Umbraco-CMS/src/Umbraco.Cms.Api.Delivery/Configuration/ConfigureUmbracoMemberAuthenticationDeliveryApiSwaggerGenOptions.cs

70 lines
2.7 KiB
C#
Add member auth to the Delivery API (#14730)

* Refactor OpenIddict for shared usage between APIs + implement member authentication and handling within the Delivery API
* Make SwaggerRouteTemplatePipelineFilter UI config overridable
* Enable token revocation + rename logout endpoint to signout
* Add default implementation of SwaggerGenOptions configuration for enabling Delivery API member auth in Swagger
* Correct notification handling when (un)protecting content
* Fixing integration test framework
* Cleanup test to not execute some composers twice
* Update paths to match docs
* Return Forbidden when a member is authorized but not allowed to access the requested resource
* Cleanup
* Rename RequestMemberService to RequestMemberAccessService
* Rename badly named variable
* Review comments
* Hide the auth controller from Swagger
* Remove semaphore
* Add security requirements for content API operations in Swagger
* Hide the back-office auth endpoints from Swagger
* Fix merge
* Update back-office API auth endpoint paths + add revoke and sign-out endpoints (as of now they do not exist, a separate task will fix that)
* Swap endpoint order to maintain backwards compat with the current login screen for new back-office (will be swapped back again to ensure correct .well-known endpoints, see FIXME comment)
* Make "items by IDs" endpoint support member auth
* Add 401 and 403 to "items by IDs" endpoint responses

---------

Co-authored-by: Bjarke Berg <mail@bergmania.dk>
Co-authored-by: Elitsa <elm@umbraco.dk>
2023-09-26 09:22:45 +02:00
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Options;
using Microsoft.OpenApi;
using Swashbuckle.AspNetCore.SwaggerGen;
using Umbraco.Cms.Api.Common.Security;
using Umbraco.Cms.Api.Delivery.Controllers.Content;
using Umbraco.Cms.Api.Delivery.Filters;
namespace Umbraco.Cms.Api.Delivery.Configuration;

/// <summary>
/// This configures member authentication for the Delivery API in Swagger. Consult the docs for
/// member authentication within the Delivery API for instructions on how to use this.
/// </summary>
/// <remarks>
/// This class is not used by the core CMS due to the required installation dependencies (local login page among other things).
/// </remarks>
public class ConfigureUmbracoMemberAuthenticationDeliveryApiSwaggerGenOptions : IConfigureOptions<SwaggerGenOptions>
{
    private const string AuthSchemeName = "UmbracoMember";
    public void Configure(SwaggerGenOptions options)
    {
        // add security requirements for content API operations
        options.DocumentFilter<DeliveryApiSecurityFilter>();
        options.OperationFilter<DeliveryApiSecurityFilter>();
    }

    private sealed class DeliveryApiSecurityFilter : SwaggerFilterBase<ContentApiControllerBase>, IOperationFilter, IDocumentFilter
    {
        // Operation filter: only operations on ContentApiControllerBase descendants (see CanApply in
        // SwaggerFilterBase) get the member auth security requirement attached.
        public void Apply(OpenApiOperation operation, OperationFilterContext context)
        {
            if (CanApply(context) is false)
            {
                return;
            }

            // Reference the "UmbracoMember" scheme registered by the document filter below; an empty
            // scope list means the requirement carries no specific OAuth2 scopes.
            var schemaRef = new OpenApiSecuritySchemeReference(AuthSchemeName, context.Document);
            operation.Security ??= new List<OpenApiSecurityRequirement>();
            operation.Security.Add(new OpenApiSecurityRequirement { [schemaRef] = [] });
        }

        // Document filter: registers the OAuth2 authorization-code security scheme, but only on the
        // Delivery API Swagger document so other API documents are left untouched.
        public void Apply(OpenApiDocument swaggerDoc, DocumentFilterContext context)
        {
            if (context.DocumentName != DeliveryApiConfiguration.ApiName)
            {
                return;
            }

            swaggerDoc.AddComponent(
                AuthSchemeName,
                new OpenApiSecurityScheme
                {
                    In = ParameterLocation.Header,
                    Name = AuthSchemeName,
                    Type = SecuritySchemeType.OAuth2,
                    Description = "Umbraco Member Authentication",
                    Flows = new OpenApiOAuthFlows
                    {
                        AuthorizationCode = new OpenApiOAuthFlow
                        {
                            AuthorizationUrl = new Uri(Paths.MemberApi.AuthorizationEndpoint, UriKind.Relative),
                            TokenUrl = new Uri(Paths.MemberApi.TokenEndpoint, UriKind.Relative),
                        },
                    },
                });
        }
    }
}
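Because the remarks state that the core CMS does not register this class itself, an opt-in registration is needed. The following composer is an added example, not part of the Umbraco source; the composer class name is made up, and it assumes the standard Umbraco IComposer/IUmbracoBuilder pattern.

```csharp
using Microsoft.Extensions.DependencyInjection;
using Umbraco.Cms.Api.Delivery.Configuration;
using Umbraco.Cms.Core.Composing;
using Umbraco.Cms.Core.DependencyInjection;

// Hypothetical composer (name chosen for this example). Umbraco discovers IComposer
// implementations automatically, so placing this class in the site project is enough
// to register the SwaggerGenOptions configurator with the DI container.
public class MemberAuthSwaggerComposer : IComposer
{
    public void Compose(IUmbracoBuilder builder)
    {
        // IConfigureOptions<SwaggerGenOptions> implementations run when SwaggerGen builds its
        // options. The registered document and operation filters then limit their own effect
        // to the Delivery API document (via DeliveryApiConfiguration.ApiName) and to operations
        // on ContentApiControllerBase, so back-office API documents are not affected.
        builder.Services.ConfigureOptions<ConfigureUmbracoMemberAuthenticationDeliveryApiSwaggerGenOptions>();
    }
}
```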