Activities of "alper"

Also see

ABP Commercial vs ASP.NET Zero

https://docs.abp.io/en/commercial/latest/aspnet-zero-vs-abp-commercial

After disabling linker as shown below, close the solution and delete all bin & obj folders

First time I've heard of this issue. Did you add any extra deployment steps? Or did you modify anything else? Because a new ASP.NET Zero Xamarin project deploys successfully.

Close Visual Studio, delete bin & obj folders.

I know that there's a cookie, but it's not being used natively by the browser. The Angular client creates a custom AJAX request and passes the value from the cookie to the request header. Therefore CSRF steps are not applied. The browser must send the cookie natively to make a CSRF attack. The attacker website cannot reach your HTTP flagged cookie and read the values. I hope it's clear.

That's for MVC templates; I guess you can safely remove that filter. The cookie consent widget is a standard widget that comes in all templates, because some users add extra cookies for their Angular client. But be aware that these cookies will not be sent to the host, because in Angular we do AJAX requests (which are custom requests). CSRF is related to requests that the browser sends by clicking a button or submitting a form. In Angular we are not using request communication that way. Also, you don't need to make a penetration test for your Angular client. Penetration tests are mostly done for the server side.

A CSRF attack can be implemented in 2 ways:

1- session persistence (if the application uses cookies)
2- relaxed origin policies (CORS) (if the host is allowed to get requests from any client)

In ASP.NET Zero Angular applications, the cookie is not being used, so you are not affected by "session persistence" (it uses HTTP Web APIs). On the other hand, if you are hosting your host and Angular client in different domains and the host is allowed to get requests from any client, then yes, you may be affected. But this is a misconfiguration issue apart from the framework itself.

Let's track this issue from the original issue, see https://github.com/aspnetzero/aspnet-zero-core/issues/3558#issuecomment-754440061

This is a solution, but if there's a callback method RegisterForRemoteNotifications() method, you can call FinishLaunching in there. Otherwise 3 sec may be an issue when using slow networks.

This is your JWT token:

tenantId: 8, user: admin

@ismcagdas is this valid?

{
  "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "1",
  "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "admin",
  "AspNet.Identity.SecurityStamp": "RL4BX7FXEDLIBK3SODYYMKCINAQLJD3D",
  "http://schemas.microsoft.com/ws/2008/06/identity/claims/role": "Admin",
  "http://www.aspnetboilerplate.com/identity/claims/tenantId": "8",
  "sub": "1",
  "jti": "315e1388-55a3-41a9-8238-7300ee78d45b",
  "iat": 1609947531,
  "token_validity_key": "de66206f-e80f-4f9d-aeea-3b54cadd4465",
  "user_identifier": "1@8",
  "token_type": "1",
  "nbf": 1609947531,
  "exp": 1641483531,
  "iss": "Decisively",
  "aud": "Decisively"
}