Refactor authentication services and middleware

Author: KrzysztofPajak

src/Business/Grand.Business.Authentication/Services/ApiAuthenticationService.cs

@@ -5,6 +5,7 @@
 using Grand.Infrastructure.Configuration;
 using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Authentication.JwtBearer;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Http;
 using Microsoft.Net.Http.Headers;
 
@@ -34,12 +35,12 @@ public virtual async Task<Customer> GetAuthenticatedCustomer()
         if (string.IsNullOrEmpty(authHeader))
             return null;
 
-        if (_httpContextAccessor.HttpContext.Request.Path.Value != null
-            && !_httpContextAccessor.HttpContext.Request.Path.Value.StartsWith("/api"))
+        if (IsApiFrontAuthenticated())
         {
             customer = await ApiCustomer();
             return customer;
         }
+
         var authenticateResult = await _httpContextAccessor.HttpContext.AuthenticateAsync(JwtBearerDefaults.AuthenticationScheme);
         if (!authenticateResult.Succeeded)
             return null;
@@ -55,6 +56,15 @@ public virtual async Task<Customer> GetAuthenticatedCustomer()
 
         return customer;
     }
+    private bool IsApiFrontAuthenticated()
+    {
+        var endpoint = _httpContextAccessor.HttpContext.GetEndpoint();
+        if (endpoint == null) return false;
+
+        var authorizeAttributes = endpoint.Metadata.GetOrderedMetadata<AuthorizeAttribute>();
+        return authorizeAttributes.Any(attr => attr.AuthenticationSchemes?.Contains(FrontendAPIConfig.AuthenticationScheme) == true);
+    }
+    
 
     private async Task<Customer> ApiCustomer()
     {

src/Business/Grand.Business.Authentication/Services/CookieAuthenticationService.cs

@@ -55,7 +55,6 @@ public CookieAuthenticationService(
     private readonly IGroupService _groupService;
     private readonly IHttpContextAccessor _httpContextAccessor;
     private readonly SecurityConfig _securityConfig;
-    private Customer _cachedCustomer;
 
     #endregion
 
@@ -112,22 +111,15 @@ public virtual async Task SignIn(Customer customer, bool isPersistent)
         {
             _httpContextAccessor.HttpContext.Response.Cookies.Delete(CustomerCookieName);
 
-            await _httpContextAccessor.HttpContext.SignInAsync(
-                GrandCookieAuthenticationDefaults.AuthenticationScheme, userPrincipal, authenticationProperties);
+            await _httpContextAccessor.HttpContext.SignInAsync(GrandCookieAuthenticationDefaults.AuthenticationScheme, userPrincipal, authenticationProperties);
         }
-
-        //cache authenticated customer
-        _cachedCustomer = customer;
     }
 
     /// <summary>
     ///     Sign out customer
     /// </summary>
     public virtual async Task SignOut()
     {
-        //Firstly reset cached customer
-        _cachedCustomer = null;
-
         //and then sign out customer from the present scheme of authentication
         if (_httpContextAccessor.HttpContext != null)
         {
@@ -145,15 +137,7 @@ await _httpContextAccessor.HttpContext.SignOutAsync(GrandCookieAuthenticationDef
     /// <returns>Customer</returns>
     public virtual async Task<Customer> GetAuthenticatedCustomer()
     {
-        //check if there is a cached customer
-        if (_cachedCustomer != null)
-            return _cachedCustomer;
-
-        //get the authenticated user identity
-        if (_httpContextAccessor.HttpContext == null) return _cachedCustomer;
-        var authenticateResult =
-            await _httpContextAccessor.HttpContext.AuthenticateAsync(GrandCookieAuthenticationDefaults
-                .AuthenticationScheme);
+        var authenticateResult = await _httpContextAccessor.HttpContext.AuthenticateAsync(GrandCookieAuthenticationDefaults.AuthenticationScheme);
         if (!authenticateResult.Succeeded)
             return null;
 
@@ -195,10 +179,7 @@ await _httpContextAccessor.HttpContext.AuthenticateAsync(GrandCookieAuthenticati
         if (customer is not { Active: true } || customer.Deleted || !await _groupService.IsRegistered(customer))
             return null;
 
