Base solution for your next web application
Starts in:
01 DAYS
01 HRS
01 MIN
01 SEC
Open Closed

Hangfire Dashboard is throwing 401 unuathorized. #7817


User avatar
0
MellowoodMedical created

Hi ,

I have the set up below for hangfire dashboard authorization on angular and core application. Both are hosted seperatly.


app.UseHangfireDashboard("/hangfire", new DashboardOptions
            {
                Authorization = new[] { new Url.HangfireAuthorizationFilter() }
            });
            app.UseHangfireServer();
            
   The HangfireAuthorizationFilter make use of the [AbpAuthtoken] which is set after login to api directly.
   
    public bool Authorize(DashboardContext context)
        {
            try
            {
                var cookies = context.GetHttpContext().Request.Cookies;
                var token = cookies["Abp.AuthToken"];
                _logger.Info($"hangfire authorization token  {token}");
                JwtSecurityTokenHandler jwtSecurityTokenHandler = new JwtSecurityTokenHandler();
                TokenValidationParameters tokenValidationParameters = new TokenValidationParameters
                {
                    ValidAudience = _configuration.Audience,
                    ValidIssuer = _configuration.Issuer,
                    IssuerSigningKey = _configuration.SecurityKey
                };

                SecurityToken principal;
                var _ = jwtSecurityTokenHandler.ValidateToken(token, tokenValidationParameters, out principal);

                //httpContext.User
                // Allow all authenticated users to see the Dashboard (potentially dangerous).
                return _.Identity.IsAuthenticated && _.IsInRole("Admin");
            }
            catch(Exception ex)
            {
                _logger.Error("Exception on hangfire authorization ", ex);
                return false;
            }
        }
        

Still getting 401 exception on /hangfire. Any thoughts?


12 Answer(s)
  • User Avatar
    0
    maliming created
    Support Team

    If your angular and api are two websites, the cookie cannot be passed by default. Can you look at the browser console?

  • User Avatar
    0
    MellowoodMedical created

    @maliming , Thanks for responding. There is an update on the issue. Now getting 500 exception and the details below.

    Actually i am trying to access the dashbord from api by appending /hangfire and there is no angular involved here. One I authorize the API, A cookie[Abp.Athtoken] is set on Abp.swagger js file.

    After this I call hangfire dashboard by /hangfire and I could see in the network request, no cookie is passed . Now I get the below exception in the request.

    ERROR 2019-10-10 15:32:40,445 [4 ] Default - Exception on hangfire authorization System.ArgumentNullException: IDX10000: The parameter 'token' cannot be a 'null' or an empty object. Parameter name: token at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken) at PatientPortal.Web.Url.HangfireAuthorizationFilter.Authorize(DashboardContext context) in D:\a\1\s\src\PatientPortal.Web.Host\Url\HangfireAuthorizationFilter.cs:line 42

    Why we are not passing cookie with hangfire request? Please let me know if any further info is needed.

  • User Avatar
    0
    maliming created
    Support Team

    Yes, because api and angular are two separate websites, cookies are not shared by default.

    You can consider using a separate login page on the api site, such as the swagger login feature in zero.

    Or set the cookie to be shared under two domain names.

    I suggest you use the first solution. see https://support.aspnetzero.com/QA/Questions/6516#answer-89202404-fa79-3baf-06d3-39ec371959ab

  • User Avatar
    0
    MellowoodMedical created

    I am Using swagger login feature for this as mentioned above. The steps are below,

    • go to swagger UI of API [https://{tenantname}.api.mellowoodmedical.com/swagger/index.html].
    • Authorize using admin username and password.[leveraging swagger login feature in zero as adviced]
    • The above action will set return token from 'Authorize' method of 'TokenAuthController'. Setting this token as 'Abp.AuthToken' cookie on 'abp.js' file .
    • Try to access [https://{tenantname}.api.mellowoodmedical.com/hangfire] where the request executes 'Authorize' method of HangfireAuthorizationFilter which is implemented on the initial question. Here, we are getting the token as null .Looking at the request, there is not cookie passed with the request.

    So** I am not trying to access hangfire from angular projects**. Only API project is involved on this action. Could you please advice why the cookie is passing/null in the above scenario?

  • User Avatar
    0
    maliming created
    Support Team
    public static bool HangfireDashboardEnabled = true;
    

  • User Avatar
    0
    MellowoodMedical created

    @maliming ,This is great. Could you please let me know how can I find the version of ABP Zero am using to check if I need to upgrade it to v6.8.0 to resolve the issue?

    And where should I put 'HangfireDashboardEnabled = true'? in configure method?

    Do we have any doumentation on how to implement these changes to view the hangfire dashboard ?

    I could only see the below changes on 6.8.0

    . Any help would be appreciated.

    The below is the version info of my project

  • User Avatar
    0
    maliming created
    Support Team

    You can view it on github. https://github.com/aspnetzero/aspnet-zero-core/releases/tag/v6.8.0 https://github.com/aspnetzero/aspnet-zero-core/pull/2245

  • User Avatar
    0
    MellowoodMedical created

    I was not able to view this contents as its showing 404. Do I need any credentials to login to github?

    Could you also look into the below issue?

    1. Could you please let me know how can I find the version of ABP Zero am using to check if I need to upgrade it to v6.8.0 to resolve the issue?

    2. where should I put 'HangfireDashboardEnabled = true'? in configure method?

    3. Do we have any doumentation on how to implement these changes to view the hangfire dashboard ?

  • User Avatar
    1
    maliming created
    Support Team

    I was not able to view this contents as its showing 404. Do I need any credentials to login to github?

    https://docs.aspnetzero.com/en/aspnet-core-angular/latest/Getting-Started-Angular#run-api-host

    https://aspnetzero.com/LicenseManagement

  • User Avatar
    0
    MellowoodMedical created

    I was able to access the contents and it turns out to be the version. I am using v6.6.1 and the fix is available on 6.8.0.

    Do we have any workarounds to show the hangfire dashboard in my case without upgrading to 6.8.0?

  • User Avatar
    1
    maliming created
    Support Team

    Do we have any workarounds to show the hangfire dashboard in my case without upgrading to 6.8.0?

    I suggest you refer to the code in PR (https://github.com/aspnetzero/aspnet-zero-core/pull/2245) to implement it, so that you can upgrade the version of zero later.

  • User Avatar
    0
    MellowoodMedical created

    our update is on the road map. so we can close this. thanks for the reply.