Security stamp implementation for members (#10140)

* Getting new netcore PublicAccessChecker in place

* Adds full test coverage for PublicAccessChecker

* remove PublicAccessComposer

* adjust namespaces, ensure RoleManager works, separate public access controller, reduce content controller

* Implements the required methods on IMemberManager, removes old migrated code

* Updates routing to be able to re-route, Fixes middleware ordering ensuring endpoints are last, refactors pipeline options, adds public access middleware, ensures public access follows all hops

* adds note

* adds note

* Cleans up ext methods, ensures that members identity is added on both front-end and back ends. updates how UmbracoApplicationBuilder works in that it explicitly starts endpoints at the time of calling.

* Changes name to IUmbracoEndpointBuilder

* adds note

* Fixing tests, fixing error describers so there's 2x one for back office, one for members, fixes TryConvertTo, fixes login redirect

* fixing build

* Updates user manager to correctly validate password hashing and injects the IBackOfficeUserPasswordChecker

* Merges PR

* Fixes up build and notes

* Implements security stamp and email confirmed for members, cleans up a bunch of repo/service level member groups stuff, shares user store code between members and users and fixes the user identity object so we aren't tracking both groups and roles.

* Security stamp for members is now working

* Fixes keepalive, fixes PublicAccessMiddleware to not throw, updates startup code to be more clear and removes magic that registers middleware.

* adds note

* removes unused filter, fixes build

* fixes WebPath and tests

* Looks up entities in one query

* remove usings

* Fix test, remove stylesheet

* Set status code before we write to response to avoid error

* Ensures that users and members are validated when logging in. Shares more code between users and members.

* merge changes

* oops

* Fixes RepositoryCacheKeys to ensure the keys are normalized

* oops didn't mean to commit this

* Fix casing issues with caching, stop boxing value types for all cache operations, stop re-creating string keys in DefaultRepositoryCachePolicy

* oops didn't mean to comit this

* bah, far out this keeps getting recommitted. sorry

Co-authored-by: Bjarke Berg <mail@bergmania.dk>
Shannon Deminick
2021-04-20 17:13:40 +10:00
committed by GitHub
parent de28fbb0a4
commit 6c660d5721
26 changed files with 670 additions and 709 deletions


@@ -69,7 +69,9 @@ namespace Umbraco.Cms.Infrastructure.Persistence.Repositories.Implement
get
{
if (_passwordConfigInitialized)
{
return _passwordConfigJson;
}
var passwordConfig = new UserPasswordSettings
{
@@ -456,7 +458,9 @@ ORDER BY colName";
// ensure security stamp if missing
if (entity.SecurityStamp.IsNullOrWhiteSpace())
{
entity.SecurityStamp = Guid.NewGuid().ToString();
}
var userDto = UserFactory.BuildDto(entity);
@@ -504,7 +508,9 @@ ORDER BY colName";
// ensure security stamp if missing
if (entity.SecurityStamp.IsNullOrWhiteSpace())
{
entity.SecurityStamp = Guid.NewGuid().ToString();
}
var userDto = UserFactory.BuildDto(entity);
@@ -540,14 +546,17 @@ ORDER BY colName";
.Select(col => col.Key)
.ToList();
if (entity.IsPropertyDirty("SecurityStamp"))
{
changedCols.Add("securityStampToken");
}
// DO NOT update the password if it has not changed or if it is null or empty
if (entity.IsPropertyDirty("RawPasswordValue") && entity.RawPasswordValue.IsNullOrWhiteSpace() == false)
{
changedCols.Add("userPassword");
// special case - when using ASP.Net identity the user manager will take care of updating the security stamp, however
// when not using ASP.Net identity (i.e. old membership providers), we'll need to take care of updating this manually
// so we can just detect if that property is dirty, if it's not we'll set it manually
// If the security stamp hasn't already updated we need to force it
if (entity.IsPropertyDirty("SecurityStamp") == false)
{
userDto.SecurityStampToken = entity.SecurityStamp = Guid.NewGuid().ToString();
@@ -563,10 +572,14 @@ ORDER BY colName";
if (changedCols.Contains("userLogin") || changedCols.Contains("userEmail"))
{
userDto.EmailConfirmedDate = null;
userDto.SecurityStampToken = entity.SecurityStamp = Guid.NewGuid().ToString();
changedCols.Add("emailConfirmedDate");
changedCols.Add("securityStampToken");
// If the security stamp hasn't already updated we need to force it
if (entity.IsPropertyDirty("SecurityStamp") == false)
{
userDto.SecurityStampToken = entity.SecurityStamp = Guid.NewGuid().ToString();
changedCols.Add("securityStampToken");
}
}
//only update the changed cols