DeliveryApiAccessAttribute is internal

[callumbwhyte]

Which Umbraco version are you using?

12.0.0-17.1.0

Bug summary

Since the introduction of the Delivery API, the DeliveryApiAccessAttribute that handles authorization for endpoints has been internal.

Whilst it's clear the Delivery API is not really intended to be extended, it is possible to register new controllers extending the base classes and under the same /umbraco/api/delivery routes.

This could be helpful in projects where you want a specific endpoint within the Delivery API groups (e.g. for client generation) or for package authors looking to ship their own APIs for front-end consumption.

Currently (AFAIK) you have to role your own Delivery API auth logic, which isn't ideal.

Specifics

No response

Steps to reproduce

N/A

Expected result / actual result

Ideally we should make DeliveryApiAccessAttribute public so it can be used by packages and consuming projects.

[github-actions]

Hi there @callumbwhyte!

Firstly, a big thank you for raising this issue. Every piece of feedback we receive helps us to make Umbraco better.

We really appreciate your patience while we wait for our team to have a look at this but we wanted to let you know that we see this and share with you the plan for what comes next.

• We'll assess whether this issue relates to something that has already been fixed in a later version of the release that it has been raised for.
• If it's a bug, is it related to a release that we are actively supporting or is it related to a release that's in the end-of-life or security-only phase?
• We'll replicate the issue to ensure that the problem is as described.
• We'll decide whether the behavior is an issue or if the behavior is intended.

We wish we could work with everyone directly and assess your issue immediately but we're in the fortunate position of having lots of contributions to work with and only a few humans who are able to do it. We are making progress though and in the meantime, we will keep you in the loop and let you know when we have any questions.

Thanks, from your friendly Umbraco GitHub bot 🤖 🙂

[kjac]

Hi @callumbwhyte 👋

Sure, we can make that attribute public (sealed). That's a simple fix, but are you sure it does what you need it to do? This attribute basically just verifies that:

1. The Delivery API is configured for public (content) access, or
2. The current request has a valid API key

In other words, this attribute has no contextual knowledge of the current request, nor any idea about any member authentication that might have happened.

[callumbwhyte]

@kjac Yes, this is exactly what I needed in my use case – enabled + API key.

I'm not using member auth, but it would appear that's handled per content item in the base controllers themselves. e.g. here

After another quick search of the codebase would suggest there might be a few other helpful filters / attributes to have public:

• DeliveryApiMediaAccessAttribute – the same, but for media
• ContextualizeFromAcceptHeadersAttribute – sets variant / segment from request
• ValidateStartItemAttribute – ensures start item is a valid ID in the navigation service

[kjac]

Hi @callumbwhyte

Agree to disagree 😄 to a point, at least. The DeliveryApiMediaAccessAttribute makes sense, but the other two are distinctly related to content output handling... and they are set on the ContentApiControllerBase, which is public and should be used as base for all content related custom APIs.

I'll add a task to update docs for custom Delivery API controllers

[kjac]

Fixed - will be released in V17.3

If you need an urgent fix, you'll have to clone the DeliveryApiAccessAttribute implementation for now. The good news is that all its dependencies are public, and they are the ones carrying the bulk of the implementation.