Add member auth to the Delivery API (#14730)

* Refactor OpenIddict for shared usage between APIs + implement member authentication and handling within the Delivery API

* Make SwaggerRouteTemplatePipelineFilter UI config overridable

* Enable token revocation + rename logout endpoint to signout

* Add default implementation of SwaggerGenOptions configuration for enabling Delivery API member auth in Swagger

* Correct notification handling when (un)protecting content

* Fixing integration test framework

* Cleanup test to not execute some composers twice

* Update paths to match docs

* Return Forbidden when a member is authenticated but not allowed to access the requested resource

* Cleanup

* Rename RequestMemberService to RequestMemberAccessService

* Rename badly named variable

* Review comments

* Hide the auth controller from Swagger

* Remove semaphore

* Add security requirements for content API operations in Swagger

* Hide the back-office auth endpoints from Swagger

* Fix merge

* Update back-office API auth endpoint paths + add revoke and sign-out endpoints (as of now they do not exist, a separate task will fix that)

* Swap endpoint order to maintain backwards compat with the current login screen for new back-office (will be swapped back again to ensure correct .well-known endpoints, see FIXME comment)

* Make "items by IDs" endpoint support member auth

* Add 401 and 403 to "items by IDs" endpoint responses

---------

Co-authored-by: Bjarke Berg <mail@bergmania.dk>
Co-authored-by: Elitsa <elm@umbraco.dk>
This commit is contained in:
Kenn Jacobsen
2023-09-26 09:22:45 +02:00
committed by GitHub
parent 624f9a0508
commit 83321a8fad
50 changed files with 1521 additions and 276 deletions


@@ -0,0 +1,8 @@
namespace Umbraco.Cms.Infrastructure.Security;
public interface IMemberApplicationManager
{
Task EnsureMemberApplicationAsync(IEnumerable<Uri> loginRedirectUrls, IEnumerable<Uri> logoutRedirectUrls, CancellationToken cancellationToken = default);
Task DeleteMemberApplicationAsync(CancellationToken cancellationToken = default);
}
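Review bot: The new public interface IMemberApplicationManager and both of its methods ship without XML doc comments, so a caller cannot tell from the contract whether EnsureMemberApplicationAsync creates the member OpenIddict application when it is absent or also reconciles an existing one, nor what the two URI collections are validated against. I would add a `<summary>` on the interface along the lines of "Manages the OpenIddict client application used for Delivery API member authentication", a `<summary>` on EnsureMemberApplicationAsync stating whether it is idempotent on repeated calls, `<param>` entries for loginRedirectUrls and logoutRedirectUrls describing them as the redirect URIs the application will accept, and a `<summary>` on DeleteMemberApplicationAsync stating its behaviour when no application exists. Since the commit description says the logout endpoint was renamed to signout, the parameter name logoutRedirectUrls may be worth aligning with that rename (or documenting that it maps to the post-logout redirect URIs) — I can't confirm the intended mapping from this hunk alone.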


@@ -0,0 +1,37 @@
using OpenIddict.Abstractions;
namespace Umbraco.Cms.Infrastructure.Security;
public abstract class OpenIdDictApplicationManagerBase
{
private readonly IOpenIddictApplicationManager _applicationManager;
protected OpenIdDictApplicationManagerBase(IOpenIddictApplicationManager applicationManager)
=> _applicationManager = applicationManager;
protected async Task CreateOrUpdate(OpenIddictApplicationDescriptor clientDescriptor, CancellationToken cancellationToken)
{
var identifier = clientDescriptor.ClientId ??
throw new ApplicationException($"ClientId is missing for application: {clientDescriptor.DisplayName ?? "(no name)"}");
var client = await _applicationManager.FindByClientIdAsync(identifier, cancellationToken);
if (client is null)
{
await _applicationManager.CreateAsync(clientDescriptor, cancellationToken);
}
else
{
await _applicationManager.UpdateAsync(client, clientDescriptor, cancellationToken);
}
}
protected async Task Delete(string identifier, CancellationToken cancellationToken)
{
var client = await _applicationManager.FindByClientIdAsync(identifier, cancellationToken);
if (client is null)
{
return;
}
await _applicationManager.DeleteAsync(client, cancellationToken);
}
}
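Review bot: CreateOrUpdate throws `ApplicationException` when the descriptor has no ClientId; that type is discouraged for application code (CA2201) and callers generally do not catch it, so the line should read `throw new InvalidOperationException($"ClientId is missing for application: {clientDescriptor.DisplayName ?? "(no name)"}");` (or `ArgumentException` with `nameof(clientDescriptor)`, since it is an argument-validation failure). The two protected members return Task but are named `CreateOrUpdate` and `Delete` rather than `CreateOrUpdateAsync` and `DeleteAsync`, which is inconsistent with the `Async` suffix used on the interface in the other new file in this commit. Worth a comment on the update branch: if OpenIddict's UpdateAsync populates the stored application from the descriptor (which I believe it does, but have not verified against the version in use), any redirect URIs or permissions added to the application outside this code path are overwritten on the next call, e.g. `// Update replaces the stored descriptor; out-of-band changes to redirect URIs/permissions are not preserved.` Both methods also lack XML doc comments stating that CreateOrUpdate is keyed on ClientId and that Delete is a no-op when the client is absent.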