From 407e7a24da814633223b6d2db66982346e25c498 Mon Sep 17 00:00:00 2001
From: Kenn Jacobsen <kja@umbraco.dk>
Date: Mon, 26 May 2025 12:25:04 +0200
Subject: [PATCH] Fix rare concurrency issue in back-office auth middleware
 (#19418)

---
 .../BackOfficeAuthorizationInitializationMiddleware.cs | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/src/Umbraco.Cms.Api.Management/Middleware/BackOfficeAuthorizationInitializationMiddleware.cs b/src/Umbraco.Cms.Api.Management/Middleware/BackOfficeAuthorizationInitializationMiddleware.cs
index e4d3c236de..5bf884899c 100644
--- a/src/Umbraco.Cms.Api.Management/Middleware/BackOfficeAuthorizationInitializationMiddleware.cs
+++ b/src/Umbraco.Cms.Api.Management/Middleware/BackOfficeAuthorizationInitializationMiddleware.cs
@@ -65,13 +65,21 @@ public class BackOfficeAuthorizationInitializationMiddleware : IMiddleware
             return;
         }
 
-        if (_knownHosts.Add($"{context.Request.Scheme}://{context.Request.Host}") is false)
+        var host = $"{context.Request.Scheme}://{context.Request.Host}";
+        if (_knownHosts.Contains(host))
         {
             return;
         }
 
         await _firstBackOfficeRequestLocker.WaitAsync();
 
+        // NOTE: _knownHosts is not thread safe; check again after entering the semaphore
+        if (_knownHosts.Add(host) is false)
+        {
+            _firstBackOfficeRequestLocker.Release();
+            return;
+        }
+
         // ensure we explicitly add UmbracoApplicationUrl if configured (https://github.com/umbraco/Umbraco-CMS/issues/16179)
         if (_webRoutingSettings.UmbracoApplicationUrl.IsNullOrWhiteSpace() is false)
         {