user able to login even after deleting user #6006 | Support Center | ABP Commercial

shobhit created 6 months ago

ABP Framework version: v4.2.2
UI Type: Angular
Database System: EF Core (SQL Server, Oracle, MySQL, PostgreSQL, etc..)
Tiered (for MVC) or Auth Server Separated (for Angular): yes
Exception message and full stack trace:
Steps to reproduce the issue:

We have deleted user and user was logged-in at that point of time. User has not logged-out and even next day user was able to login. it is big security issue. What should be done to prevent this.

4 Answer(s)

0

liangshiwei created 6 months ago
Support Team Fullstack Developer

Hi,

We will check it.
0

liangshiwei created 6 months ago
Support Team Fullstack Developer

You can track this: https://github.com/abpframework/abp/issues/17927
0

shobhit created 6 months ago

Thanks liangshiwei. So what is the quick solution as it is big security risk for us.

liangshiwei created 6 months ago

Support Team Fullstack Developer

Hi,

You can try :

.....

app.UseAuthentication();
app.Use(async (httpContext, next) =>
{
    var currentUser = httpContext.RequestServices.GetRequiredService<ICurrentUser>();
    if (currentUser.IsAuthenticated)
    {
        var userManager = httpContext.RequestServices.GetRequiredService<IdentityUserManager>();
        if (await userManager.FindByIdAsync(currentUser.Id.ToString()) == null)
        {
            await httpContext.SignOutAsync();
            httpContext.Response.Redirect("....");
            return;
        }
    }

    await next();
});

Have an answer to this question? Log in and write your answer.