Hello
I have created a controller called AttachmentController that inherits from AbpController. I use it to download files from disk, and it works fine. Files are downloaded by clicking download links on a page; these links have href set to my action (/download?filename=myfile.xml).
The code of my download action looks like this:
    [HttpGet]
    public async Task<IActionResult> Download(string filename)
    {
        if (filename == null)
            throw new UserFriendlyException(L("File_Name_Missing_Error"));
        var path = Path.Combine(_appFolders.AttachmentsFolder, filename);
        var memory = new MemoryStream();
        using (var stream = new FileStream(path, FileMode.Open))
        {
            await stream.CopyToAsync(memory);
        }
        memory.Position = 0;
        return File(memory, MimeTypes.GetMimeType(filename), filename);
    }
My issue is that when I decorate my controller with [AbpMvcAuthorize] to prevent any anonymous access to files and to be able to filter which user can access which attachment, the link does not work (AbpSession.UserId is NULL in AuthorizationHelper and it tries to redirect me to the login page).
Is there any way I can force the authorization header to be passed in the GET? Or any other ideas that I can try out?
/Mårten
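The download action above passes the query-string `filename` straight into `Path.Combine`, so that value decides which file on disk is opened. One way to resolve it strictly inside the attachments folder before opening the stream (added example, not part of the original post or of ABP; `AttachmentPathResolver`, `Resolve` and the demo folder are hypothetical names, and the inputs are constructed):

```csharp
using System;
using System.IO;

// Added example: accept only a bare file name and confirm the resolved
// path stays inside the attachments folder before any file is opened.
public static class AttachmentPathResolver
{
    // Returns the full path inside attachmentsFolder, or null when the name
    // is empty, carries directory parts, or resolves outside the folder.
    public static string Resolve(string attachmentsFolder, string filename)
    {
        if (string.IsNullOrWhiteSpace(filename))
            return null;

        // Treat both separators as path syntax regardless of the host OS.
        if (filename.IndexOfAny(new[] { '/', '\\' }) >= 0)
            return null;
        if (filename.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0)
            return null;
        if (filename == "." || filename == "..")
            return null;

        // Canonicalise the root and the candidate, then require containment.
        var root = Path.GetFullPath(attachmentsFolder);
        if (!root.EndsWith(Path.DirectorySeparatorChar.ToString(), StringComparison.Ordinal))
            root += Path.DirectorySeparatorChar;
        var candidate = Path.GetFullPath(Path.Combine(root, filename));
        return candidate.StartsWith(root, StringComparison.Ordinal) ? candidate : null;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample inputs; the folder is a placeholder under the temp directory.
        var folder = Path.Combine(Path.GetTempPath(), "attachments-demo");
        foreach (var name in new[] { "myfile.xml", "../other.xml", "sub/dir.xml", "..", "" })
        {
            var resolved = AttachmentPathResolver.Resolve(folder, name);
            Console.WriteLine($"{name,-14} -> {(resolved == null ? "rejected" : resolved)}");
        }
    }
}
```

In the action, `Resolve(_appFolders.AttachmentsFolder, filename)` would replace the `Path.Combine` call, with the existing `UserFriendlyException` thrown when it returns null.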
7 Answer(s)
-
0
Did you log in?
-
0
Yes
-
0
There shouldn't be a problem on MVC, because when you click the link your browser sends the authentication cookie with the request. Check your request against the cookies, and check if Google Chrome is blocking cookies by an extension.
-
0
I disabled authentication and set a breakpoint in my controller and checked cookies. I do indeed get a "Abp.AuthToken" sent to my controller. But still, when I enable authentication I get an error saying I have to sign in from AuthorizationHelper:
    if (!AbpSession.UserId.HasValue)
    {
        throw new AbpAuthorizationException(
            LocalizationManager.GetString(AbpConsts.LocalizationSourceName, "CurrentUserDidNotLoginToTheApplication")
        );
    }
-
0
I have found a workaround now that is working but it feels more like a bad hack. http://www.alexhadik.com/blog/2016/7/7/l8ztp8kr5lbctf5qns4l8t3646npqh
-
0
You can do it like below;
return this.http.get(AppConsts.remoteServiceBaseUrl + '/FileUploadComponents/DownloadFile?id=' + id + '&' + AppConsts.authorization.encrptedAuthTokenName + '=' + encodeURIComponent(encryptedAuthToken));
This adds "enc_auth_token" to query string and in that way, your request will be authenticated.
-
0
Thanks for pointing me in the right direction, was hoping that something like that existed.
Also, for that solution to work I had to modify AuthConfigurer.cs so that the token is actually checked in the URL:
    var path = context.HttpContext.Request.Path.Value;
    if (path.Contains("/Chat/GetUploadedObject") || path.Contains("/Attachment/Download"))
    {
        return SetToken(context, false);
    }