Activities of "Repunjay"

ABP Framework version: 4.1.3
UI type: Angular
Tiered (MVC) or Identity Server Separated (Angular): yes
Exception message and stack trace:
Steps to reproduce the issue:

Creating a new ticket as the previous ticket is closed - https://support.abp.io/QA/Questions/536/How-to-Restrict-users-multiple-login-session

Steps performed as per recommendation -

  1. We are saving the latest token at the time of login in the database.
  2. When the user logs in again from a new browser, we are revoking all existing tokens.
  3. The API we are using to revoke the token is https://localhost:44350/connect/revocation and it's returning 200 OK.
  4. While testing, we figured out that even a revoked token is giving results when tested from Postman.
  5. When we log in from a new browser, the existing user is not being logged out from the browser because the token is still alive.

What could be the reason for this behaviour, where the token is revoked and we can still access the APIs?

We tried the suggested approach but still facing difficulties. Is it possible for you to share a working example of custom page which includes all the components? We can refer it and use it for our use case.

Thanks, but the problem is we don’t have separate components, as in the earlier version of the code (3.0.4) we replaced the whole page, and now with the upgraded code (4.3.1), if we do so, it will be a whole lot of effort. We want support for the whole page change as we are not currently planning to componentize the login page.

Hi ABP team - Can you please advise on this issue?

Hi ABP team - Can you please advise on this issue?

Creating a new ticket to share more details as I cannot update the existing ticket - https://support.abp.io/QA/Questions/1352/Identity-server-token

ABP Framework version: v4.3.1
UI type: Angular
DB provider: EF Core
Tiered (MVC) or Identity Server Separated (Angular): yes

As part of web application assessment, there was an observation on No Session Timeout. The expiration of JWT was set to 365 days. Need to implement a server side approach which expires a user’s session after a predefined interval (15-20 mins) of inactivity. Kindly advise on how to do it with existing ABP code base in our application.
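The two requirements raised in these posts, ending the old session when the user logs in from a second browser and expiring a session after 15 minutes of inactivity, both need state on the server, because an API that validates a self-contained JWT looks only at its signature and `exp`. The following is an added example, not ABP or IdentityServer code; `SessionRegistry`, the `sid` claim and the in-memory map are assumptions made for illustration.

```javascript
// Added example, not ABP or IdentityServer code. All names are hypothetical.
// Models an API that accepts self-contained JWTs and adds a server-side
// session check keyed by a per-login session id (`sid`) carried in the token.
const IDLE_LIMIT_MS = 15 * 60 * 1000; // 15 minutes of inactivity

class SessionRegistry {
  constructor() {
    this.active = new Map(); // userId -> { sid, lastSeen }
  }

  // Called at login: the new session replaces any earlier one for the user.
  login(userId, sid, now) {
    this.active.set(userId, { sid, lastSeen: now });
  }

  // Called by the API on every request, after the signature check has passed.
  check(claims, now) {
    if (claims.exp * 1000 <= now) return 'expired';
    const s = this.active.get(claims.sub);
    if (!s || s.sid !== claims.sid) return 'superseded';
    if (now - s.lastSeen > IDLE_LIMIT_MS) {
      this.active.delete(claims.sub);
      return 'idle-timeout';
    }
    s.lastSeen = now; // sliding window: activity extends the session
    return 'ok';
  }
}

// What JWT validation decides with no server state: exp only (signature assumed valid).
function statelessCheck(claims, now) {
  return claims.exp * 1000 > now ? 'ok' : 'expired';
}

function demo() {
  const t0 = Date.UTC(2024, 0, 1);
  const exp = t0 / 1000 + 365 * 24 * 3600; // the 365-day lifetime from the post
  const reg = new SessionRegistry();
  const browserA = { sub: 'user-1', sid: 'sid-A', exp }; // constructed claims
  const browserB = { sub: 'user-1', sid: 'sid-B', exp };
  reg.login('user-1', 'sid-A', t0);
  reg.login('user-1', 'sid-B', t0 + 60000); // second browser logs in
  return {
    oldTokenStateless: statelessCheck(browserA, t0 + 120000),
    oldTokenRegistry: reg.check(browserA, t0 + 120000),
    newTokenActive: reg.check(browserB, t0 + 120000),
    newTokenIdle: reg.check(browserB, t0 + 120000 + IDLE_LIMIT_MS + 1),
  };
}
```

In a tiered deployment the map would live in a store shared by every API host, such as a distributed cache or the database.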

Creating a new ticket to share more details as I cannot update the existing ticket - https://support.abp.io/QA/Questions/1352/Identity-server-token

As part of web application assessment, there was an observation reported about JWT tokens.

The JSON web token (JWT) for your web application was not encrypted, allowing the data within it to be inspected with trivial effort. This revealed the email (username) and expiration date of the token.

Recommendation is to either -

  1. Remove sensitive data from the payload if it is not required - Not sure if this is possible and application will work
  2. Instead of placing sensitive data in the payload, use an indirect object reference which is resolved on the server side - Not sure if this is possible and application will work
  3. Encrypt the JWT payload using the JSON web encryption (JWE) scheme
  4. Encrypt sensitive data within the JWT payload using a custom process.

I understand that this is not related to the framework and it is the subject of Identity Server, but we don't have much control over it as the Identity Server is integrated within the framework itself. Can you guide us to remediate this issue based on the recommendations mentioned above? We need to know what changes will be required in the existing application code to handle it.

Thanks
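The assessment finding above follows from the token format: a signed JWT (JWS) carries a base64url-encoded payload that anyone holding the token can decode without a key. This added example, which is not ABP or IdentityServer code, audits a token for readable identity claims and for a lifetime above a policy limit; the claim list, the 20-minute limit and the sample token are assumptions constructed here.

```javascript
// Added example, not ABP or IdentityServer code. Function names, the claim
// list, the policy limit and the sample token are constructed for illustration.
const SENSITIVE_CLAIMS = ['email', 'preferred_username', 'phone_number', 'name'];
const MAX_LIFETIME_S = 20 * 60; // assumed policy: 20 minutes

// Decode one base64url JWT segment into an object. No key is needed.
function decodeSegment(seg) {
  return JSON.parse(Buffer.from(seg, 'base64url').toString('utf8'));
}

function auditJwt(token) {
  const parts = token.split('.');
  // Compact JWE has five segments and its payload is ciphertext.
  if (parts.length === 5) return { format: 'JWE', findings: [] };
  if (parts.length !== 3) throw new Error('not a compact JWS or JWE');
  const claims = decodeSegment(parts[1]);
  const findings = [];
  for (const c of SENSITIVE_CLAIMS) {
    if (c in claims) findings.push(`readable claim: ${c}`);
  }
  if (typeof claims.exp !== 'number') {
    findings.push('no exp claim');
  } else {
    const start = typeof claims.iat === 'number' ? claims.iat : claims.nbf;
    const life = claims.exp - start;
    if (life > MAX_LIFETIME_S) {
      findings.push(`lifetime ${life}s exceeds ${MAX_LIFETIME_S}s`);
    }
  }
  return { format: 'JWS', findings };
}

// Constructed sample shaped like the token the assessment describes:
// an email claim in the payload and a 365-day lifetime.
function sampleToken() {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  const iat = 1700000000;
  return [
    enc({ alg: 'RS256', typ: 'JWT' }),
    enc({ sub: 'user-1', email: 'user@example.com', iat, exp: iat + 365 * 86400 }),
    'constructed-signature-placeholder',
  ].join('.');
}

console.log(auditJwt(sampleToken()));
```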

ABP Framework version: v4.3.1
UI type: Angular
DB provider: EF Core
Tiered (MVC) or Identity Server Separated (Angular): yes

Post upgrade of our application (Angular) to the latest ABP 4.3.1, we are facing an issue with the account component. As per the latest code AccountComponent, eIdentityComponents does not have an Account member, which was there initially. We have our own custom implementation of the entire login page and due to this, we can't break our components into smaller chunks. Can you guide us on what we can do to replace the whole Account as a component rather than just smaller components, as it will require a lot of effort to separate our components?

The structure of the sql you shared is different from the project I received.
Please try to reproduce the problem through the code, you can share the necessary code to create the data. Please keep it simple, thanks.

I'm not sure how it prevents you from debugging the issue. You can create the Litmus_Lenovo_ProfileManagement database through code migration by executing the "update-database" command and selecting the "SCV.Litmus.ProfileManagement.HttpApi.Host" project. Once the DB is created, you can set up one record in the Samples table using the query below -

INSERT INTO public."Samples"( "Id", "ExtraProperties", "ConcurrencyStamp", "CreationTime", "CreatorId", "LastModificationTime", "LastModifierId", "IsDeleted", "DeleterId", "DeletionTime", "TenantId", "Value") VALUES ('e42f9b05-2e27-41f4-a562-c1c00cf49d39', '{}', '', '0001-01-01 00:00:00', null, null, null, false, null, null, 'd1be844b-d3a2-031a-f036-39f5d4380239', 123);

The host database Litmus_Admin and tenant database Litmus_Lenovo_Admin need to be created through the script, as it has the necessary data and tenant information which is required to reproduce the issue. We cannot create all data through code.

hi

Here are my steps:

  1. Replace all connection strings with my local ones.
  2. Run modules\litmus-core\src\SCV.Litmus.DbMigrator\SCV.Litmus.DbMigrator
  3. Run dotnet ef database update in the SCV.Litmus.ProfileManagement.HttpApi.Host project.
  4. Run SCV.Litmus.IdentityServer and SCV.Litmus.ProfileManagement.HttpApi.Host.
  5. Call https://localhost:44398/profile/api/ProfileManagement/sample and get a success result.
  6. Add a tenant in the database.
  7. Then call https://localhost:44398/profile/api/ProfileManagement/sample and get a success result.

@Repunjay Am I missing some steps?

Hi maliming,

I've sent you an email with detailed steps to reproduce the error and do further debugging. Kindly check and advise.

Made with ❤️ on ABP v9.0.0-preview Updated on September 20, 2024, 08:30