Activities of "Repunjay"

Creating a new ticket to share more details as I cannot update the existing ticket - https://support.abp.io/QA/Questions/1352/Identity-server-token

As part of web application assessment, there was an observation reported about JWT tokens.

The JSON web token (JWT) for your web application was not encrypted, allowing the data within it to be inspected with trivial effort. This revealed the email (username) and expiration date of the token.

Recommendation is to either -

1. Remove sensitive data from the payload if it is not required - Not sure if this is possible and application will work
2. Instead of placing sensitive data in the payload, use an indirect object reference which is resolved on the server side - Not sure if this is possible and application will work
3. Encrypt the JWT payload using the JSON web encryption (JWE) scheme
4. Encrypt sensitive data within the JWT payload using a custom process.

I understand that this is not related to the framework and it is the subject of Identity Server but we don't have much control over it as the Identity server is integrated within the framwework itself. Can you guide us to remediate this issue based on recommendations mentioned above. Need to know what changes will be required in existing application code to handle it.

Thanks

ABP Framework version: v4.3.1 UI type: Angular DB provider: EF Core Tiered (MVC) or Identity Server Seperated (Angular): yes

Post upgrade of our application (Angular) to latest ABP 4.3.1, we are facing an issue with account component. As per the latest code AccountComponent, eIdentityComponents does not have a Account member which was there initially. We have our own custom implementation of the entire login page and due to this, we can't break our components in smaller chunks. Can you guide us what can we do to replace the whole Account as a component rather than just smaller components as it will require a lot of efforts to seperate our components.

• ABP Framework version: v4.3.0. The ABP packages were upgraded from 3.0.4 to 4.3.0
• UI type: Angular
• DB provider: EF Core
• Tiered (MVC) or Identity Server Separated (Angular): yes
• Exception message and stack trace:
• After Upgrading to Latest framework 4.3.0 and related Volo.Abp.Identity.EntityFrameworkCore and Volo.Abp.EntityFrameworkCore.PostgreSql, We are facing issues connecting to each table. for every repository call, even if it is not a relationship and plain table, we are getting the following error

Npgsql.PostgresException (0x80004005): 42P01: relation "XXX" does not exist at Npgsql.NpgsqlConnector.<ReadMessage>g__ReadMessageLong|194_0(NpgsqlConnector connector, Boolean async, DataRowLoadingMode dataRowLoadingMode, Boolean readingNotifications, Boolean isReadingPrependedMessage) at Npgsql.NpgsqlDataReader.NextResult(Boolean async, Boolean isConsuming, CancellationToken cancellationToken) at Npgsql.NpgsqlDataReader.NextResult() at Npgsql.NpgsqlCommand.ExecuteReader(CommandBehavior behavior, Boolean async, CancellationToken cancellationToken) at Npgsql.NpgsqlCommand.ExecuteReader(CommandBehavior behavior, Boolean async, CancellationToken cancellationToken) at Npgsql.NpgsqlCommand.ExecuteReader(CommandBehavior behavior) at Npgsql.NpgsqlCommand.ExecuteDbDataReader(CommandBehavior behavior) at System.Data.Common.DbCommand.ExecuteReader() at Microsoft.EntityFrameworkCore.Storage.RelationalCommand.ExecuteReader(RelationalCommandParameterObject parameterObject) at Microsoft.EntityFrameworkCore.Query.Internal.SplitQueryingEnumerable1.Enumerator.InitializeReader(DbContext _, Boolean result) at Npgsql.EntityFrameworkCore.PostgreSQL.Storage.Internal.NpgsqlExecutionStrategy.Execute[TState,TResult](TState state, Func3 operation, Func3 verifySucceeded) at Microsoft.EntityFrameworkCore.Query.Internal.SplitQueryingEnumerable1.Enumerator.MoveNext() Exception data: Severity: ERROR SqlState: 42P01 MessageText: relation "XXX" does not exist Position: 23 File: parse_relation.c Line: 1180 Routine: parserOpenTable

• Steps to reproduce the issue:

Check the docs before asking a question: https://docs.abp.io/en/commercial/latest/ Check the samples, to see the basic tasks: https://docs.abp.io/en/commercial/latest/samples/index The exact solution to your question may have been answered before, please use the search on the homepage.

