Merge branch 'v14/dev' into release/14.0

Author: iOvergaard

.github/BUILD.md

@@ -13,6 +13,16 @@ If the answer is yes, please read on. Otherwise, make sure to head on over [to t
 
 ↖️ You can jump to any section by using the "table of contents" button ( ![Table of contents icon](img/tableofcontentsicon.svg) ) above.
 
+## Getting Started:
+To run umbraco, we first need to initialize the client git submodule:
+* Execute `git submodule init` and then `git submodule update` to get the files into Umbraco.Web.UI.Client project
+* If you are going to work on the Backoffice, you can either go to the Umbraco.Web.UI.Client folder and check out a new branch or set it up in your IDE, which will allow you to commit to each repository simultaneously:
+  * **Rider**: Preferences -> Version Control -> Directory Mappings -> Click the '+' sign
+* If you get a white page delete Umbraco.Cms.StaticAssets\wwwroot\umbraco folder and run `npm ci && npm run build:for:cms` inside Umbraco.Web.UI.Client folder to clear out any leftover files from older versions.
+
+### Latest version
+* If you want to get the latest changes from the client repository, run `git submodule update` again which will pull the latest main branch.
+
 
 ## Debugging source locally
 

.github/New BackOffice - README.md

@@ -1,3 +1,3 @@
-[submodule "src/Umbraco.Web.UI.New.Client"]
-	path = src/Umbraco.Web.UI.New.Client
+[submodule "src/Umbraco.Web.UI.Client"]
+	path = src/Umbraco.Web.UI.Client
 	url = https://github.com/umbraco/Umbraco.CMS.Backoffice.git

.gitmodules

@@ -72,7 +72,7 @@
     <PackageVersion Include="Serilog.Sinks.Async" Version="1.5.0" />
     <PackageVersion Include="Serilog.Sinks.File" Version="5.0.0" />
     <PackageVersion Include="Serilog.Sinks.Map" Version="1.0.2" />
-    <PackageVersion Include="SixLabors.ImageSharp" Version="3.1.2" />
+    <PackageVersion Include="SixLabors.ImageSharp" Version="3.1.3" />
     <PackageVersion Include="SixLabors.ImageSharp.Web" Version="3.1.0" />
     <PackageVersion Include="Swashbuckle.AspNetCore" Version="6.5.0" />
   </ItemGroup>

Directory.Packages.props

@@ -93,17 +93,17 @@ stages:
             workingDirectory: src/Umbraco.Web.UI.Login
           - script: npm ci --no-fund --no-audit --prefer-offline
             displayName: Run npm ci (Bellissima)
-            workingDirectory: src/Umbraco.Web.UI.New.Client
+            workingDirectory: src/Umbraco.Web.UI.Client
           - script: npm run generate:api-local
             displayName: Generate API models (Bellissima)
-            workingDirectory: src/Umbraco.Web.UI.New.Client
+            workingDirectory: src/Umbraco.Web.UI.Client
             enabled: false
           - script: npm run build:for:cms
             displayName: Run build (Bellissima)
-            workingDirectory: src/Umbraco.Web.UI.New.Client
+            workingDirectory: src/Umbraco.Web.UI.Client
           - script: npm run build
             displayName: Run Login Build (Bellissima)
-            workingDirectory: src/Umbraco.Web.UI.New.Client/apps/auth
+            workingDirectory: src/Umbraco.Web.UI.Client/apps/auth
           - task: UseDotNet@2
             displayName: Use .NET SDK from global.json
             inputs:
@@ -142,7 +142,7 @@ stages:
             displayName: Prepare Bellissima npm package
             env:
               PACKAGE_VERSION: $(build.NBGV_NpmPackageVersion)
-            workingDirectory: src/Umbraco.Web.UI.New.Client
+            workingDirectory: src/Umbraco.Web.UI.Client
           - task: PublishPipelineArtifact@1
             displayName: Publish Bellissima npm artifact
             inputs:
@@ -225,26 +225,26 @@ stages:
           - task: Cache@2
             displayName: Cache node_modules
             inputs:
-              key: '"npm_client" | "$(Agent.OS)"| $(Build.SourcesDirectory)/src/Umbraco.Web.UI.New.Client/package-lock.json'
+              key: '"npm_client" | "$(Agent.OS)"| $(Build.SourcesDirectory)/src/Umbraco.Web.UI.Client/package-lock.json'
               restoreKeys: |
                 "npm_client" | "$(Agent.OS)"
                 "npm_client"
               path: $(npm_config_cache)
           - script: npm ci --no-fund --no-audit --prefer-offline
-            workingDirectory:  src/Umbraco.Web.UI.New.Client
+            workingDirectory:  src/Umbraco.Web.UI.Client
             displayName: Run npm ci
           - script: npm run storybook:build
             displayName: Build Storybook
             env:
               VITE_BASE_PATH: $(BASE_PATH)/
-            workingDirectory: $(Build.SourcesDirectory)/src/Umbraco.Web.UI.New.Client
+            workingDirectory: $(Build.SourcesDirectory)/src/Umbraco.Web.UI.Client
           - script: sed -i "s|/umbraco/backoffice|$(BASE_PATH)/umbraco/backoffice|" assets/*.js
             displayName: Replace BASE_PATH on assets
-            workingDirectory: $(Build.SourcesDirectory)/src/Umbraco.Web.UI.New.Client/storybook-static
+            workingDirectory: $(Build.SourcesDirectory)/src/Umbraco.Web.UI.Client/storybook-static
           - task: ArchiveFiles@2
             displayName: Archive js Docs
             inputs:
-              rootFolderOrFile: $(Build.SourcesDirectory)/src/Umbraco.Web.UI.New.Client/storybook-static
+              rootFolderOrFile: $(Build.SourcesDirectory)/src/Umbraco.Web.UI.Client/storybook-static
               includeRootFolder: false
               archiveFile: $(Build.ArtifactStagingDirectory)/ui-docs.zip
           - task: PublishPipelineArtifact@1

