Activities of "Josh.Cunningham"

This was initially observed by new users (who were set up with no phone number) going to the "Personal info" tab of the "/Account/Manage" page, clicking "Verify" (on their email) and then clicking "Submit" (without having made any changes). The submit changes the user's phone number from NULL to an empty string, which creates a "ChangePhoneNumber" security log and updates the security stamp; this results in the verification email that was just sent being immediately invalid.

  • ABP Framework version: v7.3.2
  • UI Type: MVC
  • Database System: EF Core (SQL Server)
  • Tiered (for MVC) or Auth Server Separated (for Angular): yes
  • Exception message and full stack trace:
  • Steps to reproduce the issue:
    • Create new user (without phone number)
    • Log in as new user
    • Go to "My account" ("/Account/Manage")
    • Go to "Personal info" tab
    • Click "Verify" (for email)
    • Click "Submit"
    • Click link in verification email - results in "Invalid token"

I believe this is caused by how the form is submitted by serializing the form which results in the null phone number becoming an empty string.

I have resolved this with the following change:

    [Dependency(ReplaceServices = true)]
    public class CustomProfileAppService : ProfileAppService
    {
        // Constructor omitted for brevity

        public override async Task<ProfileDto> UpdateAsync(UpdateProfileDto input)
        {
            // The serialized form posts an empty string for a phone number that is
            // NULL in the database. Keep the stored value in that case so the base
            // service does not see a change (a change writes a ChangePhoneNumber
            // security log and refreshes the security stamp, which invalidates any
            // verification token issued moments earlier).
            if (string.IsNullOrEmpty(input.PhoneNumber))
            {
                var user = await UserManager.GetByIdAsync(CurrentUser.GetId());
                if (string.IsNullOrEmpty(user.PhoneNumber))
                {
                    input.PhoneNumber = user.PhoneNumber;
                }
            }

            return await base.UpdateAsync(input);
        }
    }

We are immediately providing user training to ensure this does not occur whilst we release this change, as this has been reported multiple times. However, whilst what they are doing is unnecessary, I do not think it is unreasonable that they would not expect the steps they are taking to invalidate their verification token.

I have noticed that on submitting the "/Identity/Users/EditModal" the security stamp is changed every time, which leads me to believe that it is being updated unnecessarily beyond the scenario that our users have encountered.

Additionally, it would be nice to have some visibility of when and why the security stamp changes in the security logs. The ChangePhoneNumber log is already present, and was key to us being able to diagnose what had happened here, but other changes (such as roles/permissions) which I believe to be valid reasons for the security stamp to change are not present in the security logs. It would also be nice to have a security log for when the security stamp has changed (even if this were always inferable from the other logs).

Thank you very much
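The following is an added example (not code from the post above or from the ABP project) that generalizes the workaround described in it: a replacement ProfileAppService that treats a null, empty or whitespace-only phone number as "unchanged" when the stored value is also empty, and writes an application log line whenever a profile update will genuinely change the phone number, so the resulting security-stamp refresh can be correlated with the request. The class name, the namespace and the base-constructor parameters are assumptions (the constructor shape is that of ABP 7.x's ProfileAppService; verify it against the version in use).

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using Volo.Abp.Account;
using Volo.Abp.DependencyInjection;
using Volo.Abp.Identity;
using Volo.Abp.Users;

namespace Acme.BookStore.Account // assumed namespace
{
    // Replaces ABP's ProfileAppService so that a submit with "no phone number"
    // is treated as unchanged rather than as a change from NULL to "".
    [Dependency(ReplaceServices = true)]
    [ExposeServices(typeof(IProfileAppService), typeof(ProfileAppService))]
    public class HardenedProfileAppService : ProfileAppService
    {
        // Assumed to match the base constructor of ABP 7.x.
        public HardenedProfileAppService(
            IdentityUserManager userManager,
            IOptions<IdentityOptions> identityOptions)
            : base(userManager, identityOptions)
        {
        }

        public override async Task<ProfileDto> UpdateAsync(UpdateProfileDto input)
        {
            var user = await UserManager.GetByIdAsync(CurrentUser.GetId());

            // The serialized form turns a missing value into "". Empty, whitespace
            // and NULL all mean "no phone number", so keep the stored value and
            // the base service sees no change: no ChangePhoneNumber security log,
            // no security-stamp refresh, outstanding verification tokens survive.
            if (string.IsNullOrWhiteSpace(input.PhoneNumber) &&
                string.IsNullOrWhiteSpace(user.PhoneNumber))
            {
                input.PhoneNumber = user.PhoneNumber;
            }
            else if (!string.Equals(input.PhoneNumber, user.PhoneNumber, StringComparison.Ordinal))
            {
                // A genuine change: the base service will record a ChangePhoneNumber
                // security log and refresh the security stamp, invalidating any
                // verification token issued earlier. Log it here so the stamp
                // refresh can be tied to this request during an investigation.
                Logger.LogInformation(
                    "Profile update for user {UserId} changes the phone number; the security stamp will be refreshed.",
                    user.Id);
            }

            return await base.UpdateAsync(input);
        }
    }
}
```

The comparison is ordinal and case-sensitive on purpose: any difference in the stored string is a real change from the identity system's point of view, and the log line should reflect exactly what the base service is about to do.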

When the "Allow users to change their email addresses" Identity Management setting is disabled, users are not able to verify their email in the "Personal info" tab of the "Account" page.

Our site is quite tightly controlled and users are created by an administrator and not able to change their email. There also doesn't appear to be a way for administrators to trigger this email on behalf of a user that I can see.

I am aware that if we require emails to be verified then they would be able to verify it on login but at present we do not want this.

Is there any way to configure this so that the user is able to verify their email but not change it?

Currently I am working around the issue using the following JavaScript (any comments, criticisms or suggestions would be appreciated):

    $(function () {
        // Locate the email input of the personal settings form.
        const $email = $('#PersonalSettingsForm').find("#Email");

        // A jQuery object is always truthy; check that the element was actually found.
        if ($email.length) {
            // Insert the "Verify" button that the stock page omits when email
            // changes are disabled, but only for unverified addresses.
            if ($email.parent().find("#VerifyEmailButton").length == 0 && $email.attr("data-email-verified") === "False") {
                $email[0].insertAdjacentHTML('afterend', `
                    <button id="VerifyEmailButton" style="" class="btn btn-warning" type="button" data-busy-text="Processing...">
                        <i class="me-1 fa fa-vcard"></i> Verify
                    </button>
                `);
            }

            // Show the "Verified" badge for addresses that are already confirmed.
            if ($email.parent().find("#EmailVerified").length == 0 && $email.attr("data-email-verified") === "True") {
                $email[0].insertAdjacentHTML('afterend', `
                    <span class="input-group-text" id="EmailVerified" style="">
                        <i class="me-1 text-success fa fa-check-square"></i><span class="text-success">Verified</span>
                    </span>
                `);
            }
        }
    });
  • ABP Framework version: v7.3.2
  • UI Type: MVC
  • Database System: EF Core (SQL Server)
  • Tiered (for MVC) or Auth Server Separated (for Angular): yes
  • Exception message and full stack trace:
  • Steps to reproduce the issue:

Yes, that did exactly what I wanted. Thank you very much for your help, Anjali.

We have recently upgraded to 7.3.2 as we are very excited to leverage the newly added ability to use authenticator apps for 2FA.

It all works great out of the box; however, we have observed that the default "Account Name" that appears in the authenticator app is taken from the web application name. We would like to be able to customise this per deployment, as we have a separate web application that handles our authorization and is deployed for multiple clients. Unfortunately it is not feasible for us to do a build per deployment, so we cannot do this by changing the assembly name. We have not been able to determine any way in which this can be configured, but I am hoping that there is a way that we have missed?

If not, is there a way to disable 2FA using authenticator apps whilst maintaining 2FA via email?

  • ABP Framework version: v7.3.2
  • UI Type: MVC
  • Database System: EF Core (SQL Server)
  • Tiered (for MVC) or Auth Server Separated (for Angular): yes
  • Exception message and full stack trace:
  • Steps to reproduce the issue:

Throwing a UserFriendlyException from a local domain event handler results in an HTTP response with the detail "Error: response status is 200".

  • ABP Framework version: v5.3.2
  • UI type: MVC
  • DB provider: EF Core
  • Tiered (MVC) or Identity Server Separated (Angular): Tiered
  • Exception message and stack trace:
    2022-07-18 10:09:34.558 +01:00 [WRN] An exception occurred, but response has already started!
    2022-07-18 10:09:34.581 +01:00 [ERR] An unhandled exception has occurred while executing the request.
    Volo.Abp.UserFriendlyException: Cannot create a Book
    at Acme.BookStore.Books.BookCreateHandler.HandleEventAsync(EntityCreatedEventData`1 eventData) in C:\_git\AbpDomainEventException\src\Acme.BookStore.Domain\Books\Book.cs:line 22
    at Volo.Abp.EventBus.EventHandlerInvoker.InvokeAsync(IEventHandler eventHandler, Object eventData, Type eventType)
    at Volo.Abp.EventBus.EventBusBase.TriggerHandlerAsync(IEventHandlerFactory asyncHandlerFactory, Type eventType, Object eventData, List`1 exceptions, InboxConfig inboxConfig)
    at Volo.Abp.EventBus.EventBusBase.ThrowOriginalExceptions(Type eventType, List`1 exceptions)
    at Volo.Abp.EventBus.EventBusBase.TriggerHandlersAsync(Type eventType, Object eventData)
    at Volo.Abp.EventBus.Local.LocalEventBus.PublishAsync(LocalEventMessage localEventMessage)
    at Volo.Abp.EventBus.Local.LocalEventBus.PublishToEventBusAsync(Type eventType, Object eventData)
    at Volo.Abp.EventBus.EventBusBase.PublishAsync(Type eventType, Object eventData, Boolean onUnitOfWorkComplete)
    at Volo.Abp.EventBus.UnitOfWorkEventPublisher.PublishLocalEventsAsync(IEnumerable`1 localEvents)
    at Volo.Abp.Uow.UnitOfWork.CompleteAsync(CancellationToken cancellationToken)
    at Volo.Abp.AspNetCore.Uow.AbpUnitOfWorkMiddleware.InvokeAsync(HttpContext context, RequestDelegate next)
    at Microsoft.AspNetCore.Builder.UseMiddlewareExtensions.<>c__DisplayClass6_1.<b__1>d.MoveNext()
    --- End of stack trace from previous location ---
    at Volo.Abp.AspNetCore.ExceptionHandling.AbpExceptionHandlingMiddleware.InvokeAsync(HttpContext context, RequestDelegate next)
    at Volo.Abp.AspNetCore.ExceptionHandling.AbpExceptionHandlingMiddleware.InvokeAsync(HttpContext context, RequestDelegate next)
    at Microsoft.AspNetCore.Builder.UseMiddlewareExtensions.<>c__DisplayClass6_1.<b__1>d.MoveNext()
    --- End of stack trace from previous location ---
    at Volo.Abp.AspNetCore.MultiTenancy.MultiTenancyMiddleware.InvokeAsync(HttpContext context, RequestDelegate next)
    at Microsoft.AspNetCore.Builder.UseMiddlewareExtensions.<>c__DisplayClass6_1.<b__1>d.MoveNext()
    --- End of stack trace from previous location ---
    at Microsoft.AspNetCore.Builder.ApplicationBuilderAbpJwtTokenMiddlewareExtension.<>c__DisplayClass0_0.<b__0>d.MoveNext()
    --- End of stack trace from previous location ---
    at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
    at Volo.Abp.AspNetCore.Security.AbpSecurityHeadersMiddleware.InvokeAsync(HttpContext context, RequestDelegate next)
    at Microsoft.AspNetCore.Builder.UseMiddlewareExtensions.<>c__DisplayClass6_1.<b__1>d.MoveNext()
    --- End of stack trace from previous location ---
    at Volo.Abp.AspNetCore.Tracing.AbpCorrelationIdMiddleware.InvokeAsync(HttpContext context, RequestDelegate next)
    at Microsoft.AspNetCore.Builder.UseMiddlewareExtensions.<>c__DisplayClass6_1.<b__1>d.MoveNext()
    --- End of stack trace from previous location ---
    at Microsoft.AspNetCore.Localization.RequestLocalizationMiddleware.Invoke(HttpContext context)
    at Microsoft.AspNetCore.RequestLocalization.AbpRequestLocalizationMiddleware.InvokeAsync(HttpContext context, RequestDelegate next)
    at Microsoft.AspNetCore.Builder.UseMiddlewareExtensions.<>c__DisplayClass6_1.<b__1>d.MoveNext()
    --- End of stack trace from previous location ---
    at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.Invoke(HttpContext context)
    at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.Invoke(HttpContext context)
    at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.Invoke(HttpContext context)
    at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.Invoke(HttpContext context)
    at Microsoft.AspNetCore.Watch.BrowserRefresh.BrowserRefreshMiddleware.InvokeAsync(HttpContext context)
    at Microsoft.AspNetCore.Server.IIS.Core.IISHttpContextOfT`1.ProcessRequestAsync()
    2022-07-18 10:09:34.581 +01:00 [WRN] The response has already started, the error page middleware will not be executed.
  • Repro Steps:
    1. Created a new solution (Acme.BookStore) with ABP CLI
    2. Generated CRUD entity (Book) and pages with ABP Suite
    3. Created a LocalEventHandler to handle EntityCreatedEventData for the generated entity that throws a UserFriendlyException
    4. Doing POST /api/app/books via swagger results in a response with an undocumented code and details stating "Error: response status is 200".
    5. Creating an entity from the generated create modal displays a dialog stating "An error has occurred! Error detail not sent by server".
    6. We would like both of these scenarios to display a more appropriate response; any help would be greatly appreciated.

Thanks in advance
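The stack trace above shows why the error never reaches the client: handlers for EntityCreatedEventData run while the unit of work completes (UnitOfWork.CompleteAsync -> PublishLocalEventsAsync), inside AbpUnitOfWorkMiddleware, after the action has already produced its result, so the exception-handling middleware can no longer write an error body. The following is an added example (not code from the post or from the ABP project) of one mitigation: enforce the rule before anything is persisted, in a domain service that runs inside the action, so the exception propagates through ABP's normal exception filter and reaches the client as a proper error payload. The Book shape, the BookManager and BookAppService classes, the uniqueness rule and the error code "BookStore:DuplicateBookName" are all assumptions for illustration.

```csharp
using System;
using System.Threading.Tasks;
using Volo.Abp;
using Volo.Abp.Application.Services;
using Volo.Abp.Domain.Entities;
using Volo.Abp.Domain.Repositories;
using Volo.Abp.Domain.Services;

namespace Acme.BookStore.Books
{
    // Minimal aggregate (assumed shape; the real entity is generated by ABP Suite).
    public class Book : AggregateRoot<Guid>
    {
        public string Name { get; private set; }

        internal Book(Guid id, string name) : base(id)
        {
            Name = name;
        }
    }

    // Before (the pattern from the post): the rule lived in a local event handler.
    // Entity events are published when the unit of work completes, after the action
    // result has been written, so a throw here can only surface as "response has
    // already started" and a bare 200 with no error detail.
    //
    //   public class BookCreateHandler : ILocalEventHandler<EntityCreatedEventData<Book>>, ITransientDependency
    //   {
    //       public Task HandleEventAsync(EntityCreatedEventData<Book> eventData)
    //           => throw new UserFriendlyException("Cannot create a Book");
    //   }

    // After: enforce the rule in a domain service called from the action, before
    // the entity is inserted. The exception is raised inside the MVC pipeline and
    // ABP's exception filter turns it into a structured error response.
    public class BookManager : DomainService
    {
        private readonly IRepository<Book, Guid> _bookRepository;

        public BookManager(IRepository<Book, Guid> bookRepository)
        {
            _bookRepository = bookRepository;
        }

        public async Task<Book> CreateAsync(string name)
        {
            Check.NotNullOrWhiteSpace(name, nameof(name));

            // Assumed business rule: book names must be unique.
            if (await _bookRepository.AnyAsync(b => b.Name == name))
            {
                // A coded BusinessException gives the client a stable, localizable
                // error instead of a free-text message (assumed error code).
                throw new BusinessException("BookStore:DuplicateBookName")
                    .WithData("Name", name);
            }

            return new Book(GuidGenerator.Create(), name);
        }
    }

    // Application service (assumed) that composes the domain service and repository.
    public class BookAppService : ApplicationService
    {
        private readonly BookManager _bookManager;
        private readonly IRepository<Book, Guid> _bookRepository;

        public BookAppService(BookManager bookManager, IRepository<Book, Guid> bookRepository)
        {
            _bookManager = bookManager;
            _bookRepository = bookRepository;
        }

        public async Task<Guid> CreateAsync(string name)
        {
            // Any BusinessException thrown here aborts the request before the
            // unit of work completes, so nothing is persisted and the client
            // receives the error detail rather than a silent 200.
            var book = await _bookManager.CreateAsync(name);
            await _bookRepository.InsertAsync(book);
            return book.Id;
        }
    }
}
```

Keeping validation that can reject a request out of post-commit event handlers is the general rule here: a handler for EntityCreatedEventData is the right place for side effects that must follow a successful save, not for deciding whether the save is allowed.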

Made with ❤️ on ABP v8.2.0-preview Updated on March 25, 2024, 15:11