
Activities of "mdepouw"

Of the objects in local storage, either ANZ or ABP, can you please describe their purpose? Or point me to documentation? Thanks!

I'm receiving:

[16:23:22 ERR] An unhandled exception has occurred while executing the request. Castle.MicroKernel.Handlers.HandlerException: Can't create component 'Microsoft.AspNetCore.Mvc.ApiExplorer.IApiDescriptionProvider_f22d71e2-de89-4d40-b537-4c49d264c67e' as it has dependencies to be satisfied.

'Microsoft.AspNetCore.Mvc.ApiExplorer.IApiDescriptionProvider_f22d71e2-de89-4d40-b537-4c49d264c67e' is waiting for the following dependencies:

  • Service 'Microsoft.Extensions.DependencyInjection.IServiceProviderIsService' which was not registered.

    at Castle.MicroKernel.Handlers.DefaultHandler.AssertNotWaitingForDependency() at Castle.MicroKernel.Handlers.DefaultHandler.ResolveCore(CreationContext context, Boolean requiresDecommission, Boolean instanceRequired, Burden& burden) at

on startup and apparently the fix is updating to ABP v8.3: https://stackoverflow.com/a/78049494/185123

  1. Is that correct?
  2. If so, when will Zero be upgrading to that version?

thanks!

Our SAST scanning has recently flagged a bunch of XSS issues. Are you aware of these issues/findings? Have they already been addressed in the latest release by chance? Thanks!!

Here's one example:

"Result message: Unsanitized user input in dynamic HTML insertion (XSS) Snippet: KTUtil.setHTML(the.element, the.options.content); Rule name: javascript_lang_dangerous_insert_html Rule full description:

Description

Unsanitized user input in dynamic HTML insertion can lead to Cross-Site Scripting (XSS) attacks. This vulnerability arises when user-provided data is directly inserted into the DOM without proper sanitization, potentially allowing attackers to execute malicious scripts.

Remediations

  • Do use an HTML sanitization library to clean user input before inserting it into the HTML. This step helps prevent XSS attacks by removing or neutralizing any potentially harmful scripts.
    import sanitizeHtml from 'sanitize-html';
    
    const html = `<strong>${user.Input}</strong>`;
    document.body.innerHTML = sanitizeHtml(html);
    

References

  • OWASP XSS explained
  • https://docs.bearer.com/reference/rules/javascript_lang_dangerous_insert_html/

Files flagged

complaining about being too long, I'll reply to this post
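The rule quoted above flags an unescaped write of `options.content` into an element. As an added example (not code from the post, the theme, or ABP), the block below shows the two patterns that avoid the finding without a sanitizer: writing plain text through `textContent`, and escaping every interpolated value before a trusted template goes into `innerHTML`. The element passed in is a constructed stand-in so the code also runs outside a browser; the probe string is a constructed test value. Where users are meant to supply rich markup, escaping is not enough and a real sanitizer such as the `sanitize-html` call in the rule text is the right tool.

```javascript
// Added example, not from the post or the flagged library: safe alternatives
// to an unsanitized innerHTML write such as KTUtil.setHTML(el, options.content).

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can break out of text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, ch => ESCAPES[ch]);
}

// Option 1: the content is plain text. textContent is never parsed as markup,
// so nothing inside it can become an element or an event handler.
function setText(element, content) {
  element.textContent = String(content);
  return element.textContent;
}

// Option 2: developer-controlled markup around an untrusted value. Only the
// template literal is trusted; the interpolated value is escaped first.
function renderStrong(userInput) {
  return `<strong>${escapeHtml(userInput)}</strong>`;
}

function setHtmlEscaped(element, userInput) {
  element.innerHTML = renderStrong(userInput);
  return element.innerHTML;
}

// Constructed stand-in for a DOM element so the module runs in Node as well.
function fakeElement() {
  return { innerHTML: '', textContent: '' };
}

// Constructed probe string of the kind the SAST rule warns about.
const SAMPLE_INPUT = '<script>alert(1)</script>';

// Usage: both writes leave the probe inert.
setText(fakeElement(), SAMPLE_INPUT);
setHtmlEscaped(fakeElement(), SAMPLE_INPUT);
```

Whether `the.options.content` is actually user-controlled is the question to settle before treating the finding as a true positive; the rule fires on the sink, not on the provenance of the data.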

For the items cached, is there any documentation of what these entities hold? If not, can you provide a brief desc of them? We're most interested in anything security related. Items like token_validity_key, Asp.Net.Identity.SecurityStamp, etc. Thanks!!

| Key | Desc |
| --------------------------------------------- | ---- |
| AspNet.Identity.SecurityStamp | |
| token_validity_key | |
| AbpZeroMultiTenantLocalizationDictionaryCache | |
| AppUserFriendCache | |
| AbpZeroUserPermissions | |
| AbpZeroTenantFeatures | |
| AbpZeroLanguages | |
| AbpZeroTenantCache | |
| AbpZeroRolePermissions | |
| TempFileCacheName | |
| AbpTenantSettingsCache | |
| AbpApplicationSettingsCache | |
| AbpZeroEditionFeatures | |
| AbpUserSettingsCache | |

reference: What is cached? #12136 | Support Center | ASP.NET Zero Support https://support.aspnetzero.com/QA/Questions/12136/What-is-cached

Question

Can you provide us with any specific details about what is cached? It seems like many entities are cached, right? Is there a list or high level list? Any documentation we can refer to?

Also, what about Output caching middleware in ASP.NET Core, is that also utilized?

We want to deploy our application in a distributed fashion but don't want to enable distributed caching.

From reading the documentation I'm not seeing an option to disable it. Is that true? What about a workaround like setting it to 0mins?

ASP.NET Core provides different kind of caching features. In-memory cache stores your objects in the memory of the local server and is only available to the application that stored the object. Non-sticky sessions in a clustered environment should use the distributed caching except some specific scenarios (for example, you can cache a local CSS file into memory. It is read-only data and it is the same in all application instances. You can cache it in memory for performance reasons without any problem).

version: Angular version of Zero using QueryStringTenantResolver

Is there a set of API(s) I can call to switch a user from one tenant to another? I reviewed the behavior of linked accounts and tried doing something similar by calling Logout() but I'm having trouble if I call Logout() on a user that is not logged in as that issues a 302 (on a ajax call). I also have trouble calling Logout() if the user's token has expired.

Use case:

  1. user A logins into tenant X
  2. user A then clicks a link for another tenant Y

Current working solution: in AppPreBootstrap.ts I'm checking for a specific query parameter to trigger:

abp.auth.clearRefreshToken();
abp.auth.clearToken();
AppPreBootstrap.resolveTenancyName(AppConsts.appBaseUrlFormat);
location.href = AppConsts.appBaseUrlFormat;

In the login page, I'm automatically redirecting to the IDP, which recognizes the user is already signed in & returns back to our app.

In this solution, I'm not calling Logout() on the server. Are there any potential problems you see by not calling it?

Alternative solution: call Logout() in AppPreBootstrap.ts

  1. How can I determine if the user is currently logged-in so I can only call Logout() when they are?
  2. How can I determine if the token is expired?

I assume both of those would involve reading some values from session storage?

Thanks!
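The two questions at the end of the post (is the user logged in, has the token expired) can be answered locally from the access token's own `exp` claim, as long as the token is a JWT, which the JwtBearer configuration elsewhere on this page suggests. The block below is an added example and not ASP.NET Zero code: it takes the token string as a parameter so it does not matter whether it came from a cookie, local storage or session storage (`abp.auth.getToken()` is assumed to exist alongside the `abp.auth.clearToken()` used in the post). It does not verify the signature; only the server can do that. The point is to decide whether a server-side Logout() call has a usable token to authenticate with, which is exactly the case where the 302 on an AJAX call and the expired-token failure from the post would otherwise occur. The sample token is constructed and unsigned.

```javascript
// Added example, not from the post or from ASP.NET Zero: classify the stored
// access token from its exp claim so Logout() is only called when it can succeed.

function base64UrlDecode(segment) {
  const padded = segment.replace(/-/g, '+').replace(/_/g, '/')
    + '='.repeat((4 - (segment.length % 4)) % 4);
  // atob exists in browsers and Node 16+; fall back to Buffer elsewhere.
  const binary = typeof atob === 'function'
    ? atob(padded)
    : Buffer.from(padded, 'base64').toString('binary');
  return new TextDecoder().decode(Uint8Array.from(binary, c => c.charCodeAt(0)));
}

// Returns the JWT payload object, or null when the token is not a 3-part JWT.
function decodeJwtPayload(token) {
  if (typeof token !== 'string') return null;
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  try {
    const payload = JSON.parse(base64UrlDecode(parts[1]));
    return payload && typeof payload === 'object' ? payload : null;
  } catch {
    return null;
  }
}

// 'absent', 'malformed', 'expired' or 'active'. skewSeconds treats a token
// that expires within that window as already expired, so the Logout() request
// is not sent with a token that dies in flight.
function tokenState(token, nowSeconds = Math.floor(Date.now() / 1000), skewSeconds = 30) {
  if (!token) return 'absent';
  const payload = decodeJwtPayload(token);
  if (!payload || typeof payload.exp !== 'number') return 'malformed';
  return payload.exp - skewSeconds <= nowSeconds ? 'expired' : 'active';
}

// The decision the post is after: call the server-side Logout() only when
// there is an active token; otherwise just clear the client state.
function shouldCallServerLogout(token, nowSeconds) {
  return tokenState(token, nowSeconds) === 'active';
}

// --- Constructed, unsigned sample token for offline demonstration only ---
function base64UrlEncode(text) {
  const bytes = new TextEncoder().encode(text);
  const binary = Array.from(bytes, b => String.fromCharCode(b)).join('');
  const b64 = typeof btoa === 'function'
    ? btoa(binary)
    : Buffer.from(binary, 'binary').toString('base64');
  return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function makeSampleToken(payload) {
  const header = base64UrlEncode(JSON.stringify({ alg: 'none', typ: 'JWT' }));
  return `${header}.${base64UrlEncode(JSON.stringify(payload))}.`;
}

// exp = 2000000000 (constructed); swap in abp.auth.getToken() in the app.
const SAMPLE_TOKEN = makeSampleToken({ sub: 'user-a', name: 'constructed', exp: 2000000000 });

// Usage: tokenState(abp.auth.getToken()) / shouldCallServerLogout(abp.auth.getToken())
tokenState(SAMPLE_TOKEN);
```

Note that "not expired" is a necessary but not sufficient condition for "logged in": the server may have revoked the session (the `token_validity_key` cache asked about in another post is the server-side record), so the Logout() call should still tolerate a 401.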

I've seen a few links like this now:

source

bad link: https://github.com/aspnetboilerplate/aspnetboilerplate/issues/1858%22%3Ehttps://github.com/aspnetboilerplate/as

I'm confused as to why we don't have access to the source code for Abp.AspNetZeroCore.Web. Shouldn't that source be available in one of the private repos in https://github.com/aspnetzero? If we have an active license, don't we have access to the source code?

What am I misunderstanding?


reference other posts about this topic:

https://support.aspnetzero.com/QA/Questions/4571#answer-86b1a766-de44-49d6-aa29-fa0f014f9e5d

yeah this package is closed source due to licensing purposes.

and https://support.aspnetzero.com/QA/Questions/8511/Access-to-the-AbpAspNetZeroCoreWeb

Is there a way to configure multiple OpenID Connect providers out the box?

reference: Authentication configuration:

{
  "Authentication": {
    "AllowSocialLoginSettingsPerTenant": false,
    "Facebook": {
      "IsEnabled": "false",
      "AppId": "",
      "AppSecret": ""
    },
    "Twitter": {
      "IsEnabled": "false",
      "ApiKey": "",
      "ApiKeySecret": ""
    },
    "Google": {
      "IsEnabled": "false",
      "ClientId": "",
      "ClientSecret": "",
      "UserInfoEndpoint": "https://www.googleapis.com/oauth2/v2/userinfo"
    },
    "Microsoft": {
      "IsEnabled": "false",
      "ConsumerKey": "",
      "ConsumerSecret": ""
    },
    "OpenId": {
      "IsEnabled": "true",
      "ClientId": "4fb5e652-dc58-4370-95ca-fdfb3ba46273",
      "Authority": "https://spottedmahnb2c.b2clogin.com/spottedmahnb2c.onmicrosoft.com/B2C_1_BlahNewFormat/v2.0/",
      "Issuer": "https://spottedmahnb2c.b2clogin.com/80033dfd-6eab-42c4-bdf2-4e223d4b396f/v2.0/",
      "LoginUrl": "https://spottedmahnb2c.b2clogin.com/spottedmahnb2c.onmicrosoft.com/B2C_1_BlahNewFormat/oauth2/v2.0/authorize",
      "ValidateIssuer": "true",
      "ResponseType": "id_token",
      "ClaimsMapping": [{
          "claim": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
          "key": "name"
        }, {
          "claim": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
          "key": "emails"
        }
      ]
    },
    "WsFederation": {
      "IsEnabled": "false",
      "Authority": "",
      "ClientId": "",
      "Tenant": "",
      "MetaDataAddress": ""
    },
    "JwtBearer": {
      "IsEnabled": "true",
      "SecurityKey": "DemoProjectDemo_blah",
      "Issuer": "DemoProjectDemo",
      "Audience": "DemoProjectDemo"
    }
  }
}