Add member auth to the Delivery API

src/Umbraco.Cms.Api.Common/DependencyInjection/UmbracoBuilderAuthExtensions.cs

@@ -0,0 +1,109 @@
+using Microsoft.Extensions.DependencyInjection;
+using Umbraco.Cms.Api.Common.Security;
+using Umbraco.Cms.Core;
+using Umbraco.Cms.Core.DependencyInjection;
+using Umbraco.Cms.Infrastructure.HostedServices;
+
+namespace Umbraco.Cms.Api.Common.DependencyInjection;
+
+public static class UmbracoBuilderAuthExtensions
+{
+    private static bool _initialized;
+    private static SemaphoreSlim _initializedLocker = new(1);
+
+    public static IUmbracoBuilder AddUmbracoOpenIddict(this IUmbracoBuilder builder)
+    {
+        if (_initialized)
+        {
+            return builder;
+        }
+
+        _initializedLocker.Wait();
+
+        if (_initialized is false)
+        {
+            ConfigureOpenIddict(builder);
+            _initialized = true;
+        }
+
+        _initializedLocker.Release();
+        return builder;
+    }
+
+    private static void ConfigureOpenIddict(IUmbracoBuilder builder)
+    {
+        builder.Services.AddOpenIddict()
+            // Register the OpenIddict server components.
+            .AddServer(options =>
+            {
+                // Enable the authorization and token endpoints.
+                // - important: member endpoints MUST be added before backoffice endpoints to ensure that auto-discovery works for members
+                options
+                    .SetAuthorizationEndpointUris(
+                        Paths.MemberApi.AuthorizationEndpoint.TrimStart(Constants.CharArrays.ForwardSlash),
+                        Paths.BackOfficeApi.AuthorizationEndpoint.TrimStart(Constants.CharArrays.ForwardSlash))
+                    .SetTokenEndpointUris(
+                        Paths.MemberApi.TokenEndpoint.TrimStart(Constants.CharArrays.ForwardSlash),
+                        Paths.BackOfficeApi.TokenEndpoint.TrimStart(Constants.CharArrays.ForwardSlash))
+                    .SetLogoutEndpointUris(
+                        Paths.MemberApi.LogoutEndpoint.TrimStart(Constants.CharArrays.ForwardSlash))
+                    .SetRevocationEndpointUris(
+                        Paths.MemberApi.RevokeEndpoint.TrimStart(Constants.CharArrays.ForwardSlash));
+
+                // Enable authorization code flow with PKCE
+                options
+                    .AllowAuthorizationCodeFlow()
+                    .RequireProofKeyForCodeExchange()
+                    .AllowRefreshTokenFlow();
+
+                // Register the encryption and signing credentials.
+                // - see https://documentation.openiddict.com/configuration/encryption-and-signing-credentials.html
+                options
+                    // TODO: use actual certificates here, see docs above
+                    .AddDevelopmentEncryptionCertificate()
+                    .AddDevelopmentSigningCertificate()
+                    .DisableAccessTokenEncryption();
+
+                // Register the ASP.NET Core host and configure for custom authentication endpoint.
+                options
+                    .UseAspNetCore()
+                    .EnableAuthorizationEndpointPassthrough()
+                    .EnableLogoutEndpointPassthrough();
+
+                // Enable reference tokens
+                // - see https://documentation.openiddict.com/configuration/token-storage.html
+                options
+                    .UseReferenceAccessTokens()
+                    .UseReferenceRefreshTokens();
+
+                // Use ASP.NET Core Data Protection for tokens instead of JWT.
+                // This is more secure, and has the added benefit of having a high throughput
+                // but means that all servers (such as in a load balanced setup)
+                // needs to use the same application name and key ring,
+                // however this is already recommended for load balancing, so should be fine.
+                // See https://documentation.openiddict.com/configuration/token-formats.html#switching-to-data-protection-tokens
+                // and https://learn.microsoft.com/en-us/aspnet/core/security/data-protection/configuration/overview?view=aspnetcore-7.0
+                // for more information
+                options.UseDataProtection();
+            })
+
+            // Register the OpenIddict validation components.
+            .AddValidation(options =>
+            {
+                // Import the configuration from the local OpenIddict server instance.
+                options.UseLocalServer();
+
+                // Register the ASP.NET Core host.
+                options.UseAspNetCore();
+
+                // Enable token entry validation
+                // - see https://documentation.openiddict.com/configuration/token-storage.html#enabling-token-entry-validation-at-the-api-level
+                options.EnableTokenEntryValidation();
+
+                // Use ASP.NET Core Data Protection for tokens instead of JWT. (see note in AddServer)
+                options.UseDataProtection();
+            });
+
+        builder.Services.AddHostedService<OpenIddictCleanup>();
+    }
+}

