
Activities of "BobIngham"

Thanks strix20, looks like I'm swimming against the tide here! If I conceded the need for an email I still don't understand why I also need Firstname and Surname.

Without email verification, how will you prevent a bot service from launching an attack on your site and flooding it with fake accounts? And don't say reCAPTCHA (see this whitepaper: here).

The system requires a unique voucher code tying each registration to a tenant, what would stop a bot service from launching an attack on your site and flooding it with fake EMAIL accounts?

Also, what happens when a user forgets his password? How are you going to allow them to reset if you have no user information to otherwise identify him/her?

The system registers the device along with the user. It is possible to use SMS or notifications in the same way as you would traditionally use email. This can be extended to use 2FA in the same way you would use email.

Moreover, without the ability to contact your users, how are you going to send them information and updates about your platform?

As stated before, by SMS or notification.

I guess I will have to concede on this one and simply add a false (unique) email, firstname and surname to each registration.

Sorry, Aaron, I disagree. To use a service securely we simply need the username and password, that forms the basis of authentication and authorization. To sign up for Zero we need to add first name, surname and email. Not only is this an unnecessary overhead but it also means we are keeping personal details on the user and thus brings us all of the problems with the General Data Protection Regulations (GDPR), due to come into force in May 2018 (FOR ALL ORGANISATIONS WORLDWIDE). Effectively, by forcing the system to keep personal data you are forcing ALL OF YOUR CUSTOMERS under the GDPR umbrella. If you keep to user name and password there are no personal details held in the system and there is no reason to consider GDPR. It's simply nonsense to tell us that in order to create a user in Zero we need username, password, email, first name and surname after which we will use only the first two properties for the purposes of authentication and authorization.

Hi Aaron,

I have worked with this for a while and come to the conclusion that this has to be a design fault. If the user is signing in with an email then the email is a username. The system, as is currently configured, demands a unique email as well as a username and a password and an identifier for a tenant. For an app based solution we have no need for an email and it is an unnecessary overhead. All of these required fields for a new user make the registration process difficult for an app user.

See https://forum.aspnetboilerplate.com/viewtopic.php?f=5&t=10657&p=26292#p26292

Hi Aaron, This was a bit sticky but I found the answer. First I will show you code when everything goes well. To register with the system an Ionic app sends a username, password and voucher code. The call from Ionic uses httpClient:

// Posts the registration model (username, password, voucher code) to the Zero server.
public onSignUp(model: AppRegisterModel): Observable<AppRegisterResultModel> {
    return this.httpClient.post<AppRegisterResultModel>("http://...//api/services/app/Account/RegisterFromApp", model)
      .map(registerResultModel => registerResultModel)
      .catch(this.handleError);
  }

AppRegisterModel contains a voucher code unique to each tenant. On the server I find the tenant from the voucher code:

var tenantId = await GetTenantIdFromVoucherCodeAsync(model.VoucherCode);

and then I add the user in a unit of work using the SetTenantId filter and ensure AbpSession uses the same value:

using (_unitOfWorkManager.Current.SetTenantId(tenantId))
using (AbpSession.Use(tenantId, null)) // Use() returns an IDisposable; dispose it to restore the session
{
   // ... create the user for this tenant here ...
}

Successful registration returns a tenantId which is saved locally and added to the sign in process.
AppTokenAuthController is a direct copy of TokenAuthController with changes only to the input model and the first method:

[HttpPost]
public async Task<AuthenticateResultModel> AppAuthenticate([FromBody] AppAuthenticateModel model)
{
  // The tenancy name is resolved from the TenantId the app stored at registration.
  var loginResult = await GetLoginResultAsync(
    model.UserNameOrEmailAddress,
    model.Password,
    await GetTenancyNameFromTenantId(model.TenantId)
  );

  // ... the remainder is identical to TokenAuthController.Authenticate ...
}

AppAuthenticateModel includes TenantId which is added to the JWT token and can now be used securely between an Ionic app and a Zero server. So far so good but if anything goes wrong it's not nice. At the moment my error message returned by a _UserFriendlyException_ can be found here:

error.error.error.message;

Despite the fact it's not nice it works perfectly and we get a nice user friendly error message displayed on the Ionic app. I messed with the

[DontWrapResult(WrapOnError = true)]

with different values but the above configuration proved stable.

This also closes https://forum.aspnetboilerplate.com/viewtopic.php?f=5&t=10636&p=26158#p26158

Thanks for your help.

Bob
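The server side of the registration flow described in the post above, written out as an added example (not Bob's or ASP.NET Zero's own code). It assumes a hypothetical VoucherCode property on Tenant and hypothetical AppRegisterModel / AppRegisterResultModel DTOs; the ABP calls (SetTenantId, AbpSession.Use, UserManager.CreateAsync, CheckErrors, UserFriendlyException) are real framework APIs.

```csharp
using System.Threading.Tasks;
using Abp.Authorization;
using Abp.Domain.Repositories;
using Abp.IdentityFramework;
using Abp.UI;

// Added example: resolves the tenant from a voucher code, then creates the
// user inside a unit of work and session scoped to that tenant.
public class AppAccountAppService : ApplicationService
{
    private readonly IRepository<Tenant> _tenantRepository;
    private readonly UserManager _userManager;

    public AppAccountAppService(IRepository<Tenant> tenantRepository, UserManager userManager)
    {
        _tenantRepository = tenantRepository;
        _userManager = userManager;
    }

    [AbpAllowAnonymous]
    public async Task<AppRegisterResultModel> RegisterFromApp(AppRegisterModel model)
    {
        // Tenant is host-level data, so no tenant filter applies to this lookup.
        // VoucherCode is an assumed column; Zero's Tenant entity does not have one.
        var tenant = await _tenantRepository.FirstOrDefaultAsync(t => t.VoucherCode == model.VoucherCode);
        if (tenant == null || !tenant.IsActive)
        {
            // Surfaces to the Ionic client as error.error.error.message.
            throw new UserFriendlyException("Invalid voucher code");
        }

        // Scope both the unit of work and the session to the resolved tenant so the
        // new user is created under that tenant rather than under the host.
        using (CurrentUnitOfWork.SetTenantId(tenant.Id))
        using (AbpSession.Use(tenant.Id, null))
        {
            var user = new User
            {
                TenantId = tenant.Id,
                UserName = model.UserName,
                // Name, Surname and EmailAddress are required by AbpUser, hence the
                // placeholder values derived from the username (as discussed above).
                Name = model.UserName,
                Surname = model.UserName,
                EmailAddress = $"{model.UserName}@placeholder.invalid",
                IsActive = true
            };
            user.SetNormalizedNames();
            (await _userManager.CreateAsync(user, model.Password)).CheckErrors();
            return new AppRegisterResultModel { TenantId = tenant.Id };
        }
    }
}
```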

Yes, exactly the same result.

It does not matter whether I use the WrapOnError qualifier or not, I am still getting the same result.

@ismcagdas, thanks for the consideration but I'm still not sure on best practice. I will add the tenant ref as a claim and then create the access token including this claim. That way the token can be read on every call to the server but I am still faced with the problem of having to create a unit of work and setting AbpSession.TenantId for the uow for every call made to the server.

The question has to be: During the login and authentication processes how do I set AbpSession.TenantId so I do not have to create a unit of work and set AbpSession.TenantId for the uow for every call made to the server?

Thanks, Aaron, that did the trick. Sorry about the naivety, I am still in the learning phase.

Hmmm, the problem, Aaron, is that settingsRepository only returns those settings for the current tenant, how do I read settings for all tenants to ensure the value is unique?
