Merge branch 'v15/dev' into release/15.2

Author: Migaroez

src/Umbraco.Cms.Api.Common/DependencyInjection/UmbracoBuilderAuthExtensions.cs

@@ -46,7 +46,9 @@ private static void ConfigureOpenIddict(IUmbracoBuilder builder)
                         Paths.BackOfficeApi.LogoutEndpoint.TrimStart(Constants.CharArrays.ForwardSlash))
                     .SetRevocationEndpointUris(
                         Paths.MemberApi.RevokeEndpoint.TrimStart(Constants.CharArrays.ForwardSlash),
-                        Paths.BackOfficeApi.RevokeEndpoint.TrimStart(Constants.CharArrays.ForwardSlash));
+                        Paths.BackOfficeApi.RevokeEndpoint.TrimStart(Constants.CharArrays.ForwardSlash))
+                    .SetUserInfoEndpointUris(
+                        Paths.MemberApi.UserinfoEndpoint.TrimStart(Constants.CharArrays.ForwardSlash));
 
                 // Enable authorization code flow with PKCE
                 options
@@ -62,7 +64,8 @@ private static void ConfigureOpenIddict(IUmbracoBuilder builder)
                     .UseAspNetCore()
                     .EnableAuthorizationEndpointPassthrough()
                     .EnableTokenEndpointPassthrough()
-                    .EnableEndSessionEndpointPassthrough();
+                    .EnableEndSessionEndpointPassthrough()
+                    .EnableUserInfoEndpointPassthrough();
 
                 // Enable reference tokens
                 // - see https://documentation.openiddict.com/configuration/token-storage.html

src/Umbraco.Cms.Api.Common/Security/Paths.cs

@@ -31,6 +31,8 @@ public static class MemberApi
 
         public static readonly string RevokeEndpoint = EndpointPath($"{EndpointTemplate}/revoke");
 
+        public static readonly string UserinfoEndpoint = EndpointPath($"{EndpointTemplate}/userinfo");
+
         // NOTE: we're NOT using /api/v1.0/ here because it will clash with the Delivery API docs
         private static string EndpointPath(string relativePath) => $"/umbraco/delivery/api/v1/{relativePath}";
     }

src/Umbraco.Cms.Api.Delivery/Controllers/Content/ContentApiControllerBase.cs

@@ -15,6 +15,7 @@ namespace Umbraco.Cms.Api.Delivery.Controllers.Content;
 [ApiExplorerSettings(GroupName = "Content")]
 [LocalizeFromAcceptLanguageHeader]
 [ValidateStartItem]
+[AddVaryHeader]
 [OutputCache(PolicyName = Constants.DeliveryApi.OutputCache.ContentCachePolicy)]
 public abstract class ContentApiControllerBase : DeliveryApiControllerBase
 {

src/Umbraco.Cms.Api.Delivery/Controllers/Security/CurrentMemberController.cs

@@ -0,0 +1,28 @@
+using Asp.Versioning;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
+using OpenIddict.Server.AspNetCore;
+using Umbraco.Cms.Api.Delivery.Routing;
+using Umbraco.Cms.Core.DeliveryApi;
+
+namespace Umbraco.Cms.Api.Delivery.Controllers.Security;
+
+[ApiVersion("1.0")]
+[ApiController]
+[VersionedDeliveryApiRoute(Common.Security.Paths.MemberApi.EndpointTemplate)]
+[ApiExplorerSettings(IgnoreApi = true)]
+[Authorize(AuthenticationSchemes = OpenIddictServerAspNetCoreDefaults.AuthenticationScheme)]
+public class CurrentMemberController : DeliveryApiControllerBase
+{
+    private readonly ICurrentMemberClaimsProvider _currentMemberClaimsProvider;
+
+    public CurrentMemberController(ICurrentMemberClaimsProvider currentMemberClaimsProvider)
+        => _currentMemberClaimsProvider = currentMemberClaimsProvider;
+
+    [HttpGet("userinfo")]
+    public async Task<IActionResult> Userinfo()
+    {
+        Dictionary<string, object> claims = await _currentMemberClaimsProvider.GetClaimsAsync();
+        return Ok(claims);
+    }
+}

src/Umbraco.Cms.Api.Delivery/DependencyInjection/UmbracoBuilderExtensions.cs

@@ -61,6 +61,7 @@ public static IUmbracoBuilder AddDeliveryApi(this IUmbracoBuilder builder)
         builder.Services.AddSingleton<IApiMediaQueryService, ApiMediaQueryService>();
         builder.Services.AddTransient<IMemberApplicationManager, MemberApplicationManager>();
         builder.Services.AddTransient<IRequestMemberAccessService, RequestMemberAccessService>();
+        builder.Services.AddTransient<ICurrentMemberClaimsProvider, CurrentMemberClaimsProvider>();
         builder.Services.AddScoped<IMemberClientCredentialsManager, MemberClientCredentialsManager>();
 
