Well, could this pose a slight security risk if I have access to all functions?
When I am logged in as a user of tenant AAA, I can access, for example, xxx.yyy.zzz:8077/api/services/app/Account/IsTenantAvailable (the backend public address, which is not hidden).
I can send the following request body:
{ "tenancyName": "BBB" }
In response, I receive another tenant's ID from the database. This confirms that the other tenant exists in the system.
Now, I can check if a user exists by calling the following function:
Endpoint: /api/services/app/CommonLookup/FindUsers
Request body:
{ "maxResultCount": 1000, "skipCount": 2147483647, "filter": "UserName", "tenantId": 999, "excludeCurrentUser": true }
Response:
{ "result": { "totalCount": 1, "items": [] }, "targetUrl": null, "success": true, "error": null, "unAuthorizedRequest": false, "__abp": true }
Is there a way to restrict the use of the web API only to the Angular client and block other requestors, or limit it only to host members?
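An editor's note on the two endpoints above, with an added example that is not code from the post or from the ASP.NET Zero template. IsTenantAvailable has to answer before anyone is logged in, because the login form uses it to resolve the tenancy name, so the existence of a tenant is discoverable by design; rate limiting that endpoint at the proxy is the usual mitigation against enumeration. Neither the CorsOrigins list nor an unpublished backend URL restricts who may call the API: CORS only governs what a browser lets a script read, and tools such as curl ignore it, while a browser running the Angular bundle is itself an "other requestor". What can be enforced is that every tenant-scoped method binds its query to the caller's own tenant on the server. The service below shows that pattern in ASP.NET Boilerplate terms; the class and method names, the page-size limit and the FlaskOne.Authorization.Users.User namespace are assumptions made for the example.

```csharp
// Added example, not code from the post or the template: a lookup service that refuses
// to query any tenant other than the caller's own unless the caller is a host-side user.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Abp.Application.Services;
using Abp.Authorization;
using Abp.Domain.Repositories;
using Abp.Linq.Extensions;
using Abp.MultiTenancy;
using Abp.Runtime.Session;
using FlaskOne.Authorization.Users;   // assumed location of the template's User entity
using Microsoft.EntityFrameworkCore;

[AbpAuthorize]   // anonymous callers are rejected before any method body runs
public class ScopedUserLookupAppService : ApplicationService
{
    private const int MaxPageSize = 100;   // assumed limit for the example
    private readonly IRepository<User, long> _userRepository;

    public ScopedUserLookupAppService(IRepository<User, long> userRepository)
    {
        _userRepository = userRepository;
    }

    // Decide which tenant the caller is allowed to query.
    // Host users may pass any tenantId (null meaning host-side users); tenant users are
    // pinned to their own tenant, and any other value is treated as an authorization
    // failure rather than silently corrected, so the attempt is visible in the logs.
    public int? ResolveTenantId(int? requestedTenantId)
    {
        if (AbpSession.MultiTenancySide == MultiTenancySides.Host)
        {
            return requestedTenantId;
        }

        if (requestedTenantId.HasValue && requestedTenantId.Value != AbpSession.TenantId)
        {
            throw new AbpAuthorizationException("Cross-tenant lookup is not permitted.");
        }

        return AbpSession.TenantId;
    }

    public async Task<List<string>> FindUserNamesAsync(string filter, int? tenantId,
                                                       int maxResultCount, int skipCount)
    {
        var effectiveTenantId = ResolveTenantId(tenantId);

        // Clamp paging so values such as skipCount = int.MaxValue or maxResultCount = 1000
        // cannot be used to probe the table or to force expensive queries.
        maxResultCount = Math.Clamp(maxResultCount, 1, MaxPageSize);
        skipCount = Math.Max(0, skipCount);

        // SetTenantId switches ABP's tenant data filter for this unit of work, so the query
        // only sees rows of the resolved tenant (or host rows when it is null).
        using (CurrentUnitOfWork.SetTenantId(effectiveTenantId))
        {
            var query = _userRepository.GetAll()
                .WhereIf(!string.IsNullOrWhiteSpace(filter),
                         u => u.UserName.Contains(filter) || u.EmailAddress.Contains(filter));

            return await query
                .OrderBy(u => u.UserName)
                .Skip(skipCount)
                .Take(maxResultCount)
                .Select(u => u.UserName)
                .ToListAsync();
        }
    }
}
```

A quick check for any existing app service is to log in as a tenant user, repeat the call with a different tenantId (as in the FindUsers request above), and confirm the server either ignores the value or returns an authorization error; a totalCount that changes with the supplied tenantId means the method is trusting client-side tenant selection.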
Hi, I am trying to solve this issue. Currently, in the appconfig.production.json file in my Angular project, I have entries:
{ "remoteServiceBaseUrl": "https://xxx.yyy.zzz:9002", "appBaseUrl": "https://xxx.yyy.zzz:9012", "localeMappings": { .....
The appconfig.production.json file in the backend .NET Core looks like this:
{
  "ConnectionStrings": { "Default": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" },
  "App": {
    "ServerRootAddress": "http://localhost:9901/",   <- I am not sure it is important.
    "ClientRootAddress": "http://localhost:4200/",   <- I am not sure it is important.
    "CorsOrigins": "http://localhost:9001,http://xxx.yyy.zzz:9001,https://localhost:9002,https://xxx.yyy.zzz:9002, http://localhost:9011,http://xxx.yyy.zzz:9011,https://localhost:9012,https://xxx.yyy.zzz:9012"
  }
}
After accessing this page from the outside, everything works fine.
I think that this is not the correct procedure because remoteServiceBaseUrl is a public address.
I have started making changes.
First, I want to set up the backend to run on localhost so that it will not be accessible from the outside.
Angular appsettings.production.json:
{ "remoteServiceBaseUrl": "http://localhost:9001", "appBaseUrl": "https://xxx.yyy.zzz:9012", "localeMappings": { "angular": [
.net core appsettings.production.json:
{
  "ConnectionStrings": { XXXXXXXXXXXXXXXXXXXXXXXXXX },
  "App": {
    "ServerRootAddress": "http://localhost:9001/",
    "ClientRootAddress": " https://xxx.yyy.zzz:9012//",
    "CorsOrigins": "http://localhost:9001,http://xxx.yyy.zzz:9001,https://localhost:9002,https://xxx.yyy.zzz:9002, http://localhost:9011,http://xxx.yyy.zzz:9011,https://localhost:9012,https://xxx.yyy.zzz:9012"
  }
}
and now:
I can use the HTTPS protocol for the backend (https://localhost:9002), but the result is the same.
For additional information, my certificate is a wildcard certificate that does not include localhost.
How do we make the backend invisible from the outside? I tried to use IIS reverse proxy, but I don't know how to configure the rules to make it work properly.
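On the reverse-proxy question, an added example that is not from the post or from the ASP.NET Zero template. Pointing remoteServiceBaseUrl at localhost cannot work: the Angular bundle runs in the visitor's browser, so that URL is resolved on the visitor's machine, not on the server. What a reverse proxy does buy is that Kestrel can listen on 127.0.0.1 only, TLS terminates at IIS with the existing wildcard certificate (so the certificate not covering localhost stops mattering), and the API is published under one path prefix of the public hostname. It does not stop anyone from calling the API through the proxy; authorization still has to live in the backend. The web.config below sits in the Angular site's root and assumes IIS URL Rewrite and Application Request Routing are installed with proxying enabled at server level (ARR, Server Proxy Settings), that the backend listens on http://localhost:9001 as in the second configuration above, and that the forwarded X-Forwarded-* names have been added to allowedServerVariables in applicationHost.config. The forwarded path prefixes are the ones an ABP backend exposes by default and should be adjusted to the project.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not the project's own configuration: IIS site root web.config for the
     Angular app that forwards backend paths to a Kestrel instance bound to loopback. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Only these prefixes reach the backend; everything else is served as static files. -->
        <rule name="Proxy backend to loopback Kestrel" stopProcessing="true">
          <match url="^(api/.*|AbpUserConfiguration/.*|signalr.*|swagger/.*)$" />
          <action type="Rewrite" url="http://localhost:9001/{R:1}" appendQueryString="true" />
          <serverVariables>
            <!-- Lets the backend know the original scheme and host behind the proxy. -->
            <set name="HTTP_X_FORWARDED_PROTO" value="https" />
            <set name="HTTP_X_FORWARDED_HOST" value="{HTTP_HOST}" />
          </serverVariables>
        </rule>
        <!-- SPA fallback: unknown, non-file paths return index.html for Angular routing. -->
        <rule name="Angular routes" stopProcessing="true">
          <match url=".*" />
          <conditions logicalGrouping="MatchAll">
            <add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" />
            <add input="{REQUEST_FILENAME}" matchType="IsDirectory" negate="true" />
          </conditions>
          <action type="Rewrite" url="/index.html" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

With this in place the Angular app calls its own origin (remoteServiceBaseUrl becomes https://xxx.yyy.zzz:9012), so the public 9002 binding and its CorsOrigins entry are no longer needed, and a firewall rule can drop external traffic to the backend ports. The check is simple: from outside the host, a request to xxx.yyy.zzz:9001 or :9002 must time out or be refused, while https://xxx.yyy.zzz:9012/api/... still answers.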
Yes, you are right, inside secret.json the name of the database was wrong. Thank you.
I did it. I removed these folders from FlaskOne.Web.Host (where appsettings.json is; it is the start project) and from all other projects in the solution. Then I rebuilt everything.
I set the breakpoint here (I am not sure whether it is an important place, but here the database name is wrong):
The exception during debugging is here:
Below are the copied details:
System.InvalidOperationException
  HResult=0x80131509
  Message=An exception has been raised that is likely due to a transient failure. Consider enabling transient error resiliency by adding 'EnableRetryOnFailure' to the 'UseSqlServer' call.
  Source=Microsoft.EntityFrameworkCore.SqlServer
  StackTrace:
   at Microsoft.EntityFrameworkCore.SqlServer.Storage.Internal.SqlServerExecutionStrategy.Execute[TState,TResult](TState state, Func`3 operation, Func`3 verifySucceeded)
   at Microsoft.EntityFrameworkCore.ExecutionStrategyExtensions.Execute[TState,TResult](IExecutionStrategy strategy, TState state, Func`2 operation, Func`2 verifySucceeded)
   at Microsoft.EntityFrameworkCore.RelationalDatabaseFacadeExtensions.BeginTransaction(DatabaseFacade databaseFacade, IsolationLevel isolationLevel)
   at Abp.EntityFrameworkCore.Uow.DbContextEfCoreTransactionStrategy.CreateDbContext[TDbContext](String connectionString, IDbContextResolver dbContextResolver)
   at Abp.EntityFrameworkCore.Uow.EfCoreUnitOfWork.GetOrCreateDbContext[TDbContext](Nullable`1 multiTenancySide, String name)
   at Abp.EntityFrameworkCore.Uow.UnitOfWorkExtensions.GetDbContext[TDbContext](IActiveUnitOfWork unitOfWork, Nullable`1 multiTenancySide, String name)
   at Abp.EntityFrameworkCore.Uow.UnitOfWorkDbContextProvider`1.GetDbContext(Nullable`1 multiTenancySide)
   at Abp.EntityFrameworkCore.Repositories.EfCoreRepositoryBase`3.GetContext()
   at Abp.EntityFrameworkCore.Repositories.EfCoreRepositoryBase`3.<GetQueryableAsync>b__8_0(Type key)
   at System.Collections.Concurrent.ConcurrentDictionary`2.GetOrAdd(TKey key, Func`2 valueFactory)
   at Abp.EntityFrameworkCore.Repositories.EfCoreRepositoryBase`3.<GetQueryableAsync>d__8.MoveNext()
   at Abp.EntityFrameworkCore.Repositories.EfCoreRepositoryBase`3.<GetAllAsync>d__21.MoveNext()
   at Abp.EntityFrameworkCore.Repositories.EfCoreRepositoryBase`3.<GetAllListAsync>d__27.MoveNext()
   at Abp.Configuration.SettingStore.<>c__DisplayClass3_0.<<GetAllListAsync>b__0>d.MoveNext()
   at Abp.Domain.Uow.UnitOfWorkManagerExtensions.<WithUnitOfWorkAsync>d__3`1.MoveNext()
   at Abp.Configuration.SettingStore.<GetAllListAsync>d__3.MoveNext()
   at Abp.Configuration.SettingManager.<<GetApplicationSettingsAsync>b__64_0>d.MoveNext()
   at Abp.Runtime.Caching.TypedCacheWrapper`2.<>c__DisplayClass21_0.<<GetAsync>b__0>d.MoveNext()
   at Abp.Runtime.Caching.AbpCacheBase`2.<GetAsync>d__17.MoveNext()
   at Abp.Runtime.Caching.TypedCacheWrapper`2.<GetAsync>d__21.MoveNext()
   at Abp.Configuration.SettingManager.<GetApplicationSettingsAsync>d__64.MoveNext()
   at Abp.Configuration.SettingManager.<GetSettingValueForApplicationOrNullAsync>d__58.MoveNext()
   at Abp.Configuration.SettingManager.<GetSettingValueInternalAsync>d__54.MoveNext()
   at FlaskOne.Web.UiCustomization.UiThemeCustomizerFactory.<GetCurrentUiCustomizer>d__3.MoveNext() in D:\RW\PROGRAMING\PROJECTS\FLASK_ONE\SaaS\aspnet-core\src\FlaskOne.Web.Core\UiCustomization\UiThemeCustomizerFactory.cs:line 27
   at FlaskOne.Sessions.SessionAppService.<<GetCurrentLoginInformations>b__8_0>d.MoveNext() in D:\RW\PROGRAMING\PROJECTS\FLASK_ONE\SaaS\aspnet-core\src\FlaskOne.Application\Sessions\SessionAppService.cs:line 76
   at Abp.Domain.Uow.UnitOfWorkManagerExtensions.<WithUnitOfWorkAsync>d__3`1.MoveNext()
   at FlaskOne.Sessions.SessionAppService.<GetCurrentLoginInformations>d__8.MoveNext() in D:\RW\PROGRAMING\PROJECTS\FLASK_ONE\SaaS\aspnet-core\src\FlaskOne.Application\Sessions\SessionAppService.cs:line 57
   at FlaskOne.Web.Session.PerRequestSessionCache.<GetCurrentLoginInformationsAsync>d__3.MoveNext() in D:\RW\PROGRAMING\PROJECTS\FLASK_ONE\SaaS\aspnet-core\src\FlaskOne.Web.Core\Session\PerRequestSessionCache.cs:line 33
   at FlaskOne.Web.Controllers.UiController.<Index>d__7.MoveNext() in D:\RW\PROGRAMING\PROJECTS\FLASK_ONE\SaaS\aspnet-core\src\FlaskOne.Web.Host\Controllers\UiController.cs:line 47
   at Microsoft.AspNetCore.Mvc.Infrastructure.ActionMethodExecutor.TaskOfIActionResultExecutor.<Execute>d__0.MoveNext()
   at System.Runtime.CompilerServices.ValueTaskAwaiter`1.GetResult()
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<

  This exception was originally thrown at this call stack: [External Code]

Inner Exception 1:
SqlException: Cannot open database "FlaskOneDb13V" requested by the login. The login failed.
Login failed for user 'DESKTOP-760V5B6\r.wielgus'.
But all the time, the database name is FlaskOneDb13V.
On my developer computer, I changed appsettings.json for the connection string
{ "ConnectionStrings": { "Default": "Trusted_Connection=True;Database=FlaskOneDb;Server=xxxx\\SQLEXPRESS;TrustServerCertificate=True;" }, ....
the previous version was
{ "ConnectionStrings": { "Default": "Trusted_Connection=True;Database=FlaskOneDb13V;Server=xxxx\\SQLEXPRESS;TrustServerCertificate=True;" },...
The name FlaskOneDb13 is not mentioned anywhere in the solution.
On the SQL Server, I renamed the database to "FlaskOneDb13V__", and I have "FlaskOneDb".
Now, I have a problem with the connection to FlaskOneDb: here is a fragment of the log file:
ERROR 2025-01-28 15:11:03,361 [1 ] .EntityFrameworkCore.Database.Connection - An error occurred using the connection to database 'FlaskOneDb13V' on server 'DESKTOP-760V5B6\SQLEXPRESS'.
ERROR 2025-01-28 15:11:03,361 [11 ] .EntityFrameworkCore.Database.Connection - An error occurred using the connection to database 'FlaskOneDb13V' on server 'DESKTOP-760V5B6\SQLEXPRESS'.
WARN 2025-01-28 15:11:03,420 [11 ] Abp.BackgroundJobs.BackgroundJobManager - System.InvalidOperationException: An exception has been raised that is likely due to a transient failure. Consider enabling transient error resiliency by adding 'EnableRetryOnFailure' to the 'UseSqlServer' call.
 ---> Microsoft.Data.SqlClient.SqlException (0x80131904): Cannot open database "FlaskOneDb13V" requested by the login. The login failed.
Login failed for user 'DESKTOP-760V5B6\r.wielgus'.
   at Microsoft.Data.ProviderBase.DbConnectionPool.TryGetConnection(DbConnection owningObject, UInt32 waitForMultipleObjectsTimeout, Boolean allowCreate, Boolean onlyOneCheckConnection, DbConnectionOptions userOptions, DbConnectionInternal& connection)
   at Microsoft.Data.ProviderBase.DbConnectionPool.TryGetConnection(DbConnection owningObject, TaskCompletionSource`1 retry, DbConnectionOptions userOptions, DbConnectionInternal& connection)
   at Microsoft.Data.ProviderBase.DbConnectionFactory.TryGetConnection(DbConnection owningConnection, TaskCompletionSource`1 retry, DbConnectionOptions userOptions, DbConnectionInternal oldConnection, DbConnectionInternal& connection)
   at Microsoft.Data.ProviderBase.DbConnectionInternal.TryOpenConnectionInternal(DbConnection outerConnection, DbConnectionFactory connectionFactory, TaskCompletionSource`1 retry, DbConnectionOptions userOptions)
   at Microsoft.Data.ProviderBase.DbConnectionClosed.TryOpenConnection(DbConnection outerConnection, DbConnectionFactory connectionFactory, TaskCompletionSource`1 retry, DbConnectionOptions userOptions)
   at Microsoft.Data.SqlClient.SqlConnection.TryOpen(TaskCompletionSource`1 retry, SqlConnectionOverrides overrides)
   at Microsoft.Data.SqlClient.SqlConnection.Open(SqlConnectionOverrides overrides)
   at Microsoft.Data.SqlClient.SqlConnection.Open()
   at Microsoft.EntityFrameworkCore.SqlServer.Storage.Internal.SqlServerConnection.OpenDbConnection(Boolean errorsExpected)
   at Microsoft.EntityFrameworkCore.Storage.RelationalConnection.OpenInternal(Boolean errorsExpected)
   at Microsoft.EntityFrameworkCore.Storage.RelationalConnection.Open(Boolean errorsExpected)
   at Microsoft.EntityFrameworkCore.Storage.RelationalConnection.BeginTransaction(IsolationLevel isolationLevel)
   at Microsoft.EntityFrameworkCore.RelationalDatabaseFacadeExtensions.<>c__DisplayClass28_0.<BeginTransaction>b__0(DatabaseFacade database)
   at Microsoft.EntityFrameworkCore.ExecutionStrategyExtensions.<>c__DisplayClass12_0`2.<Execute>b__0(DbContext _, TState s)
   at Microsoft.EntityFrameworkCore.SqlServer.Storage.Internal.SqlServerExecutionStrategy.Execute[TState,TResult](TState state, Func`3 operation, Func`3 verifySucceeded)
ClientConnectionId:4ffae8c0-938d-4d6f-8d0b-aefea7443b86
Error Number:4060,State:1,Class:11
   --- End of inner exception stack trace ---
   at Microsoft.EntityFrameworkCore.SqlServer.Storage.Internal.SqlServerExecutionStrategy.Execute[TState,TResult](TState state, Func`3 operation, Func`3 verifySucceeded)
   at Microsoft.EntityFrameworkCore.ExecutionStrategyExtensions.Execute[TState,TResult](IExecutionStrategy strategy, TState state, Func`2 operation, Func`2 verifySucceeded)
   at Microsoft.EntityFrameworkCore.RelationalDatabaseFacadeExtensions.BeginTransaction(DatabaseFacade databaseFacade, IsolationLevel isolationLevel)
   at Abp.EntityFrameworkCore.Uow.DbContextEfCoreTransactionStrategy.CreateDbContext[TDbContext](String connectionString, IDbContextResolver dbContextResolver)
   at Abp.EntityFrameworkCore.Uow.EfCoreUnitOfWork.GetOrCreateDbContext[TDbContext](Nullable`1 multiTenancySide, String name)
   at Abp.EntityFrameworkCore.Uow.UnitOfWorkExtensions.GetDbContext[TDbContext](IActiveUnitOfWork unitOfWork, Nullable`1 multiTenancySide, String name)
   at Abp.EntityFrameworkCore.Uow.UnitOfWorkDbContextProvider`1.GetDbContext(Nullable`1 multiTenancySide)
   at Abp.EntityFrameworkCore.Repositories.EfCoreRepositoryBase`3.GetContext()
   at Abp.EntityFrameworkCore.Repositories.EfCoreRepositoryBase`3.<GetQueryable>b__7_0(Type key)
   at System.Collections.Concurrent.ConcurrentDictionary`2.GetOrAdd(TKey key, Func`2 valueFactory)
   at Abp.EntityFrameworkCore.Repositories.EfCoreRepositoryBase`3.GetQueryable()
   at Abp.EntityFrameworkCore.Repositories.EfCoreRepositoryBase`3.GetAll()
   at Abp.BackgroundJobs.BackgroundJobStore.<>c__DisplayClass7_0.<GetWaitingJobsAsync>b__0()
   at Abp.Domain.Uow.UnitOfWorkManagerExtensions.WithUnitOfWork[TResult](IUnitOfWorkManager manager, Func`1 action, UnitOfWorkOptions options)
   at Abp.BackgroundJobs.BackgroundJobStore.GetWaitingJobsAsync(Int32 maxResultCount)
   at Abp.BackgroundJobs.BackgroundJobManager.DoWorkAsync()
   at Abp.Threading.BackgroundWorkers.AsyncPeriodicBackgroundWorkerBase.Timer_Elapsed(AbpAsyncTimer timer)
thx
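An editor's note on the "database name that is not mentioned anywhere" symptom above, with an added example that is not code from the post or the ASP.NET Zero template. ASP.NET Core builds its configuration from several providers in registration order and the last provider that has a key wins, so a connection string edited in appsettings.json is silently overridden by a later source such as user secrets (the secrets.json the thread mentions) or an environment variable. The console program below reproduces that layering with two constructed in-memory JSON documents standing in for appsettings.json and secrets.json (AddJsonStream is used so it runs without files), then walks the providers to show which one supplied ConnectionStrings:Default; the sample connection strings and database names are constructed for the example.

```csharp
// Added example, not the project's code: demonstrates configuration precedence and
// how to find which provider supplied a given key.
using System;
using System.IO;
using System.Text;
using Microsoft.Extensions.Configuration;

public static class ConfigPrecedenceDemo
{
    // Constructed sample contents; in the real app these come from appsettings.json and
    // from the user-secrets store (AddUserSecrets), which is registered after the files.
    private const string AppSettingsJson =
        @"{ ""ConnectionStrings"": { ""Default"": ""Server=.\\SQLEXPRESS;Database=FlaskOneDb;Trusted_Connection=True;TrustServerCertificate=True;"" } }";
    private const string SecretsJson =
        @"{ ""ConnectionStrings"": { ""Default"": ""Server=.\\SQLEXPRESS;Database=FlaskOneDb13V;Trusted_Connection=True;TrustServerCertificate=True;"" } }";

    private static Stream AsStream(string json) => new MemoryStream(Encoding.UTF8.GetBytes(json));

    public static IConfigurationRoot Build()
    {
        return new ConfigurationBuilder()
            .AddJsonStream(AsStream(AppSettingsJson))  // first: appsettings.json
            .AddJsonStream(AsStream(SecretsJson))      // later: secrets, so this value wins
            .AddEnvironmentVariables()                 // later still: env vars beat both
            .Build();
    }

    // Returns the provider type names that contain the key, in registration order;
    // the last entry is the effective source of the value the app actually uses.
    public static string[] ProvidersHolding(IConfigurationRoot root, string key)
    {
        var found = new System.Collections.Generic.List<string>();
        foreach (var provider in root.Providers)
        {
            if (provider.TryGet(key, out _))
            {
                found.Add(provider.GetType().Name);
            }
        }
        return found.ToArray();
    }

    public static void Main()
    {
        var root = Build();
        Console.WriteLine("Effective: " + root.GetConnectionString("Default"));
        foreach (var name in ProvidersHolding(root, "ConnectionStrings:Default"))
        {
            Console.WriteLine("  supplied by " + name);
        }
    }
}
```

For the real project the equivalent check is `dotnet user-secrets list` run in the FlaskOne.Web.Host directory, which prints every key stored in the secrets file for that project's UserSecretsId; the connection string belongs there (or in environment variables) rather than in a committed appsettings.json, which is the whole point of the mechanism and also why the edit to appsettings.json had no visible effect.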
Hi, I downloaded the new release 13.3 of my project's Angular and .NET Core parts two days ago. On the Angular project, I ran the Yarn command and got this error (@angular/animations@18.2.3):
yarn
yarn install v1.22.17
info No lockfile found.
[1/4] Resolving packages...
warning adal-angular@1.0.18: This package is no longer supported. Please migrate to @azure/msal-angular.
warning eslint > @humanwhocodes/config-array@0.11.14: Use @eslint/config-array instead
warning eslint > file-entry-cache > flat-cache > rimraf@3.0.2: Rimraf versions prior to v4 are no longer supported
warning eslint > file-entry-cache > flat-cache > rimraf > glob@7.2.3: Glob versions prior to v9 are no longer supported
warning eslint > @humanwhocodes/config-array > @humanwhocodes/object-schema@2.0.3: Use @eslint/object-schema instead
warning eslint > file-entry-cache > flat-cache > rimraf > glob > inflight@1.0.6: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
warning karma > glob@7.2.3: Glob versions prior to v9 are no longer supported
warning karma > rimraf@3.0.2: Rimraf versions prior to v4 are no longer supported
warning karma-coverage-istanbul-reporter > istanbul-lib-source-maps > rimraf@2.7.1: Rimraf versions prior to v4 are no longer supported
warning karma-coverage-istanbul-reporter > istanbul-lib-source-maps > rimraf > glob@7.2.3: Glob versions prior to v9 are no longer supported
warning shx > shelljs > glob@7.2.3: Glob versions prior to v9 are no longer supported
[2/4] Fetching packages...
error @angular/animations@18.2.3: The engine "node" is incompatible with this module. Expected version "^18.19.1 || ^20.11.1 || >=22.0.0". Got "20.10.0"
error Found incompatible module.
info Visit https://yarnpkg.com/en/docs/cli/install for documentation about this command.
Can it be a problem or not?
We would like to give tenants only a limited ability to manage permissions and roles. As part of the process, we have created very granular permissions in the solution, while only a very limited part of them should be available for a tenant to manage.
That is why we considered denying tenants access to manage permissions and letting them manage only a selected set of roles (whose configuration would remain at the host level), but as far as we understand, assigning permissions to roles for particular tenants cannot be managed centrally at the host level? Could you please confirm?
So the scenario would be as follows: a host user can predefine and configure roles that could be used at the tenant level; a tenant user can assign a role to particular users but cannot see or edit granular permissions. Or, alternatively, can we somehow filter the list of permissions available for a tenant to configure, to avoid confusion?
Can this be done in the settings, or does it need to be programmed? If coding, how do you approach it? Are there any tips?
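An editor's note on the second option raised above (filtering which permissions a tenant can configure), with an added example that is not code from the post or the ASP.NET Zero template. ASP.NET Boilerplate permissions carry a MultiTenancySides flag; a permission defined with MultiTenancySides.Host is left out of the permission tree that PermissionManager.GetAllPermissions returns for a tenant session, and the permission checker never grants it to a tenant user even if the permission name is posted directly to the role or user API, so the restriction holds on the server and not only in the UI. The provider below shows the pattern: the coarse permission a tenant administrator may assign stays on both sides, the granular ones and role editing itself become host-only. The permission names, the localization source name and the class name are assumptions for the example and will collide with an existing AppAuthorizationProvider if pasted unchanged.

```csharp
// Added example, not the project's code: an ABP AuthorizationProvider that keeps the
// granular permissions host-only so tenant administrators never see or assign them.
using Abp.Authorization;
using Abp.Localization;
using Abp.MultiTenancy;

public class TenantScopedAuthorizationProvider : AuthorizationProvider
{
    // Assumed localization source name; replace with the project's own.
    private const string SourceName = "FlaskOne";

    public override void SetPermissions(IPermissionDefinitionContext context)
    {
        // Reuse the root permission if another provider already defined it.
        var pages = context.GetPermissionOrNull("Pages")
                    ?? context.CreatePermission("Pages", L("Pages"));

        // Both sides (the default): a tenant admin can grant this to one of its roles.
        var orders = pages.CreateChildPermission("Pages.Orders", L("Orders"));

        // Host-only: absent from a tenant's permission tree and never granted to a
        // tenant user, even if the name is sent straight to the API.
        orders.CreateChildPermission("Pages.Orders.Export", L("ExportOrders"),
            multiTenancySides: MultiTenancySides.Host);
        orders.CreateChildPermission("Pages.Orders.BulkDelete", L("BulkDeleteOrders"),
            multiTenancySides: MultiTenancySides.Host);

        // Role assignment stays available to tenants; role creation/editing/deletion and
        // direct per-user permission changes become host-only, so a tenant picks from
        // the roles it has but cannot reshape the permission set behind them.
        var admin = pages.CreateChildPermission("Pages.Administration", L("Administration"));
        var roles = admin.CreateChildPermission("Pages.Administration.Roles", L("Roles"));
        roles.CreateChildPermission("Pages.Administration.Roles.Create", L("CreatingNewRole"),
            multiTenancySides: MultiTenancySides.Host);
        roles.CreateChildPermission("Pages.Administration.Roles.Edit", L("EditingRole"),
            multiTenancySides: MultiTenancySides.Host);
        roles.CreateChildPermission("Pages.Administration.Roles.Delete", L("DeletingRole"),
            multiTenancySides: MultiTenancySides.Host);

        var users = admin.CreateChildPermission("Pages.Administration.Users", L("Users"));
        users.CreateChildPermission("Pages.Administration.Users.ChangePermissions",
            L("ChangingPermissions"), multiTenancySides: MultiTenancySides.Host);
    }

    private static ILocalizableString L(string name) => new LocalizableString(name, SourceName);
}
```

One caveat for the first option: roles are per-tenant rows in ABP, and an impersonated session runs on the tenant side, so once role editing is host-only the host has to create or change a tenant's roles by code (a seeding step, or a host-side service that works inside `CurrentUnitOfWork.SetTenantId(tenantId)`), not through the tenant's own role screen.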