V13: Fix members while using basic auth. (#18206)

* Flow additional identities to new principal

* Add extension to more easily get member identity

* Ensure the member is used instead of the backoffice user in `MemberManager`

* Update snippet

* Fix the comment that I broke

* Update src/Umbraco.Web.Common/Extensions/MemberClaimsPrincipalExtensions.cs

Co-authored-by: Andy Butland <abutland73@gmail.com>

---------

Co-authored-by: Andy Butland <abutland73@gmail.com>
Mole
2025-02-03 19:48:08 +01:00
committed by GitHub
parent e7411244fd
commit b4a9dc0770
4 changed files with 47 additions and 14 deletions


@@ -62,9 +62,16 @@ public static class HttpContextExtensions
// Update the HttpContext's user with the authenticated user's principal to ensure
// that subsequent requests within the same context will recognize the user
// as authenticated.
if (result.Succeeded)
if (result is { Succeeded: true, Principal.Identity: not null })
{
httpContext.User = result.Principal;
// We need to get existing identities that are not the backoffice kind and flow them to the new identity
// Otherwise we can't log in as both a member and a backoffice user
// For instance if you've enabled basic auth.
ClaimsPrincipal? authenticatedPrincipal = result.Principal;
IEnumerable<ClaimsIdentity> existingIdentities = httpContext.User.Identities.Where(x => x.IsAuthenticated && x.AuthenticationType != authenticatedPrincipal.Identity.AuthenticationType);
authenticatedPrincipal.AddIdentities(existingIdentities);
httpContext.User = authenticatedPrincipal;
}
return result;
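Review bot: `existingIdentities` is a deferred `Where` over `httpContext.User.Identities` that is only enumerated inside `AddIdentities`, and its lambda re-reads `authenticatedPrincipal.Identity` for every element while that principal is being modified. If this code runs more than once in a request and the handler returns the same principal instance that was already assigned to `httpContext.User` (not visible from this hunk, so worth confirming), the query would enumerate the collection it is adding to, and the non-backoffice identities would be appended a second time. Capturing the type first and materialising the list avoids both: `string? backOfficeType = authenticatedPrincipal.Identity.AuthenticationType;` followed by `.Where(x => x.IsAuthenticated && x.AuthenticationType != backOfficeType).ToList()`, skipping the merge when `ReferenceEquals(httpContext.User, authenticatedPrincipal)`. Since every authenticated identity of another scheme now travels on the backoffice principal, a comment here should say that callers must pick the identity by authentication type and not rely on `User.Identity`. The enclosing method starts above the hunk.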