src/Umbraco.Web.Common/Middleware/PreviewAuthenticationMiddleware.cs

using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using Umbraco.Cms.Core;
using Umbraco.Cms.Core.Preview;
using Umbraco.Cms.Core.Security;
using Umbraco.Cms.Core.Services;
using Umbraco.Cms.Web.Common.AspNetCore;
using Umbraco.Cms.Web.Common.Security;
using Umbraco.Extensions;

namespace Umbraco.Cms.Web.Common.Middleware;

/// <summary>
///     Ensures that preview pages (front-end routed) are authenticated with the back office identity appended to the
///     principal alongside any default authentication that takes place
/// </summary>
public class PreviewAuthenticationMiddleware : IMiddleware
{
    private readonly ILogger<PreviewAuthenticationMiddleware> _logger;
    private readonly IPreviewTokenGenerator _previewTokenGenerator;
    private readonly IPreviewService _previewService;


    public PreviewAuthenticationMiddleware(
        ILogger<PreviewAuthenticationMiddleware> logger,
        IPreviewTokenGenerator previewTokenGenerator,
        IPreviewService previewService)
    {
        _logger = logger;
        _previewTokenGenerator = previewTokenGenerator;
        _previewService = previewService;
    }

    /// <inheritdoc />
    public async Task InvokeAsync(HttpContext context, RequestDelegate next)
    {
        HttpRequest request = context.Request;

        // do not process if client-side request
        if (request.IsClientSideRequest())
        {
            await next(context);
            return;
        }

        try
        {
            var isPreview = request.HasPreviewCookie()
                            && !request.IsBackOfficeRequest();

            if (isPreview)
            {
                Attempt<ClaimsIdentity> backOfficeIdentityAttempt = await _previewService.TryGetPreviewClaimsIdentityAsync();

                if (backOfficeIdentityAttempt.Success)
                {
                    // Ok, we've got a real ticket, now we can add this ticket's identity to the current
                    // Principal, this means we'll have 2 identities assigned to the principal which we can
                    // use to authorize the preview and allow for a back office User.
                    context.User.AddIdentity(backOfficeIdentityAttempt.Result!);
                }
                else
                {
                    _logger.LogDebug("Could not transform previewCookie value into a claimsIdentity");
                }
            }
        }
        catch (Exception ex)
        {
            // log any errors and continue the request without preview
            _logger.LogError("Unable to perform preview authentication: {message}", ex.Message);
        }
        finally
        {
            await next(context);
        }
    }
}
v10: Fix build warnings in Web.Common (#12349) * Run code cleanup * Run dotnet format * Start manual cleanup in Web.Common * Finish up manual cleanup * Fix tests * Fix up InMemoryModelFactory.cs * Inject proper macroRenderer * Update src/Umbraco.Web.Common/Filters/JsonDateTimeFormatAttribute.cs Co-authored-by: Mole <nikolajlauridsen@protonmail.ch> * Update src/Umbraco.Web.Common/Filters/ValidateUmbracoFormRouteStringAttribute.cs Co-authored-by: Mole <nikolajlauridsen@protonmail.ch> * Fix based on review Co-authored-by: Nikolaj Geisle <niko737@edu.ucl.dk> Co-authored-by: Mole <nikolajlauridsen@protonmail.ch> 2022-05-09 09:39:46 +02:00			`using System.Security.Claims;`
			`using Microsoft.AspNetCore.Authentication;`
Getting front end routing poc going 2020-12-08 16:33:50 +11:00			`using Microsoft.AspNetCore.Authentication.Cookies;`
Migrates preview auth Middleware Migrates UriExtensionsTests to netcore, fixes preview controller bits, adds tests for preview path for back office route check, fixes virtual paths for views, 2020-08-07 00:48:32 +10:00			`using Microsoft.AspNetCore.Http;`
			`using Microsoft.Extensions.DependencyInjection;`
Move preview authorization middleware to fix preview 2021-02-19 11:45:58 +01:00			`using Microsoft.Extensions.Logging;`
Migrates preview auth Middleware Migrates UriExtensionsTests to netcore, fixes preview controller bits, adds tests for preview path for back office route check, fixes virtual paths for views, 2020-08-07 00:48:32 +10:00			`using Microsoft.Extensions.Options;`
V14: Untangle the preview functionality from the auth cookie (#16308) * AB40660 - untangle the preview cookie from the auth cookie * Clean up * Allow anonymous to end preview sessions * Some refinements * update OpenApi.json * Fix enter preview test * correct tests to match new expectations of the preview cookie * sync preview tests with correct expectations of access level --------- Co-authored-by: Sven Geusens <sge@umbraco.dk> Co-authored-by: Jacob Overgaard <752371+iOvergaard@users.noreply.github.com> 2024-05-17 16:06:26 +02:00			`using Umbraco.Cms.Core;`
			`using Umbraco.Cms.Core.Preview;`
			`using Umbraco.Cms.Core.Security;`
			`using Umbraco.Cms.Core.Services;`
			`using Umbraco.Cms.Web.Common.AspNetCore;`
			`using Umbraco.Cms.Web.Common.Security;`
Migrates preview auth Middleware Migrates UriExtensionsTests to netcore, fixes preview controller bits, adds tests for preview path for back office route check, fixes virtual paths for views, 2020-08-07 00:48:32 +10:00			`using Umbraco.Extensions;`

