feat: Add PhishLabs incident reporting backend and frontend components

Co-authored-by: markcoleman <[email protected]>

Author: Copilot

src/UmbracoWeb/UmbracoWeb/Controllers/PhishLabsController.cs

@@ -0,0 +1,119 @@
+using Microsoft.AspNetCore.Mvc;
+using System.ComponentModel.DataAnnotations;
+using UmbracoWeb.Models;
+using UmbracoWeb.Services;
+
+namespace UmbracoWeb.Controllers;
+
+/// <summary>
+/// API controller for PhishLabs incident reporting
+/// </summary>
+[ApiController]
+[Route("api/[controller]")]
+public class PhishLabsController : ControllerBase
+{
+    private readonly IPhishLabsService _phishLabsService;
+    private readonly ILogger<PhishLabsController> _logger;
+
+    public PhishLabsController(
+        IPhishLabsService phishLabsService, 
+        ILogger<PhishLabsController> logger)
+    {
+        _phishLabsService = phishLabsService ?? throw new ArgumentNullException(nameof(phishLabsService));
+        _logger = logger ?? throw new ArgumentNullException(nameof(logger));
+    }
+
+    /// <summary>
+    /// Submit a phishing incident report
+    /// </summary>
+    /// <param name="request">The incident request</param>
+    /// <param name="cancellationToken">Cancellation token</param>
+    /// <returns>Response indicating success or failure</returns>
+    [HttpPost("incidents")]
+    [ValidateAntiForgeryToken]
+    public async Task<ActionResult<PhishLabsIncidentResponse>> SubmitIncident(
+        [FromBody] PhishLabsIncidentRequest request,
+        CancellationToken cancellationToken = default)
+    {
+        // Generate correlation ID for this request
+        var correlationId = Guid.NewGuid().ToString("N")[..12];
+
+        // Get client IP for logging (but don't store PII)
+        var clientIp = GetClientIpHash();
+
+        _logger.LogInformation("PhishLabs incident submission started. CorrelationId: {CorrelationId}, ClientIP: {ClientIpHash}", 
+            correlationId, clientIp);
+
+        // Validate model state
+        if (!ModelState.IsValid)
+        {
+            _logger.LogWarning("Invalid PhishLabs incident request. CorrelationId: {CorrelationId}, Errors: {Errors}", 
+                correlationId, string.Join(", ", ModelState.Values.SelectMany(v => v.Errors).Select(e => e.ErrorMessage)));
+
+            return BadRequest(new PhishLabsIncidentResponse
+            {
+                Success = false,
+                CorrelationId = correlationId,
+                Message = "Please check your input and try again.",
+                ErrorDetails = string.Join(", ", ModelState.Values.SelectMany(v => v.Errors).Select(e => e.ErrorMessage))
+            });
+        }
+
+        try
+        {
+            // Submit to PhishLabs
+            var response = await _phishLabsService.SubmitIncidentAsync(request, correlationId, cancellationToken);
+
+            if (response.Success)
+            {
+                _logger.LogInformation("PhishLabs incident submitted successfully. CorrelationId: {CorrelationId}", correlationId);
+                return Ok(response);
+            }
+            else
+            {
+                _logger.LogWarning("PhishLabs incident submission failed. CorrelationId: {CorrelationId}", correlationId);
+                return StatusCode(500, response);
+            }
+        }
+        catch (ValidationException ex)
+        {
+            _logger.LogWarning(ex, "Validation error in PhishLabs incident submission. CorrelationId: {CorrelationId}", correlationId);
+
+            return BadRequest(new PhishLabsIncidentResponse
+            {
+                Success = false,
+                CorrelationId = correlationId,
+                Message = "Please check your input and try again.",
+                ErrorDetails = ex.Message
+            });
+        }
+        catch (Exception ex)
+        {
+            _logger.LogError(ex, "Unexpected error in PhishLabs incident submission. CorrelationId: {CorrelationId}", correlationId);
+
+            return StatusCode(500, new PhishLabsIncidentResponse
+            {
+                Success = false,
+                CorrelationId = correlationId,
+                Message = "Something went wrong — please try again. If it keeps failing, contact support.",
+                ErrorDetails = "Internal server error"
+            });
+        }
+    }
+
+    /// <summary>
+    /// Health check endpoint for the PhishLabs integration
+    /// </summary>
+    [HttpGet("health")]
+    public ActionResult<object> Health()
+    {
+        return Ok(new { status = "healthy", timestamp = DateTime.UtcNow });
+    }
+
+    private string GetClientIpHash()
+    {
+        var remoteIp = HttpContext.Connection.RemoteIpAddress?.ToString() ?? "unknown";
+        // Hash the IP for privacy - don't store actual IPs
+        return remoteIp.GetHashCode().ToString("X8");
+    }
+}

src/UmbracoWeb/UmbracoWeb/Program.cs

@@ -1,6 +1,8 @@
 using Serilog;
 using Umbraco.Cms.Core.DependencyInjection;
 using Umbraco.Extensions;
+using UmbracoWeb.Models;
+using UmbracoWeb.Services;
 
