abpframework / abp

Open-source web application framework for ASP.NET Core! Offers an opinionated architecture to build enterprise software solutions with best practices on top of .NET. Provides the fundamental infrastructure, cross-cutting-concern implementations, startup templates, application modules, UI themes, tooling and documentation.
https://abp.io
GNU Lesser General Public License v3.0

Without logging in I can access all the endpoints via the Swagger UI #13875

Open gerryge opened 2 years ago

gerryge commented 2 years ago

The issue is that I can access all endpoints without logging in.

realLiangshiwei commented 2 years ago

I can't reproduce it. Please check the request body in the network tab; I'm thinking maybe you've logged into the app and it's sending cookies.

gerryge commented 2 years ago

> I can't reproduce it. Please check the request body in the network tab; I'm thinking maybe you've logged into the app and it's sending cookies.

You can try to log in and then log out; you should reproduce it.

realLiangshiwei commented 2 years ago

This is a problem with Swagger UI: https://github.com/swagger-api/swagger-ui/issues/7203

We will fix it when Swagger UI supports the logout flow.

enisn commented 2 years ago

I think you have cookies from the MVC application. Can you make sure you can still access all endpoints after clearing all cookies?

gerryge commented 2 years ago

@enisn Thank you for your reply. I have no UI actually; this is caused by the logout function not clearing the cookies.
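The thread's root cause is a logout that leaves the authentication cookie in the browser, so Swagger UI (which runs in that same browser and sends its cookies automatically) keeps calling protected endpoints as the logged-in user. As an added example, not ABP's code and not anything posted in this issue, the following minimal ASP.NET Core app shows a logout that does remove the cookie, together with a protected endpoint that answers 401 to API clients instead of redirecting. The cookie name, endpoint paths and the hard-coded demo user are constructed for the example.

```csharp
// Added example (not ABP's code and not from this issue thread): a minimal
// ASP.NET Core app whose logout actually removes the auth cookie, so a
// Swagger UI or browser still holding the old cookie is rejected afterwards.
// Endpoint paths, the cookie name and the demo user are constructed here.
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options =>
    {
        options.Cookie.Name = "demo.auth";               // constructed name
        options.Cookie.HttpOnly = true;                  // not readable from page scripts
        options.Cookie.SameSite = SameSiteMode.Strict;   // not sent on cross-site requests
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        // API clients (Swagger UI, curl) should see 401/403, not an HTML login redirect.
        options.Events.OnRedirectToLogin = ctx =>
        {
            ctx.Response.StatusCode = StatusCodes.Status401Unauthorized;
            return Task.CompletedTask;
        };
        options.Events.OnRedirectToAccessDenied = ctx =>
        {
            ctx.Response.StatusCode = StatusCodes.Status403Forbidden;
            return Task.CompletedTask;
        };
    });
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Demo login: issues the cookie for a hard-coded user (constructed; a real
// application validates credentials before calling SignInAsync).
app.MapPost("/login", async (HttpContext ctx) =>
{
    var identity = new ClaimsIdentity(
        new[] { new Claim(ClaimTypes.Name, "demo-user") },
        CookieAuthenticationDefaults.AuthenticationScheme);
    await ctx.SignInAsync(
        CookieAuthenticationDefaults.AuthenticationScheme,
        new ClaimsPrincipal(identity));
    return Results.Ok("signed in");
});

// Logout: SignOutAsync for the cookie scheme writes an expired Set-Cookie for
// "demo.auth", so the browser (and the Swagger UI running in it) drops the session.
app.MapPost("/logout", async (HttpContext ctx) =>
{
    await ctx.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
    return Results.Ok("signed out");
});

// The kind of endpoint Swagger UI would call; unauthenticated requests get 401.
app.MapGet("/api/secret", () => Results.Ok("only for authenticated callers"))
   .RequireAuthorization();

app.Run();
```

To check the behaviour described in the thread, call `POST /login` and confirm the response carries `Set-Cookie: demo.auth=...`, then call `POST /logout` and confirm it returns a `Set-Cookie` that expires `demo.auth`; a browser (or Swagger UI in it) that follows that header will then get 401 from `GET /api/secret`. One caveat worth keeping in mind: the default cookie handler is stateless, so `SignOutAsync` only instructs the client to delete the cookie. A copy of the cookie value that a client chose to keep stays valid until the ticket's own expiry, which is why short expirations, or a server-side ticket store (`CookieAuthenticationOptions.SessionStore`) that can be invalidated on logout, are the usual hardening steps on top of a correct logout.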