Activities of "balessi75"

ABP Commercial 7.4.2 / Blazor Server / EF / Non tiered / Separate Host and Tenant DBs / Lepton Theme

Hi,

We recently had our ABP application penetration tested by an established security firm. The testers noted the following...

The application allows users to authenticate with a multi-factor authentication code sent via email or cellphone. There are two primary issues with the MFA authentication workflow:

- There are no limits to the number of MFA guesses a user can make as long as guesses are made using the API
- MFA tokens only expire after the time limit of 6 minutes has elapsed, not when a new MFA token is generated or when the token is used to login

Together these misconfigurations can make it so that an MFA bypass is statistically probable....

They end with the following recommendation...

Ensure that MFA codes are invalidated after being used to authenticate a user. Furthermore, ensure that a user can only guess the MFA code a small number of times (5-10) before a lockout

How can we override/adjust the application to expire the security code/token as soon as it is used to login? Additionally, how can we make it such that after x failed attempts, the security code/token is expired?

Any suggestions/guidance is greatly appreciated as we need to have the application certified by this security firm.

Regards,

Brian
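One defensive pattern for the API-side code check described above, as an added example that is not the poster's or ABP's own code. It assumes ASP.NET Core Identity's UserManager as ABP builds on it; the class, enum and method names are hypothetical.

```csharp
// Added example (not ABP's or the poster's code). Assumes ASP.NET Core Identity's
// UserManager<IdentityUser>; TwoFactorCodeVerifier and TwoFactorResult are hypothetical names.
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;

public enum TwoFactorResult { Success, InvalidCode, LockedOut }

public class TwoFactorCodeVerifier
{
    private readonly UserManager<IdentityUser> _userManager;

    public TwoFactorCodeVerifier(UserManager<IdentityUser> userManager)
    {
        _userManager = userManager;
    }

    // Verifies an emailed/SMS code, counts failures toward lockout and
    // invalidates the code once it has been used successfully.
    public async Task<TwoFactorResult> VerifyAsync(IdentityUser user, string provider, string code)
    {
        // Refuse further guesses once the user is locked out. The API endpoint
        // must go through this check as well, not only the UI login page.
        if (await _userManager.IsLockedOutAsync(user))
            return TwoFactorResult.LockedOut;

        var valid = await _userManager.VerifyTwoFactorTokenAsync(user, provider, code);
        if (!valid)
        {
            // Increments AccessFailedCount; Identity sets the lockout end date once the
            // count reaches Lockout.MaxFailedAccessAttempts. IsLockedOutAsync only honours
            // it when LockoutEnabled is true for the user, so check that flag in your data.
            await _userManager.AccessFailedAsync(user);
            return TwoFactorResult.InvalidCode;
        }

        await _userManager.ResetAccessFailedCountAsync(user);

        // Email/phone codes are derived from the user's security stamp, so rotating the
        // stamp invalidates the code just used and any other outstanding codes.
        // Caveat: stamp rotation also invalidates that user's existing sign-in cookies
        // the next time the security-stamp validator runs.
        await _userManager.UpdateSecurityStampAsync(user);
        return TwoFactorResult.Success;
    }
}
```

The lockout thresholds (MaxFailedAccessAttempts, DefaultLockoutTimeSpan, AllowedForNewUsers) are IdentityOptions.Lockout values; in ABP verify the effective values on the Settings page, since ABP populates IdentityOptions from its setting store at runtime.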

ABP Commercial 7.4.2 / Blazor Server / EF / Non tiered / Separate Host and Tenant DBs / Lepton Theme

Hi,

We have a client in production that is getting the following ABP error when attempting to change their password.

We cannot replicate the issue in our QA environment.

Please advise and let us know of any troubleshooting steps we can take.

Thank you.

ABP Commercial 7.4.2 / Blazor Server / EF / Non tiered / Separate Host and Tenant DBs / Lepton Theme

Hi,

Our entire user base will always be located in the same time zone which is different than UTC and we would like the end user to always see their local time (East US).

We've read https://docs.abp.io/en/abp/latest/Timing and still are unsure of how to handle the following scenario...

In local development, we can convert ABP stored UTC values as pages load and everything works correctly, however this approach doesn't work when we deploy to Azure.

This is because the environments running in Azure have a local time of UTC. So we can't use CreationDateTime.ToLocalTime() as it will always return a UTC time instead of East US.

Is there anyway around this or a certain recommended approach?

Thanks in advance.

ABP Commercial 7.4.2 / Blazor Server / EF / Non tiered / Separate Host and Tenant DBs / Lepton Theme

Hi, We have successfully overridden the Change Password UI (see solution structure below). The problem is that we need to reference a new JavaScript file in the overridden page to augment its functionality.

In Pages/Account/Components/ProfileManagementGroup/Password/Default.cshtml, we attempted to add the following, but at runtime the page never includes the JavaScript reference.

This didn't work:

@section scripts
{
    <script type="text/javascript" src="/Pages/Account/PasswordStrength.js"></script>
}

and this didn't work:

@section scripts
{
    <abp-script-bundle name="@typeof(ManageModel).FullName">
        <abp-script src="/Pages/Account/PasswordStrength.js" />
    </abp-script-bundle>
}

Is there something different that needs to be done with these view components (password, personalinfo, profilepicture, etc)?

ABP Commercial 7.4.2 / Blazor Server / EF / Non tiered / Separate Host and Tenant DBs / Lepton Theme

Hi, We found that when a page is not authorized for a particular user, and that user attempts to access the page's URL in the browser address bar (while logged in), the page still loads, but its contents are empty.

In ABP, what's the best approach to redirect the user to an Access Denied page?

Thanks in advance!

ABP Commercial 7.4.2 / Blazor Server / EF / Non tiered / Separate Host and Tenant DBs / Lepton Theme

Hi, We found that the 2FA option for using an Authenticator App is being presented to the user when logging in even if they have not set up 2FA on their account.

We recently upgraded to 7.4.2 which includes the Authenticator feature and when a user sets it up, it works perfectly.

What we noticed, however, is that if a user never sets it up, and simply saves something in their 'My Account' area (not related to 2FA or the authenticator), the new 2FA option is now presented to the user when logging in - even though they never set it up and can't use it.

Please advise. Any workarounds are greatly appreciated.

Thanks

ABP Commercial 7.4.2 / Blazor Server / EF / Non tiered / Separate Host and Tenant DBs / Lepton Theme

Hi,

The password complexity validation message can sometimes have the text Identity.Default appended to the end of it.

Steps to reproduce:

  1. Change the required number of unique password characters from 1 to 5
  2. Attempt to add a user with a password containing 1 character

ABP Commercial 7.4.2 / Blazor Server / EF / Non tiered / Separate Host and Tenant DBs / Lepton Theme

Hi,

How can I get the password complexity requirements set up in ABP Settings for use in JS on the front-end Registration page?

Is there a Service that can be injected for use in the Registration page?

I tried the following, but it returns the default password settings from MS instead of the values set in the ABP Settings page.

// Injecting IOptions<IdentityOptions> only yields the static defaults, not the ABP Settings values
private readonly IdentityOptions _identityOptions;

public nVisionRegisterModel(IOptions<IdentityOptions> identityOptions) : base()
{
    _identityOptions = identityOptions.Value;
}

Thanks in advance!
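One way to read the policy that was actually configured on the ABP Settings page, as an added example that is not the poster's or ABP's own code. It assumes the ISettingProvider service and the IdentitySettingNames constants from the Volo.Abp.Identity package; PasswordPolicyDto and PasswordPolicyReader are hypothetical names.

```csharp
// Added example (not ABP's or the poster's code). Reads the password policy from the
// ABP setting store so a page model can hand it to client-side JS.
// ISettingProvider and IdentitySettingNames are assumed from Volo.Abp; the DTO/reader names are hypothetical.
using System.Threading.Tasks;
using Volo.Abp.Identity;
using Volo.Abp.Settings;

public class PasswordPolicyDto
{
    public int RequiredLength { get; set; }
    public int RequiredUniqueChars { get; set; }
    public bool RequireNonAlphanumeric { get; set; }
    public bool RequireLowercase { get; set; }
    public bool RequireUppercase { get; set; }
    public bool RequireDigit { get; set; }
}

public class PasswordPolicyReader
{
    private readonly ISettingProvider _settingProvider;

    public PasswordPolicyReader(ISettingProvider settingProvider)
    {
        _settingProvider = settingProvider;
    }

    // Resolves the current (tenant or global) values stored by the ABP Settings page,
    // which IOptions<IdentityOptions>.Value does not reflect by itself.
    public async Task<PasswordPolicyDto> GetAsync()
    {
        return new PasswordPolicyDto
        {
            RequiredLength = await _settingProvider.GetAsync<int>(IdentitySettingNames.Password.RequiredLength),
            RequiredUniqueChars = await _settingProvider.GetAsync<int>(IdentitySettingNames.Password.RequiredUniqueChars),
            RequireNonAlphanumeric = await _settingProvider.GetAsync<bool>(IdentitySettingNames.Password.RequireNonAlphanumeric),
            RequireLowercase = await _settingProvider.GetAsync<bool>(IdentitySettingNames.Password.RequireLowercase),
            RequireUppercase = await _settingProvider.GetAsync<bool>(IdentitySettingNames.Password.RequireUppercase),
            RequireDigit = await _settingProvider.GetAsync<bool>(IdentitySettingNames.Password.RequireDigit)
        };
    }
}
```

Serialize the DTO into the registration page for the JS strength checks; those client-side checks are a usability aid only, and the server-side Identity password validators remain the authoritative enforcement.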

ABP Commercial 7.4.2 / Blazor Server / EF / Non tiered / Separate Host and Tenant DBs / Lepton Theme

Hi

After an upgrade from 7.2.1 to 7.4.2, we noticed a new column 'User Count' in role administration.

The count seems to include users that have been soft deleted which we believe is misleading to users.

Please advise.

Regards, Brian

ABP Commercial 7.4.2 / Blazor Server / EF / Non tiered / Separate Host and Tenant DBs / Lepton Theme

Hi,

Depending on the number of items in a grid and the number of items in an action menu drop down, the action menu drop down items can be cut off and not visible. See below for an example in the tenant management grid where the 'edit' action is not visible outside the grid's border.

Any suggestions or workarounds to always make sure that all action items are shown?

Made with ❤️ on ABP v8.2.0-preview Updated on March 25, 2024, 15:11