Merge pull request #24 from umbraco/feature/zapier-api-key-auth

Validate access using also an API key.

Author: acoumb

src/Umbraco.Cms.Integrations.Automation.Zapier/Configuration/ZapierSettings.cs

@@ -11,9 +11,13 @@ public ZapierSettings()
 
         public ZapierSettings(NameValueCollection appSettings)
         {
-            UserGroup = appSettings[Constants.UmbracoCmsIntegrationsAutomationZapierUserGroup];
+            UserGroupAlias = appSettings[Constants.UmbracoCmsIntegrationsAutomationZapierUserGroupAlias];
+
+            ApiKey = appSettings[Constants.UmbracoCmsIntegrationsAutomationZapierApiKey];
         }
 
-        public string UserGroup { get; set; }
+        public string UserGroupAlias { get; set; }
+
+        public string ApiKey { get; set; }
     }
 }

src/Umbraco.Cms.Integrations.Automation.Zapier/Constants.cs

@@ -9,13 +9,17 @@ public class Constants
 
         public const string TargetStateName = "zapiersubscriptionhook-db";
 
-        public const string UmbracoCmsIntegrationsAutomationZapierUserGroup = "Umbraco.Cms.Integrations.Automation.Zapier.UserGroup";
+        public const string UmbracoCmsIntegrationsAutomationZapierUserGroupAlias = "Umbraco.Cms.Integrations.Automation.Zapier.UserGroupAlias";
+
+        public const string UmbracoCmsIntegrationsAutomationZapierApiKey = "Umbraco.Cms.Integrations.Automation.Zapier.ApiKey";
 
         public static class ZapierAppConfiguration
         {
             public const string UsernameHeaderKey = "X-USERNAME";
 
             public const string PasswordHeaderKey = "X-PASSWORD";
+
+            public const string ApiKeyHeaderKey = "X-APIKEY";
         }
 
         public static class Configuration

src/Umbraco.Cms.Integrations.Automation.Zapier/Controllers/AuthController.cs

@@ -1,18 +1,15 @@
 using System.Threading.Tasks;
 
-using Umbraco.Cms.Integrations.Automation.Zapier.Configuration;
 using Umbraco.Cms.Integrations.Automation.Zapier.Models;
 using Umbraco.Cms.Integrations.Automation.Zapier.Services;
 
 #if NETCOREAPP
 using Microsoft.AspNetCore.Mvc;
-using Microsoft.Extensions.Options;
+
 using Umbraco.Cms.Web.Common.Controllers;
-using Umbraco.Cms.Core.Security;
 #else
 using System.Web.Http;
-using System.Configuration;
-using Umbraco.Cms.Integrations.Automation.Zapier.Models.Dtos;
+
 using Umbraco.Web.WebApi;
 #endif
 
@@ -23,31 +20,14 @@ namespace Umbraco.Cms.Integrations.Automation.Zapier.Controllers
     /// </summary>
     public class AuthController : UmbracoApiController
     {
-        private readonly ZapierSettings Options;
-
         private readonly IUserValidationService _userValidationService;
 
-#if NETCOREAPP
-        private readonly IBackOfficeUserManager _backOfficeUserManager;
-
-        public AuthController(IBackOfficeUserManager backOfficeUserManager, IUserValidationService userValidationService, IOptions<ZapierSettings> options)
-        {
-            _backOfficeUserManager = backOfficeUserManager;
-            
-            _userValidationService = userValidationService;
-
-            Options = options.Value;
-        }
-#else
         public AuthController(IUserValidationService userValidationService)
         {
-            Options = new ZapierSettings(ConfigurationManager.AppSettings);
-
             _userValidationService = userValidationService;
         }
-#endif
 
         [HttpPost]
-        public async Task<bool> ValidateUser([FromBody] UserModel userModel) => await _userValidationService.Validate(userModel.Username, userModel.Password, Options.UserGroup);
+        public async Task<bool> ValidateUser([FromBody] UserModel userModel) => await _userValidationService.Validate(userModel.Username, userModel.Password, userModel.ApiKey);
     }
 }

src/Umbraco.Cms.Integrations.Automation.Zapier/Controllers/ContentController.cs

@@ -35,7 +35,7 @@ public ContentController(IContentTypeService contentTypeService, IUserValidation
 
         public IEnumerable<ContentTypeDto> GetContentTypes()
         {
-            if (!IsUserValid()) return null;
+            if (!IsAccessValid()) return null;
 
             var contentTypes = _contentTypeService.GetAll();
 

src/Umbraco.Cms.Integrations.Automation.Zapier/Controllers/PollingController.cs

@@ -44,7 +44,7 @@ public PollingController(IContentService contentService, IContentTypeService con
         [Obsolete("Used only for Umbraco Zapier app v1.0.0. For updated versions use GetContentByType")]
         public IEnumerable<PublishedContentDto> GetSampleContent()
         {
-            if (!IsUserValid()) return null;
+            if (!IsAccessValid()) return null;
 
             var rootNodes = _contentService.GetRootContent()
                 .Where(p => p.Published)
@@ -60,7 +60,7 @@ public IEnumerable<PublishedContentDto> GetSampleContent()
 
         public List<Dictionary<string, string>> GetContentByType(string alias)
         {
-            if (!IsUserValid()) return null;
+            if (!IsAccessValid()) return null;
 
             var contentType = _contentTypeService.Get(alias);
             if (contentType == null) return new List<Dictionary<string, string>>();

src/Umbraco.Cms.Integrations.Automation.Zapier/Controllers/SubscriptionController.cs