src/Umbraco.Cms.Api.Common/OpenApi/SwaggerRouteTemplatePipelineFilter.cs

@@ -5,6 +5,7 @@
 using Microsoft.Extensions.Options;
 using Microsoft.OpenApi.Models;
 using Swashbuckle.AspNetCore.SwaggerGen;
+using Swashbuckle.AspNetCore.SwaggerUI;
 using Umbraco.Cms.Core;
 using Umbraco.Cms.Core.Configuration.Models;
 using Umbraco.Cms.Web.Common.ApplicationBuilder;
@@ -32,20 +33,8 @@ private void PostPipelineAction(IApplicationBuilder applicationBuilder)
             {
                 swaggerOptions.RouteTemplate = SwaggerRouteTemplate(applicationBuilder);
             });
-        applicationBuilder.UseSwaggerUI(
-            swaggerUiOptions =>
-            {
-                swaggerUiOptions.RoutePrefix = SwaggerUiRoutePrefix(applicationBuilder);
-
-                foreach ((var name, OpenApiInfo? apiInfo) in swaggerGenOptions.Value.SwaggerGeneratorOptions.SwaggerDocs
-                             .OrderBy(x => x.Value.Title))
-                {
-                    swaggerUiOptions.SwaggerEndpoint($"{name}/swagger.json", $"{apiInfo.Title}");
-                }
 
-                swaggerUiOptions.OAuthClientId(Constants.OauthClientIds.Swagger);
-                swaggerUiOptions.OAuthUsePkce();
-            });
+        applicationBuilder.UseSwaggerUI(swaggerUiOptions => SwaggerUiConfiguration(swaggerUiOptions, swaggerGenOptions.Value, applicationBuilder));
     }
 
     protected virtual bool SwaggerIsEnabled(IApplicationBuilder applicationBuilder)
@@ -60,6 +49,23 @@ protected virtual string SwaggerRouteTemplate(IApplicationBuilder applicationBui
     protected virtual string SwaggerUiRoutePrefix(IApplicationBuilder applicationBuilder)
         => $"{GetUmbracoPath(applicationBuilder).TrimStart(Constants.CharArrays.ForwardSlash)}/swagger";
 
+    protected virtual void SwaggerUiConfiguration(
+        SwaggerUIOptions swaggerUiOptions,
+        SwaggerGenOptions swaggerGenOptions,
+        IApplicationBuilder applicationBuilder)
+    {
+        swaggerUiOptions.RoutePrefix = SwaggerUiRoutePrefix(applicationBuilder);
+
+        foreach ((var name, OpenApiInfo? apiInfo) in swaggerGenOptions.SwaggerGeneratorOptions.SwaggerDocs
+                     .OrderBy(x => x.Value.Title))
+        {
+            swaggerUiOptions.SwaggerEndpoint($"{name}/swagger.json", $"{apiInfo.Title}");
+        }
+
+        swaggerUiOptions.OAuthClientId(Constants.OAuthClientIds.Swagger);
+        swaggerUiOptions.OAuthUsePkce();
+    }
+
     private string GetUmbracoPath(IApplicationBuilder applicationBuilder)
     {
         GlobalSettings settings = applicationBuilder.ApplicationServices.GetRequiredService<IOptions<GlobalSettings>>().Value;

src/Umbraco.Cms.Api.Common/Security/Paths.cs

@@ -0,0 +1,32 @@
+namespace Umbraco.Cms.Api.Common.Security;
+
+public static class Paths
+{
+    public static class BackOfficeApi
+    {
+        public const string EndpointTemplate = "security/back-office";
+
+        public static readonly string AuthorizationEndpoint = EndpointPath($"{EndpointTemplate}/authorize");
+
+        public static readonly string TokenEndpoint = EndpointPath($"{EndpointTemplate}/token");
+
+        // TODO: talk to Jacob about what is the preferred versioning scheme for the new backoffice client - /v1.0/ or /v1/
+        private static string EndpointPath(string relativePath) => $"/umbraco/management/api/v1.0/{relativePath}";
+    }
+
+    public static class MemberApi
+    {
+        public const string EndpointTemplate = "security/member";
+
+        public static readonly string AuthorizationEndpoint = EndpointPath($"{EndpointTemplate}/authorize");
+
+        public static readonly string TokenEndpoint = EndpointPath($"{EndpointTemplate}/token");
+
+        public static readonly string LogoutEndpoint = EndpointPath($"{EndpointTemplate}/signout");
+
+        public static readonly string RevokeEndpoint = EndpointPath($"{EndpointTemplate}/revoke");
+
+        // NOTE: we're NOT using /api/v1.0/ here because it will clash with the Delivery API docs
+        private static string EndpointPath(string relativePath) => $"/umbraco/delivery/api/v1/{relativePath}";
+    }
+}

src/Umbraco.Cms.Api.Delivery/Configuration/ConfigureUmbracoMemberAuthenticationDeliveryApiSwaggerGenOptions.cs

