From bbd935a0b89c822900be4275bc7921884f0ec1d4 Mon Sep 17 00:00:00 2001
From: Bjarke Berg
Date: Fri, 6 Aug 2021 11:26:31 +0200
Subject: [PATCH] Updates based on review feedback
---
 .../Configuration/Models/BasicAuthSettings.cs | 3 +-
 .../UmbracoBuilder.BackOfficeAuth.cs | 2 +-
 .../BasicAuthAuthenticationMiddleware.cs | 20 ++----
 .../Extensions/HttpContextExtensions.cs | 31 +++++++++++++++++++
 4 files changed, 36 insertions(+), 20 deletions(-)
diff --git a/src/Umbraco.Core/Configuration/Models/BasicAuthSettings.cs b/src/Umbraco.Core/Configuration/Models/BasicAuthSettings.cs
index d8daa61cb5..054619d843 100644
--- a/src/Umbraco.Core/Configuration/Models/BasicAuthSettings.cs
+++ b/src/Umbraco.Core/Configuration/Models/BasicAuthSettings.cs
@@ -1,6 +1,7 @@
 // Copyright (c) Umbraco.
 // See LICENSE for more details.
+using System;
 using System.ComponentModel;
 using System.Net;
@@ -21,6 +22,6 @@ namespace Umbraco.Cms.Core.Configuration.Models
 public bool Enabled { get; set; } = StaticEnabled;
- public string[] AllowedIPs { get; set; } = new string[0];
+ public string[] AllowedIPs { get; set; } = Array.Empty();
 }
 }
diff --git a/src/Umbraco.Web.BackOffice/DependencyInjection/UmbracoBuilder.BackOfficeAuth.cs b/src/Umbraco.Web.BackOffice/DependencyInjection/UmbracoBuilder.BackOfficeAuth.cs
index 8c57ab9978..c7d7df33a7 100644
--- a/src/Umbraco.Web.BackOffice/DependencyInjection/UmbracoBuilder.BackOfficeAuth.cs
+++ b/src/Umbraco.Web.BackOffice/DependencyInjection/UmbracoBuilder.BackOfficeAuth.cs
@@ -50,7 +50,7 @@ namespace Umbraco.Extensions
 builder.Services.ConfigureOptions();
 builder.Services.AddSingleton();
- builder.Services.AddScoped();
+ builder.Services.AddSingleton();
 builder.Services.AddUnique();
 builder.Services.AddUnique, PasswordChanger>();
diff --git a/src/Umbraco.Web.BackOffice/Middleware/BasicAuthAuthenticationMiddleware.cs b/src/Umbraco.Web.BackOffice/Middleware/BasicAuthAuthenticationMiddleware.cs
index 719dfed6c0..bd594169d2 100644
--- a/src/Umbraco.Web.BackOffice/Middleware/BasicAuthAuthenticationMiddleware.cs
+++ b/src/Umbraco.Web.BackOffice/Middleware/BasicAuthAuthenticationMiddleware.cs
@@ -51,25 +51,11 @@ namespace Umbraco.Cms.Web.Common.Middleware
 return;
 }
-
- string authHeader = context.Request.Headers["Authorization"];
- if (authHeader != null && authHeader.StartsWith("Basic"))
+ if (context.TryGetBasicAuthCredentials(out var username, out var password))
 {
- //Extract credentials
- var encodedUsernamePassword = authHeader.Substring(6).Trim();
- var encoding = Encoding.UTF8;
- var usernamePassword = encoding.GetString(Convert.FromBase64String(encodedUsernamePassword));
-
- var seperatorIndex = usernamePassword.IndexOf(':');
-
- var username = usernamePassword.Substring(0, seperatorIndex);
- var password = usernamePassword.Substring(seperatorIndex + 1);
-
-
 IBackOfficeSignInManager backOfficeSignInManager = context.RequestServices.GetRequiredService();
-
 SignInResult signInResult = await backOfficeSignInManager.PasswordSignInAsync(username, password, false, true);
@@ -89,12 +75,10 @@ namespace Umbraco.Cms.Web.Common.Middleware
 }
 }
-
-
 private static void SetUnauthorizedHeader(HttpContext context)
 {
 context.Response.StatusCode = 401;
- context.Response.Headers.Add("WWW-Authenticate", "Basic realm=\"Umbraco as a Service login\"");
+ context.Response.Headers.Add("WWW-Authenticate", "Basic realm=\"Umbraco login\"");
 }
 }
 }
diff --git a/src/Umbraco.Web.Common/Extensions/HttpContextExtensions.cs b/src/Umbraco.Web.Common/Extensions/HttpContextExtensions.cs
index 4b3915f387..afd0c5be48 100644
--- a/src/Umbraco.Web.Common/Extensions/HttpContextExtensions.cs
+++ b/src/Umbraco.Web.Common/Extensions/HttpContextExtensions.cs
@@ -1,5 +1,6 @@
 using System;
 using System.Security.Claims;
+using System.Text;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Http;
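Review bot: The new `if (context.TryGetBasicAuthCredentials(out var username, out var password))` guard does not keep null or malformed credentials away from the `PasswordSignInAsync(username, password, false, true)` call that follows it in this hunk. As the helper is written in the HttpContextExtensions hunk of this same patch, its `return true;` sits outside the `StartsWith("Basic")` branch, so any other Authorization scheme (a Bearer token, for example) enters this block with `username` and `password` still null, and a Basic payload that is not valid base64, or that contains no `:`, throws `FormatException`/`ArgumentOutOfRangeException` out of the middleware as an unhandled exception instead of producing the 401 that `SetUnauthorizedHeader` is there for. The fix belongs in the helper — move `return true;` inside the Basic branch and return false when `Convert.FromBase64String` fails or `seperatorIndex < 0` — but this call site should not trust the out values blindly either, e.g. `if (context.TryGetBasicAuthCredentials(out var username, out var password) && !string.IsNullOrEmpty(username))`. While there, `StartsWith("Basic")` is culture-sensitive and case-sensitive although the scheme token is case-insensitive (RFC 7617), so `StartsWith("Basic ", StringComparison.OrdinalIgnoreCase)` is the safer check. The enclosing middleware method starts and ends outside this hunk.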
@@ -11,6 +12,36 @@ namespace Umbraco.Extensions
 {
+ ///
+ /// Try to get the basic auth username and password from the http context.
+ ///
+ public static bool TryGetBasicAuthCredentials(this HttpContext httpContext, out string username, out string password)
+ {
+ username = null;
+ password = null;
+
+ if ( httpContext.Request.Headers.TryGetValue("Authorization", out var authHeaders))
+ {
+ var authHeader = authHeaders.ToString();
+ if (authHeader is not null && authHeader.StartsWith("Basic"))
+ {
+ //Extract credentials
+ var encodedUsernamePassword = authHeader.Substring(6).Trim();
+ var encoding = Encoding.UTF8;
+ var usernamePassword = encoding.GetString(Convert.FromBase64String(encodedUsernamePassword));
+
+ var seperatorIndex = usernamePassword.IndexOf(':');
+
+ username = usernamePassword.Substring(0, seperatorIndex);
+ password = usernamePassword.Substring(seperatorIndex + 1);
+ }
+
+ return true;
+ }
+
+ return false;
+ }
+
 ///
 /// Runs the authentication process
 ///