@@ -38,7 +38,7 @@ public SubscriptionController(
         [HttpPost]
         public bool UpdatePreferences([FromBody] SubscriptionDto dto)
         {
-            if (!IsUserValid() || dto == null) return false;
+            if (!IsAccessValid() || dto == null) return false;
 
             var result = dto.SubscribeHook
                 ? _zapierSubscriptionHookService.Add(dto.EntityId, dto.Type, dto.HookUrl)

src/Umbraco.Cms.Integrations.Automation.Zapier/Controllers/ZapierAuthorizedApiController.cs

@@ -36,10 +36,11 @@ public ZapierAuthorizedApiController(IUserValidationService userValidationServic
             _userValidationService = userValidationService;
         }
 
-        public bool IsUserValid()
+        public bool IsAccessValid()
         {
             string username = string.Empty;
             string password = string.Empty;
+            string apiKey = string.Empty;
 
 #if NETCOREAPP
             if (Request.Headers.TryGetValue(Constants.ZapierAppConfiguration.UsernameHeaderKey,
@@ -48,18 +49,27 @@ public bool IsUserValid()
             if (Request.Headers.TryGetValue(Constants.ZapierAppConfiguration.PasswordHeaderKey,
                     out var passwordValues))
                 password = passwordValues.First();
+            if (Request.Headers.TryGetValue(Constants.ZapierAppConfiguration.ApiKeyHeaderKey,
+                    out var apiKeyValues))
+                apiKey = apiKeyValues.First();
 #else
             if (Request.Headers.TryGetValues(Constants.ZapierAppConfiguration.UsernameHeaderKey,
                     out var usernameValues))
                 username = usernameValues.First();
             if (Request.Headers.TryGetValues(Constants.ZapierAppConfiguration.PasswordHeaderKey,
                     out var passwordValues))
                 password = passwordValues.First();
+            if (Request.Headers.TryGetValues(Constants.ZapierAppConfiguration.ApiKeyHeaderKey,
+                    out var apiKeyValues))
+                apiKey = apiKeyValues.First();
 #endif
 
-            if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password)) return false;
+            if (string.IsNullOrEmpty(apiKey) && (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password))) return false;
 
-            var isAuthorized = _userValidationService.Validate(username, password, Options.UserGroup).GetAwaiter()
+            if (!string.IsNullOrEmpty(apiKey))
+                return apiKey == Options.ApiKey;
+
+            var isAuthorized = _userValidationService.Validate(username, password, Options.UserGroupAlias).GetAwaiter()
                 .GetResult();
             if (!isAuthorized) return false;
 

src/Umbraco.Cms.Integrations.Automation.Zapier/Models/UserModel.cs

@@ -6,5 +6,7 @@ public class UserModel
         public string Username { get; set; }
 
         public string Password { get; set; }
+
+        public string ApiKey { get; set; }
     }
 }

src/Umbraco.Cms.Integrations.Automation.Zapier/Services/IUserValidationService.cs

@@ -4,6 +4,6 @@ namespace Umbraco.Cms.Integrations.Automation.Zapier.Services
 {
     public interface IUserValidationService
     {
-        Task<bool> Validate(string username, string password, string userGroup);
+        Task<bool> Validate(string username, string password, string apiKey);
     }
 }

src/Umbraco.Cms.Integrations.Automation.Zapier/Services/UserValidationService.cs

@@ -1,10 +1,16 @@
 using System.Linq;
 using System.Threading.Tasks;
 
+using Umbraco.Cms.Integrations.Automation.Zapier.Configuration;
+
 #if NETCOREAPP
+using Microsoft.Extensions.Options;
+
 using Umbraco.Cms.Core.Security;
 using Umbraco.Cms.Core.Services;
 #else
+using System.Configuration;
+
 using Umbraco.Core.Services;
 #endif
 
@@ -14,23 +20,38 @@ public class UserValidationService : IUserValidationService
     {
         private readonly IUserService _userService;
 
+        private readonly ZapierSettings _zapierSettings;
 
 #if NETCOREAPP
         private readonly IBackOfficeUserManager _backOfficeUserManager;
 
-        public UserValidationService(IBackOfficeUserManager backOfficeUserManager, IUserService userService)
+        public UserValidationService(IOptions<ZapierSettings> options, IBackOfficeUserManager backOfficeUserManager)
         {
             _backOfficeUserManager = backOfficeUserManager;
+
+            _zapierSettings = options.Value;
         }
 #else
         public UserValidationService(IUserService userService)
         {
             _userService = userService;
+
+            _zapierSettings = new ZapierSettings(ConfigurationManager.AppSettings);
         }
 #endif
 
-        public async Task<bool> Validate(string username, string password, string userGroup)
+        /// <summary>
+        /// Allow access by validating API Key. If API key is missing, validate user credentials.
+        /// </summary>
+        /// <param name="username"></param>
+        /// <param name="password"></param>
+        /// <param name="apiKey"></param>
+        /// <returns></returns>
+        public async Task<bool> Validate(string username, string password, string apiKey)
         {
+            if (!string.IsNullOrEmpty(apiKey))
+                return apiKey == _zapierSettings.ApiKey;
+
 #if NETCOREAPP
             var isUserValid =
                 await _backOfficeUserManager.ValidateCredentialsAsync(username, password);
@@ -40,11 +61,11 @@ public async Task<bool> Validate(string username, string password, string userGr
 
             if (!isUserValid) return false;
 
-            if (!string.IsNullOrEmpty(userGroup))
+            if (!string.IsNullOrEmpty(_zapierSettings.UserGroupAlias))
             {
                 var user = _userService.GetByUsername(username);
 
-                return user != null && user.Groups.Any(p => p.Name == userGroup);
+                return user != null && user.Groups.Any(p => p.Alias == _zapierSettings.UserGroupAlias);
             }
 
             return true;