Activities of "NH-Support"

ABP Framework v 9.0.1 Angular Tiered Separated Auth

Also We have a Microservice project with angular app

I'm not saying it's revealing secret and it doesn't have to reveal a secret to become a "Security Issue"

I'm saying this increase the attack surface on the application

is there a way to minimize that exposure ? an anonymous doesn't need to know my lockout policy nor my password policy and what it looks like

Hi,

I see that the endpoint api/abp/application-configuration is retrieving a punch of data even though the user is not authenticated

I do understand that it's meant to be public, but it's exposing unnecessary data like (Password policy, Lockout Policy, SignIn.RequireConfirmedEmail, multiTenancy status, AuditLogging.Enable, LanguageManagement.Enable, Account.EnableLdapLogin, Identity.EnableOAuthLogin )

is there a way to secure those ? maybe disabling them or making them available after authentication ? is this doable and is it gonna affect/breaks the front end application ?

i checked this article on how to extend them but can't seem to find a link in the docs about customizing that endpoint

Thanks

We get this Exception on production when seed OpenIdDict started couldn't execute this function (Abp function) FindByClientIdAsync(String clientId, CancellationToken cancellationToken)

[06:51:09 FTL] Host terminated unexpectedly!
Volo.Abp.AbpInitializationException: An error occurred during the initialize Volo.Abp.Modularity.OnApplicationInitializationModuleLifecycleContributor phase of the module NanoPBMNeo.NanoPBMNeoHttpApiHostModule, NanoPBMNeo.HttpApi.Host, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null: One or more errors occurred. (JsonObjectCreationHandling.Populate is incompatible with reference handling.). See the inner exception for details.
 ---> System.AggregateException: One or more errors occurred. (JsonObjectCreationHandling.Populate is incompatible with reference handling.)
 ---> System.InvalidOperationException: JsonObjectCreationHandling.Populate is incompatible with reference handling.
   at System.Text.Json.ThrowHelper.ThrowInvalidOperationException_ObjectCreationHandlingPropertyCannotAllowReferenceHandling()
   at System.Text.Json.Serialization.Metadata.JsonPropertyInfo.DetermineEffectiveObjectCreationHandlingForProperty()
   at System.Text.Json.Serialization.Metadata.JsonPropertyInfo.Configure()
   at System.Text.Json.Serialization.Metadata.JsonTypeInfo.ConfigureProperties()
   at System.Text.Json.Serialization.Metadata.JsonTypeInfo.Configure()
   at System.Text.Json.Serialization.Metadata.JsonTypeInfo.<EnsureConfigured>g__ConfigureSynchronized|172_0()
   at System.Text.Json.JsonSerializerOptions.GetTypeInfoInternal(Type type, Boolean ensureConfigured, Nullable`1 ensureNotNull, Boolean resolveIfMutable, Boolean fallBackToNearestAncestorType)
   at System.Text.Json.Serialization.Metadata.JsonPropertyInfo.Configure()
   at System.Text.Json.Serialization.Metadata.JsonTypeInfo.ConfigureProperties()
   at System.Text.Json.Serialization.Metadata.JsonTypeInfo.Configure()
   at System.Text.Json.Serialization.Metadata.JsonTypeInfo.&lt;EnsureConfigured&gt;g__ConfigureSynchronized|172_0()
   at System.Text.Json.JsonSerializerOptions.GetTypeInfoInternal(Type type, Boolean ensureConfigured, Nullable`1 ensureNotNull, Boolean resolveIfMutable, Boolean fallBackToNearestAncestorType)
   at System.Text.Json.JsonSerializerOptions.GetTypeInfoForRootType(Type type, Boolean fallBackToNearestAncestorType)
   at System.Text.Json.JsonSerializer.Deserialize(String json, Type returnType, JsonSerializerOptions options)
   at Volo.Abp.Json.SystemTextJson.AbpSystemTextJsonSerializer.Deserialize(Type type, String jsonString, Boolean camelCase)
   at Volo.Abp.Caching.Utf8JsonDistributedCacheSerializer.Deserialize[T](Byte[] bytes)
   at Volo.Abp.Caching.DistributedCache`2.GetAsync(TCacheKey key, Nullable`1 hideErrors, Boolean considerUow, CancellationToken token)
   at Volo.Abp.Caching.DistributedCache`2.GetOrAddAsync(TCacheKey key, Func`1 factory, Func`1 optionsFactory, Nullable`1 hideErrors, Boolean considerUow, CancellationToken token)
   at Volo.Abp.OpenIddict.Applications.AbpOpenIddictApplicationCache.FindByClientIdAsync(String clientId, CancellationToken cancellationToken)
   at OpenIddict.Core.OpenIddictApplicationManager`1.FindByClientIdAsync(String identifier, CancellationToken cancellationToken)
   at OpenIddict.Core.OpenIddictApplicationManager`1.OpenIddict.Abstractions.IOpenIddictApplicationManager.FindByClientIdAsync(String identifier, CancellationToken cancellationToken)
   at Nano_NanoPBMNeo.OpenIddict.OpenIddictDataSeedContributor.CreateApplicationAsync(String name, String type, String consentType, String displayName, String secret, List`1 grantTypes, List`1 scopes, String redirectUri, String postLogoutRedirectUri, List`1 permissions, String clientUri, String logoUri) in /app/src/NanoPBMNeo.Domain/OpenIddict/OpenIddictDataSeedContributor.cs:line 210
   at Nano_NanoPBMNeo.OpenIddict.OpenIddictDataSeedContributor.CreateApplicationsAsync() in /app/src/NanoPBMNeo.Domain/OpenIddict/OpenIddictDataSeedContributor.cs:line 89
   at Nano_NanoPBMNeo.OpenIddict.OpenIddictDataSeedContributor.SeedAsync(DataSeedContext context) in /app/src/NanoPBMNeo.Domain/OpenIddict/OpenIddictDataSeedContributor.cs:line 48
   at Castle.DynamicProxy.AsyncInterceptorBase.ProceedAsynchronous(IInvocation invocation, IInvocationProceedInfo proceedInfo)
   at Volo.Abp.Castle.DynamicProxy.CastleAbpMethodInvocationAdapter.ProceedAsync()
   at Volo.Abp.Uow.UnitOfWorkInterceptor.InterceptAsync(IAbpMethodInvocation invocation)
   at Volo.Abp.Castle.DynamicProxy.CastleAsyncAbpInterceptorAdapter`1.InterceptAsync(IInvocation invocation, IInvocationProceedInfo proceedInfo, Func`3 proceed)
   at NanoPBMNeo.Data.Seeders.SeederService.Seed() in /app/src/NanoPBMNeo.Domain/Data/Seeders/Services/SeederService.cs:line 96
   at Castle.DynamicProxy.AsyncInterceptorBase.ProceedAsynchronous(IInvocation invocation, IInvocationProceedInfo proceedInfo)
   at Volo.Abp.Castle.DynamicProxy.CastleAbpMethodInvocationAdapter.ProceedAsync()
   at Volo.Abp.Uow.UnitOfWorkInterceptor.InterceptAsync(IAbpMethodInvocation invocation)
   at Volo.Abp.Castle.DynamicProxy.CastleAsyncAbpInterceptorAdapter`1.InterceptAsync(IInvocation invocation, IInvocationProceedInfo proceedInfo, Func`3 proceed)
   --- End of inner exception stack trace ---
   at System.Threading.Tasks.Task.ThrowIfExceptional(Boolean includeTaskCanceledExceptions)
   at System.Threading.Tasks.Task.Wait(Int32 millisecondsTimeout, CancellationToken cancellationToken)
   at System.Threading.Tasks.Task.Wait()
   at NanoPBMNeo.NanoPBMNeoHttpApiHostModule.OnApplicationInitialization(ApplicationInitializationContext context) in /app/src/NanoPBMNeo.HttpApi.Host/NanoPBMNeoHttpApiHostModule.cs:line 360
   at Volo.Abp.Modularity.AbpModule.OnApplicationInitializationAsync(ApplicationInitializationContext context)
   at Volo.Abp.Modularity.OnApplicationInitializationModuleLifecycleContributor.InitializeAsync(ApplicationInitializationContext context, IAbpModule module)
   at Volo.Abp.Modularity.ModuleManager.InitializeModulesAsync(ApplicationInitializationContext context)
   --- End of inner exception stack trace ---
   at Volo.Abp.Modularity.ModuleManager.InitializeModulesAsync(ApplicationInitializationContext context)
   at Volo.Abp.AbpApplicationBase.InitializeModulesAsync()
   at Volo.Abp.AbpApplicationWithExternalServiceProvider.InitializeAsync(IServiceProvider serviceProvider)
   at Microsoft.AspNetCore.Builder.AbpApplicationBuilderExtensions.InitializeApplicationAsync(IApplicationBuilder app)

