Unauthenticated users were able to retrieve the contents of the tenants and paged tenants. https://myhost/api/saas/tenants
How to Secure this in our application?
Currently there are no limits on the number of attempts that can be made against this functionality, which creates a risk of brute force. Do we have any existing validations or features to protect against such attacks in abp.io?
We've set up an External API that's meant for a specific client or consumer. This client will be using Token-based authentication to access the API (either through a Controller or an AppService). However, we want to restrict their access only to this particular API and prevent them from accessing any of our other APIs.
The issue we're facing is that some of our controllers or AppServices don't have the [Authorize] attribute, and we need to protect those by requiring a token. Currently, if we generate a token, we can access these endpoints without proper authorization. We can't solve this using permissions because it requires us to decorate methods with Authorize("permission").
For instance, we generate a token from the endpoint: https://our-IdentityServer.com/connect/token using the default JWT Scheme. The parameters include:
- grant_type: password
- scope: Microservice1, Microservice2, Microservice3, and so on
- client_id: App1
- client_secret: xyz123
- username: ExternalUser
- password: Test1234
Important: The token generated for the client should not be able to access any of the other restricted or non-restricted (without [Authorize]) services/APIs of the system.
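The two posts above (the anonymously reachable tenants endpoint and the external-client token that must be confined to one API) share one root cause: endpoints without an explicit [Authorize] fall outside any policy. The following is an added example, not code from the thread or from the ABP framework itself. It uses plain ASP.NET Core authorization, on which ABP is built, inside an ABP module: a fallback policy makes every endpoint that carries no [Authorize]/[AllowAnonymous] require an authenticated caller, and the same policy is used as the default so that tokens carrying the external scope are rejected everywhere except the one controller whose policy explicitly demands that scope. The scope name `ExternalApi`, the policy name `ExternalApiOnly`, `ExternalController` and the assumption that the token exposes a space-separated `scope` claim are all assumptions for the example.

```csharp
// Added example; not the forum poster's or ABP's own code.
using System;
using System.Linq;
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Volo.Abp.AspNetCore.Mvc;
using Volo.Abp.Modularity;

public class MyHttpApiHostModule : AbpModule
{
    // Assumed scope name; it must match the scope the auth server issues to the external client.
    public const string ExternalApiScope = "ExternalApi";

    public override void ConfigureServices(ServiceConfigurationContext context)
    {
        context.Services.AddAuthorization(options =>
        {
            // Internal policy: caller must be authenticated AND must not be the external client.
            var internalPolicy = new AuthorizationPolicyBuilder()
                .RequireAuthenticatedUser()
                .RequireAssertion(ctx => !HasScope(ctx.User, ExternalApiScope))
                .Build();

            // Fallback: endpoints with no [Authorize]/[AllowAnonymous] at all (the "forgotten
            // attribute" case from the posts) are no longer anonymous.
            options.FallbackPolicy = internalPolicy;
            // Default: endpoints with a bare [Authorize] also reject the external-only token.
            options.DefaultPolicy = internalPolicy;

            // The one API the external client may use: its token must carry the scope.
            options.AddPolicy("ExternalApiOnly", policy =>
                policy.RequireAuthenticatedUser()
                      .RequireAssertion(ctx => HasScope(ctx.User, ExternalApiScope)));
        });
    }

    // Assumes the bearer token exposes scopes as one or more "scope" claims, each possibly
    // space-separated. If your JWT handler maps the claim to another type, adjust the name.
    public static bool HasScope(ClaimsPrincipal user, string scope) =>
        user.FindAll("scope")
            .SelectMany(c => c.Value.Split(' ', StringSplitOptions.RemoveEmptyEntries))
            .Contains(scope, StringComparer.Ordinal);
}

// The single controller the external client is allowed to reach (assumed name and route).
[Route("api/external")]
[Authorize(Policy = "ExternalApiOnly")]
public class ExternalController : AbpController
{
    [HttpGet("report")]
    public IActionResult GetReport() => Ok(new { generatedAt = DateTime.UtcNow });
}
```

Enabling a fallback policy also covers framework and module endpoints that were previously reachable anonymously (login pages, health checks, configuration endpoints the client app calls before sign-in), so each endpoint that must stay public needs an explicit [AllowAnonymous]; verify the application still starts and signs in after turning it on. Permission-based endpoints (`[Authorize("Some.Permission")]`) are unaffected by the default policy and stay closed to the external client as long as it is granted no permissions.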
Abp Nuget is down. Unable to restore from https://nuget.abp.io/
We want to send a monthly report to end users from our application (microservice) and want to use background jobs. Please can you share how to set a CRON or schedule without using Hangfire or any other library.
Also suggest if there are other ways for this use-case. Thanks
https://docs.abp.io/en/abp/latest/Background-Jobs
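The linked documentation covers one-off background jobs; the recurring part of the question is served by ABP's built-in periodic background workers, which need no Hangfire or other scheduler. The following is an added example, not the poster's code or a sample from the ABP docs: a worker that polls hourly and sends the previous month's report once per calendar month. `MonthlyReportWorker`, `IReportSender` and the module name are assumptions; the in-memory `_lastSentMonth` field is also an assumption that a real deployment would replace with a persisted value so that a restart or a second instance cannot cause a duplicate send.

```csharp
// Added example; not the forum poster's or ABP's own code.
using System;
using System.Threading.Tasks;
using Microsoft.Extensions.DependencyInjection;
using Volo.Abp;
using Volo.Abp.BackgroundWorkers;
using Volo.Abp.Modularity;
using Volo.Abp.Threading;

// Assumed application service that actually builds and e-mails the report.
public interface IReportSender
{
    Task SendMonthlyReportAsync(DateTime reportMonth);
}

public class MonthlyReportWorker : AsyncPeriodicBackgroundWorkerBase
{
    // First day (UTC) of the month in which the report was last sent.
    // Assumption: kept in memory here; persist it in production.
    private DateTime? _lastSentMonth;

    public MonthlyReportWorker(AbpAsyncTimer timer, IServiceScopeFactory serviceScopeFactory)
        : base(timer, serviceScopeFactory)
    {
        // Poll every hour; the "is it due?" check below decides whether to send.
        Timer.Period = (int)TimeSpan.FromHours(1).TotalMilliseconds;
    }

    protected override async Task DoWorkAsync(PeriodicBackgroundWorkerContext workerContext)
    {
        var now = DateTime.UtcNow;
        if (!IsDue(now, _lastSentMonth))
        {
            return;
        }

        // Resolve scoped services from the worker's own scope, not from the constructor.
        var sender = workerContext.ServiceProvider.GetRequiredService<IReportSender>();
        var thisMonth = new DateTime(now.Year, now.Month, 1, 0, 0, 0, DateTimeKind.Utc);
        await sender.SendMonthlyReportAsync(thisMonth.AddMonths(-1)); // report covers last month
        _lastSentMonth = thisMonth;
    }

    // Due once per calendar month: the first poll in a month not yet handled triggers the
    // send, which also catches up if the process was down on the 1st.
    public static bool IsDue(DateTime now, DateTime? lastSentMonth)
    {
        var thisMonth = new DateTime(now.Year, now.Month, 1, 0, 0, 0, DateTimeKind.Utc);
        return lastSentMonth == null || lastSentMonth.Value < thisMonth;
    }
}

// Registration: workers are added when the application initializes.
[DependsOn(typeof(AbpBackgroundWorkersModule))]
public class MyReportingModule : AbpModule
{
    public override async Task OnApplicationInitializationAsync(ApplicationInitializationContext context)
    {
        await context.AddBackgroundWorkerAsync<MonthlyReportWorker>();
    }
}
```

Because the worker only decides when the report is due, the actual sending can still be handed to a background job so that a slow mail server does not block the worker loop; in a multi-instance deployment, the persisted "last sent" marker is what prevents two instances from both sending.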
We have recently started using Dapper with EF Core. Our unit tests are written based on the previous implementation with EF Core, using the default SQLite. Now we want to test our repository and dependent unit tests, but it gives an error like Microsoft.Data.Sqlite.SqliteException : SQLite Error 1: 'no such table: public.MyTables.
I have reviewed the Dapper documentation and there are no details on unit testing; I also checked the DapperDemo. https://github.com/abpframework/abp-samples/tree/master/Dapper/DapperDemo
Please can you help with a sample on how to unit test code or a repository that uses Dapper. Thanks
Hi,
We need help with Local Events in ABP.IO. We are performing certain notifications when an entity is created or updated. Inside the handleEvent method, we have used a try-catch block and are not throwing any errors. However, this ILocalEvent handling is causing performance issues, and our APIs are taking around 1.5 seconds to respond. One of the handlers performs an insert operation.
We have tried changing our handler code to the following:

```csharp
using System.Threading.Tasks;
using Volo.Abp.DependencyInjection;
using Volo.Abp.Domain.Entities.Events;
using Volo.Abp.EventBus;
public class MyEntityCreatedHandler : ILocalEventHandler<EntityCreatedEventData<MyEntity>>, ITransientDependency
{
    public async Task HandleEventAsync(EntityCreatedEventData<MyEntity> eventData)
    {
        // Offload the event handling to a separate thread
        await Task.Run(async () =>
        {
            // Our event handling logic here, notification or database operation
        });
    }
}
```
Does this look good to you?
Can you provide any insights or suggestions to improve the performance? Is `await Task.Run(async () => ...)` required? Is a separate UoW required inside the handler?
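As an added example (not the poster's code and not an answer from the thread), here is the alternative the question is circling around: keep the local event handler cheap by only enqueuing a background job, and do the notification or insert in that job, outside the request that created the entity. ABP's `IBackgroundJobManager` and `AsyncBackgroundJob<TArgs>` are the framework's own types; `MyEntity`, `NotifyOnMyEntityCreatedArgs`, `NotifyOnMyEntityCreatedJob`, `INotificationSender` and the handler class name are assumptions for the example, and it assumes the application includes ABP's background-jobs module so that enqueued jobs are persisted and executed.

```csharp
// Added example; not the forum poster's or ABP's own code.
using System;
using System.Threading.Tasks;
using Volo.Abp.BackgroundJobs;
using Volo.Abp.DependencyInjection;
using Volo.Abp.Domain.Entities;
using Volo.Abp.Domain.Entities.Events;
using Volo.Abp.EventBus;

// Minimal entity so the example is self-contained (assumed shape).
public class MyEntity : Entity<Guid>
{
    public string Name { get; set; } = string.Empty;
}

// Job arguments must be serializable: carry the id, not the entity.
public class NotifyOnMyEntityCreatedArgs
{
    public Guid EntityId { get; set; }
}

// Assumed service that performs the slow work (e-mail, push, audit insert, ...).
public interface INotificationSender
{
    Task SendEntityCreatedAsync(Guid entityId);
}

// Runs inside the creating request's unit of work, so it does the minimum: enqueue.
public class MyEntityCreatedEnqueueHandler
    : ILocalEventHandler<EntityCreatedEventData<MyEntity>>, ITransientDependency
{
    private readonly IBackgroundJobManager _jobs;

    public MyEntityCreatedEnqueueHandler(IBackgroundJobManager jobs)
    {
        _jobs = jobs;
    }

    public async Task HandleEventAsync(EntityCreatedEventData<MyEntity> eventData)
    {
        // No Task.Run: enqueuing is fast, and the job runs later on the job worker.
        await _jobs.EnqueueAsync(new NotifyOnMyEntityCreatedArgs
        {
            EntityId = eventData.Entity.Id
        });
    }
}

// Executed by ABP's background job worker, with its own scope and unit of work.
public class NotifyOnMyEntityCreatedJob
    : AsyncBackgroundJob<NotifyOnMyEntityCreatedArgs>, ITransientDependency
{
    private readonly INotificationSender _sender;

    public NotifyOnMyEntityCreatedJob(INotificationSender sender)
    {
        _sender = sender;
    }

    public override async Task ExecuteAsync(NotifyOnMyEntityCreatedArgs args)
    {
        // Failures here are retried by the job system instead of being swallowed
        // by a try/catch inside the request's event handler.
        await _sender.SendEntityCreatedAsync(args.EntityId);
    }
}
```

The trade-off is that the notification becomes eventually consistent (it happens shortly after the request returns rather than within it), which is normally what a notification wants; the response time of the API is then independent of the notification or insert.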
Please help us with the following scenario:
In our application, we are facing an issue where access tokens issued for one user can potentially be used by another user to make API requests. This is creating a significant security concern regarding token validation.
We attempted to mitigate the risk by reducing the access token lifetime, but this introduces the need to implement refresh tokens, which adds complexity.
Our key requirement is: The access token generated for a specific user/session should only be usable by that same user on the same device or session. No other system or user should be able to reuse or impersonate that token. What is the best practice in ABP.IO (and OpenIddict) to ensure tokens are strictly bound to the original user and device/session? Is there a recommended way to include and validate a session ID, device fingerprint, or user agent for this purpose?
Any guidance on how to implement this securely within the ABP.IO framework would be greatly appreciated.
We followed the documentation here: https://abp.io/docs/8.0/Modules/OpenIddict#refresh-token
Following is the snapshot of our OpenIddict build and server configuration:
- ABP Framework version: v8.3.1
- UI Type: Angular
- Database System: EF Core (PostgreSQL)
- Tiered (for MVC) or Auth Server Separated (for Angular): yes
- Exception message and full stack trace: NA
- Steps to reproduce the issue: NA
We are currently implementing token binding in our Identity Server using OpenIddict within the ABP.IO framework (v8.3.0), and we want to securely associate each access token with a unique session identifier stored in a HttpOnly cookie.
Our goal is to:
What we tried so far:
```csharp
// Issue the session identifier as an HttpOnly cookie alongside the token.
context.Response.Cookies.Append("X-Session-Id", sessionId, new CookieOptions
{
    HttpOnly = true,
    Secure = true,
    SameSite = SameSiteMode.None,
    Path = "/",
    Expires = DateTimeOffset.UtcNow.AddHours(8)
});
```
We are not sure if this approach is fully aligned with ABP.IO best practices, especially regarding:
Exception: As soon as any request includes cookies (due to withCredentials: true in Angular), our backend rejects the request — even if the cookies are unrelated to antiforgery.
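The two posts above describe the same control: a session identifier that is both put into the access token and set as an HttpOnly cookie, so that a token presented without its matching cookie is refused. The following is an added example, not the poster's code and not an ABP or OpenIddict API: the resource-side check as plain ASP.NET Core middleware that runs after authentication and compares the token's session claim with the cookie in constant time, failing closed when either is missing. The claim type `session_id`, the middleware and extension names, and the assumption that the auth server adds that claim when it issues the token and the cookie are all assumptions for the example.

```csharp
// Added example; not the forum poster's, ABP's or OpenIddict's own code.
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

public class SessionBindingMiddleware
{
    // Cookie name from the post above; claim type is an assumption and must match
    // whatever the auth server writes into the token.
    public const string CookieName = "X-Session-Id";
    public const string ClaimType = "session_id";

    private readonly RequestDelegate _next;

    public SessionBindingMiddleware(RequestDelegate next)
    {
        _next = next;
    }

    public async Task InvokeAsync(HttpContext context)
    {
        // Only authenticated (bearer) requests are bound; anonymous requests are
        // left to the normal authorization policies.
        if (context.User?.Identity?.IsAuthenticated == true)
        {
            var claimValue = context.User.FindFirst(ClaimType)?.Value;
            context.Request.Cookies.TryGetValue(CookieName, out var cookieValue);

            if (!Matches(claimValue, cookieValue))
            {
                // Token presented from a different session/device: refuse it.
                context.Response.StatusCode = StatusCodes.Status401Unauthorized;
                return;
            }
        }

        await _next(context);
    }

    // Fail closed on a missing claim or cookie; compare in constant time so the
    // check does not leak how many leading characters matched.
    public static bool Matches(string? claimValue, string? cookieValue)
    {
        if (string.IsNullOrEmpty(claimValue) || string.IsNullOrEmpty(cookieValue))
        {
            return false;
        }

        var a = Encoding.UTF8.GetBytes(claimValue);
        var b = Encoding.UTF8.GetBytes(cookieValue);
        return CryptographicOperations.FixedTimeEquals(a, b);
    }
}

public static class SessionBindingApplicationBuilderExtensions
{
    // Register after UseAuthentication() (so context.User is populated) and
    // before UseAuthorization().
    public static IApplicationBuilder UseSessionBinding(this IApplicationBuilder app)
    {
        return app.UseMiddleware<SessionBindingMiddleware>();
    }
}
```

This only narrows reuse of a leaked token: an attacker who obtains both the token and the cookie (for example from the same compromised browser) still passes. It also requires the cookie to actually reach the API, which in the separated auth-server setup from the post means the cookie domain and the CORS credentials configuration have to allow it; the antiforgery rejection mentioned above is a separate issue triggered by the presence of cookies on cross-origin requests and must be resolved independently of this check.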
Hi Team,
We have implemented access and refresh tokens in our application, and all standard validations are in place.
However, we’ve observed that even after logging out, the original access token obtained during login remains valid and can still be used for API calls until it naturally expires.
We would like to explicitly mark the access token as expired or revoked during logout to prevent any further usage. Could you please advise how we can achieve this within the ABP.IO and OpenIddict setup?
Looking forward to your guidance.
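As an added example (not the poster's code and not an answer from the thread), here is how the tokens OpenIddict has stored for a user can be revoked on the server side at logout, using OpenIddict's own `IOpenIddictTokenManager` (`FindBySubjectAsync` and `TryRevokeAsync` are real members of that interface). `UserTokenRevoker` is an assumed name; the `subject` value is the user id OpenIddict recorded as the token subject. The second snippet shows the server option that makes revocation effective for access tokens.

```csharp
// Added example; not the forum poster's, ABP's or OpenIddict's own code.
using System.Threading;
using System.Threading.Tasks;
using OpenIddict.Abstractions;
using OpenIddict.Server;
using Volo.Abp.DependencyInjection;
using Volo.Abp.Modularity;

public class UserTokenRevoker : ITransientDependency
{
    private readonly IOpenIddictTokenManager _tokens;

    public UserTokenRevoker(IOpenIddictTokenManager tokens)
    {
        _tokens = tokens;
    }

    // Marks every stored token (access and refresh) for the subject as revoked.
    // Returns how many were revoked so the caller can log it. Call this from the
    // logout flow on the auth server.
    public async Task<int> RevokeAllForSubjectAsync(string subject, CancellationToken ct = default)
    {
        var revoked = 0;
        await foreach (var token in _tokens.FindBySubjectAsync(subject, ct))
        {
            if (await _tokens.TryRevokeAsync(token, ct))
            {
                revoked++;
            }
        }
        return revoked;
    }
}

// Assumed auth-server module fragment: a self-contained JWT access token is
// accepted by a resource server that only checks its signature, so revoking the
// stored entry alone does not stop it. Reference access tokens are opaque handles
// looked up in the token store, so revocation takes effect immediately.
public class MyAuthServerModule : AbpModule
{
    public override void PreConfigureServices(ServiceConfigurationContext context)
    {
        PreConfigure<OpenIddictServerBuilder>(builder =>
        {
            builder.UseReferenceAccessTokens();
        });
    }
}
```

With reference tokens (or with revocation checked through introspection), the resource servers must be able to consult the token store or the auth server for each request, which is the price of immediate revocation; with plain JWTs the only lever is the short lifetime the post already mentions, combined with refresh-token revocation so that no new access tokens can be obtained after logout.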