Received. Thanks!
After running the OWASP ZAP penetration test tool, the report shows 2 Cross Site Scripting (Reflected)
warnings and 1 SQL Injection
warning on the log-out page. These may be false warnings, but can these be resolved as this issue was?
Still experiencing this issue after removing skipIssuerCheck: true
. I've done some more testing and can now consistently cause the issue in my project:
Please also note we are using the subdomain tenant resolver. Let me know if you have any other suggestions. Thanks!
Thanks for the suggestion. I have removed the skipIssuerCheck: true
. I'm still not sure what causes this error to happen so I'll watch it the next few days and will let you know if it happens again.
Our app is not currently public, but I've included the information below. Let me know if there's anything else that could be helpful.
IdentityTokenLifetime: 300
AccessTokenLifetime: 3600
AuthorizationCodeLifetime: 300
AbsoluteRefreshTokenLifetime: 608400
SlidingRefreshTokenLifetime: 304200
Here is our environment.ts
in case that helps as well:
Occasionally when visiting the app after the credentials expire, we get Error refreshing token
in the console. The app then immediately navigates to the login page. After entering credentials, verifying with two factor, and redirecting to the Angular home page, the user is still not logged in. They click login again and must enter credentials and two factor again, and then they are logged in.
Here is the console throughout this flow when this happens:
Any suggestions for a workaround for this?
We're just visually hiding the concept of a UserName
by setting UserName = EmailAddress
. That way users are created and sign in using only their email address, with no option for a different username.
I ended up solving my issue by adding a hidden userName
property with a default value.
export function removeUserNameContributor(
propList: FormPropList<IdentityUserDto>
) {
let previousUserNameProp = propList.get(propList.findIndex(p => p.value.name == 'userName')).value
propList.dropByValue(
'userName',
(prop, text) => prop.name === text
)
propList.addHead({
...previousUserNameProp,
visible: c => false,
defaultValue: 'DEFAULTVALUE'
} as FormProp<IdentityUserDto>);
let emailPropIndex = propList.findIndex(p => p.value.name == 'email');
propList.addHead(propList.get(emailPropIndex).value);
propList.dropByIndex(emailPropIndex + 1);
}
Then in CreateAsync
I ignore the default value in the username and only use the email to create the user.
var user = new Volo.Abp.Identity.IdentityUser(
GuidGenerator.Create(),
input.Email,
input.Email,
CurrentTenant.Id
);
Now the username for all users will be their email address.
Hello! We are trying to hide the username field from the Create and Edit User forms and use the email address for the username instead.
I have successfully removed the username field from the Angular UI and moved the email field to the top like this:
export function removeUserNameContributor(
propList: FormPropList<IdentityUserDto>
) {
propList.dropByValue(
'userName',
(prop, text) => prop.name === text
)
let emailPropIndex = propList.findIndex(p => p.value.name == 'email');
propList.addHead(propList.get(emailPropIndex).value);
propList.dropByIndex(emailPropIndex + 1);
}
export const identityEntityCreateFormPropContributors: IdentityCreateFormPropContributors = {
[eIdentityComponents.Users]: [
removeUserNameContributor
]
}
export const identityEntityEditFormPropContributors: IdentityEditFormPropContributors = {
[eIdentityComponents.Users]: [
removeUserNameContributor
]
}
{
path: 'identity',
loadChildren: () => {
import('./identity/identity.module').then(m => m.IdentityOverrideModule)
return import('@volo/abp.ng.identity').then((m) => m.IdentityModule.forLazy({
createFormPropContributors: identityEntityCreateFormPropContributors,
editFormPropContributors: identityEntityEditFormPropContributors,
}))
}
},
I've also overwritten the CreateAsync
method to set the username to the email address:
[Authorize(IdentityPermissions.Users.Create)]
public override async Task<IdentityUserDto> CreateAsync(IdentityUserCreateDto input)
{
var user = new Volo.Abp.Identity.IdentityUser(
GuidGenerator.Create(),
input.Email,
input.Email,
CurrentTenant.Id
);
input.MapExtraPropertiesTo(user);
(await UserManager.CreateAsync(user, input.Password)).CheckErrors();
...
}
But I am unable to remove the Required
attribute from UserName
on IdentityUserCreateDto
so I get the following error from the form:
In my ...DtoExtensions.cs
I have tried:
ObjectExtensionManager.Instance
.AddOrUpdateProperty<string > (
new[]
{
typeof(IdentityUserCreateDto),
},
"UserName",
options =>
{
options.Attributes.Clear();
options.Validators.Clear();
}
);
and
ObjectExtensionManager.Instance
.AddOrUpdate<IdentityUserCreateDto>(objConfig =>
{
objConfig.AddOrUpdateProperty<string>("UserName", propertyConfig =>
{
propertyConfig.Attributes.Clear();
propertyConfig.Validators.Clear();
});
});
and have tried substituting IdentityUserCreateDto
with IdentityUserCreateOrUpdateDtoBase
but none of these solutions have removed the Required
attribute.
Any ideas would be appreciated. Thanks!
Hello! A while back we disabled the Organization Unit functionality in part by disabling the permissions:
context.GetPermissionOrNull(IdentityPermissions.OrganizationUnits.Default).IsEnabled = false;
context.GetPermissionOrNull(IdentityPermissions.OrganizationUnits.ManageOU).IsEnabled = false;
context.GetPermissionOrNull(IdentityPermissions.OrganizationUnits.ManageRoles).IsEnabled = false;
context.GetPermissionOrNull(IdentityPermissions.OrganizationUnits.ManageUsers).IsEnabled = false;
After upgrading from 4.4.4
to 5.0.1
, the new filters on the user table throw a Volo.Abp.Authorization.AbpAuthorizationException
when trying to get the organization units from Volo.Abp.Identity.OrganizationUnitController.GetListAsync
. Is there a way to disable these new filters on the user table or another workaround to solve this problem within version 5.0.1
?
Thanks!
Solved this by overriding the Lepton HeaderBrandViewComponent
:
Created Default.cshtml
in the Host
project at Themes/Lepton/Components/Header/Brand/Default.cshtml
:
@using Volo.Abp.Ui.Branding
@using Microsoft.Extensions.Configuration;
@inject IConfiguration _config
@inject IBrandingProvider BrandingProvider
<a class="navbar-brand" href="@_config["App:AngularUrl"]" alt="@BrandingProvider.AppName"></a>
It may be nice at some point to add the href url to the BrandingProvider
so those using angular can make all the necessary overrides for the login pages in one place.