Protect backoffice api

Author: umbracotrd

src/Umbraco.Commerce.Checkout/Client/src/backoffice/apis/install.api.ts

@@ -3,9 +3,21 @@ export type InstallUccApiResponse = {
     success: boolean,
     message?: string
 }
-export const installUmbracoCommerceCheckoutAsync: (siteRootNodeId: string) => Promise<InstallUccApiResponse> = (siteRootNodeId: string) => {
+
+export const OpenApiConfig: {
+    credentials: RequestCredentials,
+    token: () => Promise<string>,
+} = {
+    credentials: 'same-origin',
+    token: async () => '',
+};
+
+export const installUmbracoCommerceCheckoutAsync: (siteRootNodeId: string) => Promise<InstallUccApiResponse> = async (siteRootNodeId: string) => {
     const response = fetch('/umbraco/management/api/v1/umbraco-commerce-checkout/install?siteRootNodeId=' + siteRootNodeId, {
-        credentials: 'include',
+        credentials: OpenApiConfig.credentials,
+        headers: {
+            'Authorization': 'Bearer ' + await OpenApiConfig.token(),
+        },
     }).then(
         (response: Response) => {
             return response.json() as Promise<InstallUccApiResponse>;

src/Umbraco.Commerce.Checkout/Client/src/backoffice/index.ts

@@ -1,13 +1,19 @@
 import type { UmbEntryPointOnInit } from '@umbraco-cms/backoffice/extension-api';
 
+import { UMB_AUTH_CONTEXT } from '@umbraco-cms/backoffice/auth';
 import { manifests as dashboardManifest } from './dashboards/manifest';
-
 import { ManifestTypes } from '@umbraco-cms/backoffice/extension-registry';
+import { OpenApiConfig } from './apis/install.api';
 
 const manifests: Array<ManifestTypes> = [
     ...dashboardManifest,
 ];
 
 export const onInit: UmbEntryPointOnInit = (_host, extensionRegistry) => {
     extensionRegistry.registerMany(manifests);
+    _host.consumeContext(UMB_AUTH_CONTEXT, async (instance) => {
+        if (!instance) return;
+        const umbOpenApi = instance.getOpenApiConfiguration();
+        OpenApiConfig.token = umbOpenApi.token;
+    });
 };

src/Umbraco.Commerce.Checkout/Web/Controllers/UmbracoCommerceCheckoutApiController.cs

@@ -1,22 +1,25 @@
 using System;
 using System.Threading.Tasks;
 using Asp.Versioning;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
+using Umbraco.Cms.Api.Management.Controllers;
 using Umbraco.Cms.Api.Management.Routing;
 using Umbraco.Cms.Core.Models;
 using Umbraco.Cms.Core.Services;
+using Umbraco.Cms.Web.Common.Authorization;
 using Umbraco.Commerce.Checkout.Services;
 using Umbraco.Commerce.Core.Api;
 using Umbraco.Commerce.Core.Models;
 
 namespace Umbraco.Commerce.Checkout.Web.Controllers
 {
-    [ApiController]
     [ApiVersion("1.0")]
     [VersionedApiBackOfficeRoute("umbraco-commerce-checkout")]
     [ApiExplorerSettings(GroupName = "Umbraco Commerce Checkout API")]
-    //[Authorize(Policy = AuthorizationPolicies.SectionAccessSettings)]
-    public class UmbracoCommerceCheckoutApiController : Controller
+    [Authorize]
+    [Authorize(AuthorizationPolicies.SectionAccessSettings)]
+    public class UmbracoCommerceCheckoutApiController : ManagementApiControllerBase
     {
         private readonly IUmbracoCommerceApi _commerceApi;
         private readonly IContentService _contentService;

version.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
-  "version": "14.0.0-rc1",
+  "version": "14.0.0-rc2",
   "assemblyVersion": {
     "precision": "build"
   },