From ec6ac41e56c81487c05530169730587b02b53606 Mon Sep 17 00:00:00 2001
From: Shannon
Date: Fri, 27 Nov 2020 15:58:00 +1100
Subject: [PATCH] FIxes more of the auth procedure
---
 .../Controllers/AuthenticationController.cs | 12 ++++++++----
 .../Security/BackOfficeSignInManager.cs | 3 ++-
 2 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/src/Umbraco.Web.BackOffice/Controllers/AuthenticationController.cs b/src/Umbraco.Web.BackOffice/Controllers/AuthenticationController.cs
index e9f9c9fa69..0d338291e9 100644
--- a/src/Umbraco.Web.BackOffice/Controllers/AuthenticationController.cs
+++ b/src/Umbraco.Web.BackOffice/Controllers/AuthenticationController.cs
@@ -216,7 +216,7 @@ namespace Umbraco.Web.BackOffice.Controllers
 return 0;
 }
- var remainingSeconds = HttpContext.User.GetRemainingAuthSeconds();
+ var remainingSeconds = result.Principal.GetRemainingAuthSeconds();
 if (remainingSeconds <= 30)
 {
 var username = result.Principal.FindFirst(ClaimTypes.Name)?.Value;
@@ -572,13 +572,17 @@ namespace Umbraco.Web.BackOffice.Controllers
 ///
 ///
 [ValidateAngularAntiForgeryToken]
- public IActionResult PostLogout()
+ public async Task PostLogout()
 {
- HttpContext.SignOutAsync(Constants.Security.BackOfficeAuthenticationType);
+ // force authentication to occur since this is not an authorized endpoint
+ var result = await HttpContext.AuthenticateAsync(Constants.Security.BackOfficeAuthenticationType);
+ if (!result.Succeeded) return Ok();
+
+ await _signInManager.SignOutAsync();
 _logger.LogInformation("User {UserName} from IP address {RemoteIpAddress} has logged out", User.Identity == null ? "UNKNOWN" : User.Identity.Name, HttpContext.Connection.RemoteIpAddress);
- var userId = int.Parse(User.Identity.GetUserId());
+ var userId = int.Parse(result.Principal.Identity.GetUserId());
 var args = _userManager.RaiseLogoutSuccessEvent(User, userId);
 if (!args.SignOutRedirectUrl.IsNullOrWhiteSpace())
 {
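Review bot: The logged-out user is identified two different ways in the new PostLogout body: the user id is now taken from `result.Principal`, but the `_logger.LogInformation` call two lines below still reads `User.Identity`, and `RaiseLogoutSuccessEvent(User, userId)` still receives `HttpContext.User`. As the added comment says this endpoint is not authorized, `HttpContext.User` is presumably only populated when the back-office scheme is the default scheme, so the audit line can record "UNKNOWN" (and the event a different principal) for a logout that did succeed against `result.Principal`. I would use the authenticated result throughout: `result.Principal.Identity?.Name ?? "UNKNOWN"` in the log arguments and `_userManager.RaiseLogoutSuccessEvent(result.Principal, userId)`. `int.Parse(result.Principal.Identity.GetUserId())` also throws on a missing or non-numeric id claim; a `TryParse` guard that still signs out would be safer, though after a successful back-office authenticate the claim is presumably always present. PostLogout continues past the end of the hunk.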
diff --git a/src/Umbraco.Web.BackOffice/Security/BackOfficeSignInManager.cs b/src/Umbraco.Web.BackOffice/Security/BackOfficeSignInManager.cs
index df838856f1..bb4928b1f4 100644
--- a/src/Umbraco.Web.BackOffice/Security/BackOfficeSignInManager.cs
+++ b/src/Umbraco.Web.BackOffice/Security/BackOfficeSignInManager.cs
@@ -200,7 +200,8 @@ namespace Umbraco.Web.Common.Security
 await Context.SignOutAsync(Constants.Security.BackOfficeAuthenticationType);
 await Context.SignOutAsync(Constants.Security.BackOfficeExternalAuthenticationType);
- await Context.SignOutAsync(Constants.Security.BackOfficeTwoFactorAuthenticationType);
+ // TODO: Put this back in when we implement it
+ //await Context.SignOutAsync(Constants.Security.BackOfficeTwoFactorAuthenticationType);
 }
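Review bot: Commenting out the two-factor sign-out means that once that scheme is registered its cookie will survive logout unless someone remembers this `// TODO`, which is easy to miss when the feature lands. If the line was dropped because the scheme is not registered yet (SignOutAsync throws for an unknown scheme), a structural guard would re-activate itself: resolve `IAuthenticationSchemeProvider` from `Context.RequestServices` and only call `await Context.SignOutAsync(Constants.Security.BackOfficeTwoFactorAuthenticationType);` when `GetSchemeAsync` for that name returns non-null. Either way the comment should state why the call is disabled (unregistered scheme throws) rather than only that it is. The enclosing sign-out method starts before the hunk.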