Activities of "umob1"

CurrentUser is null even though [Authorize] is applied — controller method still executes after failed authentication

Hey ABP team,

We’re running into an issue where a controller method is still being executed even though authentication has failed. This causes CurrentUser.GetId() to throw an exception because CurrentUser is null.

Here's the setup:

[RemoteService]
[Area("umob")]
[ControllerName("UserDocument")]
[Authorize]
public class UserDocumentController : AppVersionRestrictedController
{
    private readonly IUserDocumentHelperAppService _userDocumentHelperAppService;

    public UserDocumentController(IUserDocumentHelperAppService userDocumentHelperAppService)
    {
        _userDocumentHelperAppService = userDocumentHelperAppService;
    }

    [HttpPost]
    [Route("/api/umob/userdocument/validate")]
    public async Task<UserDocumentValidationDto> Validate(PostUserDocumentValidation data) =>
        await _userDocumentHelperAppService.ValidateUserDocumentForAsset(CurrentUser.GetId(), data);
}

In our logs, we clearly see that OpenIddict.Validation.AspNetCore logs an authentication failure:

The token is no longer valid because the user’s session expired. Validation.AspNetCore was not authenticated.

Yet, immediately afterward, the controller method still runs. We end up with this exception:

System.InvalidOperationException: Nullable object must have a value.
   at uMob.Controllers.UserDocumentController.Validate(...)

I've verified that:

• [Authorize] is on the controller level.
• No [AllowAnonymous] is applied.
• We're not using any custom middleware that could short-circuit auth.
• The failure seems to occur in OpenIddict middleware, yet doesn’t prevent the controller from executing.

Do you know how this can happen in an ABP-based app? Is there any ABP config or middleware behavior that could cause CurrentUser to be null while still executing controller methods?

• ABP Framework version: v9.0.4
• UI Type: Angular
• Database System: EF Core (SQL Server)
• Tiered (for MVC) or Auth Server Separated (for Angular): yes
• Exception message and full stack trace: error NU1102: Unable to find package Volo.Abp.OpenIddict.Pro.Domain.Shared with version (>= 9.0.4) error NU1102: - Found 49 version(s) in ABP Commercial NuGet Source [ Nearest version: 8.1.5 ] error NU1102: - Found 0 version(s) in nuget.org error NU1102: Unable to find package Volo.Abp.Identity.Pro.Domain.Shared with version (>= 9.0.4) error NU1102: - Found 106 version(s) in ABP Commercial NuGet Source [ Nearest version: 8.1.5 ] error NU1102: - Found 0 version(s) in nuget.org error NU1102: Unable to find package Volo.Abp.LanguageManagement.Domain.Shared with version (>= 9.0.4) error NU1102: - Found 165 version(s) in ABP Commercial NuGet Source [ Nearest version: 8.1.5 ] error NU1102: - Found 0 version(s) in nuget.org error NU1102: Unable to find package Volo.Saas.Domain.Shared with version (>= 9.0.4) error NU1102: - Found 165 version(s) in ABP Commercial NuGet Source [ Nearest version: 8.1.5 ] error NU1102: - Found 0 version(s) in nuget.org error NU1102: Unable to find package Volo.Abp.TextTemplateManagement.Domain.Shared with version (>= 9.0.4) error NU1102: - Found 149 version(s) in ABP Commercial NuGet Source [ Nearest version: 8.1.5 ] error NU1102: - Found 0 version(s) in nuget.org error NU1102: Unable to find package Volo.Abp.LeptonTheme.Management.Domain.Shared with version (>= 9.0.4) error NU1102: - Found 165 version(s) in ABP Commercial NuGet Source [ Nearest version: 8.1.5 ] error NU1102: - Found 0 version(s) in nuget.org error NU1102: Unable to find package Volo.Abp.Gdpr.Domain.Shared with version (>= 9.0.4) error NU1102: - Found 76 version(s) in ABP Commercial NuGet Source [ Nearest version: 8.1.5 ] error NU1102: - Found 0 version(s) in nuget.org

Our CI/CD pipelines started failing this afternoon. Did something change with regards to the packages available on the closed NuGet instance?