
Authorize HttpGet on AbpController #6699


User avatar
0
peabmw created

Hello

I have created a controller called AttachmentController that inherits from AbpController. I use it to download files from disk, and it works fine. Files are downloaded by clicking download links on a page; these links have href set to my action (/download?filename=myfile.xml).

The code of my download action looks like this:

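[HttpGet]
public async Task<IActionResult> Download(string filename)
{
    if (filename == null)
        throw new UserFriendlyException(L("File_Name_Missing_Error"));

    // Keep only the file-name part so the request cannot reach outside the attachments folder.
    var path = Path.Combine(_appFolders.AttachmentsFolder, Path.GetFileName(filename));

    // Copy the file into memory so the file handle is released before the response is written.
    var memory = new MemoryStream();
    using (var stream = new FileStream(path, FileMode.Open, FileAccess.Read))
    {
        await stream.CopyToAsync(memory);
    }

    memory.Position = 0;
    return File(memory, MimeTypes.GetMimeType(filename), filename);
}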

My issue is that when I decorate my controller with [AbpMvcAuthorize], to prevent any anonymous access to files and to be able to filter which user can access which attachment, the link does not work (AbpSession.UserId is NULL in AuthorizationHelper and it tries to redirect me to the login page).

Is there any way I can force the authorization header to be passed in the GET? Or any other ideas that I can try out?

/Mårten


7 Answer(s)
  • User Avatar
    0
    aaron created
    Support Team

    Did you log in?

  • User Avatar
    0
    peabmw created

    Yes

  • User Avatar
    0
    alper created
    Support Team

    There shouldn't be a problem on MVC, because when you click the link your browser sends the authentication cookie with the request. Check your request against the cookies, and check if Google Chrome is blocking cookies by an extension.

  • User Avatar
    0
    peabmw created

    I disabled authentication and set a breakpoint in my controller and checked cookies. I do indeed get an "Abp.AuthToken" sent to my controller.

    But still, when I enable authentication I get an error saying I have to sign in from AuthorizationHelper:

    if (!AbpSession.UserId.HasValue)
    {
        throw new AbpAuthorizationException(
            LocalizationManager.GetString(AbpConsts.LocalizationSourceName, "CurrentUserDidNotLoginToTheApplication")
            );
    }
    
  • User Avatar
    0
    peabmw created

    I have found a workaround now that is working but it feels more like a bad hack. http://www.alexhadik.com/blog/2016/7/7/l8ztp8kr5lbctf5qns4l8t3646npqh

  • User Avatar
    0
    ismcagdas created
    Support Team

    You can do it like below:

    return this.http.get(AppConsts.remoteServiceBaseUrl + '/FileUploadComponents/DownloadFile?id=' + id + '&' + AppConsts.authorization.encrptedAuthTokenName + '=' + encodeURIComponent(encryptedAuthToken));

    This adds "enc_auth_token" to query string and in that way, your request will be authenticated.

  • User Avatar
    0
    peabmw created

    Thanks for pointing me in the right direction, was hoping that something like that existed.

    Also, for that solution to work I had to modify AuthConfigurer.cs so that the token is actually checked in the URL:

    var path = context.HttpContext.Request.Path.Value;
    if (path.Contains("/Chat/GetUploadedObject") || path.Contains("/Attachment/Download"))
    {
        return SetToken(context, false);
    }
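
An alternative to the query-string token discussed in the last two answers, as an added example that is not code from this thread or from the ABP project: the download is requested with `fetch`, so the token travels in the `Authorization` header and does not end up in the URL, where browser history and access logs would record it. The `/Attachment/Download` route and the `filename` parameter come from the posts above; the function names, the `Bearer` scheme and the injectable `fetchImpl` are assumptions.

```javascript
// Added example, not code from the thread. Names below are illustrative.

// Build the request without touching the network so it can be inspected.
function buildDownloadRequest(baseUrl, filename, accessToken) {
  if (typeof filename !== 'string' || filename.length === 0) {
    throw new Error('filename is required');
  }
  if (typeof accessToken !== 'string' || accessToken.length === 0) {
    throw new Error('no access token: user is not signed in');
  }
  const url = new URL('/Attachment/Download', baseUrl);
  url.searchParams.set('filename', filename); // value is URL-encoded here
  return {
    url: url.toString(),
    init: {
      method: 'GET',
      // Assumed scheme: the token travels in a header, never in the URL.
      headers: { Authorization: 'Bearer ' + accessToken },
    },
  };
}

// Fetch the attachment as a Blob; fetchImpl can be swapped for a stub.
async function fetchAttachment(baseUrl, filename, accessToken, fetchImpl = fetch) {
  const { url, init } = buildDownloadRequest(baseUrl, filename, accessToken);
  const response = await fetchImpl(url, init);
  if (response.status === 401 || response.status === 403) {
    throw new Error('not authorized to download ' + filename);
  }
  if (!response.ok) {
    throw new Error('download failed with HTTP ' + response.status);
  }
  return response.blob();
}

// Browser only: offer the Blob to the user as a file download.
function saveBlob(blob, filename) {
  const objectUrl = URL.createObjectURL(blob);
  const link = document.createElement('a');
  link.href = objectUrl;
  link.download = filename;
  document.body.appendChild(link);
  link.click();
  link.remove();
  // Release the in-memory copy once the click has been dispatched.
  setTimeout(() => URL.revokeObjectURL(objectUrl), 0);
}
```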