v10: Fix build warnings in Web.Common (#12349) * Run code cleanup * Run dotnet format * Start manual cleanup in Web.Common * Finish up manual cleanup * Fix tests * Fix up InMemoryModelFactory.cs * Inject proper macroRenderer * Update src/Umbraco.Web.Common/Filters/JsonDateTimeFormatAttribute.cs Co-authored-by: Mole <nikolajlauridsen@protonmail.ch> * Update src/Umbraco.Web.Common/Filters/ValidateUmbracoFormRouteStringAttribute.cs Co-authored-by: Mole <nikolajlauridsen@protonmail.ch> * Fix based on review Co-authored-by: Nikolaj Geisle <niko737@edu.ucl.dk> Co-authored-by: Mole <nikolajlauridsen@protonmail.ch> 2022-05-09 09:39:46 +02:00			`namespace Umbraco.Cms.Web.Common.Middleware;`

			`/// <summary>`
			`/// Ensures that preview pages (front-end routed) are authenticated with the back office identity appended to the`
			`/// principal alongside any default authentication that takes place`
			`/// </summary>`
			`public class PreviewAuthenticationMiddleware : IMiddleware`
Migrates preview auth Middleware Migrates UriExtensionsTests to netcore, fixes preview controller bits, adds tests for preview path for back office route check, fixes virtual paths for views, 2020-08-07 00:48:32 +10:00			`{`
v10: Fix build warnings in Web.Common (#12349) * Run code cleanup * Run dotnet format * Start manual cleanup in Web.Common * Finish up manual cleanup * Fix tests * Fix up InMemoryModelFactory.cs * Inject proper macroRenderer * Update src/Umbraco.Web.Common/Filters/JsonDateTimeFormatAttribute.cs Co-authored-by: Mole <nikolajlauridsen@protonmail.ch> * Update src/Umbraco.Web.Common/Filters/ValidateUmbracoFormRouteStringAttribute.cs Co-authored-by: Mole <nikolajlauridsen@protonmail.ch> * Fix based on review Co-authored-by: Nikolaj Geisle <niko737@edu.ucl.dk> Co-authored-by: Mole <nikolajlauridsen@protonmail.ch> 2022-05-09 09:39:46 +02:00			`private readonly ILogger<PreviewAuthenticationMiddleware> _logger;`
V14: Untangle the preview functionality from the auth cookie (#16308) * AB40660 - untangle the preview cookie from the auth cookie * Clean up * Allow anonymous to end preview sessions * Some refinements * update OpenApi.json * Fix enter preview test * correct tests to match new expectations of the preview cookie * sync preview tests with correct expectations of access level --------- Co-authored-by: Sven Geusens <sge@umbraco.dk> Co-authored-by: Jacob Overgaard <752371+iOvergaard@users.noreply.github.com> 2024-05-17 16:06:26 +02:00			`private readonly IPreviewTokenGenerator _previewTokenGenerator;`
			`private readonly IPreviewService _previewService;`
v10: Fix build warnings in Web.Common (#12349) * Run code cleanup * Run dotnet format * Start manual cleanup in Web.Common * Finish up manual cleanup * Fix tests * Fix up InMemoryModelFactory.cs * Inject proper macroRenderer * Update src/Umbraco.Web.Common/Filters/JsonDateTimeFormatAttribute.cs Co-authored-by: Mole <nikolajlauridsen@protonmail.ch> * Update src/Umbraco.Web.Common/Filters/ValidateUmbracoFormRouteStringAttribute.cs Co-authored-by: Mole <nikolajlauridsen@protonmail.ch> * Fix based on review Co-authored-by: Nikolaj Geisle <niko737@edu.ucl.dk> Co-authored-by: Mole <nikolajlauridsen@protonmail.ch> 2022-05-09 09:39:46 +02:00
