diff --git a/docs/en/Change-Logs.md b/docs/en/Change-Logs.md index 4a06b8fa..ca234c77 100644 --- a/docs/en/Change-Logs.md +++ b/docs/en/Change-Logs.md @@ -6,7 +6,14 @@ jQuery and ASP.NET Core + Angular versions beginning from v4.1. See The change logs in this page are just a summary of major changes. Detailed release notes are shared on the Github repository (only available to the customers). -### v8.1.0 (2019-12-20) + +## v8.2.0 (2020-02-20) + +* Webhook Feature +* Session Lock Screen +* Periodic Audit Log Deletion + +## v8.1.0 (2019-12-20) * ASP.NET Core 3.1 support * Multitenant LDAP support diff --git a/docs/en/Features-Angular-Audit-Logs.md b/docs/en/Features-Angular-Audit-Logs.md index eb7c15cb..578ecde9 100644 --- a/docs/en/Features-Angular-Audit-Logs.md +++ b/docs/en/Features-Angular-Audit-Logs.md @@ -12,6 +12,26 @@ All application service methods and MVC controller actions are automatically log Audit log report is provided by **AuditLogAppService** class. +### Periodic Log Deletion + +ASP.NET Zero has built-in periodic log deletion system. To enable it, go to `*.Application/Auditing/ExpiredAuditLogDeleterWorker.cs` and set `IsEnabled` to true; + +```csharp + public class ExpiredAuditLogDeleterWorker : PeriodicBackgroundWorkerBase, ISingletonDependency + { + ... + public const bool IsEnabled = false;//default is false + ... +``` + +It has two more parameter. + +**CheckPeriodAsMilliseconds:** Time to wait between two controls. + +**MaxDeletionCount:** The maximum number of records that can be deleted at once. + +> Note: To perform smaller operations with more frequent intervals you can decrease `MaxDeletionCount` and `CheckPeriodAsMilliseconds`. + ## Next -- [Entity History](Features-Angular-Entity-History) \ No newline at end of file +- [Entity History](Features-Angular-Entity-History) diff --git a/docs/en/Features-Angular-Subscription.md b/docs/en/Features-Angular-Subscription.md index 2d1a0c0f..2a69f059 100644 
--- a/docs/en/Features-Angular-Subscription.md +++ b/docs/en/Features-Angular-Subscription.md @@ -27,6 +27,31 @@ When the subscription of a Tenant is expired, **SubscriptionExpirationCheckWorke * If "**deactive tenant**" option is selected for the Edition of the Tenant, tenant will be disabled and will not be able to use the system. * If the subscription expires for a tenant who subscribed for trial usage, the tenant will be disabled and will not be able to use the system. +#### Minimum Update Amount + +Since payment systems have accepted the minimum payment amount, you may need to set the minimum payment amount according to your payment system. Settings are located in [`*.Core.Shared/AbpZeroTemplateConsts.cs`](https://github.com/aspnetzero/aspnet-zero-core/blob/dev/aspnet-core/src/MyCompanyName.AbpZeroTemplate.Core.Shared/AbpZeroTemplateConsts.cs#L24) + +```csharp +// Note: +// Minimum accepted payment amount. If a payment amount is less then that minimum value payment progress will continue without charging payment +// Even though we can use multiple payment methods, users always can go and use the highest accepted payment amount. +//For example, you use Stripe and PayPal. Let say that Stripe accepts min 5$ and PayPal accepts min 3$. If your payment amount is 4$. +// User will prefer to use a payment method with the highest accept value which is a Stripe in this case. +public const decimal MinimumUpgradePaymentAmount = 1M; +``` + + and [`angular/src/shared/AppConsts.ts`](https://github.com/aspnetzero/aspnet-zero-core/blob/dev/angular/src/shared/AppConsts.ts#L31) . + +```typescript +static readonly MinimumUpgradePaymentAmount = 1; +``` + +Default value is **1**. + +Payment progress will be continued without charging any amount if the payment amount is less than given value. + + + ## Next * [PayPal Integration](Features-Angular-Subscription-PayPal-Integration) 
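Review bot: The new Periodic Log Deletion section in Features-Angular-Audit-Logs.md (and the identical text added to Features-Mvc-Core-Audit-Logs.md later in this patch) never says how old an audit log must be before `ExpiredAuditLogDeleterWorker` treats it as expired, yet that retention window is the number an operator has to justify for audit and compliance purposes; document the threshold, and whether it is configurable, next to `CheckPeriodAsMilliseconds` and `MaxDeletionCount`. Also worth stating explicitly that `IsEnabled` is a `public const bool`, so "set `IsEnabled` to true" means editing source and recompiling, not flipping a runtime setting. Minor wording: "It has two more parameter." should read "It has two more parameters.", and "Time to wait between two controls." should be "Time to wait between two checks."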
diff --git a/docs/en/Features-Mvc-Core-Audit-Logs.md b/docs/en/Features-Mvc-Core-Audit-Logs.md index a9ac0152..6fe6a9c8 100644 --- a/docs/en/Features-Mvc-Core-Audit-Logs.md +++ b/docs/en/Features-Mvc-Core-Audit-Logs.md @@ -11,6 +11,26 @@ see all details an audit log: Audit log report is provided by **AuditLogAppService** class. +### Periodic Log Deletion + +ASP.NET Zero has built-in periodic log deletion system. To enable it, go to `*.Application/Auditing/ExpiredAuditLogDeleterWorker.cs` and set `IsEnabled` to true; + +```csharp + public class ExpiredAuditLogDeleterWorker : PeriodicBackgroundWorkerBase, ISingletonDependency + { + ... + public const bool IsEnabled = false;//default is false + ... +``` + +It has two more parameter. + +**CheckPeriodAsMilliseconds:** Time to wait between two controls. + +**MaxDeletionCount:** The maximum number of records that can be deleted at once. + +> Note: To perform smaller operations with more frequent intervals you can decrease `MaxDeletionCount` and `CheckPeriodAsMilliseconds`. + ## Next -- [Entity History](Features-Mvc-Core-Entity-History) \ No newline at end of file +- [Entity History](Features-Mvc-Core-Entity-History) diff --git a/docs/en/Features-Mvc-Core-Subscription.md b/docs/en/Features-Mvc-Core-Subscription.md index f6f381e8..62bdd362 100644 --- a/docs/en/Features-Mvc-Core-Subscription.md +++ b/docs/en/Features-Mvc-Core-Subscription.md 
@@ -27,6 +27,29 @@ When the subscription of a Tenant is expired, **SubscriptionExpirationCheckWorke * If "**deactive tenant**" option is selected for the Edition of the Tenant, tenant will be disabled and will not be able to use the system. * If the subscription expires for a tenant who subscribed for trial usage, the tenant will be disabled and will not be able to use the system. +#### Minimum Update Amount + +Since payment systems have accepted the minimum payment amount, you may need to set the minimum payment amount according to your payment system. Settings are located in [`*.Core.Shared/AbpZeroTemplateConsts.cs`](https://github.com/aspnetzero/aspnet-zero-core/blob/dev/aspnet-core/src/MyCompanyName.AbpZeroTemplate.Core.Shared/AbpZeroTemplateConsts.cs#L24) + +```csharp +// Note: +// Minimum accepted payment amount. If a payment amount is less then that minimum value payment progress will continue without charging payment +// Even though we can use multiple payment methods, users always can go and use the highest accepted payment amount. +//For example, you use Stripe and PayPal. Let say that Stripe accepts min 5$ and PayPal accepts min 3$. If your payment amount is 4$. +// User will prefer to use a payment method with the highest accept value which is a Stripe in this case. +public const decimal MinimumUpgradePaymentAmount = 1M; +``` + + and [`angular/src/shared/AppConsts.ts`](https://github.com/aspnetzero/aspnet-zero-core/blob/dev/angular/src/shared/AppConsts.ts#L31) . + +```typescript +static readonly MinimumUpgradePaymentAmount = 1; +``` + +Default value is **1**. + +Payment progress will be continued without charging any amount if the payment amount is less than given value. + ## Next - [PayPal Integration](Features-Mvc-Core-Subscription-PayPal) diff --git a/docs/en/Features-Webhooks.md b/docs/en/Features-Webhooks.md new file mode 100644 index 00000000..b85d2c7b --- /dev/null +++ b/docs/en/Features-Webhooks.md 
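Review bot: The heading "Minimum Update Amount" added to Features-Mvc-Core-Subscription.md (and the identical section in Features-Angular-Subscription.md) does not match the constant it documents, `MinimumUpgradePaymentAmount`; rename it "Minimum Upgrade Payment Amount". More importantly, the text says the payment "will be continued without charging any amount" when the amount is below the threshold, so this constant is a waiver limit: the page should say that the server-side value in `AbpZeroTemplateConsts.cs` is the one that is enforced, that the `AppConsts.ts` copy only drives the UI, and that the two must be kept in sync. The Stripe/PayPal example in the code comment is also ambiguous about what value to pick and which provider the user ends up with when the amount is 4$ and the minimums are 5$ and 3$; replace it with a plain instruction such as "set this to the highest minimum among your enabled payment providers", if that is the intent. Typos in the same comment: "less then" should be "less than", and the opening sentence "Since payment systems have accepted the minimum payment amount" should read "Since payment providers enforce a minimum payment amount".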
@@ -0,0 +1,23 @@ +# Webhooks + +ASP.NET ZERO has built-in webhook system designed with pub/sub pattern. + +In **Webhook Subscriptions** page, you can see all of your webhook subscriptions: + +Audit logs + +You can click a row to see detail of a subscription. + +Audit logs + +In **Webhook Subscription Detail** page, you can edit, activate or deactivate a subscription. You can also see all webhook send attempts that your subscription received. + +Audit logs + +You can resend a webhook with same parameter or view webhook event. + +Audit logs + +In **Webhook Event Detail** page, you can see the detail of a created webhook. And you can see all send attempts for all of your subscriptions. + +For more information. You can check [ASP.NET Boilerplate webhook documentation](https://aspnetboilerplate.com/Pages/Documents/Webhook-System). \ No newline at end of file diff --git a/docs/en/HealthChecks.md b/docs/en/HealthChecks.md index 9d2793c5..708664a1 100644 --- a/docs/en/HealthChecks.md +++ b/docs/en/HealthChecks.md @@ -16,7 +16,7 @@ Health checks settings are located in the `appsettings.json` file "HealthChecks": [ { "Name": "MyCompanyName.AbpZeroTemplate.Web.MVC", //your app name - "Uri": "http://localhost:62114/healthz" /* your_project_url/healthz + "Uri": "http://localhost:62114/health" /* your_project_url/health you should change that url before you publish your project*/ } ], @@ -30,7 +30,7 @@ Health checks settings are located in the `appsettings.json` file -> Note: If you enable Health Checks UI, don't forget to change your `healthz` URL before you publish your website. +> Note: If you enable Health Checks UI, don't forget to change your `health` URL before you publish your website. 
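Review bot: In the new Features-Webhooks.md, all four screenshot placeholders carry the alt text "Audit logs", evidently copied from the audit-log page; give each the alt text of what it actually shows (subscription list, subscription detail, send attempts, event detail). The page also never tells the receiving side how to verify that a delivery really came from this application, which is the one thing a webhook consumer needs to know for security; add a sentence pointing to the subscription secret and signature header covered in the linked ASP.NET Boilerplate documentation. Wording: "For more information. You can check" should be one sentence, and "with same parameter" should read "with the same parameters".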
@@ -100,19 +100,19 @@ After adding your new health check here, you will be able to see its status in J Health checks UI endpoint: http://localhost:62114/healthchecks-ui (if it is enabled) - Health checks JSON result endpoint: http://localhost:62114/healthz (if it is enabled) + Health checks JSON result endpoint: http://localhost:62114/health (if it is enabled) - *Host project (Available in ASP.NET Core versions but designed for Angular project)* Health checks UI endpoint: http://localhost:22742/healthchecks-ui (if it is enabled) - Health checks JSON result endpoint: http://localhost:22742/healthz (if it is enabled) + Health checks JSON result endpoint: http://localhost:22742/health (if it is enabled) - *Public Website* Health checks UI endpoint: http://localhost:45776/healthchecks-ui (if it is enabled) - Health checks JSON result endpoint: http://localhost:45776/healthz (if it is enabled) + Health checks JSON result endpoint: http://localhost:45776/health (if it is enabled) see also: https://github.com/xabaril/AspNetCore.Diagnostics.HealthChecks diff --git a/docs/en/Security-Report-Core.md b/docs/en/Security-Report-Core.md index 7e757fbb..e593fa7c 100644 --- a/docs/en/Security-Report-Core.md +++ b/docs/en/Security-Report-Core.md 
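Review bot: The `healthz` to `health` rename in both HealthChecks.md hunks changes a URL that existing deployments, load balancers and the Health Checks UI configuration in `appsettings.json` are set up to poll, but the Change-Logs hunk at the top of this patch lists only Webhook Feature, Session Lock Screen and Periodic Audit Log Deletion for v8.2.0; add the endpoint rename there so operators know to update their monitors. It would also help to say in the first hunk whether the `/health` JSON endpoint is reachable without authentication, since that is the response the UI aggregates and exposes.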
@@ -1,18 +1,16 @@ # ASP.NET ZERO Penetration Test Report -Asp.Net Zero (v5) has been scanned for vulnerabilities with the latest version of [OWASP ZAP (v2.7.0)](https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project). The OWASP Zed Attack Proxy (ZAP) is one of the world's most popular security tools and is actively maintained by hundreds of international volunteers. +ASP.NET Zero (v8.1) has been scanned for vulnerabilities with the latest version of [OWASP ZAP (v2.9.0)](https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project). The OWASP Zed Attack Proxy (ZAP) is one of the world's most popular security tools and is actively maintained by hundreds of international volunteers. -The automated scanner has been reported several alerts. Asp.Net Zero Team has fixed the positive alerts regarding the report. On the other hand most of the alerts can be stated as false-positive. The reasons for the false-positive alerts that are subject to these issues are clearly stated below. +The automated scanner has been reported several alerts. ASP.NET Zero Team has fixed the positive alerts regarding the report. On the other hand most of the alerts can be stated as false-positive. The reasons for the false-positive alerts that are subject to these issues are clearly stated below. ## Summary of Alerts - - ### Path Traversal -##### High (Medium) +##### Risk: High #### Description 
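Review bot: Replacing "High (Medium)" with "Risk: High" in the Path Traversal section drops the second value, which in ZAP's report format is the confidence; since the whole point of this page is to argue that the alerts are false positives, the confidence is the more informative of the two and should be kept, e.g. "Risk: High, Confidence: Medium". The first paragraph also still calls an automated OWASP ZAP run a "Penetration Test Report"; "Automated Vulnerability Scan Report" would describe it honestly. Grammar: "The automated scanner has been reported several alerts" should read "The automated scanner has reported several alerts".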
@@ -20,39 +18,13 @@ The Path Traversal attack technique allows an attacker access to files, director #### Comment -The report has stated some CSS, JS links are open to path traversal attack. But these alerts are false-positive. You can see the reasons why they are evaluated as false-positive. - -- URL: [http://localhost:62114/view-resources/Areas/App/Views/_Bundles/app-layout-libs.css](http://localhost:62114/view-resources/Areas/App/Views/_Bundles/app-layout-libs.css) - - Method: `GET` - - Parameter: `.AspNetCore.Antiforgery.DPAjufeZt_4` - - Attack: `c:/` - - Evidence: `etc` - - When we inspect the below response, it returns **etc** only in comments. And this is exactly not a path. - - Path Traversal - - -- URL: [http://localhost:62114/view-resources/Areas/App/Views/_Bundles/app-layout-libs.js](http://localhost:62114/view-resources/Areas/App/Views/_Bundles/app-layout-libs.js) - - Method: `GET` - - Parameter: `.AspNetCore.Antiforgery.DPAjufeZt_4` - - Attack: `c:/Windows/system.ini` - - Evidence: `[drivers]` - - When we inspect the below response it returns **[drivers]** as array. And this is not a path as well! 
- - Path Traversal 2 - -- URL: [http://localhost:62114/Account/Login](http://localhost:62114/Account/Login) - - Method: `POST` - - Parameter: `Expires` - - Attack: `/Login` +* Url: [http://localhost:62114/api/services/app/Role/GetRoles?permissions[X]=GetRoles](http://localhost:62114/api/services/app/Role/GetRoles?permissions%5B0%5D=Pages&permissions%5B1%5D=Pages.Administration&permissions%5B2%5D=Pages.Administration.AuditLogs&permissions%5B3%5D=GetRoles&permissions%5B4%5D=Pages.Administration.HangfireDashboard&permissions%5B5%5D=Pages.Administration.Languages&permissions%5B6%5D=Pages.Administration.Languages.ChangeTexts&permissions%5B7%5D=Pages.Administration.Languages.Create&permissions%5B8%5D=Pages.Administration.Languages.Delete&permissions%5B9%5D=Pages.Administration.Languages.Edit&permissions%5B10%5D=Pages.Administration.Host.Maintenance&permissions%5B11%5D=Pages.Administration.OrganizationUnits&permissions%5B12%5D=Pages.Administration.OrganizationUnits.ManageMembers&permissions%5B13%5D=Pages.Administration.OrganizationUnits.ManageOrganizationTree&permissions%5B14%5D=Pages.Administration.OrganizationUnits.ManageRoles&permissions%5B15%5D=Pages.Administration.Roles&permissions%5B16%5D=Pages.Administration.Roles.Create&permissions%5B17%5D=Pages.Administration.Roles.Delete&permissions%5B18%5D=Pages.Administration.Roles.Edit&permissions%5B19%5D=Pages.Administration.Host.Settings&permissions%5B20%5D=Pages.Administration.Users&permissions%5B21%5D=Pages.Administration.Users.ChangePermissions&permissions%5B22%5D=Pages.Administration.Users.Create&permissions%5B23%5D=Pages.Administration.Users.Delete&permissions%5B24%5D=Pages.Administration.Users.Edit&permissions%5B25%5D=Pages.Administration.Users.Impersonation&permissions%5B26%5D=Pages.Administration.Users.Unlock&permissions%5B27%5D=Pages.Administration.UiCustomization&permissions%5B28%5D=Pages.DemoUiComponents&permissions%5B29%5D=Pages.Editions&permissions%5B30%5D=Pages.Editions.Create&permissions%5B31%5D=Pages.Editions
.Delete&permissions%5B32%5D=Pages.Editions.Edit&permissions%5B33%5D=Pages.Editions.MoveTenantsToAnotherEdition&permissions%5B34%5D=Pages.Tenants&permissions%5B35%5D=Pages.Tenants.ChangeFeatures&permissions%5B36%5D=Pages.Tenants.Create&permissions%5B37%5D=Pages.Tenants.Delete&permissions%5B38%5D=Pages.Tenants.Edit&permissions%5B39%5D=Pages.Tenants.Impersonation) - The **Expires** header contains date/time after which the response is considered stale. Invalid dates, like the value 0, represent a date in the past and mean that the resource is already expired. The attack request sends Expires parameter as **"/Login"**, this doesn't leak any information about paths and th response returns a valid JSON + * Parameter: permissions[3] - `{"result":null,"targetUrl":"/App","success":true,"error":null,"unAuthorizedRequest":false,"__abp":true}` + * Attack: GetRoles - Path Traversal 3 + This request is false-positive because the tool is checking whether a request can get data with unexpected parameter. Since `admin` role has all permissions as a default, response always has `admin` role. ### Recommendation 
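Review bot: The false-positive justification for the `GetRoles?permissions[3]=GetRoles` alert gives an incomplete reason: the response is unchanged because `permissions[]` is a filter of permission names rather than a file path, so there is nothing for the injected value to traverse, and the `admin` role still matches the remaining filter values, which is what the "admin role has all permissions" sentence is getting at; state both halves, since the current wording leaves open whether the parameter ever reaches the file system. Also, this hunk deletes the three v5 path-traversal findings and their screenshots without saying whether they were re-tested; a one-line "not reported by ZAP 2.9.0 against v8.1" would keep the page's history intact.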
@@ -66,147 +38,127 @@ If you use **MapPath** to map a supplied virtual path to a physical path on the -### SQL Injection +### Application Error Disclosure -##### High (Medium) +##### Risk: Medium #### Description -SQL Injection refers to an injection attack wherein an attacker can execute malicious SQL statements (also commonly referred to as a malicious *payload*) that control a web application's database server. +This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application. The alert could be a false positive if the error message is found inside a documentation page. #### Comment -Asp.Net Zero uses `Entity Framework` as data access technology. And `Entity Framework` uses parameterized queries which prevents SQL injections by default. +- URL: http://localhost:62114/AbpScripts/GetScripts?v=637170099309929078 + - Method: `GET` + + This request is false-positive because the tool is checking whether the response contains **"internal error"** text. The response of `GetScripts` contains translations which includes **"internal error"** text. -- URL: [http://localhost:62114/Account/Login](http://localhost:62114/Account/Login) - - Method: `POST` - - Parameter: `User-Agent` - - Attack: `Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 OR 1=1 -- ` + ![security-report-v-8-1-application-error-disclosure-1](images/security-report-v-8-1-application-error-disclosure-1.png) - This request is false-positive because the tool is checking whether the response is changed or not. The **.AspNetCore.Identity.Application** cookie value is changing in every post request, that's why tool suspects of SQL Injection. But it's clearly not a SQL Injection attack. (The other instances of Login page SQL Inject attacks are not listed as they are same.) 
+* URL: http://localhost:62114/Error?statusCode=401 -### Recommendation + * Method: `Get` + + This request is false-positive because the tool is checking whether the response contains **"internal error"** text. The response contains that but without sensitive information. -Do not trust client side input, even if there is client side validation in place. Check all data on the server side. Always use parametrized queries when you use directly T-SQLs or Stored Procedures. + ![security-report-v-8-1-application-error-disclosure-1](images/security-report-v-8-1-application-error-disclosure-2.png) -- https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet +ASP.NET Zero never returns error details, if only developer sends it deliberatively. When the project runs on development, exceptions are being sent to client. But publishing application in release mode prevents exception details to be sent. While `MVC` project shows a custom error page, `Host` project sends a JSON with message "*An internal error occurred during your request!*" -### Cross Site Scripting (Reflected) +### Absence of Anti-CSRF Tokens -##### High (Low) +##### Risk: Low #### Description -Cross-site Scripting (XSS) is an attack technique that involves echoing attacker-supplied code into a user's browser instance. +In short, CSRF abuses the **trust** relationship between **browser and server**. This means that anything that a server uses in order to establish trust with a browser (e.g., cookies, but also HTTP/Windows Authentication) is exactly what allows CSRF to take place - but this only the first piece for a successful CSRF attack. #### Comment -There are several attacks that are marked as suspicious. When it's inspected these attack instances, it can be seen that the response is JSON and reflected value is handled as string in alert dialogs. The scripts are not being evaluated by JavaScript. Therefore these instances are false-positive. 
+ASP.NET Boilerplate has it's own [built-in AntiForgery system](https://aspnetboilerplate.com/Pages/Documents/XSRF-CSRF-Protection). ASP.NET Zero uses ajax to post most of the forms. All URLs listed is false-positive. ASP.NET Zero post them via using ajax and their ajax requests has **X-XSRF-TOKEN** header. -- URL: [http://localhost:62114/api/services/app/User/GetUsers?filter=&permission=&role=&maxResultCount=10&skipCount=%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E](http://localhost:62114/api/services/app/User/GetUsers?filter=&permission=&role=&maxResultCount=10&skipCount=%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E) - - Method: `GET` - - Parameter: `skipCount` - - Attack: `` - - Evidence: `` +### Application Error Disclosure -### Recommendation +##### Risk: Low -When you return a HTML content page, be sure that you encode the response. Before putting untrusted data inside an HTML element ensure it is HTML encoded. +#### Description -- Never put untrusted data into your HTML input, unless you follow the rest of the steps below. Untrusted data is any data that may be controlled by an attacker, HTML form inputs, query strings, HTTP headers, even data sourced from a database as an attacker may be able to breach your database even if they cannot breach your application. -- Before putting untrusted data inside an HTML element ensure it is HTML encoded. HTML encoding takes characters such as < and changes them into a safe form like `<` -- Before putting untrusted data into an HTML attribute ensure it is HTML attribute encoded. HTML attribute encoding is a superset of HTML encoding and encodes additional characters such as " and '. -- Before putting untrusted data into JavaScript place the data in an HTML element whose contents you retrieve at runtime. If this is not possible then ensure the data is JavaScript encoded. JavaScript encoding takes dangerous characters for JavaScript and replaces them with their hex, for example < would be encoded as `\u003C`. 
-- Before putting untrusted data into a URL query string ensure it is URL encoded. - - http://projects.webappsec.org/Cross-Site-Scripting - - http://cwe.mitre.org/data/definitions/79.html +This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application. The alert could be a false positive if the error message is found inside a documentation page. +#### Comment +ASP.NET Boilerplate has it's own [built-in exception handling system](https://aspnetboilerplate.com/Pages/Documents/Handling-Exceptions). When an exception happens ASP.NET Boilerplate catches it and throws user friendly exception. This requests are false-positive because the tool is checking whether the response return **"HTTP 501 (Internal Server Error)"**. But returned errors don't contains internal error. -### X-Frame-Options Header Not Set +- URL: http://localhost:62114/api/services/app/Edition/CreateEdition -##### Medium (Medium) + - Method: `Post` -#### Description + - Evidence: HTTP/1.1 500 Internal Server Error -The `X-Frame-Options` HTPP header can be used to indicate whether or not a browser should be allowed to render a page in a ``, `
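Review bot: The last hunk introduces two sections titled "Application Error Disclosure" (Risk: Medium and Risk: Low) with near-identical descriptions; merge them or distinguish them in the heading, otherwise a reader cannot tell which alert is which. In the second one the text says the tool checks for "HTTP 501 (Internal Server Error)" while the evidence line reads `HTTP/1.1 500 Internal Server Error`; 501 is Not Implemented, so make it 500. In the Anti-CSRF section, "All URLs listed is false-positive" refers to a list that no longer exists in the page; either re-add the URLs ZAP flagged or drop the sentence, and say explicitly that the `X-XSRF-TOKEN` header is what the server validates on the AJAX posts. "ASP.NET Zero never returns error details, if only developer sends it deliberatively" is hard to parse, and the claim that "publishing application in release mode prevents exception details to be sent" conflates build configuration with hosting environment: in ASP.NET Core the developer exception page is enabled per environment (Development versus Production), so a Release build run with `ASPNETCORE_ENVIRONMENT=Development` would still return details; say which environment setting is meant. Finally, the SQL Injection and Cross Site Scripting sections of the v5 report are removed wholesale; a sentence stating that the v8.1 scan raised no alerts in those categories would preserve that information rather than leaving readers to guess.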