@@ -0,0 +1,36 @@
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Options;
+using Microsoft.OpenApi.Models;
+using Swashbuckle.AspNetCore.SwaggerGen;
+using Umbraco.Cms.Api.Common.Security;
+
+namespace Umbraco.Cms.Api.Delivery.Configuration;
+
+/// <summary>
+/// This configures member authentication for the Delivery API in Swagger. Consult the docs for
+/// member authentication within the Delivery API for instructions on how to use this.
+/// </summary>
+/// <remarks>
+/// This class is not used by the core CMS due to the required installation dependencies (local login page among other things).
+/// </remarks>
+public class ConfigureUmbracoMemberAuthenticationDeliveryApiSwaggerGenOptions : IConfigureOptions<SwaggerGenOptions>
+{
+    public void Configure(SwaggerGenOptions options)
+        => options.AddSecurityDefinition(
+            "Umbraco Member",
+            new OpenApiSecurityScheme
+            {
+                In = ParameterLocation.Header,
+                Name = "Umbraco Member",
+                Type = SecuritySchemeType.OAuth2,
+                Description = "Umbraco Member Authentication",
+                Flows = new OpenApiOAuthFlows
+                {
+                    AuthorizationCode = new OpenApiOAuthFlow
+                    {
+                        AuthorizationUrl = new Uri(Paths.MemberApi.AuthorizationEndpoint, UriKind.Relative),
+                        TokenUrl = new Uri(Paths.MemberApi.TokenEndpoint, UriKind.Relative)
+                    }
+                }
+            });
+}

src/Umbraco.Cms.Api.Delivery/Controllers/ByIdContentApiController.cs

@@ -1,7 +1,9 @@
 using Asp.Versioning;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
+using Microsoft.Extensions.DependencyInjection;
 using Umbraco.Cms.Core.DeliveryApi;
+using Umbraco.Cms.Core.DependencyInjection;
 using Umbraco.Cms.Core.Models.DeliveryApi;
 using Umbraco.Cms.Core.Models.PublishedContent;
 using Umbraco.Cms.Core.Services;
@@ -11,14 +13,41 @@ namespace Umbraco.Cms.Api.Delivery.Controllers;
 [ApiVersion("1.0")]
 public class ByIdContentApiController : ContentApiItemControllerBase
 {
+    private readonly IRequestMemberService _requestMemberService;
+
+    [Obsolete($"Please use the constructor that does not accept {nameof(IPublicAccessService)}. Will be removed in V14.")]
     public ByIdContentApiController(
         IApiPublishedContentCache apiPublishedContentCache,
         IApiContentResponseBuilder apiContentResponseBuilder,
         IPublicAccessService publicAccessService)
-        : base(apiPublishedContentCache, apiContentResponseBuilder, publicAccessService)
+        : this(
+            apiPublishedContentCache,
+            apiContentResponseBuilder,
+            StaticServiceProvider.Instance.GetRequiredService<IRequestMemberService>())
     {
     }
 
+    [Obsolete($"Please use the constructor that does not accept {nameof(IPublicAccessService)}. Will be removed in V14.")]
+    public ByIdContentApiController(
+        IApiPublishedContentCache apiPublishedContentCache,
+        IApiContentResponseBuilder apiContentResponseBuilder,
+        IPublicAccessService publicAccessService,
+        IRequestMemberService requestMemberService)
+        : this(
+            apiPublishedContentCache,
+            apiContentResponseBuilder,
+            requestMemberService)
+    {
+    }
+
+    [ActivatorUtilitiesConstructor]
+    public ByIdContentApiController(
+        IApiPublishedContentCache apiPublishedContentCache,
+        IApiContentResponseBuilder apiContentResponseBuilder,
+        IRequestMemberService requestMemberService)
+        : base(apiPublishedContentCache, apiContentResponseBuilder)
+        => _requestMemberService = requestMemberService;
+
     /// <summary>
     ///     Gets a content item by id.
     /// </summary>
@@ -28,6 +57,7 @@ public class ByIdContentApiController : ContentApiItemControllerBase
     [MapToApiVersion("1.0")]
     [ProducesResponseType(typeof(IApiContentResponse), StatusCodes.Status200OK)]
     [ProducesResponseType(StatusCodes.Status401Unauthorized)]
+    [ProducesResponseType(StatusCodes.Status403Forbidden)]
     [ProducesResponseType(StatusCodes.Status404NotFound)]
     public async Task<IActionResult> ById(Guid id)
     {
@@ -38,9 +68,10 @@ public async Task<IActionResult> ById(Guid id)
             return NotFound();
         }
 
-        if (IsProtected(contentItem))
+        IActionResult? deniedAccessResult = await HandleMemberAccessAsync(contentItem, _requestMemberService);
+        if (deniedAccessResult is not null)
         {
-            return Unauthorized();
+            return deniedAccessResult;
         }
 
         IApiContentResponse? apiContentResponse = ApiContentResponseBuilder.Build(contentItem);
@@ -49,6 +80,6 @@ public async Task<IActionResult> ById(Guid id)
             return NotFound();
         }
 
-        return await Task.FromResult(Ok(apiContentResponse));
+        return Ok(apiContentResponse);
     }
 }