         builder.Services.ConfigureOptions<ConfigureUmbracoDeliveryApiSwaggerGenOptions>();

src/Umbraco.Cms.Api.Delivery/Filters/AddVaryHeaderAttribute.cs

@@ -0,0 +1,13 @@
+using Microsoft.AspNetCore.Mvc.Filters;
+
+namespace Umbraco.Cms.Api.Delivery.Filters;
+
+public sealed class AddVaryHeaderAttribute : ActionFilterAttribute
+{
+    private const string Vary = "Accept-Language, Preview, Start-Item";
+
+    public override void OnResultExecuting(ResultExecutingContext context)
+        => context.HttpContext.Response.Headers.Vary = context.HttpContext.Response.Headers.Vary.Count > 0
+            ? $"{context.HttpContext.Response.Headers.Vary}, {Vary}"
+            : Vary;
+}

src/Umbraco.Cms.Api.Delivery/Json/DeliveryApiVersionAwareJsonConverterBase.cs

@@ -0,0 +1,88 @@
+using System.Reflection;
+using System.Text.Json;
+using System.Text.Json.Serialization;
+using Asp.Versioning;
+using Microsoft.AspNetCore.Http;
+using Umbraco.Cms.Core.DeliveryApi;
+
+namespace Umbraco.Cms.Api.Delivery.Json;
+
+public abstract class DeliveryApiVersionAwareJsonConverterBase<T> : JsonConverter<T>
+{
+    private readonly IHttpContextAccessor _httpContextAccessor;
+    private readonly JsonConverter<T> _defaultConverter = (JsonConverter<T>)JsonSerializerOptions.Default.GetConverter(typeof(T));
+
+    public DeliveryApiVersionAwareJsonConverterBase(IHttpContextAccessor httpContextAccessor)
+        => _httpContextAccessor = httpContextAccessor;
+
+    /// <inheritdoc />
+    public override T? Read(ref Utf8JsonReader reader, Type typeToConvert, JsonSerializerOptions options)
+        => _defaultConverter.Read(ref reader, typeToConvert, options);
+
+    /// <inheritdoc />
+    public override void Write(Utf8JsonWriter writer, T value, JsonSerializerOptions options)
+    {
+        Type type = typeof(T);
+        var apiVersion = GetApiVersion();
+
+        // Get the properties in the specified order
+        PropertyInfo[] properties = type.GetProperties().OrderBy(GetPropertyOrder).ToArray();
+
+        writer.WriteStartObject();
+
+        foreach (PropertyInfo property in properties)
+        {
+            // Filter out properties based on the API version
+            var include = apiVersion is null || ShouldIncludeProperty(property, apiVersion.Value);
+
+            if (include is false)
+            {
+                continue;
+            }
+
+            var propertyName = property.Name;
+            writer.WritePropertyName(options.PropertyNamingPolicy?.ConvertName(propertyName) ?? propertyName);
+            JsonSerializer.Serialize(writer, property.GetValue(value), options);
+        }
+
+        writer.WriteEndObject();
+    }
+
+    private int? GetApiVersion()
+    {
+        HttpContext? httpContext = _httpContextAccessor.HttpContext;
+        ApiVersion? apiVersion = httpContext?.GetRequestedApiVersion();
+
+        return apiVersion?.MajorVersion;
+    }
+
+    private int GetPropertyOrder(PropertyInfo prop)
+    {
+        var attribute = prop.GetCustomAttribute<JsonPropertyOrderAttribute>();
+        return attribute?.Order ?? 0;
+    }
+
+    /// <summary>
+    ///     Determines whether a property should be included based on version bounds.
+    /// </summary>
+    /// <param name="propertyInfo">The property info.</param>
+    /// <param name="version">An integer representing an API version.</param>
+    /// <returns><c>true</c> if the property should be included; otherwise, <c>false</c>.</returns>
+    private bool ShouldIncludeProperty(PropertyInfo propertyInfo, int version)
+    {
+        var attribute = propertyInfo
+            .GetCustomAttributes(typeof(IncludeInApiVersionAttribute), false)
+            .FirstOrDefault();
+
+        if (attribute is not IncludeInApiVersionAttribute apiVersionAttribute)
+        {
+            return true; // No attribute means include the property
+        }
+
+        // Check if the version is within the specified bounds
+        var isWithinMinVersion = apiVersionAttribute.MinVersion.HasValue is false || version >= apiVersionAttribute.MinVersion.Value;
+        var isWithinMaxVersion = apiVersionAttribute.MaxVersion.HasValue is false || version <= apiVersionAttribute.MaxVersion.Value;
+
+        return isWithinMinVersion && isWithinMaxVersion;
+    }
+}