• ABP Framework version: v3.0.4
• UI type: Angular
• DB provider: EF Core
• Tiered (MVC) or Identity Server Separated (Angular): yes
• Exception message and stack trace: N/A
• Steps to reproduce the issue: N/A

Is there any setting in ABP.IO framework which enforces user to change the password after first login?. If yes, please provide information on the same. If no, can you share some insight on how to set it up in ABP?

Thanks & regards, Repunjay

Check the docs before asking a question: https://docs.abp.io/en/commercial/latest/ Check the samples, to see the basic tasks: https://docs.abp.io/en/commercial/latest/samples/index The exact solution to your question may have been answered before, please use the search on the homepage.

• ABP Framework version: v3.0.4
• UI type: Angular
• Tiered (MVC) or Identity Server Seperated (Angular): yes
• Exception message and stack trace:
• Steps to reproduce the issue:
• We have build a project which has a set of microservices. These microservices are deployed in AWS ECS fargate and exposed as HTTP APIs thru AWS API gateway. We have exported the swagger definitions to build APIs in AWS API gateway. For the identity service, we don't get the swagger definition and we are also not sure about its methods. Due to this, we are unable to host Identity service in AWS API gateway. Would you please advise -
• 1. How to get the Swagger definition of Identity service
• 2. If there is no Swagger definition, any thoughts on how we can host identity service in AWS API gateway so that the other APIs can authenticate and are accessible.

Thanks, Repunjay

Check the docs before asking a question: https://docs.abp.io/en/commercial/latest/ Check the samples, to see the basic tasks: https://docs.abp.io/en/commercial/latest/samples/index The exact solution to your question may have been answered before, please use the search on the homepage.

• ABP Framework version: v3.0.4
• UI type: Angular
• Tiered (MVC) or Identity Server Seperated (Angular): yes
• Exception message and stack trace:
• Steps to reproduce the issue:

Hi,

We have one service/api which runs in docker container. When one of the operation of this api is invoked, it publishes an event to a Distributed Event Bus (Rabbit MQ). The event is consumed by the Event handler which is a part of another service/api (Application project). This api is hosted in another container. We have noticed a problem that when the second service is idle, the event handler doesn't listens to the messages published by first service. Thus we have to restart the container of second service and than the handler consumes the event and process it. Is there a way to make that event handler continously listening to the messages despite service becomes idle? The Event Handler is written in the Application project of the second service. Below is the code snippet. Let me know if require further information.

using Microsoft.Extensions.Logging;
using FinanceManagement.SharedServices;
using FinanceManagement.TradeFinanceDetails;
using Shared.MqServices.ETO;
using System;
using System.Collections.Generic;
using System.Text;
using System.Threading.Tasks;
using Volo.Abp.DependencyInjection;
using Volo.Abp.EventBus.Distributed;

namespace FinanceManagement.MessagingServices
{
    public class TradeFinanceBatchEventHandler : IDistributedEventHandler<BatchCreatedEto>, ITransientDependency
    {
        private readonly IDistributedEventBus _distributedEventBus;
        private readonly ISharedAppService _sharedAppService;
        private readonly ITradeFinanceBatchAppService _tradeFinanceBatchAppService;
        private readonly ILogger _logger;

        public TradeFinanceBatchEventHandler(IDistributedEventBus distributedEventBus,
            ITradeFinanceBatchAppService tradeFinanceBatchAppService,
            ISharedAppService sharedAppService,
            ILogger<TradeFinanceBatchEventHandler> logger
            )
        {
            _distributedEventBus = distributedEventBus;
            _sharedAppService = sharedAppService;
            _tradeFinanceBatchAppService = tradeFinanceBatchAppService;
            _logger = logger;
        }
        public async Task HandleEventAsync(BatchCreatedEto eventData)
        {
            if (eventData.BatchId != Guid.Empty)
            {
                _logger.LogInformation("Start Process..");