V14: Untangle the preview functionality from the auth cookie (#16308) * AB40660 - untangle the preview cookie from the auth cookie * Clean up * Allow anonymous to end preview sessions * Some refinements * update OpenApi.json * Fix enter preview test * correct tests to match new expectations of the preview cookie * sync preview tests with correct expectations of access level --------- Co-authored-by: Sven Geusens <sge@umbraco.dk> Co-authored-by: Jacob Overgaard <752371+iOvergaard@users.noreply.github.com> 2024-05-17 16:06:26 +02:00
			`public PreviewAuthenticationMiddleware(`
			`ILogger<PreviewAuthenticationMiddleware> logger,`
			`IPreviewTokenGenerator previewTokenGenerator,`
			`IPreviewService previewService)`
			`{`
			`_logger = logger;`
			`_previewTokenGenerator = previewTokenGenerator;`
			`_previewService = previewService;`
			`}`
Move preview authorization middleware to fix preview 2021-02-19 11:45:58 +01:00
v10: Fix build warnings in Web.Common (#12349) * Run code cleanup * Run dotnet format * Start manual cleanup in Web.Common * Finish up manual cleanup * Fix tests * Fix up InMemoryModelFactory.cs * Inject proper macroRenderer * Update src/Umbraco.Web.Common/Filters/JsonDateTimeFormatAttribute.cs Co-authored-by: Mole <nikolajlauridsen@protonmail.ch> * Update src/Umbraco.Web.Common/Filters/ValidateUmbracoFormRouteStringAttribute.cs Co-authored-by: Mole <nikolajlauridsen@protonmail.ch> * Fix based on review Co-authored-by: Nikolaj Geisle <niko737@edu.ucl.dk> Co-authored-by: Mole <nikolajlauridsen@protonmail.ch> 2022-05-09 09:39:46 +02:00			`/// <inheritdoc />`
			`public async Task InvokeAsync(HttpContext context, RequestDelegate next)`
			`{`
			`HttpRequest request = context.Request;`
Move preview authorization middleware to fix preview 2021-02-19 11:45:58 +01:00
v10: Fix build warnings in Web.Common (#12349) * Run code cleanup * Run dotnet format * Start manual cleanup in Web.Common * Finish up manual cleanup * Fix tests * Fix up InMemoryModelFactory.cs * Inject proper macroRenderer * Update src/Umbraco.Web.Common/Filters/JsonDateTimeFormatAttribute.cs Co-authored-by: Mole <nikolajlauridsen@protonmail.ch> * Update src/Umbraco.Web.Common/Filters/ValidateUmbracoFormRouteStringAttribute.cs Co-authored-by: Mole <nikolajlauridsen@protonmail.ch> * Fix based on review Co-authored-by: Nikolaj Geisle <niko737@edu.ucl.dk> Co-authored-by: Mole <nikolajlauridsen@protonmail.ch> 2022-05-09 09:39:46 +02:00			`// do not process if client-side request`
			`if (request.IsClientSideRequest())`
Migrates preview auth Middleware Migrates UriExtensionsTests to netcore, fixes preview controller bits, adds tests for preview path for back office route check, fixes virtual paths for views, 2020-08-07 00:48:32 +10:00			`{`
v10: Fix build warnings in Web.Common (#12349) * Run code cleanup * Run dotnet format * Start manual cleanup in Web.Common * Finish up manual cleanup * Fix tests * Fix up InMemoryModelFactory.cs * Inject proper macroRenderer * Update src/Umbraco.Web.Common/Filters/JsonDateTimeFormatAttribute.cs Co-authored-by: Mole <nikolajlauridsen@protonmail.ch> * Update src/Umbraco.Web.Common/Filters/ValidateUmbracoFormRouteStringAttribute.cs Co-authored-by: Mole <nikolajlauridsen@protonmail.ch> * Fix based on review Co-authored-by: Nikolaj Geisle <niko737@edu.ucl.dk> Co-authored-by: Mole <nikolajlauridsen@protonmail.ch> 2022-05-09 09:39:46 +02:00			`await next(context);`
