Dev to Master

.github/workflows/codeql-analysis.yml

@@ -30,7 +30,7 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v4
       with:
         # We must fetch at least the immediate parents so that if this is
         # a pull request then we can checkout the head.
@@ -43,7 +43,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v1
+      uses: github/codeql-action/init@v4
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -54,7 +54,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v1
+      uses: github/codeql-action/autobuild@v4
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -68,4 +68,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v1
+      uses: github/codeql-action/analyze@v4

.github/workflows/dotnet-core.yml

@@ -12,11 +12,11 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
     - name: Setup .NET Core
-      uses: actions/setup-dotnet@v3
+      uses: actions/setup-dotnet@v4
       with:
-        dotnet-version: '8.x'
+        dotnet-version: 9.0.x
     - name: Install dependencies
       run: dotnet restore
     - name: Build

src/Hosts/Hosts.CookieAuthentication/Hosts.CookieAuthentication.csproj

@@ -1,7 +1,7 @@
 <Project Sdk="Microsoft.NET.Sdk.Web">
 
   <PropertyGroup>
-    <TargetFramework>netcoreapp3.1</TargetFramework>
+    <TargetFramework>net9.0</TargetFramework>
   </PropertyGroup>
 
   <ItemGroup>

src/Hosts/Hosts.IdentityServerAuthentication/Controllers/LoginController.cs

@@ -3,10 +3,10 @@
 using System.Linq;
 using System.Security.Claims;
 using System.Threading.Tasks;
+using Duende.IdentityServer;
+using Duende.IdentityServer.Services;
 using Hosts.Shared.InMemory;
 using IdentityManager2;
-using IdentityServer4;
-using IdentityServer4.Services;
 using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;

src/Hosts/Hosts.IdentityServerAuthentication/Hosts.IdentityServerAuthentication.csproj

@@ -1,11 +1,11 @@
 <Project Sdk="Microsoft.NET.Sdk.Web">
 
   <PropertyGroup>
-    <TargetFramework>netcoreapp3.1</TargetFramework>
+    <TargetFramework>net9.0</TargetFramework>
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="IdentityServer4" Version="3.1.0" />
+    <PackageReference Include="Duende.IdentityServer" Version="7.4.4" />
   </ItemGroup>
 
   <ItemGroup>

src/Hosts/Hosts.IdentityServerAuthentication/Startup.cs

@@ -2,10 +2,10 @@
 using System.Collections.Generic;
 using System.IdentityModel.Tokens.Jwt;
 using System.Linq;
+using Duende.IdentityServer.Models;
+using Duende.IdentityServer.Test;
 using Hosts.Shared.InMemory;
 using IdentityManager2.Configuration;
-using IdentityServer4.Models;
-using IdentityServer4.Test;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.Extensions.DependencyInjection;
 

src/Hosts/Hosts.LosthostAuthentication/Hosts.LosthostAuthentication.csproj

@@ -1,7 +1,7 @@
 <Project Sdk="Microsoft.NET.Sdk.Web">
 
   <PropertyGroup>
-    <TargetFramework>netcoreapp3.1</TargetFramework>
+    <TargetFramework>net9.0</TargetFramework>
   </PropertyGroup>
 
   <ItemGroup>

src/Hosts/Hosts.Shared/Hosts.Shared.csproj

@@ -1,7 +1,7 @@
 <Project Sdk="Microsoft.NET.Sdk">
 
   <PropertyGroup>
-    <TargetFramework>netcoreapp3.1</TargetFramework>
+    <TargetFramework>net9.0</TargetFramework>
   </PropertyGroup>
 
   <ItemGroup>

src/IdentityManager2/Api/Controllers/RolesController.cs

@@ -68,6 +68,7 @@ public async Task<IActionResult> GetRolesAsync(string filter = null, int start =
 
         // POST 
         [HttpPost, Route("", Name = IdentityManagerConstants.RouteNames.CreateRole)]
+		[ValidateAntiForgeryToken]
         public async Task<IActionResult> CreateRoleAsync([FromBody] PropertyValue[] properties)
         {
             var meta = await GetMetadataAsync();
@@ -140,6 +141,7 @@ public async Task<IActionResult> GetRoleAsync(string subject)
         }
 