                _logger.LogInformation("BatchId : " + eventData.BatchId.ToString());

                var batch = await _sharedAppService.GetBatchDetailById(eventData.BatchId);

                //Save TradeFinance
                var tradeFinancebatch = await _tradeFinanceBatchAppService.SaveRequestForFinancingAsync(batch);

                _logger.LogInformation("End Process.");
                //Send Acknowledgement
                //Update status in BatchService Batch using API
            }
        }
    }
}

Thanks & regards, Repunjay

Check the docs before asking a question: https://docs.abp.io/en/commercial/latest/ Check the samples, to see the basic tasks: https://docs.abp.io/en/commercial/latest/samples/index The exact solution to your question may have been answered before, please use the search on the homepage.

• ABP Framework version: v3.0.4
• UI type: Angular
• Tiered (MVC) or Identity Server Seperated (Angular): yes
• Exception message and stack trace:
• We scanned our project code base through Snyk tool (Synk.io) and it reported few vulnerabilites. While reviewing we found that the assemblies like "System.Net.Http" and "System.Text.RegularExpressions" are not directly referenced in our code base and thus we could n't upgrade them to latest and resolve these issues. Is this something, ABP can do upgrade of framework code base in order for us to address these issues. Below are the vulnerabilities reported -

Denial of Service (DoS) Improper Certificate Validation Information Exposure Regular Expression Denial of Service (ReDoS) Privilege Escalation Authentication Bypass

Vulnerable module: System.Net.Http Introduced through: xunit.extensibility.execution@2.4.1 and xunit@2.4.1 Exploit maturity: No known exploit Fixed in: 4.1.2, 4.3.2 Introduced through: project@* › xunit.extensibility.execution@2.4.1 › NETStandard.Library@1.6.1 › System.Net.Http@4.3.0 Introduced through: project@* › xunit@2.4.1 › xunit.assert@2.4.1 › NETStandard.Library@1.6.1 › System.Net.Http@4.3.0 Introduced through: project@* › xunit.extensibility.execution@2.4.1 › xunit.extensibility.core@2.4.1 › NETStandard.Library@1.6.1 › System.Net.Http@4.3.0

Vulnerable module: System.Text.RegularExpressions Introduced through: meta-common-packages@meta Exploit maturity: No known exploit Fixed in: 4.3.1 Introduced through: project@* › meta-common-packages@meta › System.Text.RegularExpressions@4.3.0

• Steps to reproduce the issue:

Check the docs before asking a question: https://docs.abp.io/en/commercial/latest/ Check the samples, to see the basic tasks: https://docs.abp.io/en/commercial/latest/samples/index The exact solution to your question may have been answered before, please use the search on the homepage.

• ABP Framework version: v3.0.4
• UI type: Angular
• Tiered (MVC) or Identity Server Seperated (Angular): yes
• Exception message and stack trace: We are trying to create Rest API using AWS API gateway but when trying to import swagger definition of our API, it gives the validation error as mentioned below -