-        //Cache the authenticated customer
-        _cachedCustomer = customer;
-
-        return _cachedCustomer;
+        return customer;
     }
 
     /// <summary>

src/Web/Grand.Web.Common/Middleware/CultureSettingMiddleware.cs

@@ -15,7 +15,7 @@ public CultureSettingMiddleware(RequestDelegate next)
 
     public async Task InvokeAsync(HttpContext context, IWorkContextAccessor workContextAccessor)
     {
-        if (workContextAccessor.WorkContext.WorkingLanguage != null)
+        if (workContextAccessor.WorkContext?.WorkingLanguage != null)
         {
             var culture = new CultureInfo(workContextAccessor.WorkContext.WorkingLanguage.LanguageCulture);
 

src/Web/Grand.Web.Common/Middleware/WorkContextMiddleware.cs

@@ -1,5 +1,6 @@
 using Grand.Infrastructure;
 using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Routing;
 
 namespace Grand.Web.Common.Middleware;
 
@@ -9,6 +10,8 @@ public class WorkContextMiddleware
 
     private readonly RequestDelegate _next;
 
+    private readonly List<string> skipRoutePattern = ["/scalar/{documentName}", "/openapi/{documentName}.json"];
+
     #endregion
 
     #region Ctor
@@ -35,6 +38,17 @@ public WorkContextMiddleware(RequestDelegate next)
     public async Task InvokeAsync(HttpContext context, IWorkContextSetter workContextSetter, IWorkContextAccessor workContextAccessor)
     {
         if (context?.Request == null) return;
+        
+        var endpoint = context.GetEndpoint();
+        if (endpoint != null)
+        {
+            var routePattern = (endpoint as RouteEndpoint)?.RoutePattern.RawText;
+            if (routePattern != null && skipRoutePattern.Any(pattern => routePattern.StartsWith(pattern, StringComparison.OrdinalIgnoreCase)))
+            {
+                await _next(context);
+                return;
+            }
+        }
 
         //set current context
         var workContext = await workContextSetter.InitializeWorkContext();

src/Web/Grand.Web.Common/WorkContextSetter.cs

@@ -175,23 +175,21 @@ protected async Task<Customer> CurrentCustomer(Store store)
         var customer = await GetBackgroundTaskCustomer();
         if (customer != null) return customer;
 
-        customer = await GetSearchEngineCustomer();
+        customer = await GetAllowAnonymousCustomer();
         if (customer != null) return customer;
 
-        customer = await GetAllowAnonymousCustomer();
+        customer = await GetCookieAuthenticatedCustomer();
         if (customer != null) return customer;
 
         customer = await GetGuestCustomer();
         if (customer != null) return customer;
 
-        customer = await GetAuthenticatedCustomer();
+        customer = await GetSearchEngineCustomer();
         if (customer != null) return customer;
 
         customer = await GetApiUserCustomer();
         if (customer != null) return customer;
-
 
-
         //create guest if not exists
         customer = await CreateCustomerGuest(store);
 
@@ -213,7 +211,7 @@ private async Task<Customer> GetAllowAnonymousCustomer()
         return await _customerService.GetCustomerBySystemName(SystemCustomerNames.Anonymous);
     }
 
-    private async Task<Customer> GetAuthenticatedCustomer()
+    private async Task<Customer> GetCookieAuthenticatedCustomer()
     {
         var customer = await _authenticationService.GetAuthenticatedCustomer();
         if (customer == null) return null;
@@ -229,8 +227,7 @@ private async Task<Customer> GetAuthenticatedCustomer()
 
     private async Task<Customer> GetApiUserCustomer()
     {
-        var apiAuthenticationService =
-            _httpContextAccessor.HttpContext.RequestServices.GetService<IApiAuthenticationService>();
+        var apiAuthenticationService = _httpContextAccessor.HttpContext.RequestServices.GetService<IApiAuthenticationService>();
         return await apiAuthenticationService.GetAuthenticatedCustomer();
     }