			`return;`
			`}`
Move preview authorization middleware to fix preview 2021-02-19 11:45:58 +01:00
v10: Fix build warnings in Web.Common (#12349) * Run code cleanup * Run dotnet format * Start manual cleanup in Web.Common * Finish up manual cleanup * Fix tests * Fix up InMemoryModelFactory.cs * Inject proper macroRenderer * Update src/Umbraco.Web.Common/Filters/JsonDateTimeFormatAttribute.cs Co-authored-by: Mole <nikolajlauridsen@protonmail.ch> * Update src/Umbraco.Web.Common/Filters/ValidateUmbracoFormRouteStringAttribute.cs Co-authored-by: Mole <nikolajlauridsen@protonmail.ch> * Fix based on review Co-authored-by: Nikolaj Geisle <niko737@edu.ucl.dk> Co-authored-by: Mole <nikolajlauridsen@protonmail.ch> 2022-05-09 09:39:46 +02:00			`try`
			`{`
			`var isPreview = request.HasPreviewCookie()`
			`&& !request.IsBackOfficeRequest();`
Move preview authorization middleware to fix preview 2021-02-19 11:45:58 +01:00
v10: Fix build warnings in Web.Common (#12349) * Run code cleanup * Run dotnet format * Start manual cleanup in Web.Common * Finish up manual cleanup * Fix tests * Fix up InMemoryModelFactory.cs * Inject proper macroRenderer * Update src/Umbraco.Web.Common/Filters/JsonDateTimeFormatAttribute.cs Co-authored-by: Mole <nikolajlauridsen@protonmail.ch> * Update src/Umbraco.Web.Common/Filters/ValidateUmbracoFormRouteStringAttribute.cs Co-authored-by: Mole <nikolajlauridsen@protonmail.ch> * Fix based on review Co-authored-by: Nikolaj Geisle <niko737@edu.ucl.dk> Co-authored-by: Mole <nikolajlauridsen@protonmail.ch> 2022-05-09 09:39:46 +02:00			`if (isPreview)`
Migrates preview auth Middleware Migrates UriExtensionsTests to netcore, fixes preview controller bits, adds tests for preview path for back office route check, fixes virtual paths for views, 2020-08-07 00:48:32 +10:00			`{`
V14: Untangle the preview functionality from the auth cookie (#16308) * AB40660 - untangle the preview cookie from the auth cookie * Clean up * Allow anonymous to end preview sessions * Some refinements * update OpenApi.json * Fix enter preview test * correct tests to match new expectations of the preview cookie * sync preview tests with correct expectations of access level --------- Co-authored-by: Sven Geusens <sge@umbraco.dk> Co-authored-by: Jacob Overgaard <752371+iOvergaard@users.noreply.github.com> 2024-05-17 16:06:26 +02:00			`Attempt<ClaimsIdentity> backOfficeIdentityAttempt = await _previewService.TryGetPreviewClaimsIdentityAsync();`
Migrates preview auth Middleware Migrates UriExtensionsTests to netcore, fixes preview controller bits, adds tests for preview path for back office route check, fixes virtual paths for views, 2020-08-07 00:48:32 +10:00