 // Configure Serilog
 Log.Logger = new LoggerConfiguration()
@@ -16,6 +18,34 @@
     // Add Serilog
     builder.Host.UseSerilog();
 
+    // Configure PhishLabs settings
+    builder.Services.Configure<PhishLabsSettings>(
+        builder.Configuration.GetSection(PhishLabsSettings.SectionName));
+
+    // Add HTTP client for PhishLabs service
+    builder.Services.AddHttpClient<IPhishLabsService, PhishLabsService>();
+
+    // Register PhishLabs service
+    builder.Services.AddScoped<IPhishLabsService, PhishLabsService>();
+
+    // Add antiforgery services
+    builder.Services.AddAntiforgery(options =>
+    {
+        options.HeaderName = "X-CSRF-TOKEN";
+        options.SuppressXFrameOptionsHeader = false;
+    });
+
+    // Add CORS policy
+    builder.Services.AddCors(options =>
+    {
+        options.AddPolicy("PhishLabsPolicy", policy =>
+        {
+            policy.AllowAnyOrigin()
+                  .AllowAnyHeader()
+                  .WithMethods("POST");
+        });
+    });
+
     // Add Umbraco
     builder.CreateUmbracoBuilder()
         .AddBackOffice()
@@ -29,6 +59,9 @@
     // Configure the HTTP request pipeline
     await app.BootUmbracoAsync();
 
+    // Use CORS
+    app.UseCors("PhishLabsPolicy");
+
     app.UseUmbraco()
         .WithMiddleware(u =>
         {

src/UmbracoWeb/UmbracoWeb/Services/IPhishLabsService.cs

@@ -0,0 +1,21 @@
+using UmbracoWeb.Models;
+
+namespace UmbracoWeb.Services;
+
+/// <summary>
+/// Service interface for PhishLabs incident reporting
+/// </summary>
+public interface IPhishLabsService
+{
+    /// <summary>
+    /// Submit a phishing incident to PhishLabs
+    /// </summary>
+    /// <param name="request">The incident request</param>
+    /// <param name="correlationId">Correlation ID for tracking</param>
+    /// <param name="cancellationToken">Cancellation token</param>
+    /// <returns>Response from PhishLabs</returns>
+    Task<PhishLabsIncidentResponse> SubmitIncidentAsync(
+        PhishLabsIncidentRequest request, 
+        string correlationId, 
+        CancellationToken cancellationToken = default);
+}