src/Umbraco.Cms.Api.Delivery/Querying/Filters/ContentTypeFilter.cs

@@ -1,6 +1,5 @@
 using Umbraco.Cms.Api.Delivery.Indexing.Filters;
 using Umbraco.Cms.Core.DeliveryApi;
-using Umbraco.Extensions;
 
 namespace Umbraco.Cms.Api.Delivery.Querying.Filters;
 
@@ -15,15 +14,15 @@ public bool CanHandle(string query)
     /// <inheritdoc/>
     public FilterOption BuildFilterOption(string filter)
     {
-        var alias = filter.Substring(ContentTypeSpecifier.Length);
+        var filterValue = filter.Substring(ContentTypeSpecifier.Length);
+        var negate = filterValue.StartsWith('!');
+        var aliases = filterValue.TrimStart('!').Split(',', StringSplitOptions.TrimEntries | StringSplitOptions.RemoveEmptyEntries);
 
         return new FilterOption
         {
             FieldName = ContentTypeFilterIndexer.FieldName,
-            Values = alias.IsNullOrWhiteSpace() == false
-                ? new[] { alias.TrimStart('!') }
-                : Array.Empty<string>(),
-            Operator = alias.StartsWith('!')
+            Values = aliases,
+            Operator = negate
                 ? FilterOperation.IsNot
                 : FilterOperation.Is
         };

src/Umbraco.Cms.Api.Delivery/Services/CurrentMemberClaimsProvider.cs

@@ -0,0 +1,44 @@
+using OpenIddict.Abstractions;
+using Umbraco.Cms.Core.DeliveryApi;
+using Umbraco.Cms.Core.Security;
+
+namespace Umbraco.Cms.Api.Delivery.Services;
+
+// NOTE: this is public and unsealed to allow overriding the default claims with minimal effort.
+public class CurrentMemberClaimsProvider : ICurrentMemberClaimsProvider
+{
+    private readonly IMemberManager _memberManager;
+
+    public CurrentMemberClaimsProvider(IMemberManager memberManager)
+        => _memberManager = memberManager;
+
+    public virtual async Task<Dictionary<string, object>> GetClaimsAsync()
+    {
+        MemberIdentityUser? memberIdentityUser = await _memberManager.GetCurrentMemberAsync();
+        return memberIdentityUser is not null
+            ? await GetClaimsForMemberIdentityAsync(memberIdentityUser)
+            : throw new InvalidOperationException("Could not retrieve the current member. This method should only ever be invoked when a member has been authorized.");
+    }
+
+    protected virtual async Task<Dictionary<string, object>> GetClaimsForMemberIdentityAsync(MemberIdentityUser memberIdentityUser)
+    {
+        var claims = new Dictionary<string, object>
+        {
+            [OpenIddictConstants.Claims.Subject] = memberIdentityUser.Key
+        };
+
+        if (memberIdentityUser.Name is not null)
+        {
+            claims[OpenIddictConstants.Claims.Name] = memberIdentityUser.Name;
+        }
+
+        if (memberIdentityUser.Email is not null)
+        {
+            claims[OpenIddictConstants.Claims.Email] = memberIdentityUser.Email;
+        }
+
+        claims[OpenIddictConstants.Claims.Role] = await _memberManager.GetRolesAsync(memberIdentityUser);
+
+        return claims;
+    }
+}

src/Umbraco.Cms.Api.Management/Controllers/Security/BackOfficeController.cs

@@ -275,9 +275,12 @@ public async Task<IActionResult> Token()
     [MapToApiVersion("1.0")]
     public async Task<IActionResult> Signout(CancellationToken cancellationToken)
     {
-        var userName = await GetUserNameFromAuthCookie();
+        AuthenticateResult cookieAuthResult = await HttpContext.AuthenticateAsync(Constants.Security.BackOfficeAuthenticationType);
+        var userName = cookieAuthResult.Principal?.Identity?.Name;
+        var userId = cookieAuthResult.Principal?.Identity?.GetUserId();
 
         await _backOfficeSignInManager.SignOutAsync();
+        _backOfficeUserManager.NotifyLogoutSuccess(cookieAuthResult.Principal ?? User, userId);
 
         _logger.LogInformation(
             "User {UserName} from IP address {RemoteIpAddress} has logged out",