Hi,
I have deployed my app to the production server, but the Admin (default development ASP Identity) user is still able to log in.
Do we have to do an extra step to disable this user in the production environment?
b.r.
Are you using Radzen to deploy the app? If not, please remove the admin/admin credentials from the AuthController Login method.
Hi,
I'm using Radzen to deploy to IIS from a Windows machine.
When deploying from Radzen, the admin/admin credentials are removed from the Login method of AuthController, unless this file is in your application ignore list.
The login for the deployed app looks like this:
```csharp
[HttpPost]
[AllowAnonymous]
public async Task<IActionResult> Login([FromBody] JObject data)
{
    var username = data.GetValue("UserName", StringComparison.OrdinalIgnoreCase);
    var password = data.GetValue("Password", StringComparison.OrdinalIgnoreCase);

    // The same generic message is returned for every failure, so the response
    // does not reveal whether the user name exists.
    if (username == null || password == null)
    {
        return Error("Invalid user name or password.");
    }

    // Only accounts stored by ASP.NET Core Identity can log in; there is no
    // hard-coded admin/admin path in the deployed version.
    var user = await userManager.FindByNameAsync(username.ToObject<string>());
    if (user == null)
    {
        return Error("Invalid user name or password.");
    }

    var validPassword = await userManager.CheckPasswordAsync(user, password.ToObject<string>());
    if (!validPassword)
    {
        return Error("Invalid user name or password.");
    }

    // Build the claims principal from the Identity user and issue a JWT for it.
    var principal = await signInManager.CreateUserPrincipalAsync(user);
    return Jwt(principal.Claims);
}
```
The login for the locally run app is:
```csharp
[HttpPost]
[AllowAnonymous]
public async Task<IActionResult> Login([FromBody] JObject data)
{
    var username = data.GetValue("UserName", StringComparison.OrdinalIgnoreCase);
    var password = data.GetValue("Password", StringComparison.OrdinalIgnoreCase);

    if (username == null || password == null)
    {
        return Error("Invalid user name or password.");
    }

    // Development-only shortcut: admin/admin is accepted without an Identity
    // user and is granted every role in the role store. Deploying from Radzen
    // strips this block, unless AuthController is in the application ignore list.
    if (username.ToObject<string>() == "admin" && password.ToObject<string>() == "admin")
    {
        var claims = new List<Claim>() {
            new Claim(ClaimTypes.Name, "admin"),
            new Claim(ClaimTypes.Email, "admin")
        };
        this.roleManager.Roles.ToList().ForEach(r => claims.Add(new Claim(ClaimTypes.Role, r.Name)));
        return Jwt(claims);
    }

    // Normal path: look the user up in ASP.NET Core Identity and verify the password.
    var user = await userManager.FindByNameAsync(username.ToObject<string>());
    if (user == null)
    {
        return Error("Invalid user name or password.");
    }

    var validPassword = await userManager.CheckPasswordAsync(user, password.ToObject<string>());
    if (!validPassword)
    {
        return Error("Invalid user name or password.");
    }

    var principal = await signInManager.CreateUserPrincipalAsync(user);
    return Jwt(principal.Claims);
}
```
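The safest fix is the one the reply above gives: make sure the admin/admin block never reaches the server. As an added example that is not Radzen's code and not part of the original thread, the version below keeps the local shortcut but guards it with the hosting environment, so that a copy of AuthController shipped by mistake (for instance because the file sits in the application ignore list) rejects admin/admin outside Development and writes a warning to the log. It assumes ASP.NET Core 3.0 or later, the stock IdentityUser/IdentityRole types, Newtonsoft JObject model binding, a hypothetical "auth/login" route, and minimal stand-ins for the Error and Jwt helpers that the thread's code calls, configured through the assumed keys Jwt:Key, Jwt:Issuer and Jwt:Audience.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Security.Claims;
using System.Text;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Hosting;
using Microsoft.Extensions.Logging;
using Microsoft.IdentityModel.Tokens;
using Newtonsoft.Json.Linq;

// Assumptions: stock IdentityUser/IdentityRole types and an "auth/login" route.
// Substitute the project's own user/role classes and routing as needed.
[Route("auth/[action]")]
public class AuthController : Controller
{
    private readonly UserManager<IdentityUser> userManager;
    private readonly SignInManager<IdentityUser> signInManager;
    private readonly RoleManager<IdentityRole> roleManager;
    private readonly IWebHostEnvironment env;
    private readonly IConfiguration configuration;
    private readonly ILogger<AuthController> logger;

    public AuthController(UserManager<IdentityUser> userManager,
        SignInManager<IdentityUser> signInManager,
        RoleManager<IdentityRole> roleManager,
        IWebHostEnvironment env,
        IConfiguration configuration,
        ILogger<AuthController> logger)
    {
        this.userManager = userManager;
        this.signInManager = signInManager;
        this.roleManager = roleManager;
        this.env = env;
        this.configuration = configuration;
        this.logger = logger;
    }

    [HttpPost]
    [AllowAnonymous]
    public async Task<IActionResult> Login([FromBody] JObject data)
    {
        var username = data?.GetValue("UserName", StringComparison.OrdinalIgnoreCase)?.ToObject<string>();
        var password = data?.GetValue("Password", StringComparison.OrdinalIgnoreCase)?.ToObject<string>();

        if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password))
        {
            return Error("Invalid user name or password.");
        }

        if (username == "admin" && password == "admin")
        {
            // The shortcut is honoured only when ASPNETCORE_ENVIRONMENT is
            // "Development". Anywhere else it is a failed login and is logged,
            // so a copy of this file that reached the server is not a backdoor.
            if (!env.IsDevelopment())
            {
                logger.LogWarning("Rejected admin/admin development shortcut in environment {Environment}",
                    env.EnvironmentName);
                return Error("Invalid user name or password.");
            }

            // Development only: the shortcut receives every role in the store.
            var claims = new List<Claim>
            {
                new Claim(ClaimTypes.Name, "admin"),
                new Claim(ClaimTypes.Email, "admin")
            };
            claims.AddRange(roleManager.Roles.ToList().Select(r => new Claim(ClaimTypes.Role, r.Name)));
            return Jwt(claims);
        }

        // Normal path: the account must exist in Identity and the password must verify.
        var user = await userManager.FindByNameAsync(username);
        if (user == null || !await userManager.CheckPasswordAsync(user, password))
        {
            return Error("Invalid user name or password.");
        }

        var principal = await signInManager.CreateUserPrincipalAsync(user);
        return Jwt(principal.Claims);
    }

    // Stand-ins for the Error/Jwt helpers the thread's controller already has.
    private IActionResult Error(string message) => BadRequest(new { error = message });

    // Assumed configuration keys: Jwt:Key (a secret of at least 32 bytes), Jwt:Issuer, Jwt:Audience.
    private IActionResult Jwt(IEnumerable<Claim> claims)
    {
        var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(configuration["Jwt:Key"]));
        var credentials = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);
        var token = new JwtSecurityToken(
            issuer: configuration["Jwt:Issuer"],
            audience: configuration["Jwt:Audience"],
            claims: claims,
            expires: DateTime.UtcNow.AddHours(8),
            signingCredentials: credentials);
        return Ok(new { access_token = new JwtSecurityTokenHandler().WriteToken(token) });
    }
}
```

Two caveats. The guard only holds if ASPNETCORE_ENVIRONMENT is not set to Development on the production server, so check that setting on the IIS site as well; deleting the block outright, as the original poster does, removes the dependency on that setting entirely. And whichever route you take, confirm it after deploying by POSTing {"UserName":"admin","Password":"admin"} to the login endpoint of the deployed app and checking that the response is the generic "Invalid user name or password." error rather than a token.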
Thank you, I will check this and give you feedback.
It was in my application ignore list. I will remove the admin check.