Thank you for support

1- for bundle files I follow the steps but get some issue :

@volosoft/ngx-lepton-x.abp I try to download this package separatly but return not found error

I try to use @volosoft/abp.ng.theme.lepton-x but provideThemeLeptonX, withThemeLeptonXOptions not defiend within it

2- for call abp end points I didn't find a solution to replace abp controller call from angular

Ok waiting the Angular team also inside the services file I didn't find the Url for replace for example this is the AbpApiDefinitionService:

Thank you for reply How to override the Angular services to replace the URL? I couldn't find it within the documentation

Not fixing

We are building a client-facing SaaS application using ABP Framework. Some of our clients are able to detect that our system is based on ABP because of the following identifiers in the Angular app:

Endpoints (for examples )

/api/abp/application-configuration

/api/abp/application-localization

We would like to rename the controller prefix so that it uses our company’s namespace instead of abp.

Static Files

The Angular app references abp-bundle.css (see screenshot attached).

1- What is the recommended way to override/replace the controller name or route prefix for the built-in ABP Application Configuration and Localization endpoints and all abp end points ?

2- How can we change the generated CSS bundle name (currently abp-bundle.css) so it uses a custom prefix (e.g., company-bundle.css)?

Is there an officially supported approach to globally replace abp in exposed API routes, static files, and headers while keeping ABP updates compatible?

I put RequireHttpsMetadata = false and use http://auth/.well-known/openid-configuration but internally still request /authorize and other configuration using https and couldn't link internal url with certificate the solution for me was disable the certificate check and now it is working

Thank you for your support