         [HttpDelete, Route("{subject}", Name = IdentityManagerConstants.RouteNames.DeleteRole)]
+		[ValidateAntiForgeryToken]
         public async Task<IActionResult> DeleteRoleAsync(string subject)
         {
             var meta = await GetMetadataAsync();
@@ -163,6 +165,7 @@ public async Task<IActionResult> DeleteRoleAsync(string subject)
         }
 
         [HttpPut, Route("{subject}/properties/{type}", Name = IdentityManagerConstants.RouteNames.UpdateRoleProperty)]
+		[ValidateAntiForgeryToken]
         public async Task<IActionResult> SetPropertyAsync(string subject, string type)
         {
             if (IsNullOrWhiteSpace(subject))

src/IdentityManager2/Api/Controllers/UsersController.cs

@@ -55,6 +55,7 @@ public async Task<IActionResult> GetUsersAsync(string filter = null, int start =
         }
 
         [HttpPost("", Name = IdentityManagerConstants.RouteNames.CreateUser)]
+		[ValidateAntiForgeryToken]
         public async Task<IActionResult> CreateUserAsync([FromBody] PropertyValue[] properties)
         {
             var meta = await GetMetadataAsync();
@@ -135,6 +136,7 @@ public async Task<IActionResult> GetUserAsync(string subject)
         }
 
         [HttpDelete, Route("{subject}", Name = IdentityManagerConstants.RouteNames.DeleteUser)]
+		[ValidateAntiForgeryToken]
         public async Task<IActionResult> DeleteUserAsync(string subject)
         {
             var meta = await GetMetadataAsync();
@@ -164,6 +166,7 @@ public async Task<IActionResult> DeleteUserAsync(string subject)
         }
 
         [HttpPut, Route("{subject}/properties/{type}", Name = IdentityManagerConstants.RouteNames.UpdateUserProperty)]
+		[ValidateAntiForgeryToken]
         public async Task<IActionResult> SetPropertyAsync(string subject, string type)
         {
             if (IsNullOrWhiteSpace(subject))
@@ -194,6 +197,7 @@ public async Task<IActionResult> SetPropertyAsync(string subject, string type)
         }
 
         [HttpPost, Route("{subject}/claims", Name = IdentityManagerConstants.RouteNames.AddClaim)]
+		[ValidateAntiForgeryToken]
         public async Task<IActionResult> AddClaimAsync(string subject, [FromBody] ClaimValue model)
         {
             var meta = await GetMetadataAsync();
@@ -229,6 +233,7 @@ public async Task<IActionResult> AddClaimAsync(string subject, [FromBody] ClaimV
         }
 
         [HttpDelete, Route("{subject}/claims/{type}/{value}", Name = IdentityManagerConstants.RouteNames.RemoveClaim)]
+		[ValidateAntiForgeryToken]
         public async Task<IActionResult> RemoveClaimAsync(string subject, string type, string value)
         {
             type = type.FromBase64UrlEncoded();
@@ -257,6 +262,7 @@ public async Task<IActionResult> RemoveClaimAsync(string subject, string type, s
         }
 
         [HttpPost, Route("{subject}/roles/{role}", Name = IdentityManagerConstants.RouteNames.AddRole)]
+		[ValidateAntiForgeryToken]
         public async Task<IActionResult> AddRoleAsync(string subject, string role)
         {
             var meta = await GetMetadataAsync();
@@ -282,6 +288,7 @@ public async Task<IActionResult> AddRoleAsync(string subject, string role)
         }
 
         [HttpDelete, Route("{subject}/roles/{role}", Name = IdentityManagerConstants.RouteNames.RemoveRole)]
+		[ValidateAntiForgeryToken]
         public async Task<IActionResult> RemoveRoleAsync(string subject, string role)
         {
             var meta = await GetMetadataAsync();

src/IdentityManager2/Areas/IdentityManager/Pages/Index.cshtml

@@ -13,6 +13,7 @@
     <link rel="shortcut icon" type="image/x-icon" href="@Model.PathBase/assets/Content.favicon.ico" />
 </head>
 <body lang="en" ng-app="ttIdmApp" ng-csp ng-controller="LayoutCtrl" ng-cloak>
+    @Html.AntiForgeryToken()
 
