Activities of "Yaduraj.Shakti"

Hi @maliming

No, we don't have this scope in our environment.ts file.

Thanks a lot @maliming

I will ensure that we are using common protective measures.

However, in our application tokens are short-lived, and this is impacting:

  • user experience with frequent re-authentication
  • technical issues or broken functionality due to token expiration during active use (example: we have long-running background tasks)

Could you please provide guidance or share an example of how to implement the access token + refresh token flow within ABP.IO (Angular + .NET Core backend)? Please note that we recently migrated from IdentityServer to OpenIddict.

Hi,

access tokens issued for one user can potentially be used by another user to make API requests.

Why can one user's token be obtained by another user? How did he get it?

Thanks

Hi @maliming

Let me clarify the context further, here is my updated reply:

During our recent security and penetration testing, we identified a critical vulnerability related to token validation. Specifically, an access token issued for one user can be used by another user or system to access protected resources. This token reuse issue represents a serious security risk.

We must address this immediately to prevent potential misuse and ensure secure access to our application.

Please guide on all the possible options. How to achieve followings:

  • Access tokens should be strictly tied to the user, device, or session they were issued for.
  • No other user or system should be able to use someone else’s token to make API requests.

Thanks

Please help us with the following scenario:

In our application, we are facing an issue where access tokens issued for one user can potentially be used by another user to make API requests. This is creating a significant security concern regarding token validation.

We attempted to mitigate the risk by reducing the access token lifetime, but this introduces the need to implement refresh tokens, which adds complexity.

Our key requirement is: The access token generated for a specific user/session should only be usable by that same user on the same device or session. No other system or user should be able to reuse or impersonate that token. What is the best practice in ABP.IO (and OpenIddict) to ensure tokens are strictly bound to the original user and device/session? Is there a recommended way to include and validate a session ID, device fingerprint, or user agent for this purpose?

Any guidance on how to implement this securely within the ABP.IO framework would be greatly appreciated.

We followed the documentation here: https://abp.io/docs/8.0/Modules/OpenIddict#refresh-token

Following is the snapshot of our OpenIddict build and server configuration:

  • ABP Framework version: v8.3.1
  • UI Type: Angular
  • Database System: EF Core (PostgreSQL)
  • Tiered (for MVC) or Auth Server Separated (for Angular): yes
  • Exception message and full stack trace: NA
  • Steps to reproduce the issue: NA
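The binding the two posts above ask for, as an added example (not the poster's code, and not ABP or OpenIddict code): a small ASP.NET Core middleware that rejects a bearer token unless a `device_id` claim inside it matches the device identifier the caller presents. It assumes the auth server puts the SHA-256 of an opaque per-device identifier into the access token as a `device_id` claim at sign-in (the issuance side is not shown here) and that the Angular client sends the raw identifier in an `X-Device-Id` header; both names are assumptions. The protocol-level way to get the same property is DPoP (RFC 9449) or mutual-TLS bound tokens (RFC 8705); a header-based check like this only raises the bar when the device identifier is not stored in the same place as the token, since anything that can read both can still replay them together.

```csharp
// Added example (not from the forum post or from ABP/OpenIddict): a server-side
// check that ties an access token to the device/session it was issued for.
// Assumptions: at sign-in the auth server adds a "device_id" claim to the access
// token containing the SHA-256 (hex) of an opaque per-device identifier; the
// client sends that identifier on every API call in an "X-Device-Id" header.
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

public static class TokenBinding
{
    public const string ClaimType = "device_id";    // assumed claim name
    public const string HeaderName = "X-Device-Id"; // assumed header name

    // Hash the raw device identifier so the token never carries it in clear text.
    public static string Fingerprint(string deviceId)
    {
        var hash = SHA256.HashData(Encoding.UTF8.GetBytes(deviceId));
        return Convert.ToHexString(hash).ToLowerInvariant();
    }

    // True only when the token's bound fingerprint matches the presented device id.
    // Missing values fail closed; the comparison is constant-time.
    public static bool IsBound(string? boundFingerprint, string? presentedDeviceId)
    {
        if (string.IsNullOrEmpty(boundFingerprint) || string.IsNullOrEmpty(presentedDeviceId))
            return false;

        var expected = Encoding.ASCII.GetBytes(boundFingerprint.ToLowerInvariant());
        var actual = Encoding.ASCII.GetBytes(Fingerprint(presentedDeviceId));
        return CryptographicOperations.FixedTimeEquals(expected, actual);
    }
}

// Runs after authentication and before authorization; rejects a bearer token
// that is presented from a device other than the one it was bound to.
public sealed class TokenBindingMiddleware
{
    private readonly RequestDelegate _next;

    public TokenBindingMiddleware(RequestDelegate next) => _next = next;

    public async Task InvokeAsync(HttpContext context)
    {
        if (context.User.Identity?.IsAuthenticated == true)
        {
            var bound = context.User.FindFirst(TokenBinding.ClaimType)?.Value;
            var presented = context.Request.Headers[TokenBinding.HeaderName].FirstOrDefault();

            if (!TokenBinding.IsBound(bound, presented))
            {
                // RFC 6750 style rejection; give the caller no detail about why.
                context.Response.StatusCode = StatusCodes.Status401Unauthorized;
                context.Response.Headers["WWW-Authenticate"] = "Bearer error=\"invalid_token\"";
                return;
            }
        }

        await _next(context);
    }
}

public static class TokenBindingExtensions
{
    // Register in the API host right after app.UseAuthentication().
    public static IApplicationBuilder UseTokenBinding(this IApplicationBuilder app)
        => app.UseMiddleware<TokenBindingMiddleware>();
}
```

Register it with `app.UseTokenBinding()` between `UseAuthentication()` and `UseAuthorization()`. Tokens that carry no `device_id` claim (for example ones issued before the change) are rejected, so the issuance change and this check have to be rolled out together.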

Thanks @enisn

One more thing: we are using ILocalEvent to track entity changes, and in the local event handler we are further publishing to the IDistributedEventBus. Would this still be causing performance issues?

```csharp
using System.Threading.Tasks;
using Volo.Abp.DependencyInjection;
using Volo.Abp.Domain.Entities.Events;
using Volo.Abp.EventBus;
using Volo.Abp.EventBus.Distributed;

public class MyEntityStatusChangedEventHandler : ILocalEventHandler<EntityCreatedEventData<MyEntity>>, ITransientDependency
{
    private readonly IDistributedEventBus _distributedEventBus;

    public MyEntityStatusChangedEventHandler(IDistributedEventBus distributedEventBus)
    {
        _distributedEventBus = distributedEventBus;
    }

    // Handling the local event
    public async Task HandleEventAsync(EntityCreatedEventData<MyEntity> entityCreatedData)
    {
        // Publishing the distributed event
        await _distributedEventBus.PublishAsync(new CustomDataEto
        {
            // set properties
            Data = entityCreatedData.Entity.Data
        });
    }
}
```

Also, what if we use a new transaction scope using IUnitOfWorkManager?

Hi,

We need help with Local Events in ABP.IO. We are performing certain notifications when an entity is created or updated. Inside the handleEvent method, we have used a try-catch block and are not throwing any errors. However, this ILocalEvent handling is causing performance issues, and our APIs are taking around 1.5 seconds to respond. One of the handlers performs an insert operation.

We have tried changing our handler code to the following:

```csharp
public async Task HandleEventAsync(EntityCreatedEventData<MyEntity> eventData)
{
    // Offload the event handling to a separate thread
    await Task.Run(async () =>
    {
        // Our event handling logic here, notification or database operation
    });
}
```

Does this look good to you?

Can you provide any insights or suggestions to improve the performance? Is `await Task.Run(async () => ...)` required? Is a separate UoW required inside the handler?

  • ABP Framework version: v8.3.0
  • UI Type: Angular
  • Database System: EF Core (PostgreSQL)
  • Tiered (for MVC) or Auth Server Separated (for Angular): yes
  • Exception message and full stack trace: No exception, but the Angular APIs need to refresh again to get the updated data, so we need to put the call in a setTimeout of 1-2 seconds.
  • Steps to reproduce the issue: NA
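One way to take the slow work out of the request path, as an added example (not the poster's code and not an ABP sample): the local event handler does nothing but enqueue an ABP background job, and the job performs the notification or insert later in its own scope and unit of work. `MyEntity`, `MyEntityCreatedJobArgs` and the notification call are assumptions. A local event handler runs inside the unit of work of the request that raised the event, so every await inside it is added to the API response time; awaiting `Task.Run` there changes which thread does the work but not how long the request waits, and not awaiting it would let the request finish and dispose its unit of work and DI scope while the logic is still running.

```csharp
// Added example (not the poster's code, not ABP sample code): keep the local
// event handler cheap and push the slow notification work to an ABP background
// job so the API request is not held up. MyEntity, MyEntityCreatedJobArgs and
// the notification call are assumptions.
using System;
using System.Threading.Tasks;
using Microsoft.Extensions.Logging;
using Volo.Abp.BackgroundJobs;
using Volo.Abp.DependencyInjection;
using Volo.Abp.Domain.Entities;
using Volo.Abp.Domain.Entities.Events;
using Volo.Abp.EventBus;

public class MyEntity : AggregateRoot<Guid>
{
    public string Data { get; set; } = string.Empty;
}

// Serializable job arguments: carry ids and plain values, never the entity itself.
public class MyEntityCreatedJobArgs
{
    public Guid EntityId { get; set; }
    public string Data { get; set; } = string.Empty;
}

// Runs inside the unit of work of the API call that created the entity,
// so everything awaited here adds directly to the response time.
public class MyEntityCreatedHandler
    : ILocalEventHandler<EntityCreatedEventData<MyEntity>>, ITransientDependency
{
    private readonly IBackgroundJobManager _backgroundJobManager;

    public MyEntityCreatedHandler(IBackgroundJobManager backgroundJobManager)
    {
        _backgroundJobManager = backgroundJobManager;
    }

    public async Task HandleEventAsync(EntityCreatedEventData<MyEntity> eventData)
    {
        // Only an enqueue (a single small insert when the default job store is
        // used); the slow work happens later, outside the request.
        await _backgroundJobManager.EnqueueAsync(new MyEntityCreatedJobArgs
        {
            EntityId = eventData.Entity.Id,
            Data = eventData.Entity.Data
        });
    }
}

// Executed by the background job worker in its own scope and unit of work,
// so a failure here is retried by ABP and never rolls back the original request.
public class MyEntityCreatedJob : AsyncBackgroundJob<MyEntityCreatedJobArgs>, ITransientDependency
{
    public override Task ExecuteAsync(MyEntityCreatedJobArgs args)
    {
        // Assumed notification step; replace with the real notification or insert.
        Logger.LogInformation("Notifying for entity {Id} with data {Data}", args.EntityId, args.Data);
        return Task.CompletedTask;
    }
}
```

With ABP's default job store the enqueue is one row in the background-jobs table and a worker picks it up shortly after, so the Angular client still sees the entity immediately while the notification follows asynchronously. Publishing a distributed event from the handler, as in the follow-up post, decouples the work in the same way; the cost that stays in the request is whatever the handler itself awaits.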

We have recently started using Dapper with EF Core. Our unit tests are written based on the previous implementation with EF Core and use the default SQLite. Now we want to test our repository and the dependent unit tests, but it gives an error like: Microsoft.Data.Sqlite.SqliteException : SQLite Error 1: 'no such table: public.MyTables'.

I have reviewed the Dapper documentation and there are no details on unit testing; I also checked the DapperDemo: https://github.com/abpframework/abp-samples/tree/master/Dapper/DapperDemo

Please can you help with a sample of how to unit test code or a repository that uses Dapper. Thanks

  • ABP Framework version: v8.3.0
  • UI Type: Angular
  • Database System: EF Core (PostgreSQL) and Dapper
  • Tiered (for MVC) or Auth Server Separated (for Angular): yes
  • Exception message and full stack trace: No Such Table found
  • Steps to reproduce the issue: Write a unit test that calls the Dapper repository to access seeded data.

Hi @maliming

Thank you for your response.

In this case, how can I schedule a background job to run on a monthly basis at a specific time such as EOD (I am bound to not use Hangfire or any other lib as of now)? Please can you come up with an example?

Thanks!

We want to send a monthly report to end users from our application (microservice) and want to use background jobs. Please can you share how to set a CRON or schedule without using Hangfire or any other library.

Also suggest if there are other ways for this use case. Thanks

https://docs.abp.io/en/abp/latest/Background-Jobs

  • ABP Framework version: v7.2.2
  • UI Type: Angular
  • Database System: EF Core (PostgreSQL)
  • Tiered (for MVC) or Auth Server Separated (for Angular): yes/no
  • Exception message and full stack trace:
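A scheduler that uses only ABP's own periodic background worker, as an added example (not the poster's code and not from the ABP docs): the worker wakes every 10 minutes, and a pure `IsDue` check decides whether this is the first tick at or after 18:00 on the last day of the month for which the report has not yet been sent. `IMonthlyReportSender`, the 18:00 cutoff and the in-memory `_lastSent` marker are assumptions. In a microservice that runs more than one instance, persist the marker or take a distributed lock before sending, otherwise each instance sends its own copy.

```csharp
// Added example (not the poster's code): a periodic ABP background worker that
// polls every 10 minutes and sends the monthly report exactly once, in the
// end-of-day window of the last day of the month. Uses only Volo.Abp.BackgroundWorkers;
// no Hangfire or Quartz. IMonthlyReportSender and the last-send marker are assumptions.
using System;
using System.Threading.Tasks;
using Microsoft.Extensions.DependencyInjection;
using Volo.Abp.BackgroundWorkers;
using Volo.Abp.Threading;

public interface IMonthlyReportSender
{
    Task SendAsync(int year, int month);
}

public static class MonthlySchedule
{
    // "EOD" here means the last day of the month at or after 18:00 server local time.
    public const int EodHour = 18;

    public static bool IsLastDayOfMonth(DateTime now)
        => now.Day == DateTime.DaysInMonth(now.Year, now.Month);

    // True when the report for (now.Year, now.Month) should be sent at 'now',
    // given the (year, month) that was last sent (null when nothing was sent yet).
    // Keeping this pure makes the schedule unit-testable without a timer.
    public static bool IsDue(DateTime now, (int Year, int Month)? lastSent)
    {
        if (!IsLastDayOfMonth(now) || now.Hour < EodHour) return false;
        return lastSent is null || lastSent.Value != (now.Year, now.Month);
    }
}

public class MonthlyReportWorker : AsyncPeriodicBackgroundWorkerBase
{
    // In memory for illustration only; persist this (e.g. a settings row) so a
    // restart or a second instance does not send the report twice.
    private (int Year, int Month)? _lastSent;

    public MonthlyReportWorker(AbpAsyncTimer timer, IServiceScopeFactory serviceScopeFactory)
        : base(timer, serviceScopeFactory)
    {
        Timer.Period = 10 * 60 * 1000; // poll every 10 minutes (milliseconds)
    }

    protected override async Task DoWorkAsync(PeriodicBackgroundWorkerContext workerContext)
    {
        var now = DateTime.Now;
        if (!MonthlySchedule.IsDue(now, _lastSent)) return;

        // Resolve from the worker's own scope so the sender's dependencies are scoped correctly.
        var sender = workerContext.ServiceProvider.GetRequiredService<IMonthlyReportSender>();
        await sender.SendAsync(now.Year, now.Month);
        _lastSent = (now.Year, now.Month);
    }
}
```

Register the worker with `await context.AddBackgroundWorkerAsync<MonthlyReportWorker>()` in the module's `OnApplicationInitializationAsync`. Because the worker polls rather than sleeping until a fixed instant, the report goes out within one polling interval of 18:00 and is not lost if the service was restarted at exactly that time; the marker is what prevents a second send on the next tick.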

Thank you for the quick response.

Made with ❤️ on ABP v9.3.0-preview. Updated on April 16, 2025, 12:13