Update security stamps on logout (#14362)

Co-authored-by: Zeegaan <nge@umbraco.dk>

src/Umbraco.Web.Common/DependencyInjection/UmbracoBuilder.MembersIdentity.cs

@@ -65,6 +65,7 @@ public static partial class UmbracoBuilderExtensions
 
         services.ConfigureOptions<ConfigureSecurityStampOptions>();
         services.ConfigureOptions<ConfigureMemberCookieOptions>();
+        services.AddScoped<MemberSecurityStampValidator>();
 
         services.AddUnique<IMemberExternalLoginProviders, MemberExternalLoginProviders>();
 

src/Umbraco.Web.Common/Security/ConfigureMemberCookieOptions.cs

@@ -1,6 +1,7 @@
 using Microsoft.AspNetCore.Authentication.Cookies;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Identity;
+using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Options;
 using Umbraco.Cms.Core.Routing;
 using Umbraco.Cms.Core.Services;
@@ -47,6 +48,14 @@ public sealed class ConfigureMemberCookieOptions : IConfigureNamedOptions<Cookie
 
                 return Task.CompletedTask;
             },
+            OnValidatePrincipal = async ctx =>
+            {
+                // We need to resolve the BackOfficeSecurityStampValidator per request as a requirement (even in aspnetcore they do this)
+                MemberSecurityStampValidator securityStampValidator =
+                    ctx.HttpContext.RequestServices.GetRequiredService<MemberSecurityStampValidator>();
+
+                await securityStampValidator.ValidateAsync(ctx);
+            },
             OnRedirectToAccessDenied = ctx =>
             {
                 ctx.Response.StatusCode = StatusCodes.Status403Forbidden;

src/Umbraco.Web.Common/Security/MemberSecurityStampValidator.cs

@@ -0,0 +1,26 @@
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Authentication.Cookies;
+using Microsoft.AspNetCore.Identity;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
+using Umbraco.Cms.Core.Security;
+
+namespace Umbraco.Cms.Web.Common.Security;
+
+/// <summary>
+///     A security stamp validator for the back office
+/// </summary>
+public class MemberSecurityStampValidator : SecurityStampValidator<MemberIdentityUser>
+{
+    public MemberSecurityStampValidator(
+        IOptions<MemberSecurityStampValidatorOptions> options,
+        MemberSignInManager signInManager, ISystemClock clock, ILoggerFactory logger)
+        : base(options, signInManager, clock, logger)
+    {
+    }
+
+    public override Task ValidateAsync(CookieValidatePrincipalContext context)
+    {
+        return base.ValidateAsync(context);
+    }
+}

src/Umbraco.Web.Common/Security/MemberSecurityStampValidatorOptions.cs

@@ -0,0 +1,7 @@
+using Microsoft.AspNetCore.Identity;
+
+namespace Umbraco.Cms.Web.Common.Security;
+
+public class MemberSecurityStampValidatorOptions : SecurityStampValidatorOptions
+{
+}

src/Umbraco.Web.Common/Security/UmbracoSignInManager.cs

@@ -238,6 +238,14 @@ public abstract class UmbracoSignInManager<TUser> : SignInManager<TUser>
     /// <inheritdoc />
     public override async Task SignOutAsync()
     {
+        // Update the security stamp to sign out everywhere.
+        TUser? user = await UserManager.GetUserAsync(Context.User);
+
+        if (user is not null)
+        {
+            await UserManager.UpdateSecurityStampAsync(user);
+        }
+
         // override to replace IdentityConstants.ApplicationScheme with custom auth types
         // code taken from aspnetcore: https://github.com/dotnet/aspnetcore/blob/master/src/Identity/Core/src/SignInManager.cs
         await Context.SignOutAsync(AuthenticationType);