Custom Login module can call IUserService.GetUserAsync and AddUserAsync, but is 403 forbidden to call UpdateUserAsync

[lanthonyneville]

Following on from #4220, I am creating a custom Login module that authenticates against an external auth system.

The basic idea is to check credentials against the external auth system, get back user details (name etc), then create/update a matching Oqtane user (with a random complex pwd, because not guaranteed that the given pwd will meet Oqtane standards), then log this user into Oqtane.

The call to IUserService.GetUserAsync and AddUserAsync work fine. However, the call to UpdateUserAsync fails with 403 Forbidden.

Is this inconsistency a bug, or by design, or is there something I can do to grant the module permission to make this call?

One more question - AddUserAsync works, but only if I turn on user registration in site settings. I would rather not have it turned on to avoid any chance that users self-register (e.g. a site admin puts the regular Login module on an accessible page) ... is there another way to add users programatically (I guess I could make my own API that adds via the user repository ... just wondering if there is a quick way)?

Log details for UpdateUserAsync failure:
Url Category Feature Function Level Message
/api/User/9 Oqtane.Services.UserService, Oqtane.Client, Version=5.1.1.0, Culture=neutral, PublicKeyToken=null UserService Update Warning Request /api/User/9 Failed With Status 403 - Forbidden

[sbwalker]

@lanthonyneville this is by design - the Oqtane API must be secure by default. If you need to bypass the default security for your specific use case you will need to create your own API Controllers in your module which calls UserManager.

[lanthonyneville]

OK, so the Oqtane API knows the current user context (authenticated or not and authorisations)? So AddUserAsync is the programatic equivalent of anonymous user's registering themself (if registration is enabled in site), so is allowed, but no unauthenticated user can update a user's details, so this is disallowed?

[sbwalker]

@lanthonyneville unauthenticated users should not be allowed to call a core API to modify content on the server ie. POST, PUT, DELETE. This is extremely risky from a security perspective. AddUserAsync has an option to allow for unauthenticated registration via a setting (in conjunction with some other validation in the API to try and prevent abuse).

If you think about this logically... if the UpdateUserAsync method was open to anonymous users it would mean that any unauthenticated client (ie. bots, etc...) could make PUT requests to the server and update details for any of your users. This would be a major security vulnerability,.

[lanthonyneville]

Right - I understand now ... the current (browsing) user is the client identity for API requests. I was thinking of the API as a private tool for my use as a module developer, like the module itself had some kind of privileged access rights so could do whatever it needed to do 😊

[sbwalker]

@lanthonyneville Oqtane is a SPA application (client/server) which means there is a distinct client and a public server API