     <div ng-include="'@Model.PathBase/assets/Templates.navbar.html'"></div>
 

src/IdentityManager2/Assets/Content/Style.less

@@ -65,9 +65,9 @@ img.logo-footer {
     }
 }
 
-.center-block.pagination {
-    //width:300px;
-}
+// .center-block.pagination {
+//     //width:300px;
+// }
 
 .pager-text {
     margin-top: 26px;
@@ -96,9 +96,9 @@ img.logo-footer {
         top: 15px;
     }
 
-    .subject {
-        //color: @gray-light;
-    }
+    // .subject {
+    //     //color: @gray-light;
+    // }
 }
 
 @-moz-keyframes pulse {
@@ -195,8 +195,8 @@ img.logo-footer {
         width: 200px;
     }
 
-    span {
-    }
+    // span {
+    // }
 }
 .modal-backdrop.show {
     opacity: .5;

src/IdentityManager2/Assets/Scripts/App/ttIdm.js

@@ -1,4 +1,5 @@
-/// <reference path="../Libs/angular.min.js" />
+/*global angular*/
+/// <reference path="../Libs/angular.min.js" />
 
 (function (angular) {
     const app = angular.module("ttIdm", []);
@@ -10,6 +11,25 @@
             return {
                 'request': function(config) {
                     idmErrorService.clear();
+
+                    // Add anti-forgery token for non-GET requests
+                    if (config.method && config.method !== 'GET') {
+                        try {
+                            const rvt = document.querySelector('input[name="__RequestVerificationToken"]');
+                            if (rvt) {
+                                const token = rvt.value;
+                                if (token) {
+                                    if (!config.headers) {
+                                        config.headers = {};
+                                    }
+                                    config.headers.RequestVerificationToken = token;
+                                }
+                            }
+                        } catch (e) {
+                            console.error("Failed to extract antiforgery token:", e);
+                        }
+                    }
+
                     return config;
                 },
                 'responseError': function(response) {

src/IdentityManager2/Assets/Scripts/App/ttIdmApp.js

@@ -1,9 +1,13 @@
-/// <reference path="../Libs/angular.min.js" />
+/*global angular*/
+/// <reference path="../Libs/angular.min.js" />
 /// <reference path="../Libs/angular-route.min.js" />
 
 (function (angular) {
     const app = angular.module("ttIdmApp", ["ngRoute", "ttIdm", "ttIdmUI", "ttIdmUsers", "ttIdmRoles"]);
-    function config(PathBase, $routeProvider) {
+    function config(PathBase, $routeProvider, $locationProvider) {
+        // Configure hash prefix to empty string for compatibility with Angular 1.3.x URLs
+        $locationProvider.hashPrefix('');
+
         $routeProvider
             .when("/", {
                 templateUrl: PathBase + "/assets/Templates.home.html"
@@ -15,7 +19,7 @@
                 redirectTo: "/"
             });
     }
-    config.$inject = ["PathBase", "$routeProvider"];
+    config.$inject = ["PathBase", "$routeProvider", "$locationProvider"];
     app.config(config);
 
     function LayoutCtrl($rootScope, PathBase, idmApi, $location, $window, idmErrorService, ShowLoginButton,

src/IdentityManager2/Assets/Scripts/App/ttIdmRoles.js

@@ -1,4 +1,5 @@
-/// <reference path="../Libs/angular.min.js" />
+/*global angular*/
+/// <reference path="../Libs/angular.min.js" />
 /// <reference path="../Libs/angular-route.min.js" />
 
 (function (angular) {
@@ -111,7 +112,7 @@
                         $scope.tab = 1;
                     }
                 }, feedback.errorHandler);
-        };
+        }
         loadRole();
 
         $scope.setProperty = function (property) {