Default AspCore reset token contains illegal characters? - c#

I am trying to set up reset tokens using a custom Blazor page.
The token generation works just fine, using
var code = await _userManager.GeneratePasswordResetTokenAsync(user);
It generated the following code
CfDJ8HVZ73lJc0lGiTBiTdeoRRd//Zc1LM0Q4P+8t7DLaBzwlQ2DuvY2HQ5CWE/E8b3VdlZZYIelpwwrCFz579CeCcQTf+YIPli7KpPTuUpMcTHDs5pAw3XifV7x+5Y/Q6WAPdixXuHE8We9QQRxl7Hnba2vjoJ5fCZ9FMHKpkOq3mxDhgYi/gba2Vse3/R87ztVrisEguYvYQ8h5f2MAVMiCB+H0TakjKjpj2ANAD9wQ2H8
Sending it through the mail requires encoding, as can be seen at this link, giving me
var callbackUrl = _globals.AppUrl
+ "/user/reset/"
+ System.Web.HttpUtility.UrlEncode(code);
Now the mail sends successfully, and the URL is successfully encoded.
However, when opening the page, I get a 404.11 error:
The request filtering module is configured to deny a request that contains a double escape sequence.
Page declaration:
@page "/user/reset/{Code}"
Example URL:
https://localhost:44303/user/reset/CfDJ8HVZ73lJc0lGiTBiTdeoRRfumtSdRgb46HPXLklW0j42IyjqN8rv%2fapJG158YfIrR7dVRNRF2YxJydegd2CMlvm93FTcjkuBwnVPC3N9AtSigiy8VOqeW1nNrRth73urJ23D0V6M2c%2fzE1%2bTuFs8KbB%2fnCG5CE3UnFXG5HleeA%2fwtlyzLgbP4Zrbi5XZ4Q0w4%2b1j83J%2fXvQUqg%2fO5raSkmcO3cb1TGnDWz%2fwqxW%2fbNOe
Question
Does ASP.NET Core Identity include characters which cannot be sent by email by default? (I'd assume the '+' character.) And can we exclude them from generation? Or is there another way to manipulate the URL to prevent this error? I prefer to keep the double escape character filter ON, as it increases security.
Edit
When encoding the entire url as follows:
var callbackUrl = _globals.AppUrl
+ "/user/reset/"
+ code;
callbackUrl = HtmlEncoder.Default.Encode(callbackUrl);
A 404 error occurs, because the code contains a '/', which does not fit my routing.

var callbackUrl =
    _globals.AppUrl
    + "/user/reset/"
    + code;
callbackUrl = HtmlEncoder.Default.Encode(callbackUrl);
Update for this
var callbackUrl = _globals.AppUrl
    + "/user/reset/"
    + code;
callbackUrl = {callbackUrl};
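The reset token that Identity hands back is Data Protection output in standard Base64, so it will always contain '+', '/' and '=' somewhere. Rather than percent-encoding those (which is what trips the IIS double-escape filter when the '%2b' is decoded back into '+' inside a path segment), the default Identity UI scaffolding re-encodes the token as Base64Url before putting it in the link and decodes it again in the receiving page. The following is an added example of that approach, not code from the question; `_globals.AppUrl` is replaced by an `appUrl` parameter that is assumed to come from configuration, and the receiving Blazor page is assumed to declare `[Parameter] public string Code { get; set; }` under `@page "/user/reset/{Code}"`.

```csharp
// Added example: carry an Identity reset token in a route segment without '+', '/' or '='.
// Requires the Microsoft.AspNetCore.WebUtilities package (part of the shared framework
// in ASP.NET Core apps).
using System;
using System.Text;
using Microsoft.AspNetCore.WebUtilities;

public static class ResetTokenTransport
{
    // Sender side, right after GeneratePasswordResetTokenAsync. The output alphabet is
    // [A-Za-z0-9-_] only, so no HttpUtility.UrlEncode is needed and the request filter
    // sees no escape sequence at all.
    public static string ToRouteSegment(string token) =>
        WebEncoders.Base64UrlEncode(Encoding.UTF8.GetBytes(token));

    // Receiver side (the @page "/user/reset/{Code}" component). Hand the result to
    // ResetPasswordAsync; the raw route value is not the token Identity issued.
    // Base64UrlDecode throws FormatException on a tampered or truncated segment.
    public static string FromRouteSegment(string segment) =>
        Encoding.UTF8.GetString(WebEncoders.Base64UrlDecode(segment));

    // appUrl is assumed to be an absolute base URL taken from configuration,
    // e.g. "https://localhost:44303".
    public static string BuildCallbackUrl(string appUrl, string token) =>
        new Uri(new Uri(appUrl), "/user/reset/" + ToRouteSegment(token)).AbsoluteUri;
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample containing the characters that caused the 404.11; not a real token.
        const string token = "CfDJ8HVZ73lJ//Zc1LM0Q4P+8t7DLaBz==";

        string url = ResetTokenTransport.BuildCallbackUrl("https://localhost:44303", token);
        Console.WriteLine(url);

        // What the Blazor page receives in {Code}, and the round trip back to the token.
        string segment = url.Substring(url.LastIndexOf('/') + 1);
        Console.WriteLine("segment is URL-safe: " + (segment.IndexOfAny(new[] { '+', '/', '%', '=' }) == -1));
        Console.WriteLine("round trip intact:  " + (ResetTokenTransport.FromRouteSegment(segment) == token));
    }
}
```

In the receiving page, wrap `FromRouteSegment` in a `try`/`catch (FormatException)` and show a generic "invalid link" message instead of echoing the segment back; the double-escape filter can stay on, since the link never contains an escape sequence.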

Related

'+' character ignored from POST data using c# to webapi2

I have a client that connects to ASP.NET Web API 2, using Identity & OAuth2 for authentication.
In the authentication process, whenever the password field contains a '+' character, the server just ignores this character!!! (And most other sign chars mentioned in the test below.)
// Values are concatenated unencoded, so the server's form decoder reads '+' as a space.
string data = "grant_type=password&username=" + username + "&password=" + password;
byte[] bytes = System.Text.Encoding.UTF8.GetBytes(data);
data.PostToUrl(); // This is just pseudocode
In Server Debug:
Sent Data : password=test+1
Received Data : password=test 1
test2
Sent Data : "+_)(&^%$##!~"
Received Data :" _)("
Thanks.
What is the issue? With an HTTP URL, a + is equivalent to a space. In fact %20 can also be used.
When sending data in a query always use UrlEncode; as in
var q = string.Format("grant_type=password&username={0}&password={1}",
HttpUtility.UrlEncode(username),
HttpUtility.UrlEncode(password));
HttpServerUtility.UrlEncode
This will help solve the problem with special characters such as + and #.
To use it you'll need to add a reference to System.Web (Project Explorer > References > Add reference > System.Web)
Once you've done that you can use it to encode any items you wish
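Beyond calling `UrlEncode` by hand, `HttpClient` can build the `application/x-www-form-urlencoded` body itself and encode every value. The following added example (not code from the question or the answers) shows the request side with `FormUrlEncodedContent` and, for comparison, what a Web API 2 token endpoint decodes from the unencoded concatenation in the question; the credentials and the `/token` endpoint are constructed placeholders.

```csharp
// Added example: OAuth2 password grant body with framework-side encoding,
// plus the decode step that explains the lost '+'.
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Threading.Tasks;
using System.Web; // HttpUtility: reference System.Web on .NET Framework

public static class TokenRequest
{
    // FormUrlEncodedContent percent-encodes each name and value, so '+' travels
    // as %2B, '&' as %26 and '#' as %23, and a space travels as '+'.
    public static FormUrlEncodedContent BuildBody(string username, string password) =>
        new FormUrlEncodedContent(new[]
        {
            new KeyValuePair<string, string>("grant_type", "password"),
            new KeyValuePair<string, string>("username", username),
            new KeyValuePair<string, string>("password", password),
        });

    // The same decoding the server applies to a form body: %XX sequences are
    // restored and a literal '+' becomes a space.
    public static string DecodePassword(string body) =>
        HttpUtility.ParseQueryString(body)["password"];

    public static async Task Main()
    {
        // Constructed sample credentials using the characters from the question.
        FormUrlEncodedContent body = BuildBody("test", "+_)(&^%$##!~");
        string wire = await body.ReadAsStringAsync();
        Console.WriteLine("on the wire: " + wire);
        Console.WriteLine("decoded:     " + DecodePassword(wire)); // every character survives

        // The question's raw concatenation: the '+' is read as a space on arrival.
        Console.WriteLine("unencoded:   " + DecodePassword("grant_type=password&username=test&password=test+1"));

        // Sending it (endpoint is a placeholder):
        // using (var client = new HttpClient())
        // {
        //     HttpResponseMessage response = await client.PostAsync("https://api.example.com/token", body);
        // }
    }
}
```

The decode step is also a useful unit test for any hand-rolled client: if `DecodePassword(wire)` does not equal the original password, the body was not encoded before it left the client.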

Getting the url of the current request

I have a page for registering students and an email activation link is sent after submitting records. I have included the link for activation but it gets the whole URL and includes it in the email. Can someone show how to solve the issue, as currently it sends the whole page URL in the email? Here is a sample of what is sent to email:
localhost:89192/Staff/Register.aspx?rwndrnd=0.6363636646446373333CompleteRegistration.aspx?id=8901b88k1-81fa-8u10-m96e-892f6aea6710
Below is how I am getting the current URL:
activationUrl = HttpContext.Current.Request.Url.Host+""+"://CompleteAccount.aspx?id=" + id.ToString();
Simply use
activationUrl = Request.Url.AbsoluteUri
Also, Request.Url.ToString() returns the full url (including querystring)

Getting error "invalid uri" when using http://localhost

I'm working with my first API here and I'm trying to get through the OAuth authorization so I can start working with the API. When trying to get the short-life access key with the following code, SurveyMonkey is telling me I have an invalid URI. The API key and username are replaced with dummies.
string url = "https://api.surveymonkey.net/oauth/authorize";
string api_key = "api_key=sdwertyujgfv3f24qqa4kfyd";
string client_id = "client_id=XXX";
string redirect_uri="redirect_uri=http://localhost";
url = url + "?" + redirect_uri +"&" + client_id + "&" + api_key;
System.Diagnostics.Process.Start(url);
What is the URI and how do I use it in this situation?
You can not bitly a localhost link. You could try with 127.0.0.1 instead just to get it to work. But ultimately, once the app is deployed, its hostname will not be localhost, so it will work if that was the only obstacle.
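Both the activation-link question and the SurveyMonkey question above build a URL by string concatenation, which is where the stray `Register.aspx?rwndrnd=...` prefix and the unencoded `redirect_uri=http://localhost` come from. The following added example (not code from either question) builds both links with `UriBuilder` and lets `HttpUtility.ParseQueryString` encode each query value. The base URL is assumed to come from configuration rather than from `Request.Url.Host`, so a forged Host header cannot redirect the activation link; the ids, API key and client id are the dummy values from the questions.

```csharp
// Added example: absolute links from a configured base URL with an encoded query string.
using System;
using System.Collections.Generic;
using System.Web; // HttpUtility; reference System.Web on .NET Framework

public static class LinkBuilder
{
    // baseUrl is assumed to be configured (e.g. in web.config), not read from the request.
    public static string Build(string baseUrl, string path, IEnumerable<KeyValuePair<string, string>> query)
    {
        var builder = new UriBuilder(baseUrl) { Path = path };

        // ParseQueryString(string.Empty) returns a writable collection whose ToString()
        // URL-encodes every name and value.
        var qs = HttpUtility.ParseQueryString(string.Empty);
        foreach (KeyValuePair<string, string> kv in query)
        {
            qs[kv.Key] = kv.Value;
        }
        builder.Query = qs.ToString();

        return builder.Uri.AbsoluteUri;
    }

    public static void Main()
    {
        // Activation link for the Web Forms question: only the completion page and its id.
        string activation = Build("http://localhost:89192", "/Staff/CompleteAccount.aspx", new[]
        {
            new KeyValuePair<string, string>("id", "8901b88k1-81fa-8u10-m96e-892f6aea6710"),
        });
        Console.WriteLine(activation);

        // Authorize URL for the SurveyMonkey question: redirect_uri is emitted as
        // http%3a%2f%2flocalhost, which the provider decodes back to http://localhost.
        string authorize = Build("https://api.surveymonkey.net", "/oauth/authorize", new[]
        {
            new KeyValuePair<string, string>("redirect_uri", "http://localhost"),
            new KeyValuePair<string, string>("client_id", "XXX"),
            new KeyValuePair<string, string>("api_key", "sdwertyujgfv3f24qqa4kfyd"),
        });
        Console.WriteLine(authorize);
    }
}
```

If the provider still rejects `http://localhost` as a redirect URI, that is a registration rule on the provider's side (as the answer above notes), not an encoding problem; the encoded form is what the provider compares against the registered value.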

C# Facebook SDK - How to use web forms to server side authorize canvas application

There are lots of sample applications in MVC but the current project I'm working on requires that I use web forms.
I can authorize the application using the JavaScript method but I want to use server side. Below is what I started with in Page_Load.
dynamic parameters = new ExpandoObject();
parameters.client_id = AppId;
// NOTE: the login URL is sent to the user's browser, so the app secret does not belong in it.
parameters.client_secret = appSecret;
parameters.response_type = "code";
//parameters.state = state;
parameters.redirect_uri = "http://fb.local/page.aspx";
// The requested response: an access token (token), an authorization code (code), or both (code token).
// NOTE: this overrides the "code" set above; with "token" the access token comes back in the URL fragment.
parameters.response_type = "token";
// list of additional display modes can be found at http://developers.facebook.com/docs/reference/dialogs/#display
//parameters.display = "popup";
// add the 'scope' parameter only if we have extendedPermissions.
if (!string.IsNullOrWhiteSpace(ExtendedPermissions))
    parameters.scope = ExtendedPermissions;
// generate the login url
var fb = new FacebookClient();
var loginUrl = fb.GetLoginUrl(parameters);
Response.Redirect(loginUrl.AbsoluteUri, true);
I can authorize but I'm not able to get the access token from the URL.
On the next page I can view source and see the access token in the URL bar, but I'm not sure how to go about getting it into the code. Once I have the token, I'm all set.
page.aspx#access_token=AAACrxQhmdpY
I used this code on my page load and it works. It's not very clean code, but you may figure out how to change it for your best use. So the algorithm is that when the page loads you redirect the user to the Facebook authentication page using Response.Redirect to a string that contains three parameters: your app ID (appid), what permissions you are asking of your user (scope), where you want Facebook to redirect the user after authorization, and a parameter called state, which I guess should be a random number. So after the user has authorized your application he/she will be redirected to your page, with a request URL that contains the same state you prepared Facebook with (and which you can use to identify which request was which if there are many requests, I guess) and also a new "code" parameter which you pass on to Facebook to obtain the access token; you can use the Facebook C# SDK to obtain the access token. In my code there is a line that says "if code is not null, go to alireza", and alireza is a line tag after the Response.Redirect code; this is because you don't want the process to be repeated over and over (and of course the browser would probably show an error).
int intstate;
string strstate;
string redirecturltofb;
string scope;
string appid;
string code;
// On the way back from Facebook the request carries ?code=...&state=...
code = Request.QueryString["code"];
if (!String.IsNullOrWhiteSpace(code))
{
    // Already authorized: skip the redirect, otherwise the page would loop.
    goto alireza;
}
appid = "424047057656831";
scope = "user_about_me,user_activities,user_groups,email,publish_stream,user_birthday";
intstate = 45;
strstate = Convert.ToString(intstate);
redirecturltofb = "https://www.facebook.com/dialog/oauth?client_id=" + appid + "&redirect_uri=http://test5-2.apphb.com/&scope=" + scope + "&state=" + strstate;
Response.Redirect(redirecturltofb);
alireza:
; // label target: exchange "code" for an access token here (e.g. with the Facebook C# SDK)
You have to use the JavaScript SDK to get the access token back to code-behind.
Use FB.Init as in http://csharpsdk.org/docs/web/getting-started
and do a post back on certain conditions to get the access token.
Thank you,
Dharmendra
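The reason the token never reaches the server in the question is `response_type = "token"`: the token is returned in the URL fragment (`page.aspx#access_token=...`), and browsers never send the fragment to the server. The answer with the `goto` uses the authorization-code flow instead, which is what a server-side Web Forms page needs, but it hard-codes `state = 45`. The `state` value is the CSRF check for the callback, so it has to be unpredictable and verified on return. The following is an added example (not code from the question or the answers) of that flow in a Web Forms code-behind; it assumes the Facebook C# SDK's `FacebookClient` as on this page, a session-backed page, placeholder app credentials, and that the code-for-token exchange is a `Post` to `oauth/access_token` (an assumption about the SDK call shape).

```csharp
// Added example: server-side authorization-code flow with a random, verified "state".
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.UI;
using Facebook;

public partial class FbLogin : Page
{
    // Placeholders: real values come from configuration, never from page markup.
    private const string AppId = "APP_ID_PLACEHOLDER";
    private const string AppSecret = "APP_SECRET_PLACEHOLDER";
    private const string RedirectUri = "http://fb.local/page.aspx"; // from the question
    private const string Scope = "email";

    protected void Page_Load(object sender, EventArgs e)
    {
        if (IsPostBack) return;

        string code = Request.QueryString["code"];
        if (string.IsNullOrWhiteSpace(code))
        {
            StartLogin();
            return;
        }

        // Callback leg: the state we issued must come back unchanged, and is used once.
        string expected = Session["fb_state"] as string;
        Session.Remove("fb_state");
        string received = Request.QueryString["state"] ?? string.Empty;
        if (expected == null || !ConstantTimeEquals(expected, received))
        {
            Response.StatusCode = 400;
            Response.End();
            return;
        }

        // Keep the token server-side; it never appears in the address bar.
        Session["fb_access_token"] = ExchangeCode(code);
    }

    private void StartLogin()
    {
        string state = NewState();
        Session["fb_state"] = state;

        var fb = new FacebookClient();
        Uri loginUrl = fb.GetLoginUrl(new
        {
            client_id = AppId,
            redirect_uri = RedirectUri,
            response_type = "code", // not "token": the code comes back in the query string
            scope = Scope,
            state = state,
        });
        Response.Redirect(loginUrl.AbsoluteUri, true);
    }

    // Assumption: the SDK exposes the token endpoint as Post("oauth/access_token", ...).
    private static string ExchangeCode(string code)
    {
        var fb = new FacebookClient();
        dynamic result = fb.Post("oauth/access_token", new
        {
            client_id = AppId,
            client_secret = AppSecret, // only ever sent server-to-server
            redirect_uri = RedirectUri,
            code = code,
        });
        return (string)result.access_token;
    }

    private static string NewState()
    {
        var bytes = new byte[16];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(bytes);
        }
        return BitConverter.ToString(bytes).Replace("-", string.Empty);
    }

    private static bool ConstantTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Because the redirect back from Facebook carries `code` in the query string rather than the fragment, `Request.QueryString["code"]` sees it and no JavaScript round trip is required.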

How to generate pre-signed Amazon S3 url for a vanity domain, using amazon sdk?

I have an s3 bucket called foo.example.com, which is all CNAMEd correctly.
I'm switching to the latest AWS .net SDK.
I wish to generate a pre-signed URL like:
http://foo.example.com/myfile.txt?s3_params_here
Note the vanity cname there.
I have:
string bucketName = "foo.example.com";
AmazonS3Client s3Client = new AmazonS3Client("bar", "xxx",
new AmazonS3Config
{
ServiceURL = bucketName,
CommunicationProtocol = Protocol.HTTP
});
string key = "myfile.txt";
GetPreSignedUrlRequest request = new GetPreSignedUrlRequest()
.WithBucketName(bucketName)
.WithKey(key)
.WithExpires(DateTime.Now.AddMinutes(5))
.WithProtocol(Protocol.HTTP);
string url = s3Client.GetPreSignedURL(request);
the url I get is something like:
http://foo.example.com.foo.example.com/myfile.txt?AWSAccessKeyId=bar&Expires=1331069777&Signature=234KoUUvfE1nCcs2vLj9RQUhqF8%3D
Which is clearly wrong.
I've tried a bunch of different variations with ServiceURL, bucketname, etc., but nothing seems to work.
I can't find any good documentation - what is the correct way to do this?
Thanks.
Update [workaround]
I've meanwhile resolved the contradicting test results of mine, which stem from respectively unsystematic testing and URL manipulations. The following workaround does the trick for me (i.e. tested and reproducible), simply starting from your solution:
string bucketName = "foo.example.com";
// [...]
GetPreSignedUrlRequest request = new GetPreSignedUrlRequest()
.WithBucketName(bucketName)
.WithKey(key)
.WithExpires(DateTime.Now.AddMinutes(32))
.WithProtocol(Protocol.HTTP);
Now this yields the erroneous URL with a duplicate domain name, i.e. http://foo.example.com.foo.example.com/myfile.txt?[...]
The duplicate can simply be removed though, e.g.:
string url = s3Client.GetPreSignedURL(request);
// KLUDGE: remove duplicate domain name.
url = url.Replace(bucketName + "." + bucketName, bucketName);
This yields a proper working pre-signed URL for me (i.e. http://foo.example.com/myfile.txt?[...]) by working around the encountered limitation regarding the desired approach outlined below.
Justification
Manipulating the generated URL like so seems odd, but this not having an effect on the query string authentication is in line with how these signatures are created, see Query String Request Authentication Alternative, where you'll find the pseudo-grammar that illustrates the query string request authentication method:
StringToSign = HTTP-VERB + "\n" +
Content-MD5 + "\n" +
Content-Type + "\n" +
Expires + "\n" +
CanonicalizedAmzHeaders +
CanonicalizedResource;
That is, the domain name isn't used for the signature creation at all, rather only information regarding the resource itself; section Example Query String Request Authentication right below the referenced pseudo-grammar fragment illustrates this with an actual resource.
Assessment
I don't know whether there is still a misunderstanding on our part or whether this might just be a bug in the AWS SDK for .NET, see e.g. Why is my S3 pre-signed request invalid when I set a response header override that contains a “+”? for a related bug resolved via a similar workaround as well, which has meanwhile been fixed though; accordingly, this should likely be escalated to the AWS forums and/or support channels to get an appropriate answer or solution.
Good luck!
Desired answer [dysfunctional]
The S3 CNAME handling implies the bucket name already, so all you need to do is removing your bucket name from GetPreSignedUrlRequest, i.e. it should look like so:
GetPreSignedUrlRequest request = new GetPreSignedUrlRequest()
.WithKey(key)
.WithExpires(DateTime.Now.AddMinutes(5))
.WithProtocol(Protocol.HTTP);
I've tested this with a bucket of mine and it works as expected like so.
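The "Justification" section above rests on one property of the query-string authentication scheme: the host name is not part of `StringToSign`, only the verb, the headers listed and `CanonicalizedResource` (which is `/bucket/key`). The following added example (not code from the question or the answers) carries that pseudo-grammar through in C# and composes the URL on two different hosts to show the signature is the same on both, which is why the `Replace` kludge above does not break the signature. This is the legacy (SigV2) scheme the page describes; current AWS SDKs sign with SigV4, which does cover the host. Credentials are constructed placeholders.

```csharp
// Added example: S3 query-string request authentication (the SigV2 scheme quoted above).
using System;
using System.Security.Cryptography;
using System.Text;

public static class S3QueryStringAuth
{
    // StringToSign exactly as in the pseudo-grammar. For a plain GET of an object there is
    // no Content-MD5, Content-Type or x-amz-* header, so those fields are empty strings.
    public static string StringToSign(string httpVerb, string expiresEpoch, string bucket, string key) =>
        httpVerb + "\n" +
        "" + "\n" +               // Content-MD5
        "" + "\n" +               // Content-Type
        expiresEpoch + "\n" +
        "" +                      // CanonicalizedAmzHeaders
        "/" + bucket + "/" + key; // CanonicalizedResource: bucket name, never host name

    // Signature = Base64(HMAC-SHA1(secret, StringToSign))
    public static string Signature(string secretKey, string stringToSign)
    {
        using (var hmac = new HMACSHA1(Encoding.UTF8.GetBytes(secretKey)))
        {
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(stringToSign)));
        }
    }

    // The host is free to be the vanity CNAME or the s3.amazonaws.com name; the query
    // string is identical either way.
    public static string PresignedUrl(string host, string bucket, string key,
                                      string accessKeyId, string secretKey, DateTimeOffset expires)
    {
        string expiresEpoch = expires.ToUnixTimeSeconds().ToString();
        string sig = Signature(secretKey, StringToSign("GET", expiresEpoch, bucket, key));
        return "http://" + host + "/" + key +
               "?AWSAccessKeyId=" + Uri.EscapeDataString(accessKeyId) +
               "&Expires=" + expiresEpoch +
               "&Signature=" + Uri.EscapeDataString(sig); // Base64 '+', '/' and '=' must be escaped
    }

    public static void Main()
    {
        DateTimeOffset expires = DateTimeOffset.UtcNow.AddMinutes(5);
        const string bucket = "foo.example.com", key = "myfile.txt";
        const string accessKeyId = "ACCESS_KEY_PLACEHOLDER", secretKey = "SECRET_KEY_PLACEHOLDER";

        string viaCname = PresignedUrl("foo.example.com", bucket, key, accessKeyId, secretKey, expires);
        string viaS3 = PresignedUrl("foo.example.com.s3.amazonaws.com", bucket, key, accessKeyId, secretKey, expires);
        Console.WriteLine(viaCname);
        Console.WriteLine(viaS3);

        // Same query string on both hosts: only the authority differs.
        string q1 = viaCname.Substring(viaCname.IndexOf('?'));
        string q2 = viaS3.Substring(viaS3.IndexOf('?'));
        Console.WriteLine("identical signatures: " + (q1 == q2));
    }
}
```

The same property explains the "Desired answer" below: whichever host the SDK picks, S3 validates the signature against the bucket and key, so the only thing a duplicated domain breaks is DNS resolution, not authentication.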
The presignedURL returns a URL object after signing the request. I have used the same and don't have real issues, but there are some things to consider:
Ensure the object URL you are considering does not have a '//'. It could easily happen if the storage path starts with a "/": you would have stored the object in a path something like https:///x/y/z/abc.png; the key for such a resource is x/y/z/abc.png and not /x/y/z/abc.png.
If the above is ensured, then from the URL object that is returned get the query parameters: url.getQuery() will return the query parameters which contain the signature information. Just suffix this to your original awsURL and things should work without any encoding issues.
Hope this helps..
Essentially you need to use url.getQuery on the returned url object rather than simply affixing it to the end of your bucket.
https://forums.aws.amazon.com/thread.jspa?threadID=70521
