiforgery.ddttNScLARY" is not present."

    What is it we need to do?

  • User Avatar
    0
    alper created
    Support Team Director

    you can disable it with AutoValidate = false https://docs.abp.io/en/abp/4.1/CSRF-Anti-Forgery#abpantiforgeryoptions or you need to add the anti-forgery token to the header with the header name RequestVerificationToken.

    this is implemented in new ABP templates. you can create a new template to see how it works and adopt to your existing project.

  • User Avatar
    0
    geoffro created

    Thanks @alper that worked

Made with ❤️ on ABP v9.1.0-preview. Updated on December 13, 2024, 06:09