build/azure-pipelines.yml

@@ -0,0 +1,254 @@
+using System.Security.Claims;
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Authentication.Cookies;
+using Microsoft.AspNetCore.DataProtection;
+using Microsoft.AspNetCore.Http;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Options;
+using Umbraco.Cms.Api.Management.Security;
+using Umbraco.Cms.Core;
+using Umbraco.Cms.Core.Configuration.Models;
+using Umbraco.Cms.Core.Net;
+using Umbraco.Cms.Core.Services;
+using Umbraco.Cms.Web.Common.Security;
+using Umbraco.Extensions;
+
+namespace Umbraco.Cms.Api.Management.Configuration;
+
+/// <summary>
+///     Used to configure <see cref="CookieAuthenticationOptions" /> for the back office authentication type
+/// </summary>
+public class ConfigureBackOfficeCookieOptions : IConfigureNamedOptions<CookieAuthenticationOptions>
+{
+    private readonly IDataProtectionProvider _dataProtection;
+    private readonly GlobalSettings _globalSettings;
+    private readonly IIpResolver _ipResolver;
+    private readonly IRuntimeState _runtimeState;
+    private readonly SecuritySettings _securitySettings;
+    private readonly IUserService _userService;
+    private readonly TimeProvider _timeProvider;
+
+    /// <summary>
+    ///     Initializes a new instance of the <see cref="ConfigureBackOfficeCookieOptions" /> class.
+    /// </summary>
+    /// <param name="securitySettings">The <see cref="SecuritySettings" /> options</param>
+    /// <param name="globalSettings">The <see cref="GlobalSettings" /> options</param>
+    /// <param name="runtimeState">The <see cref="IRuntimeState" /></param>
+    /// <param name="dataProtection">The <see cref="IDataProtectionProvider" /></param>
+    /// <param name="userService">The <see cref="IUserService" /></param>
+    /// <param name="ipResolver">The <see cref="IIpResolver" /></param>
+    /// <param name="timeProvider">The <see cref="TimeProvider" /></param>
+    public ConfigureBackOfficeCookieOptions(
+        IOptions<SecuritySettings> securitySettings,
+        IOptions<GlobalSettings> globalSettings,
+        IRuntimeState runtimeState,
+        IDataProtectionProvider dataProtection,
+        IUserService userService,
+        IIpResolver ipResolver,
+        TimeProvider timeProvider)
+    {
+        _securitySettings = securitySettings.Value;
+        _globalSettings = globalSettings.Value;
+        _runtimeState = runtimeState;
+        _dataProtection = dataProtection;
+        _userService = userService;
+        _ipResolver = ipResolver;
+        _timeProvider = timeProvider;
+    }
+
+    /// <inheritdoc />
+    public void Configure(string? name, CookieAuthenticationOptions options)
+    {
+        if (name != Constants.Security.BackOfficeAuthenticationType)
+        {
+            return;
+        }
+
+        Configure(options);
+    }
+
+    /// <inheritdoc />
+    public void Configure(CookieAuthenticationOptions options)
+    {
+        options.SlidingExpiration = false;
+        options.ExpireTimeSpan = _globalSettings.TimeOut;
+        options.Cookie.Domain = _securitySettings.AuthCookieDomain;
+        options.Cookie.Name = _securitySettings.AuthCookieName;
+        options.Cookie.HttpOnly = true;
+        options.Cookie.SecurePolicy =
+            _globalSettings.UseHttps ? CookieSecurePolicy.Always : CookieSecurePolicy.SameAsRequest;
+        options.Cookie.Path = "/";
+
+        // NOTE: matches route in BackOfficeLoginController
+        const string backOfficeLoginPath = "/umbraco/login";
+        options.LoginPath = backOfficeLoginPath;
+        options.LogoutPath = backOfficeLoginPath;
+        options.AccessDeniedPath = backOfficeLoginPath;
+
+        options.DataProtectionProvider = _dataProtection;
+
+        // NOTE: This is borrowed directly from aspnetcore source
+        // Note: the purpose for the data protector must remain fixed for interop to work.
+        IDataProtector dataProtector = options.DataProtectionProvider.CreateProtector(
+            "Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationMiddleware",
+            Constants.Security.BackOfficeAuthenticationType,
+            "v2");
