Activities of "umob1"

Hey Liming,

Thanks for the quick response!

Unfortunately, I’m not able to reproduce this issue locally — it only occurs in our production environment under specific conditions, which seem related to expired access tokens or invalid sessions. I did try to delete a active session locally, but then the authentication functions properly.

I’ve double-checked our configuration:

• [Authorize] is applied at the controller level.
• We’re using ABP + OpenIddict for auth.
• No [AllowAnonymous] attributes are used.
• Authentication failures are logged (e.g., “token no longer valid because session expired”), but the controller method still executes and CurrentUser is null.

Since it’s a production-only issue, I can’t easily provide a minimal repro project. But I’m happy to share relevant logs, config, or middleware setup if that helps narrow it down.

Would you have any ideas what might cause this behavior? Or anything specific I should inspect further?

Thanks again!

CurrentUser is null even though [Authorize] is applied — controller method still executes after failed authentication

Hey ABP team,

We’re running into an issue where a controller method is still being executed even though authentication has failed. This causes CurrentUser.GetId() to throw an exception because CurrentUser is null.

Here's the setup:

[RemoteService]
[Area("umob")]
[ControllerName("UserDocument")]
[Authorize]
public class UserDocumentController : AppVersionRestrictedController
{
    private readonly IUserDocumentHelperAppService _userDocumentHelperAppService;

    public UserDocumentController(IUserDocumentHelperAppService userDocumentHelperAppService)
    {
        _userDocumentHelperAppService = userDocumentHelperAppService;
    }

    [HttpPost]
    [Route("/api/umob/userdocument/validate")]
    public async Task<UserDocumentValidationDto> Validate(PostUserDocumentValidation data) =>
        await _userDocumentHelperAppService.ValidateUserDocumentForAsset(CurrentUser.GetId(), data);
}

In our logs, we clearly see that OpenIddict.Validation.AspNetCore logs an authentication failure:

The token is no longer valid because the user’s session expired. Validation.AspNetCore was not authenticated.

Yet, immediately afterward, the controller method still runs. We end up with this exception:

System.InvalidOperationException: Nullable object must have a value.
   at uMob.Controllers.UserDocumentController.Validate(...)

I've verified that:

• [Authorize] is on the controller level.
• No [AllowAnonymous] is applied.
• We're not using any custom middleware that could short-circuit auth.
• The failure seems to occur in OpenIddict middleware, yet doesn’t prevent the controller from executing.

Do you know how this can happen in an ABP-based app? Is there any ABP config or middleware behavior that could cause CurrentUser to be null while still executing controller methods?

Update:

We have found the issue, We were using the API key of an old ABP license we are no longer using. We found out when checking the NuGet.Config file.

Thank you for your assistance.

Have a nice day!

Nuget servers seem online right now. Can you check if problem still exist?

---

By the way; Did you make any changes in your NuGet.Config file? You may check your NuGet.Config file for custom package resolution options, it's configured to use a custom mapping by default for better performance. It may cause som issues, if you can't solve the problem, you can try removing the following section:

Hi enisn,

Thank you for your suggestions. The problem still persists. We have tried removing the packageSourceMapping from the NuGet.Config file, but this also does not resolve the problem.

Just to verify, it says (for example the Gdpr module):

      Unable to find package Volo.Abp.Gdpr.Domain.Shared with version (>= 9.0.4)
        - Found 76 version(s) in ABP Commercial NuGet Source [ Nearest version: 8.1.5 ]
        - Found 0 version(s) in nuget.org

Can you confirm that the commercial packages also have version 9.0.5 available?

Thanks

• ABP Framework version: v9.0.4
• UI Type: Angular
• Database System: EF Core (SQL Server)
• Tiered (for MVC) or Auth Server Separated (for Angular): yes
• Exception message and full stack trace: error NU1102: Unable to find package Volo.Abp.OpenIddict.Pro.Domain.Shared with version (>= 9.0.4) error NU1102: - Found 49 version(s) in ABP Commercial NuGet Source [ Nearest version: 8.1.5 ] error NU1102: - Found 0 version(s) in nuget.org error NU1102: Unable to find package Volo.Abp.Identity.Pro.Domain.Shared with version (>= 9.0.4) error NU1102: - Found 106 version(s) in ABP Commercial NuGet Source [ Nearest version: 8.1.5 ] error NU1102: - Found 0 version(s) in nuget.org error NU1102: Unable to find package Volo.Abp.LanguageManagement.Domain.Shared with version (>= 9.0.4) error NU1102: - Found 165 version(s) in ABP Commercial NuGet Source [ Nearest version: 8.1.5 ] error NU1102: - Found 0 version(s) in nuget.org error NU1102: Unable to find package Volo.Saas.Domain.Shared with version (>= 9.0.4) error NU1102: - Found 165 version(s) in ABP Commercial NuGet Source [ Nearest version: 8.1.5 ] error NU1102: - Found 0 version(s) in nuget.org error NU1102: Unable to find package Volo.Abp.TextTemplateManagement.Domain.Shared with version (>= 9.0.4) error NU1102: - Found 149 version(s) in ABP Commercial NuGet Source [ Nearest version: 8.1.5 ] error NU1102: - Found 0 version(s) in nuget.org error NU1102: Unable to find package Volo.Abp.LeptonTheme.Management.Domain.Shared with version (>= 9.0.4) error NU1102: - Found 165 version(s) in ABP Commercial NuGet Source [ Nearest version: 8.1.5 ] error NU1102: - Found 0 version(s) in nuget.org error NU1102: Unable to find package Volo.Abp.Gdpr.Domain.Shared with version (>= 9.0.4) error NU1102: - Found 76 version(s) in ABP Commercial NuGet Source [ Nearest version: 8.1.5 ] error NU1102: - Found 0 version(s) in nuget.org

Our CI/CD pipelines started failing this afternoon. Did something change with regards to the packages available on the closed NuGet instance?