Open Closed

user able to login even after deleting user #6006


User avatar
0
shobhit created
  • ABP Framework version: v4.2.2
  • UI Type: Angular
  • Database System: EF Core (SQL Server, Oracle, MySQL, PostgreSQL, etc..)
  • Tiered (for MVC) or Auth Server Separated (for Angular): yes
  • Exception message and full stack trace:
  • Steps to reproduce the issue:

We have deleted user and user was logged-in at that point of time. User has not logged-out and even next day user was able to login. it is big security issue. What should be done to prevent this.


4 Answer(s)
  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    Hi,

    We will check it.

  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    You can track this: https://github.com/abpframework/abp/issues/17927

  • User Avatar
    0
    shobhit created

    Thanks liangshiwei. So what is the quick solution as it is big security risk for us.

  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    Hi,

    You can try :

    .....
    
    app.UseAuthentication();
    app.Use(async (httpContext, next) =>
    {
        var currentUser = httpContext.RequestServices.GetRequiredService<ICurrentUser>();
        if (currentUser.IsAuthenticated)
        {
            var userManager = httpContext.RequestServices.GetRequiredService<IdentityUserManager>();
            if (await userManager.FindByIdAsync(currentUser.Id.ToString()) == null)
            {
                await httpContext.SignOutAsync();
                httpContext.Response.Redirect("....");
                return;
            }
        }
    
        await next();
    });
    
Made with ❤️ on ABP v9.1.0-preview. Updated on December 10, 2024, 06:38