V14: Untangle the preview functionality from the auth cookie (#16308) * AB40660 - untangle the preview cookie from the auth cookie * Clean up * Allow anonymous to end preview sessions * Some refinements * update OpenApi.json * Fix enter preview test * correct tests to match new expectations of the preview cookie * sync preview tests with correct expectations of access level --------- Co-authored-by: Sven Geusens <sge@umbraco.dk> Co-authored-by: Jacob Overgaard <752371+iOvergaard@users.noreply.github.com> 2024-05-17 16:06:26 +02:00			`if (backOfficeIdentityAttempt.Success)`
Migrates preview auth Middleware Migrates UriExtensionsTests to netcore, fixes preview controller bits, adds tests for preview path for back office route check, fixes virtual paths for views, 2020-08-07 00:48:32 +10:00			`{`
V14: Untangle the preview functionality from the auth cookie (#16308) * AB40660 - untangle the preview cookie from the auth cookie * Clean up * Allow anonymous to end preview sessions * Some refinements * update OpenApi.json * Fix enter preview test * correct tests to match new expectations of the preview cookie * sync preview tests with correct expectations of access level --------- Co-authored-by: Sven Geusens <sge@umbraco.dk> Co-authored-by: Jacob Overgaard <752371+iOvergaard@users.noreply.github.com> 2024-05-17 16:06:26 +02:00			`// Ok, we've got a real ticket, now we can add this ticket's identity to the current`
			`// Principal, this means we'll have 2 identities assigned to the principal which we can`
			`// use to authorize the preview and allow for a back office User.`
			`context.User.AddIdentity(backOfficeIdentityAttempt.Result!);`
v10: Fix build warnings in Web.Common (#12349) * Run code cleanup * Run dotnet format * Start manual cleanup in Web.Common * Finish up manual cleanup * Fix tests * Fix up InMemoryModelFactory.cs * Inject proper macroRenderer * Update src/Umbraco.Web.Common/Filters/JsonDateTimeFormatAttribute.cs Co-authored-by: Mole <nikolajlauridsen@protonmail.ch> * Update src/Umbraco.Web.Common/Filters/ValidateUmbracoFormRouteStringAttribute.cs Co-authored-by: Mole <nikolajlauridsen@protonmail.ch> * Fix based on review Co-authored-by: Nikolaj Geisle <niko737@edu.ucl.dk> Co-authored-by: Mole <nikolajlauridsen@protonmail.ch> 2022-05-09 09:39:46 +02:00			`}`
V14: Untangle the preview functionality from the auth cookie (#16308) * AB40660 - untangle the preview cookie from the auth cookie * Clean up * Allow anonymous to end preview sessions * Some refinements * update OpenApi.json * Fix enter preview test * correct tests to match new expectations of the preview cookie * sync preview tests with correct expectations of access level --------- Co-authored-by: Sven Geusens <sge@umbraco.dk> Co-authored-by: Jacob Overgaard <752371+iOvergaard@users.noreply.github.com> 2024-05-17 16:06:26 +02:00			`else`
v10: Fix build warnings in Web.Common (#12349) * Run code cleanup * Run dotnet format * Start manual cleanup in Web.Common * Finish up manual cleanup * Fix tests * Fix up InMemoryModelFactory.cs * Inject proper macroRenderer * Update src/Umbraco.Web.Common/Filters/JsonDateTimeFormatAttribute.cs Co-authored-by: Mole <nikolajlauridsen@protonmail.ch> * Update src/Umbraco.Web.Common/Filters/ValidateUmbracoFormRouteStringAttribute.cs Co-authored-by: Mole <nikolajlauridsen@protonmail.ch> * Fix based on review Co-authored-by: Nikolaj Geisle <niko737@edu.ucl.dk> Co-authored-by: Mole <nikolajlauridsen@protonmail.ch> 2022-05-09 09:39:46 +02:00			`{`