* {
  "messages": [
    "attribute components.schemas.Schema name Volo.Abp.Application.Dtos.PagedResultDto`1[[SCV.Litmus.InvoiceManagement.Batches.BatchDto, SCV.Litmus.InvoiceManagement.Application.Contracts, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null]] doesn't adhere to regular expression ^[a-zA-Z0-9\\.\\-_]+$",
    "attribute components.schemas.Schema name Volo.Abp.Application.Dtos.PagedResultDto`1[[SCV.Litmus.InvoiceManagement.Invoices.InvoiceByStatusDto, SCV.Litmus.InvoiceManagement.Application.Contracts, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null]] doesn't adhere to regular expression ^[a-zA-Z0-9\\.\\-_]+$",
    "attribute components.schemas.Schema name Volo.Abp.Application.Dtos.PagedResultDto`1[[SCV.Litmus.InvoiceManagement.CreditNotes.CreditNoteByStatusDto, SCV.Litmus.InvoiceManagement.Application.Contracts, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null]] doesn't adhere to regular expression ^[a-zA-Z0-9\\.\\-_]+$",
    "attribute components.schemas.Schema name Volo.Abp.Application.Dtos.PagedResultDto`1[[SCV.Litmus.InvoiceManagement.Batches.GetBatchDetailDto, SCV.Litmus.InvoiceManagement.Application.Contracts, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null]] doesn't adhere to regular expression ^[a-zA-Z0-9\\.\\-_]+$",
    "attribute components.schemas.Schema name Volo.Abp.Application.Dtos.PagedResultDto`1[[SCV.Litmus.InvoiceManagement.Invoices.InvoiceDto, SCV.Litmus.InvoiceManagement.Application.Contracts, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null]] doesn't adhere to regular expression ^[a-zA-Z0-9\\.\\-_]+$",
    "attribute components.schemas.Schema name Volo.Abp.Application.Dtos.PagedResultDto`1[[SCV.Litmus.InvoiceManagement.Quotes.QuoteDto, SCV.Litmus.InvoiceManagement.Application.Contracts, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null]] doesn't adhere to regular expression ^[a-zA-Z0-9\\.\\-_]+$",
    "attribute components.schemas.Schema name Volo.Abp.Application.Dtos.PagedResultDto`1[[SCV.Litmus.InvoiceManagement.Samples.SampleDto, SCV.Litmus.InvoiceManagement.Application.Contracts, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null]] doesn't adhere to regular expression ^[a-zA-Z0-9\\.\\-_]+$"
  ]
}

Steps to reproduce the issue: Attached is the class file for one object "BatchDto.cs". Kindly suggest what's wrong with the class implementation and steps to resolve.

using System;
using Volo.Abp.Application.Dtos;

namespace SCV.Litmus.InvoiceManagement.Batches
{
    public class BatchDto : FullAuditedEntityDto<Guid>
    {
        public string BatchNumber { get; set; }

        public Guid SupplierId { get; set; }

        public Guid BusinessEntityId { get; set; }

        public int CurrencyId { get; set; }

        public string Description { get; set; }

        public double RequestedFinanceAmount { get; set; }

        public string BenchMark { get; set; }

        public double MarginRate { get; set; }

        public double InvoiceTotalAmount { get; set; }

        public double CreditNoteTotalAmount { get; set; }

        public double NetFinanceAmount { get; set; }

        public DateTime BatchCreationDate { get; set; }
    }
}

Check the docs before asking a question: https://docs.abp.io/en/commercial/latest/ Check the samples, to see the basic tasks: https://docs.abp.io/en/commercial/latest/samples/index The exact solution to your question may have been answered before, please use the search on the homepage.

• ABP Framework version: v3.0.4
• UI type: Angular
• Tiered (MVC) or Identity Server Seperated (Angular): yes
• Exception message and stack trace:

