Activities of "BenS-FreshRF"

Question

Good Morning

We're prepping for a production deployment and were expecting 8.3 Final to be released last week, instead we got rc3. Is there a new release date scheduled for when 8.3 Final will be finished and released? Thanks.

  • ABP Framework version: v8.3.0-rc.1 (migrated from 7.2)
  • UI Type: Blazor WASM
  • Database System: EF Core (PostgreSQL)
  • Tiered (for MVC) or Auth Server Separated (for Angular): no
  • Exception message and full stack trace: No exceptions
  • Steps to reproduce the issue:
    1. Set the Session Management Prevent Concurrent Login setting to 'Logout from All Devices'.
    2. Log out / log in again.
    3. Open a new browser window and log in; the old browser window should be logged out but continues working.
    4. Open a new incognito browser window and log in; the old browser windows should be logged out but continue working.
    5. Open a new instance of a different browser (Firefox instead of Chrome) and log in; all Chrome windows should be logged out but continue working.
    6. Navigate to Identity Management -> Users -> User sessions -> Revoke all Sessions.
    7. If you revoke the session marked as 'Current' it correctly logs the user out, but if all other sessions are revoked the other browser windows still continue working.
    8. Revoking the 'Current' user session from another browser window leaves zero sessions active but all browser windows continue working.

End result is four active working browsers (2 in Chrome, 1 in Chrome Incognito, 1 in Firefox) with zero active sessions and Prevent Concurrent Login turned on. Refreshing any of the browsers causes the WASM page to reload, creating new sessions without asking for credentials.

Have logged on / off and restarted the Blazor and HttpApi.Host instance and rebuilt the project after setting the Prevent Concurrent Logins. Deleting all sessions out of the AbpSessions table also leaves all browsers active and logged in.

  • ABP Framework version: v8.3.0-rc.1
  • UI Type: Blazor WASM
  • Database System: EF Core (PostgreSQL)
  • Tiered (for MVC) or Auth Server Separated (for Angular): no
  • Exception message and full stack trace:
    2024-08-26 22:17:45.244 +00:00 [ERR] Failed executing DbCommand (15ms) [Parameters=[@__date_0='?' (DbType = DateTime)], CommandType='"Text"', CommandTimeout='30'] DELETE FROM "OpenIddictTokens" AS o WHERE o."Id" IN ( SELECT o0."Id" FROM "OpenIddictTokens" AS o0 LEFT JOIN ( SELECT o1."Id", o1."ApplicationId", o1."ConcurrencyStamp", o1."CreationDate", o1."CreationTime", o1."CreatorId", o1."DeleterId", o1."DeletionTime", o1."ExtraProperties", o1."IsDeleted", o1."LastModificationTime", o1."LastModifierId", o1."Properties", o1."Scopes", o1."Status", o1."Subject", o1."Type" FROM "OpenIddictAuthorizations" AS o1 WHERE NOT (o1."IsDeleted") ) AS t ON o0."AuthorizationId" = t."Id" WHERE NOT (o0."IsDeleted") AND o0."CreationDate" < @__date_0 AND (((o0."Status" <> 'inactive' OR o0."Status" IS NULL) AND (o0."Status" <> 'valid' OR o0."Status" IS NULL)) OR (t."Id" IS NOT NULL AND (t."Status" <> 'valid' OR t."Status" IS NULL)) OR o0."ExpirationDate" < now() AT TIME ZONE 'UTC') )
    2024-08-26 22:17:45.247 +00:00 [ERR] 42501: permission denied for table OpenIddictTokens
  • Steps to reproduce the issue: Revoke the Delete permission on the OpenIddictTokens table for the ABP database user used by the API, then use the system for a bit, logging on and off and on again.

For security we've recently created a new database user with tightened-up permissions for usual access (https://en.wikipedia.org/wiki/Principle_of_least_privilege); the user doesn't need to be a superuser or have any alter table permissions. Since soft-deleting is common, it shouldn't need Delete permission for most tables either.

The Volo.Abp.OpenIddict.Tokens.OpenIddictToken class is set up as a FullAuditedAggregateRoot, which has soft-deleting enabled, but it's not actually using it, so when we revoked the delete permissions the system stopped working properly.

Quick fix is to re-grant the Delete permission, but the OpenIddictToken class should either be set up to use soft-deleting as its inheritance provides, or its inheritance should be changed so we don't have unnecessary unused columns present on the database table.
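A least-privilege PostgreSQL role layout that matches the post above, including the quick fix of re-granting Delete only on the table that is actually hard-deleted, added here as an example and not part of the original post or of ABP itself; the database name abp, the schema public and the role name abp_api are assumed.

```sql
-- Added example, not from the original post. Assumed names: database "abp",
-- schema "public", role "abp_api" (the ABP API's database user).

-- 1. Application role: can log in, but is not a superuser and cannot create
--    databases or roles (so no ALTER TABLE / DDL as part of normal operation).
CREATE ROLE abp_api LOGIN PASSWORD 'change-me' NOSUPERUSER NOCREATEDB NOCREATEROLE;
GRANT CONNECT ON DATABASE abp TO abp_api;
GRANT USAGE ON SCHEMA public TO abp_api;

-- 2. Day-to-day DML on every existing table, deliberately without DELETE:
--    soft-deleting an entity is an UPDATE of "IsDeleted", not a DELETE.
GRANT SELECT, INSERT, UPDATE ON ALL TABLES IN SCHEMA public TO abp_api;
GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA public TO abp_api;

-- 3. "ON ALL TABLES" only covers tables that exist now. Run these as the role
--    that owns the migrations so tables added by future migrations get the
--    same grants automatically.
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT, INSERT, UPDATE ON TABLES TO abp_api;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT USAGE, SELECT ON SEQUENCES TO abp_api;

-- 4. The quick fix from the post: the token cleanup in the log issues a real
--    DELETE on "OpenIddictTokens", so that one table gets DELETE back.
GRANT DELETE ON "OpenIddictTokens" TO abp_api;

-- 5. Check: list every table the role may DELETE from. With the grants above
--    this returns exactly one row, "OpenIddictTokens"; anything else is drift.
SELECT table_schema, table_name
FROM information_schema.role_table_grants
WHERE grantee = 'abp_api' AND privilege_type = 'DELETE'
ORDER BY table_name;
```

Any other code path that hard-deletes will show up the same way the post describes, as a 42501 "permission denied" entry in the API log, so watching for that code after tightening the role is the practical way to find the remaining tables that need DELETE.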

Made with ❤️ on ABP v9.0.0-preview Updated on September 19, 2024, 10:13