Merge branch 'v12/dev' into contrib

src/Umbraco.Web.Common/DependencyInjection/UmbracoBuilder.MembersIdentity.cs

@@ -65,6 +65,7 @@ public static partial class UmbracoBuilderExtensions
 
         services.ConfigureOptions<ConfigureSecurityStampOptions>();
         services.ConfigureOptions<ConfigureMemberCookieOptions>();
+        services.AddScoped<MemberSecurityStampValidator>();
 
         services.AddUnique<IMemberExternalLoginProviders, MemberExternalLoginProviders>();
 

src/Umbraco.Web.Common/Profiler/WebProfiler.cs

@@ -29,7 +29,7 @@ public class WebProfiler : IProfiler
     public void Start()
     {
         MiniProfiler.StartNew();
-        MiniProfilerContext.Value = MiniProfiler.Current;
+        MiniProfilerContext.Value = MiniProfiler.Current!;
     }
 
     public void Stop(bool discardResults = false) => MiniProfilerContext.Value?.Stop(discardResults);
@@ -84,7 +84,7 @@ public class WebProfiler : IProfiler
 
                 if (cookieValue is not null)
                 {
-                    AddSubProfiler(MiniProfiler.FromJson(cookieValue));
+                    AddSubProfiler(MiniProfiler.FromJson(cookieValue)!);
                 }
 
                 // If it is a redirect to a relative path (local redirect)

src/Umbraco.Web.Common/Profiler/WebProfilerHtml.cs

@@ -34,7 +34,7 @@ public class WebProfilerHtml : IProfilerHtml
 
         var result = StackExchange.Profiling.Internal.Render.Includes(
             profiler,
-            context is not null ? context.Request.PathBase + path : null,
+            context is not null ? context.Request.PathBase + path : string.Empty,
             true,
             new List<Guid> { profiler.Id },
             RenderPosition.Right,

src/Umbraco.Web.Common/Security/ConfigureMemberCookieOptions.cs

@@ -1,6 +1,7 @@
 using Microsoft.AspNetCore.Authentication.Cookies;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Identity;
+using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Options;
 using Umbraco.Cms.Core.Routing;
 using Umbraco.Cms.Core.Services;
@@ -47,6 +48,14 @@ public sealed class ConfigureMemberCookieOptions : IConfigureNamedOptions<Cookie
 
                 return Task.CompletedTask;
             },
+            OnValidatePrincipal = async ctx =>
+            {
+                // We need to resolve the BackOfficeSecurityStampValidator per request as a requirement (even in aspnetcore they do this)
+                MemberSecurityStampValidator securityStampValidator =
+                    ctx.HttpContext.RequestServices.GetRequiredService<MemberSecurityStampValidator>();
+
+                await securityStampValidator.ValidateAsync(ctx);
+            },
             OnRedirectToAccessDenied = ctx =>
             {
                 ctx.Response.StatusCode = StatusCodes.Status403Forbidden;

src/Umbraco.Web.Common/Security/MemberSecurityStampValidator.cs

@@ -0,0 +1,26 @@
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Authentication.Cookies;
+using Microsoft.AspNetCore.Identity;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
+using Umbraco.Cms.Core.Security;
+
+namespace Umbraco.Cms.Web.Common.Security;
+
+/// <summary>
+///     A security stamp validator for the back office
+/// </summary>
+public class MemberSecurityStampValidator : SecurityStampValidator<MemberIdentityUser>
+{
+    public MemberSecurityStampValidator(
+        IOptions<MemberSecurityStampValidatorOptions> options,
+        MemberSignInManager signInManager, ISystemClock clock, ILoggerFactory logger)
+        : base(options, signInManager, clock, logger)
+    {
+    }
+
+    public override Task ValidateAsync(CookieValidatePrincipalContext context)
+    {
+        return base.ValidateAsync(context);
+    }
+}

src/Umbraco.Web.Common/Security/MemberSecurityStampValidatorOptions.cs

@@ -0,0 +1,7 @@
+using Microsoft.AspNetCore.Identity;
+
+namespace Umbraco.Cms.Web.Common.Security;
+
+public class MemberSecurityStampValidatorOptions : SecurityStampValidatorOptions
+{
+}

src/Umbraco.Web.Common/Security/UmbracoSignInManager.cs

@@ -241,6 +241,14 @@ public abstract class UmbracoSignInManager<TUser> : SignInManager<TUser>
     /// <inheritdoc />
     public override async Task SignOutAsync()
     {
+        // Update the security stamp to sign out everywhere.
+        TUser? user = await UserManager.GetUserAsync(Context.User);
+
+        if (user is not null)
+        {
+            await UserManager.UpdateSecurityStampAsync(user);
+        }
+
         // override to replace IdentityConstants.ApplicationScheme with custom auth types
         // code taken from aspnetcore: https://github.com/dotnet/aspnetcore/blob/master/src/Identity/Core/src/SignInManager.cs
         await Context.SignOutAsync(AuthenticationType);

src/Umbraco.Web.Common/Umbraco.Web.Common.csproj

@@ -14,11 +14,11 @@
     <PackageReference Include="Asp.Versioning.Mvc" Version="7.0.0" />
     <PackageReference Include="Asp.Versioning.Mvc.ApiExplorer" Version="7.0.0" />
     <PackageReference Include="Dazinator.Extensions.FileProviders" Version="2.0.0" />
-    <PackageReference Include="Microsoft.AspNetCore.Mvc.NewtonsoftJson" Version="7.0.5" />
-    <PackageReference Include="Microsoft.AspNetCore.Mvc.Razor.RuntimeCompilation" Version="7.0.5" />
-    <PackageReference Include="MiniProfiler.AspNetCore.Mvc" Version="4.2.22" />
-    <PackageReference Include="Smidge.InMemory" Version="4.2.1" />
-    <PackageReference Include="Smidge.Nuglify" Version="4.2.1" />
+    <PackageReference Include="Microsoft.AspNetCore.Mvc.NewtonsoftJson" Version="7.0.7" />
+    <PackageReference Include="Microsoft.AspNetCore.Mvc.Razor.RuntimeCompilation" Version="7.0.7" />
+    <PackageReference Include="MiniProfiler.AspNetCore.Mvc" Version="4.3.8" />
+    <PackageReference Include="Smidge.InMemory" Version="4.3.0" />
+    <PackageReference Include="Smidge.Nuglify" Version="4.3.0" />
   </ItemGroup>
 
   <ItemGroup>