+        var ticketDataFormat = new TicketDataFormat(dataProtector);
+
+        options.TicketDataFormat = new BackOfficeSecureDataFormat(_globalSettings.TimeOut, ticketDataFormat);
+
+        options.Events = new CookieAuthenticationEvents
+        {
+            // IMPORTANT! If you set any of OnRedirectToLogin, OnRedirectToAccessDenied, OnRedirectToLogout, OnRedirectToReturnUrl
+            // you need to be aware that this will bypass the default behavior of returning the correct status codes for ajax requests and
+            // not redirecting for non-ajax requests. This is because the default behavior is baked into this class here:
+            // https://github.com/dotnet/aspnetcore/blob/master/src/Security/Authentication/Cookies/src/CookieAuthenticationEvents.cs#L58
+            // It would be possible to re-use the default behavior if any of these need to be set but that must be taken into account else
+            // our back office requests will not function correctly. For now we don't need to set/configure any of these callbacks because
+            // the defaults work fine with our setup.
+            OnValidatePrincipal = async ctx =>
+            {
+                // We need to resolve the BackOfficeSecurityStampValidator per request as a requirement (even in aspnetcore they do this)
+                BackOfficeSecurityStampValidator securityStampValidator =
+                    ctx.HttpContext.RequestServices.GetRequiredService<BackOfficeSecurityStampValidator>();
+
+                // Same goes for the signinmanager
+                IBackOfficeSignInManager signInManager =
+                    ctx.HttpContext.RequestServices.GetRequiredService<IBackOfficeSignInManager>();
+
+                ClaimsIdentity? backOfficeIdentity = ctx.Principal?.GetUmbracoIdentity();
+                if (backOfficeIdentity == null)
+                {
+                    ctx.RejectPrincipal();
+                    await signInManager.SignOutAsync();
+                }
+
+                // ensure the thread culture is set
+                backOfficeIdentity?.EnsureCulture();
+
+                EnsureTicketRenewalIfKeepUserLoggedIn(ctx);
+
+                // add or update a claim to track when the cookie expires, we use this to track time remaining
+                backOfficeIdentity?.AddOrUpdateClaim(new Claim(
+                    Constants.Security.TicketExpiresClaimType,
+                    ctx.Properties.ExpiresUtc!.Value.ToString("o"),
+                    ClaimValueTypes.DateTime,
+                    Constants.Security.BackOfficeAuthenticationType,
+                    Constants.Security.BackOfficeAuthenticationType,
+                    backOfficeIdentity));
+
+                await securityStampValidator.ValidateAsync(ctx);
+
+                // We have to manually specify Issued and Expires,
+                // because the SecurityStampValidator refreshes the principal every 30 minutes,
+                // When the principal is refreshed the Issued is update to time of refresh, however, the Expires remains unchanged
+                // When we then try and renew, the difference of issued and expires effectively becomes the new ExpireTimeSpan
+                // meaning we effectively lose 30 minutes of our ExpireTimeSpan for EVERY principal refresh if we don't
+                // https://github.com/dotnet/aspnetcore/blob/main/src/Security/Authentication/Cookies/src/CookieAuthenticationHandler.cs#L115
+                ctx.Properties.IssuedUtc = _timeProvider.GetUtcNow();
+                ctx.Properties.ExpiresUtc = _timeProvider.GetUtcNow().Add(_globalSettings.TimeOut);
+                ctx.ShouldRenew = true;
+            },
+            OnSigningIn = ctx =>
+            {
+                // occurs when sign in is successful but before the ticket is written to the outbound cookie
+                ClaimsIdentity? backOfficeIdentity = ctx.Principal?.GetUmbracoIdentity();
+                if (backOfficeIdentity != null)
+                {
+                    // generate a session id and assign it
+                    // create a session token - if we are configured and not in an upgrade state then use the db, otherwise just generate one