2020-09-01 15:54:37.892 +00:00 [INF] Request finished in 12.2568ms 404 text/html; charset=utf-8 2020-09-01 15:54:47.167 +00:00 [INF] Request starting HTTP/1.1 POST http://52.76.27.179/Account/Login application/x-www-form-urlencoded 317 2020-09-01 15:54:47.168 +00:00 [INF] CORS policy execution failed. 2020-09-01 15:54:47.168 +00:00 [INF] Request origin http://52.76.27.179 does not have permission to access the resource. 2020-09-01 15:54:47.172 +00:00 [INF] No CORS policy found for the specified request. 2020-09-01 15:54:47.173 +00:00 [INF] Executing endpoint '/Account/Login' 2020-09-01 15:54:47.175 +00:00 [INF] Route matched with {page = "/Account/Login", area = "", controller = "", action = ""}. Executing page /Account/Login 2020-09-01 15:54:47.206 +00:00 [INF] Executing handler method Volo.Abp.Account.Public.Web.Pages.Account.LoginModel.OnPostAsync - ModelState is "Valid" 2020-09-01 15:54:47.579 +00:00 [WRN] Invalid password for user 5dc0ff50-a197-c0a3-bcbe-39f5d3e999ac. 2020-09-01 15:54:47.580 +00:00 [WRN] User 5dc0ff50-a197-c0a3-bcbe-39f5d3e999ac failed to provide the correct password. 2020-09-01 15:54:47.752 +00:00 [INF] Executed handler method OnPostAsync, returned result Microsoft.AspNetCore.Mvc.RazorPages.PageResult. 2020-09-01 15:54:47.810 +00:00 [INF] Executed page /Account/Login in 635.2435ms 2020-09-01 15:54:47.811 +00:00 [INF] Executed endpoint '/Account/Login' 2020-09-01 15:54:47.936 +00:00 [INF] Request starting HTTP/1.1 GET http://52.76.27.179/__bundles/Lepton.Global.6F3011FF0A55A24A6A8C93BB718D26D8.js?_v=637345724587994221 2020-09-01 15:54:47.937 +00:00 [INF] The file /__bundles/Lepton.Global.6F3011FF0A55A24A6A8C93BB718D26D8.js was not modified 2020-09-01 15:54:47.938 +00:00 [INF] Request finished in 1.5823ms 304 application/javascript 2020-09-01 15:54:47.938 +00:00 [INF] Request starting HTTP/1.1 GET http://52.76.27.179/Abp/ApplicationConfigurationScript 2020-09-01 15:54:47.940 +00:00 [INF] Executing endpoint 'Volo.Abp.AspNetCore.Mvc.ApplicationConfigurations.AbpApplicationConfigurationScriptController.Get (Volo.Abp.AspNetCore.Mvc)' 2020-09-01 15:54:47.941 +00:00 [INF] Request starting HTTP/1.1 GET http://52.76.27.179/__bundles/Lepton.Global.D83D057CFA4A44472FE618AF093450A8.css?_v=637345724581876537 2020-09-01 15:54:47.941 +00:00 [INF] Request finished in 773.9358ms 200 text/html; charset=utf-8 2020-09-01 15:54:47.941 +00:00 [INF] Route matched with {area = "Abp", action = "Get", controller = "AbpApplicationConfigurationScript", page = ""}. Executing controller action with signature System.Threading.Tasks.Task`1[Microsoft.AspNetCore.Mvc.ActionResult] Get() on controller Volo.Abp.AspNetCore.Mvc.ApplicationConfigurations.AbpApplicationConfigurationScriptController (Volo.Abp.AspNetCore.Mvc). 2020-09-01 15:54:47.942 +00:00 [INF] The file /__bundles/Lepton.Global.D83D057CFA4A44472FE618AF093450A8.css was not modified 2020-09-01 15:54:47.942 +00:00 [INF] Request finished in 0.832ms 304 text/css 2020-09-01 15:54:47.942 +00:00 [INF] Request starting HTTP/1.1 GET http://52.76.27.179/Abp/ServiceProxyScript 2020-09-01 15:54:47.944 +00:00 [INF] Authorization failed. 2020-09-01 15:54:47.944 +00:00 [INF] Executing endpoint 'Volo.Abp.AspNetCore.Mvc.ProxyScripting.AbpServiceProxyScriptController.GetAll (Volo.Abp.AspNetCore.Mvc)' 2020-09-01 15:54:47.944 +00:00 [INF] Authorization failed. 2020-09-01 15:54:47.944 +00:00 [INF] Authorization failed. 2020-09-01 15:54:47.944 +00:00 [INF] Authorization failed. 2020-09-01 15:54:47.945 +00:00 [INF] Authorization failed. 2020-09-01 15:54:47.945 +00:00 [INF] Authorization failed. 2020-09-01 15:54:47.945 +00:00 [INF] Authorization failed. 2020-09-01 15:54:47.945 +00:00 [INF] Authorization failed. 2020-09-01 15:54:47.945 +00:00 [INF] Authorization failed. 2020-09-01 15:54:47.945 +00:00 [INF] Authorization failed.

• Steps to reproduce the issue:

Hi,

I have updated ABP pacakges for aspnet-core solution from version 2.7.0 to 3.0.4 using ABP CLI update command. The packages are updated, compiled successfully and swagger API is running fine. However, when I updated Angular solution using ABP CLI update command, I updated npm modules using yarn command and when I try to run application using yarn start, I'm getting below error, could you please advise on steps to resolve it?