Base solution for your next web application
Ends in:
01 DAYS
01 HRS
01 MIN
01 SEC
Open Closed

AbpSession on anonymous request #4293


User avatar
0
JeffMH created

I have an email going out that will "approve" a request by a user. Because I know I will get that look like "what, why you doing this", let me quickly explain.

Think of this as a fancy bug tracker (it's more complicate than that)

  1. User requests that someone do something for them (Add me to this item please).
  2. This sends an email to the person in charge that says, Mr. Nacho requests that you give them access to Item 1234. Click the link to approve request.
  3. The user will be on their phone 9 times out of 10, I don't want them to login. The link has a special hashed code, I check the code, and see "who are you and what action are you performing".
  4. I validate that the URL is valid, and it hasn't been clicked before, and execute the request.

So, my problem is that AbpSession is null because the request that is running is anonymous. But I need to impersonate the user that is making the request. As the code gets into the repository layer, things start to check for current user for things like audit fields and whatnot and starts to fail. I also have some custom code that saves history of records and it needs a current user in order to run correctly.

Can I accomplish this? I copied code out of the Impersonate functions to sign in as a user, but when I execute _authenticationManager.SignOutAllAndSignIn(), AbpSession does not change. I assume the Claim does not populate in Identity until you call back into the server, which means AbpSession does not ever populate.

Help! (Using the asp.net / angular 1.x version FYI).


3 Answer(s)
  • User Avatar
    0
    JeffMH created

    FYI, I have the UserId of the user that is clicking the link. So, I know who I am trying to impersonate. Right now, I am:

    1. Validate URL / hash
    2. If !SignedIn, sign in as User.
    3. Do work
    4. Invalidate URL
    5. If I signed in manually, sign out
    6. I'm done.

    the Hash that is passed in points to a record in the database with the necessary information to know everything I need to accomplish the requested task. I just need AbpSession.GetUserId() to return a valid UserId.

    Sorry, just wanted to provide a little more info.

  • User Avatar
    0
    aaron created
    Support Team

    That sounds easily handled by Overriding Current Session Values:

    [AbpAllowAnonymous]
    public void ApproveRequest()
    {
        // 1. Validate URL / hash
        
        using (_session.Use(42, null)) // 2. Always override current session values
        {
            var tenantId = _session.TenantId; // 42
            var userId = _session.UserId;     // null
    
            // 3. Do work
            // 4. Invalidate URL
    
        } // 5. Overriding is automatically disposed
    
        // 6. I'm done.
    }
    

    when I execute _authenticationManager.SignOutAllAndSignIn(), AbpSession does not change. I assume the Claim does not populate in Identity until you call back into the server, which means AbpSession does not ever populate.

    Correct, that populates the cookie for subsequent requests.

  • User Avatar
    0
    JeffMH created

    I need to put a dollar in the "didn't read the documentation" jar! Thanks man! I will give this a try.