+                    Guid session = _runtimeState.Level == RuntimeLevel.Run
+                        ? _userService.CreateLoginSession(
+                            backOfficeIdentity.GetId()!.Value,
+                            _ipResolver.GetCurrentRequestIpAddress())
+                        : Guid.NewGuid();
+
+                    // add our session claim
+                    backOfficeIdentity.AddClaim(new Claim(
+                        Constants.Security.SessionIdClaimType,
+                        session.ToString(),
+                        ClaimValueTypes.String,
+                        Constants.Security.BackOfficeAuthenticationType,
+                        Constants.Security.BackOfficeAuthenticationType,
+                        backOfficeIdentity));
+
+                    // since it is a cookie-based authentication add that claim
+                    backOfficeIdentity.AddClaim(new Claim(
+                        ClaimTypes.CookiePath,
+                        "/",
+                        ClaimValueTypes.String,
+                        Constants.Security.BackOfficeAuthenticationType,
+                        Constants.Security.BackOfficeAuthenticationType,
+                        backOfficeIdentity));
+                }
+
+                return Task.CompletedTask;
+            },
+            OnSignedIn = ctx =>
+            {
+                // occurs when sign in is successful and after the ticket is written to the outbound cookie
+
+                // When we are signed in with the cookie, assign the principal to the current HttpContext
+                ctx.HttpContext.SetPrincipalForRequest(ctx.Principal);
+
+                return Task.CompletedTask;
+            },
+            OnSigningOut = ctx =>
+            {
+                // Clear the user's session on sign out
+                if (ctx.HttpContext?.User?.Identity != null)
+                {
+                    var claimsIdentity = ctx.HttpContext.User.Identity as ClaimsIdentity;
+                    var sessionId = claimsIdentity?.FindFirstValue(Constants.Security.SessionIdClaimType);
+                    if (sessionId.IsNullOrWhiteSpace() == false && Guid.TryParse(sessionId, out Guid guidSession))
+                    {
+                        _userService.ClearLoginSession(guidSession);
+                    }
+                }
+
+                // Remove all of our cookies
+                var cookies = new[]
+                {
+                    _securitySettings.AuthCookieName,
+                    Constants.Web.PreviewCookieName, Constants.Security.BackOfficeExternalCookieName,
+                    Constants.Web.AngularCookieName, Constants.Web.CsrfValidationCookieName
+                };
+                foreach (var cookie in cookies)
+                {
+                    ctx.Options.CookieManager.DeleteCookie(ctx.HttpContext!, cookie, new CookieOptions { Path = "/" });
+                }
+
+                return Task.CompletedTask;
+            }
+        };
+    }
+
+    /// <summary>
+    ///     Ensures the ticket is renewed if the <see cref="SecuritySettings.KeepUserLoggedIn" /> is set to true
+    ///     and the current request is for the get user seconds endpoint
+    /// </summary>
+    /// <param name="context">The <see cref="CookieValidatePrincipalContext" /></param>
+    private void EnsureTicketRenewalIfKeepUserLoggedIn(CookieValidatePrincipalContext context)
+    {
+        if (!_securitySettings.KeepUserLoggedIn)
+        {
+            return;
+        }
+
+        DateTimeOffset currentUtc = _timeProvider.GetUtcNow();
+        DateTimeOffset? issuedUtc = context.Properties.IssuedUtc;
+        DateTimeOffset? expiresUtc = context.Properties.ExpiresUtc;
+
+        if (expiresUtc.HasValue && issuedUtc.HasValue)
+        {
+            TimeSpan timeElapsed = currentUtc.Subtract(issuedUtc.Value);
+            TimeSpan timeRemaining = expiresUtc.Value.Subtract(currentUtc);
+
+            // if it's time to renew, then do it
+            if (timeRemaining < timeElapsed)
+            {
+                context.ShouldRenew = true;
+            }
+        }
+    }
+}