Activities of "jason.smith"

Answer

Refresh token not found in database causes Angular UI to hang.

2020-11-26 10:56:05.745 +00:00 [DBG] refresh_token grant with value: iT6s1mhTmlfz62tFZ7Rhj3xn-j1koHwhWdrGkpPQYlA not found in store.
2020-11-26 10:56:05.745 +00:00 [WRN] Invalid refresh token
2020-11-26 10:56:05.745 +00:00 [WRN] Refresh token validation failed. aborting, {"ClientId":"Repros_App","ClientName":"Repros_App","GrantType":"refresh_token","Scopes":null,"AuthorizationCode":null,"RefreshToken":null,"UserName":null,"AuthenticationContextReferenceClasses":null,"Tenant":null,"IdP":null,"Raw":{"grant_type":"refresh_token","scope":"offline_access Repros","refresh_token":"***REDACTED***","client_id":"Repros_App"},"$type":"TokenRequestValidationLog"}
2020-11-26 10:56:05.746 +00:00 [INF] {"ClientId":"Repros_App","ClientName":"Repros_App","RedirectUri":null,"Endpoint":"Token","SubjectId":null,"Scopes":null,"GrantType":"refresh_token","Error":"invalid_grant","ErrorDescription":null,"Category":"Token","Name":"Token Issued Failure","EventType":"Failure","Id":2001,"Message":null,"ActivityId":"0HM4HTQO2PDS6:00000001","TimeStamp":"2020-11-26T10:56:05.0000000Z","ProcessId":3992,"LocalIpAddress":"127.0.0.1:5001","RemoteIpAddress":"172.69.34.197","$type":"TokenIssuedFailureEvent"}
2020-11-26 10:56:05.746 +00:00 [INF] Request finished in 25.1345ms 400 application/json; charset=UTF-8

Hi @christianvpernix,

You might like the answer. Basically I opened every proj file, and the package.json in your front end (mine is Angular). Then for every abp package you see, change the version number from 3.3.1 to 3.2.1. Then restore packages through NuGet and npm and build. A few things might break at this point and you have to figure out how to extract those features. I was lucky that the external party login (Facebook, Google, etc.) was the only thing that broke, so I deleted their configurations.

Still testing. So we will see if this was a good move or not.

Hope that helps.

OK. Just downgraded to 3.2.1 to get the old behaviour.

All I need to do now is log in and then I can perform POSTs with just providing a cookie.

I don't require the bearer auth method, or an XSRF-TOKEN.

Answer

In addition to the above, does this mean the cli and suite always use the latest? (i.e. the cli uses the latest suite, and suite the latest NuGet packages).

If this is the case the tool will not be of any use in day to day operations. Updating to the latest will be a controlled action in our environment. The cookie issue listed above is a classic reason as to why. Please advise if there is a way to use the abp suite tool at locked versions.

Answer

Uninstalling cli does not uninstall version 3.3.1. After uninstalling and reinstalling version 3.2.1, version 3.3.1 is still loaded. After uninstalling the suite I cannot reinstall anything but the latest.

The following is not a great solution. https://support.abp.io/QA/Questions/287/How-can-I-install-a-specific-version-of-ABP-Suite

The above method still produces new solutions which reference 3.3.1, not 3.2.1.

@liangshiwei the image you posted does not appear.

"hi jason.smith Can you create a new question?"

"closing the issue, you can always reopen if you need help on the same issue."

Sure. Please note this adds a full weekend to turn around now. Why not create a new issue and start to address the issue there? Creating a new issue.

Answer

@alper the Angular user interface works fine, it's just direct calls to the REST API that no longer work.

I have not tested in MVC, as we are not using MVC in our project.

OK. This line is confusing. Same documentation.

All your clients, including non-browser clients, should care about obtaining and sending the antiforgery token in every request. In fact, non-browser clients have no CSRF risk and should not care about this.

Should Insomnia care about sending the cookie? It's never given it though.

CSRF-Anti-Forgery.md has the following comments:

Antiforgery token validation is only enabled for razor pages by default and not enabled for HTTP APIs. You need to enable it yourself for the Controllers. You can use the [ValidateAntiForgeryToken] attribute for a specific API Controller/Action or the [AutoValidateAntiforgeryToken] attribute to prevent attacks globally.

The check is occurring on a controller without this attribute set. Is this a bug?

Made with ❤️ on ABP v8.2.0-preview Updated on March 25, 2024, 15:11