Add member auth to the Delivery API (#14730)
* Refactor OpenIddict for shared usage between APIs + implement member authentication and handling within the Delivery API * Make SwaggerRouteTemplatePipelineFilter UI config overridable * Enable token revocation + rename logout endpoint to signout * Add default implementation of SwaggerGenOptions configuration for enabling Delivery API member auth in Swagger * Correct notification handling when (un)protecting content * Fixing integration test framework * Cleanup test to not execute some composers twice * Update paths to match docs * Return Forbidden when a member is authorized but not allowed to access the requested resource * Cleanup * Rename RequestMemberService to RequestMemberAccessService * Rename badly named variable * Review comments * Hide the auth controller from Swagger * Remove semaphore * Add security requirements for content API operations in Swagger * Hide the back-office auth endpoints from Swagger * Fix merge * Update back-office API auth endpoint paths + add revoke and sign-out endpoints (as of now they do not exist, a separate task will fix that) * Swap endpoint order to maintain backwards compat with the current login screen for new back-office (will be swapped back again to ensure correct .well-known endpoints, see FIXME comment) * Make "items by IDs" endpoint support member auth * Add 401 and 403 to "items by IDs" endpoint responses --------- Co-authored-by: Bjarke Berg <mail@bergmania.dk> Co-authored-by: Elitsa <elm@umbraco.dk>
@@ -54,6 +54,19 @@ public class DeliveryApiSettings
|
||||
/// </summary>
|
||||
public MediaSettings Media { get; set; } = new ();
|
||||
|
||||
/// <summary>
|
||||
/// Gets or sets the member authorization settings for the Delivery API.
|
||||
/// </summary>
|
||||
public MemberAuthorizationSettings? MemberAuthorization { get; set; } = null;
|
||||
|
||||
/// <summary>
|
||||
/// Gets a value indicating if any member authorization type is enabled for the Delivery API.
|
||||
/// </summary>
|
||||
/// <remarks>
|
||||
/// This method is intended for future extension - see remark in <see cref="MemberAuthorizationSettings"/>.
|
||||
/// </remarks>
|
||||
public bool MemberAuthorizationIsEnabled() => MemberAuthorization?.AuthorizationCodeFlow?.Enabled is true;
|
||||
|
||||
/// <summary>
|
||||
/// Typed configuration options for the Media APIs of the Delivery API.
|
||||
/// </summary>
|
||||
@@ -84,4 +97,45 @@ public class DeliveryApiSettings
|
||||
[DefaultValue(StaticPublicAccess)]
|
||||
public bool PublicAccess { get; set; } = StaticPublicAccess;
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Typed configuration options for member authorization settings for the Delivery API.
|
||||
/// </summary>
|
||||
/// <remarks>
|
||||
/// This class is intended for future extension, if/when adding support for additional
|
||||
/// authorization flows (i.e. non-interactive authorization flows).
|
||||
/// </remarks>
|
||||
public class MemberAuthorizationSettings
|
||||
{
|
||||
/// <summary>
|
||||
/// Gets or sets the Authorization Code Flow configuration for the Delivery API.
|
||||
/// </summary>
|
||||
public AuthorizationCodeFlowSettings? AuthorizationCodeFlow { get; set; } = null;
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Typed configuration options for the Authorization Code Flow settings for the Delivery API.
|
||||
/// </summary>
|
||||
public class AuthorizationCodeFlowSettings
|
||||
{
|
||||
/// <summary>
|
||||
/// Gets or sets a value indicating whether Authorization Code Flow should be enabled for the Delivery API.
|
||||
/// </summary>
|
||||
/// <value><c>true</c> if Authorization Code Flow should be enabled; otherwise, <c>false</c>.</value>
|
||||
[DefaultValue(StaticEnabled)]
|
||||
public bool Enabled { get; set; } = StaticEnabled;
|
||||
|
||||
/// <summary>
|
||||
/// Gets or sets the URLs allowed to use as redirect targets after a successful login (session authorization).
|
||||
/// </summary>
|
||||
/// <value>The URLs allowed as redirect targets.</value>
|
||||
public Uri[] LoginRedirectUrls { get; set; } = Array.Empty<Uri>();
|
||||
|
||||
/// <summary>
|
||||
/// Gets or sets the URLs allowed to use as redirect targets after a successful logout (session termination).
|
||||
/// </summary>
|
||||
/// <value>The URLs allowed as redirect targets.</value>
|
||||
/// <remarks>These are only required if logout is to be used.</remarks>
|
||||
public Uri[] LogoutRedirectUrls { get; set; } = Array.Empty<Uri>();
|
||||
}
|
||||
}
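Review bot: The two redirect allow-lists in `AuthorizationCodeFlowSettings` (`LoginRedirectUrls` and `LogoutRedirectUrls`) are plain `Uri[]` properties with no constraint stated or enforced in this type, so a relative or non-HTTPS entry bound from configuration would be accepted here; whether the consuming registration code rejects such entries is outside this hunk. Because these lists bound where the flow may redirect after login and logout, I would document the expected form on both properties, e.g. `/// <remarks>Each entry must be an absolute URL, listed exactly as the client sends it; prefer HTTPS outside local development.</remarks>`, and confirm that the consumer checks `IsAbsoluteUri` before registering them. Separately, `Enabled` defaults to `StaticEnabled`, which is not declared inside this class; it presumably resolves to a constant of the enclosing `DeliveryApiSettings`, which would tie the member-auth default to an unrelated switch. A local `private const bool StaticEnabled = false;` would keep the off-by-default behaviour explicit and independent.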
|
||||
|
||||