umbraco / Umbraco-CMS

Umbraco is a free and open source .NET content management system helping you deliver delightful digital experiences.
https://umbraco.com
MIT License

Reinstating Direct Backoffice Controller Access for Authenticated Users in Umbraco 14 using Cookies #17358

Open martinthogersen opened 1 month ago

martinthogersen commented 1 month ago

Which Umbraco version are you using? (Please write the exact version, example: 10.1.0)

14.3.1

Bug summary

In Umbraco 13, the code below enabled authenticated backoffice users to access the following URL directly: /umbraco/backoffice/PreviouslyWorking/Example

However, in Umbraco 14, it's now required to include an HTTP Authorization header with a valid bearer token for the same access. This additional requirement shouldn't be necessary since the user's authentication status is already determined through the AuthCookieName value (default cookie name: "UMB_UCONTEXT").

Is it possible to restore the previous behavior so authenticated users can access /umbraco/backoffice/PreviouslyWorking/Example without needing to include an Authorization header?

Here's the original controller code that worked in Umbraco 13:

using Microsoft.AspNetCore.Mvc;
using Umbraco.Cms.Core.Security;
using Umbraco.Cms.Web.Common.Controllers;

// UmbracoAuthorizedController is decorated with [Authorize(Policy = AuthorizationPolicies.BackOfficeAccess)],
// so who may reach this controller is decided by the BackOfficeAccess policy, not by this class.
public class PreviouslyWorkingController : UmbracoAuthorizedController
{
    private readonly IBackOfficeSecurityAccessor _backOfficeSecurityAccessor;

    public PreviouslyWorkingController(IBackOfficeSecurityAccessor backOfficeSecurityAccessor)
    {
        _backOfficeSecurityAccessor = backOfficeSecurityAccessor;
    }

    // Served at /umbraco/backoffice/PreviouslyWorking/Example once the composer maps the route.
    public ActionResult Example()
    {
        return Content("You are authorized to see this page");
    }
}

And here's the composer setup, which configures routing for the controller:

using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Options;
using Umbraco.Cms.Core;
using Umbraco.Cms.Core.Composing;
using Umbraco.Cms.Core.Configuration.Models;
using Umbraco.Cms.Core.DependencyInjection;
using Umbraco.Cms.Core.Hosting;
using Umbraco.Cms.Web.Common.ApplicationBuilder;
using Umbraco.Extensions;

public class BackofficeComposer : IComposer
{
    public void Compose(IUmbracoBuilder builder)
    {
        builder.Services.Configure<UmbracoPipelineOptions>(options =>
        {
            MapEndpointsForController<PreviouslyWorkingController>(options);
        });
    }

    // Maps T under "{umbraco area}/backoffice" so its actions sit beside the built-in back-office routes.
    private void MapEndpointsForController<T>(UmbracoPipelineOptions umbracoPipelineOptions)
        where T : ControllerBase
    {
        // typeof(T).Name yields the controller's type name; nameof(T) would always be the literal "T",
        // so every mapped controller would register a filter with the same name.
        umbracoPipelineOptions.AddFilter(new UmbracoPipelineFilter(typeof(T).Name)
        {
            Endpoints = app => app.UseEndpoints(endpoints =>
            {
                var globalSettings = app.ApplicationServices.GetRequiredService<IOptions<GlobalSettings>>().Value;
                var hostingEnvironment = app.ApplicationServices.GetRequiredService<IHostingEnvironment>();
                var backofficeArea = Constants.Web.Mvc.BackOfficePathSegment;

                // With default settings this is "umbraco/backoffice".
                var rootSegment = $"{globalSettings.GetUmbracoMvcArea(hostingEnvironment)}/{backofficeArea}";
                endpoints.MapUmbracoRoute<T>(rootSegment, "", null);
            })
        });
    }
}

Specifics

No response

Steps to reproduce

Set Up Umbraco 13:

  1. Install and configure Umbraco 13 on your local development environment.
  2. Implement the provided PreviouslyWorkingController and BackofficeComposer code.
  3. Log in as an authenticated user.
  4. Navigate to the URL: /umbraco/backoffice/PreviouslyWorking/Example.
  5. Confirm that the page displays the message: "You are authorized to see this page."

Upgrade to Umbraco 14:

  1. Upgrade the installation to Umbraco 14.
  2. Ensure the same PreviouslyWorkingController and BackofficeComposer code is used.
  3. Log in as an authenticated user.
  4. Navigate to the same URL: /umbraco/backoffice/PreviouslyWorking/Example.
  5. Observe that access is denied unless a valid bearer token is included in the HTTP Authorization header.

Expected result / actual result

No response

github-actions[bot] commented 1 month ago

Hi there @martinthogersen!

Firstly, a big thank you for raising this issue. Every piece of feedback we receive helps us to make Umbraco better.

We really appreciate your patience while we wait for our team to have a look at this but we wanted to let you know that we see this and share with you the plan for what comes next.

We wish we could work with everyone directly and assess your issue immediately but we're in the fortunate position of having lots of contributions to work with and only a few humans who are able to do it. We are making progress though and in the meantime, we will keep you in the loop and let you know when we have any questions.

Thanks, from your friendly Umbraco GitHub bot :robot: :slightly_smiling_face:

martinthogersen commented 4 weeks ago

This code fixes the issue:

using Microsoft.Extensions.DependencyInjection;
using Umbraco.Cms.Core;
using Umbraco.Cms.Core.Composing;
using Umbraco.Cms.Core.DependencyInjection;
using Umbraco.Cms.Web.Common.Authorization;

public class BackOfficeAccessPolicyComposer : IComposer
{
    // "services" in the snippet is builder.Services; AddPolicy overwrites Umbraco's own BackOfficeAccess policy.
    public void Compose(IUmbracoBuilder builder) => builder.Services.AddAuthorization(options =>
    {
        options.AddPolicy(AuthorizationPolicies.BackOfficeAccess, policy =>
        {
            policy.Requirements.Clear();
            policy.AuthenticationSchemes.Add(Constants.Security.BackOfficeAuthenticationType);
            policy.Requirements.Add(new BackOfficeRequirement());
        });
    });
}
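The following is an added example, not code from the issue or from Umbraco itself, showing a narrower way to get cookie-authenticated access for one custom controller without rewriting the global BackOfficeAccess policy that every other authorized back-office endpoint relies on. It registers a separately named policy (the name `CookieBackOfficePolicies.CookieBackOfficeAccess`, the `CookieAuthorizedController` and `CookieBackOfficeComposer` are hypothetical names chosen here), accepts the back-office cookie scheme on that policy only, and reuses the same `BackOfficeRequirement` so Umbraco's own user checks still run. It assumes the Umbraco 14 namespaces shown and that Umbraco registers the handler for `BackOfficeRequirement`, which the fix in the comment above also depends on.

```csharp
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Options;
using Umbraco.Cms.Core;
using Umbraco.Cms.Core.Composing;
using Umbraco.Cms.Core.Configuration.Models;
using Umbraco.Cms.Core.DependencyInjection;
using Umbraco.Cms.Core.Hosting;
using Umbraco.Cms.Web.Common.ApplicationBuilder;
using Umbraco.Cms.Web.Common.Authorization;
using Umbraco.Extensions;

// Hypothetical policy name for this example; it is not an Umbraco constant.
public static class CookieBackOfficePolicies
{
    public const string CookieBackOfficeAccess = "Example.CookieBackOfficeAccess";
}

// Only this controller is bound to the cookie-accepting policy. Umbraco's built-in
// BackOfficeAccess policy is left exactly as the framework registered it.
[Authorize(Policy = CookieBackOfficePolicies.CookieBackOfficeAccess)]
public class CookieAuthorizedController : Controller
{
    // Read-only action: it is reachable with the browser's ambient back-office cookie,
    // so no state is changed here without a separate anti-forgery check.
    [HttpGet]
    public ActionResult Example() => Content("You are authorized to see this page");
}

public class CookieBackOfficeComposer : IComposer
{
    public void Compose(IUmbracoBuilder builder)
    {
        builder.Services.AddAuthorization(options =>
        {
            // New policy: back-office cookie scheme + the same requirement Umbraco uses,
            // so approval and lockout checks on the user still apply.
            options.AddPolicy(CookieBackOfficePolicies.CookieBackOfficeAccess, policy =>
            {
                policy.AuthenticationSchemes.Add(Constants.Security.BackOfficeAuthenticationType);
                policy.Requirements.Add(new BackOfficeRequirement());
            });
        });

        // Route the controller under "{umbraco area}/backoffice", as the issue's composer does.
        builder.Services.Configure<UmbracoPipelineOptions>(options =>
        {
            options.AddFilter(new UmbracoPipelineFilter(nameof(CookieAuthorizedController))
            {
                Endpoints = app => app.UseEndpoints(endpoints =>
                {
                    var globalSettings = app.ApplicationServices.GetRequiredService<IOptions<GlobalSettings>>().Value;
                    var hostingEnvironment = app.ApplicationServices.GetRequiredService<IHostingEnvironment>();
                    var rootSegment = $"{globalSettings.GetUmbracoMvcArea(hostingEnvironment)}/{Constants.Web.Mvc.BackOfficePathSegment}";
                    endpoints.MapUmbracoRoute<CookieAuthorizedController>(rootSegment, "", null);
                })
            });
        });
    }
}
```

The difference from the fix posted above is scope: overwriting BackOfficeAccess makes every endpoint that is authorized by that policy accept the ambient cookie, whereas a dedicated policy limits the cookie-based path to the controllers you attach it to. A cookie is sent by the browser on its own, so any action that changes state behind such a policy needs anti-forgery validation in addition to the policy; a bearer token in an Authorization header does not carry that cross-site risk, which is a reason to keep the global policy as Umbraco 14 ships it.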