Base solution for your next web application
Ends in:
01 DAYS
01 HRS
01 MIN
01 SEC
Open Closed

Consume app service in production parallel to the web client #11739


User avatar
0
lalande1988 created

Hello,

[v12.2.0 with ASP.NET Core and JQuery]

On top of the web page functionality (Web.Mvc) I want to allow a subset of the APIs to be remotely consumed by customers. For testing I am using Cors (code below) and expect that the API can be consumed with Postman to start with. (Actually, I think Cors is not needed with Postman, only with Swagger).

When I use Postman on the dev machine (localhost), everything works as expected: I get the access token and with that I can call an app service, like GetUsers (as in your doc). When I deploy the app and call https://myexamplepage.co.uk/api/TokenAuth/Authenticate I get an internal error (500) reported.

The log file:

ERROR 2023-10-04 16:57:05.970 [74 ] idateAntiforgeryTokenAuthorizationFilter - The required antiforgery header value "X-XSRF-TOKEN" does not exist. Microsoft.AspNetCore.Antiforgery.AntiforgeryValidationException: The required antiforgery header X-XSRF-TOKEN is not present. at Microsoft.AspNetCore.Antiforgery.DefaultAntiforgery.ValidateRequestAsync(HttpContext httpContext) on Abp.AspNetCore.Mvc.Antiforgery.AbpValidateAntiforgeryTokenAuthorizationFilter.OnAuthorizationAsync(AuthorizationFilterContext context)

A logging statement confirms that on the test (production) server I never get inside the Authenticate() method of the TokenAuthController.

I wonder why there is a need for antiforgery / why it is checked and missing?

Any ideas how I can fix this or at least a starting point to get a better understanding?

Thanks and best regards

services.AddCors(options => { options.AddPolicy(_corsPolicy, builder => { builder .WithOrigins("*") .AllowAnyHeader() .AllowAnyMethod(); }); });

_corsPolicy is an arbitrary string


4 Answer(s)
  • User Avatar
    0
    ismcagdas created
    Support Team

    Hi @lalande1988

    You are right, CORS is not needed if the client is not a web app. Could you share request headers which you try on production ? Are you using Postman to test the production endpoint ?

  • User Avatar
    0
    lalande1988 created

    Hi @ismcagdas,

    thank you!

    Yes, Postman, please see the headers below. I can share the real link (via mail?) to you if you would like to see for yourself?

    body:

  • User Avatar
    0
    ismcagdas created
    Support Team

    Hi @lalande1988

    Does this work if you remove User-Agent header ? If not, please share the URL with [email protected].

    Thanks,

  • User Avatar
    0
    lalande1988 created

    Hi @ismcagdas,

    Excellent, this one worked, thank you very much!

    Kind regards,