V14: Untangle the preview functionality from the auth cookie (#16308) * AB40660 - untangle the preview cookie from the auth cookie * Clean up * Allow anonymous to end preview sessions * Some refinements * update OpenApi.json * Fix enter preview test * correct tests to match new expectations of the preview cookie * sync preview tests with correct expectations of access level --------- Co-authored-by: Sven Geusens <sge@umbraco.dk> Co-authored-by: Jacob Overgaard <752371+iOvergaard@users.noreply.github.com> 2024-05-17 16:06:26 +02:00			`_logger.LogDebug("Could not transform previewCookie value into a claimsIdentity");`
Migrates preview auth Middleware Migrates UriExtensionsTests to netcore, fixes preview controller bits, adds tests for preview path for back office route check, fixes virtual paths for views, 2020-08-07 00:48:32 +10:00			`}`
			`}`
v10: Fix build warnings in Web.Common (#12349) * Run code cleanup * Run dotnet format * Start manual cleanup in Web.Common * Finish up manual cleanup * Fix tests * Fix up InMemoryModelFactory.cs * Inject proper macroRenderer * Update src/Umbraco.Web.Common/Filters/JsonDateTimeFormatAttribute.cs Co-authored-by: Mole <nikolajlauridsen@protonmail.ch> * Update src/Umbraco.Web.Common/Filters/ValidateUmbracoFormRouteStringAttribute.cs Co-authored-by: Mole <nikolajlauridsen@protonmail.ch> * Fix based on review Co-authored-by: Nikolaj Geisle <niko737@edu.ucl.dk> Co-authored-by: Mole <nikolajlauridsen@protonmail.ch> 2022-05-09 09:39:46 +02:00			`}`
			`catch (Exception ex)`
			`{`
			`// log any errors and continue the request without preview`
Temp/15591 serilog string conventions (#15592) * Updaets `MigrationPlanExecutor.cs` to use serilog convention for strings * Updaets `ExamineManagementController.cs` to use serilog convention for strings * Updaets `HelpController.cs` to use serilog convention for strings * Updaets `PreviewAuthenticationMiddleware.cs` to use serilog convention for strings 2024-01-22 01:57:58 +00:00			`_logger.LogError("Unable to perform preview authentication: {message}", ex.Message);`
v10: Fix build warnings in Web.Common (#12349) * Run code cleanup * Run dotnet format * Start manual cleanup in Web.Common * Finish up manual cleanup * Fix tests * Fix up InMemoryModelFactory.cs * Inject proper macroRenderer * Update src/Umbraco.Web.Common/Filters/JsonDateTimeFormatAttribute.cs Co-authored-by: Mole <nikolajlauridsen@protonmail.ch> * Update src/Umbraco.Web.Common/Filters/ValidateUmbracoFormRouteStringAttribute.cs Co-authored-by: Mole <nikolajlauridsen@protonmail.ch> * Fix based on review Co-authored-by: Nikolaj Geisle <niko737@edu.ucl.dk> Co-authored-by: Mole <nikolajlauridsen@protonmail.ch> 2022-05-09 09:39:46 +02:00			`}`
			`finally`
			`{`
			`await next(context);`
Migrates preview auth Middleware Migrates UriExtensionsTests to netcore, fixes preview controller bits, adds tests for preview path for back office route check, fixes virtual paths for views, 2020-08-07 00:48:32 +10:00			`}`
			`}`
			`}`