src/Umbraco.Cms.Api.Delivery/Configuration/ConfigureUmbracoMemberAuthenticationDeliveryApiSwaggerGenOptions.cs

using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Options;
using Microsoft.OpenApi.Models;
using Swashbuckle.AspNetCore.SwaggerGen;
using Umbraco.Cms.Api.Common.Security;
using Umbraco.Cms.Api.Delivery.Controllers.Content;
using Umbraco.Cms.Api.Delivery.Filters;

namespace Umbraco.Cms.Api.Delivery.Configuration;

/// <summary>
/// This configures member authentication for the Delivery API in Swagger. Consult the docs for
/// member authentication within the Delivery API for instructions on how to use this.
/// </summary>
/// <remarks>
/// This class is not used by the core CMS due to the required installation dependencies (local login page among other things).
/// </remarks>
public class ConfigureUmbracoMemberAuthenticationDeliveryApiSwaggerGenOptions : IConfigureOptions<SwaggerGenOptions>
{
    private const string AuthSchemeName = "Umbraco Member";

    public void Configure(SwaggerGenOptions options)
    {
        options.AddSecurityDefinition(
            AuthSchemeName,
            new OpenApiSecurityScheme
            {
                In = ParameterLocation.Header,
                Name = AuthSchemeName,
                Type = SecuritySchemeType.OAuth2,
                Description = "Umbraco Member Authentication",
                Flows = new OpenApiOAuthFlows
                {
                    AuthorizationCode = new OpenApiOAuthFlow
                    {
                        AuthorizationUrl = new Uri(Paths.MemberApi.AuthorizationEndpoint, UriKind.Relative),
                        TokenUrl = new Uri(Paths.MemberApi.TokenEndpoint, UriKind.Relative)
                    }
                }
            });

        // add security requirements for content API operations
        options.OperationFilter<DeliveryApiSecurityFilter>();
    }

    private class DeliveryApiSecurityFilter : SwaggerFilterBase<ContentApiControllerBase>, IOperationFilter
    {
        public void Apply(OpenApiOperation operation, OperationFilterContext context)
        {
            if (CanApply(context) is false)
            {
                return;
            }

            operation.Security = new List<OpenApiSecurityRequirement>
            {
                new OpenApiSecurityRequirement
                {
                    {
                        new OpenApiSecurityScheme
                        {
                            Reference = new OpenApiReference
                            {
                                Type = ReferenceType.SecurityScheme,
                                Id = AuthSchemeName,
                            }
                        },
                        new string[] { }
                    }
                }
            };
        }
    }
}
-												Add member auth to the Delivery API (#14730)

* Refactor OpenIddict for shared usage between APIs + implement member authentication and handling within the Delivery API

* Make SwaggerRouteTemplatePipelineFilter UI config overridable

* Enable token revocation + rename logout endpoint to signout

* Add default implementation of SwaggerGenOptions configuration for enabling Delivery API member auth in Swagger

* Correct notification handling when (un)protecting content

* Fixing integration test framework

* Cleanup test to not execute some composers twice

* Update paths to match docs

* Return Forbidden when a member is authorized but not allowed to access the requested resource

* Cleanup

* Rename RequestMemberService to RequestMemberAccessService

* Rename badly named variable

* Review comments

* Hide the auth controller from Swagger

* Remove semaphore

* Add security requirements for content API operations in Swagger

* Hide the back-office auth endpoints from Swagger

* Fix merge

* Update back-office API auth endpoint paths + add revoke and sign-out endpoints (as of now they do not exist, a separate task will fix that)

* Swap endpoint order to maintain backwards compat with the current login screen for new back-office (will be swapped back again to ensure correct .well-known endpoints, see FIXME comment)

* Make "items by IDs" endpoint support member auth

* Add 401 and 403 to "items by IDs" endpoint responses

---------

Co-authored-by: Bjarke Berg <mail@bergmania.dk>
Co-authored-by: Elitsa <elm@umbraco.dk>
											
										
										
											2023-09-26 09:22:45 +02:00
+								using Microsoft.Extensions.DependencyInjection;
 								using Microsoft.Extensions.Options;
 								using Microsoft.OpenApi.Models;
 								using Swashbuckle.AspNetCore.SwaggerGen;
 								using Umbraco.Cms.Api.Common.Security;
 								using Umbraco.Cms.Api.Delivery.Controllers.Content;
 								using Umbraco.Cms.Api.Delivery.Filters;
 								namespace Umbraco.Cms.Api.Delivery.Configuration;
 								/// <summary>
 								/// This configures member authentication for the Delivery API in Swagger. Consult the docs for
 								/// member authentication within the Delivery API for instructions on how to use this.
 								/// </summary>
 								/// <remarks>
 								/// This class is not used by the core CMS due to the required installation dependencies (local login page among other things).
 								/// </remarks>
 								public class ConfigureUmbracoMemberAuthenticationDeliveryApiSwaggerGenOptions : IConfigureOptions<SwaggerGenOptions>
 								{
 								    private const string AuthSchemeName = "Umbraco Member";
 								    public void Configure(SwaggerGenOptions options)
 								    {
 								        options.AddSecurityDefinition(
 								            AuthSchemeName,
 								            new OpenApiSecurityScheme
 								            {
 								                In = ParameterLocation.Header,
 								                Name = AuthSchemeName,
 								                Type = SecuritySchemeType.OAuth2,
 								                Description = "Umbraco Member Authentication",
 								                Flows = new OpenApiOAuthFlows
 								                {
 								                    AuthorizationCode = new OpenApiOAuthFlow
 								                    {
 								                        AuthorizationUrl = new Uri(Paths.MemberApi.AuthorizationEndpoint, UriKind.Relative),
 								                        TokenUrl = new Uri(Paths.MemberApi.TokenEndpoint, UriKind.Relative)
 								                    }
 								                }
 								            });
 								        // add security requirements for content API operations
 								        options.OperationFilter<DeliveryApiSecurityFilter>();
 								    }
 								    private class DeliveryApiSecurityFilter : SwaggerFilterBase<ContentApiControllerBase>, IOperationFilter
 								    {
 								        public void Apply(OpenApiOperation operation, OperationFilterContext context)
 								        {
 								            if (CanApply(context) is false)
 								            {
 								                return;
 								            }
 								            operation.Security = new List<OpenApiSecurityRequirement>
 								            {
 								                new OpenApiSecurityRequirement
 								                {
 								                    {
 								                        new OpenApiSecurityScheme
 								                        {
 								                            Reference = new OpenApiReference
 								                            {
 								                                Type = ReferenceType.SecurityScheme,
 								                                Id = AuthSchemeName,
 								                            }
 								                        },
 								                        new string[] { }
 								                    }
 								                }
 								            };
 								        }
 								    }
 								}