src/UmbracoWeb/UmbracoWeb/Services/PhishLabsService.cs

@@ -0,0 +1,171 @@
+using System.Text;
+using System.Text.Json;
+using Microsoft.Extensions.Options;
+using UmbracoWeb.Models;
+
+namespace UmbracoWeb.Services;
+
+/// <summary>
+/// Service for integrating with PhishLabs incident reporting API
+/// </summary>
+public class PhishLabsService : IPhishLabsService
+{
+    private readonly HttpClient _httpClient;
+    private readonly PhishLabsSettings _settings;
+    private readonly ILogger<PhishLabsService> _logger;
+    private readonly JsonSerializerOptions _jsonOptions;
+
+    public PhishLabsService(
+        HttpClient httpClient, 
+        IOptions<PhishLabsSettings> settings, 
+        ILogger<PhishLabsService> logger)
+    {
+        _httpClient = httpClient ?? throw new ArgumentNullException(nameof(httpClient));
+        _settings = settings?.Value ?? throw new ArgumentNullException(nameof(settings));
+        _logger = logger ?? throw new ArgumentNullException(nameof(logger));
+
+        _jsonOptions = new JsonSerializerOptions
+        {
+            PropertyNamingPolicy = JsonNamingPolicy.CamelCase,
+            WriteIndented = false
+        };
+
+        ConfigureHttpClient();
+    }
+
+    /// <summary>
+    /// Submit a phishing incident to PhishLabs
+    /// </summary>
+    public async Task<PhishLabsIncidentResponse> SubmitIncidentAsync(
+        PhishLabsIncidentRequest request, 
+        string correlationId, 
+        CancellationToken cancellationToken = default)
+    {
+        if (request == null)
+            throw new ArgumentNullException(nameof(request));
+
+        if (string.IsNullOrWhiteSpace(correlationId))
+            throw new ArgumentException("Correlation ID is required", nameof(correlationId));
+
+        _logger.LogInformation("Submitting PhishLabs incident. CorrelationId: {CorrelationId}, URL: {UrlHash}", 
+            correlationId, ComputeUrlHash(request.Url));
+
+        try
+        {
+            var apiRequest = new PhishLabsApiRequest
+            {
+                Url = SanitizeUrl(request.Url),
+                Description = SanitizeDescription(request.Details),
+                Source = "umbraco-web",
+                Timestamp = DateTime.UtcNow
+            };
+
+            var response = await SubmitToPhishLabsAsync(apiRequest, correlationId, cancellationToken);
+
+            if (response.Success)
+            {
+                _logger.LogInformation("PhishLabs incident submitted successfully. CorrelationId: {CorrelationId}, IncidentId: {IncidentId}", 
+                    correlationId, response.IncidentId);
+
+                return new PhishLabsIncidentResponse
+                {
+                    Success = true,
+                    CorrelationId = correlationId,
+                    Message = "Thanks — we received your report and are investigating. If this affects your account, we'll contact you."
+                };
+            }
+            else
+            {
+                _logger.LogWarning("PhishLabs incident submission failed. CorrelationId: {CorrelationId}, Error: {Error}", 
+                    correlationId, response.Error);
+
+                return new PhishLabsIncidentResponse
+                {
+                    Success = false,
+                    CorrelationId = correlationId,
+                    Message = "Something went wrong — please try again.",
+                    ErrorDetails = response.Error
+                };
+            }
+        }
+        catch (Exception ex)
+        {
+            _logger.LogError(ex, "Error submitting PhishLabs incident. CorrelationId: {CorrelationId}", correlationId);
+
+            return new PhishLabsIncidentResponse
+            {
+                Success = false,
+                CorrelationId = correlationId,
+                Message = "Something went wrong — please try again. If it keeps failing, contact support.",
+                ErrorDetails = ex.Message
+            };
+        }
+    }
+
+    private void ConfigureHttpClient()
+    {
+        _httpClient.BaseAddress = new Uri(_settings.ApiBaseUrl);
+        _httpClient.Timeout = TimeSpan.FromSeconds(_settings.TimeoutSeconds);
+        _httpClient.DefaultRequestHeaders.Add("Authorization", $"Bearer {_settings.ApiKey}");
+        _httpClient.DefaultRequestHeaders.Add("User-Agent", "Umbraco-Web-PhishLabs-Integration/1.0");
+    }
+
+    private async Task<PhishLabsApiResponse> SubmitToPhishLabsAsync(
+        PhishLabsApiRequest request, 
+        string correlationId, 
+        CancellationToken cancellationToken)
+    {
+        var endpoint = _settings.ServicePath.TrimStart('/');
+        var json = JsonSerializer.Serialize(request, _jsonOptions);
+        var content = new StringContent(json, Encoding.UTF8, "application/json");
+        
+        content.Headers.Add("X-Correlation-ID", correlationId);
+
+        var httpResponse = await _httpClient.PostAsync(endpoint, content, cancellationToken);
+
+        if (httpResponse.IsSuccessStatusCode)
+        {
+            var responseContent = await httpResponse.Content.ReadAsStringAsync(cancellationToken);
+            var apiResponse = JsonSerializer.Deserialize<PhishLabsApiResponse>(responseContent, _jsonOptions);
+            
+            return apiResponse ?? new PhishLabsApiResponse 
+            { 
+                Success = false, 
+                Error = "Invalid response format" 
+            };
+        }
+        else
+        {
+            var errorContent = await httpResponse.Content.ReadAsStringAsync(cancellationToken);
+            return new PhishLabsApiResponse
+            {
+                Success = false,
+                Error = $"HTTP {(int)httpResponse.StatusCode}: {errorContent}"
+            };
+        }
+    }
+
+    private static string SanitizeUrl(string url)
+    {
+        if (string.IsNullOrWhiteSpace(url))
+            return string.Empty;
+
+        // Basic URL sanitization - remove any dangerous characters
+        return url.Trim().Replace("\r", "").Replace("\n", "");
+    }
+
+    private static string? SanitizeDescription(string? description)
+    {
+        if (string.IsNullOrWhiteSpace(description))
+            return null;
+
+        // Basic description sanitization
+        return description.Trim().Replace("\r\n", "\n").Replace("\r", "\n");
+    }
+
+    private static string ComputeUrlHash(string url)
+    {
+        // Create a simple hash for logging (no PII)
+        return url.GetHashCode().ToString("X8");
+    }
+}

src/UmbracoWeb/UmbracoWeb/UmbracoWeb.csproj

@@ -12,6 +12,7 @@
     <PackageReference Include="Serilog.Extensions.Logging" Version="8.0.0" />
     <PackageReference Include="Serilog.Sinks.File" Version="6.0.0" />
     <PackageReference Include="Serilog.Sinks.Console" Version="6.0.0" />
+    <PackageReference Include="System.ComponentModel.Annotations" Version="5.0.0" />
   </ItemGroup>
 
 </Project>