accessing members from umbracoapicontroller to secure media files in v8

Nathan 11 posts 101 karma points c-trib

Sep 19, 2023 @ 22:35

Hello everyone,

I’m trying to secure media files on my Umbraco v8.18.8 website based on, among other factors, whether or not a member is currently logged in. The method I'm using to achieve this is roughly based on this blog post. I have a handler class that successfully intercepts all requests to /media/*:

public class MediaHandler : HttpTaskAsyncHandler
{
    public MediaHandler() { }

    public override bool IsReusable
    {
        get { return false; }
    }

    public override async Task ProcessRequestAsync(HttpContext context)
    {
        List<KeyValuePair<string, object>> parameters = new List<KeyValuePair<string, object>>();
        parameters.Add(new KeyValuePair<string, object>("mediaPath", context.Request.Path));
        string scheme = context.Request.Url.Scheme;
        string authority = context.Request.Url.Authority;

        string url = BuildApiUrl(
            domainAddress: scheme + "://" + authority,
            apiLocation: "Umbraco/Api/",
            controllerName: "ProtectedMediaApi",
            methodName: "IsAllowed",
            parameters: parameters);

        HttpResponseMessage isAllowedResponse = await GetResultFromApi(url);

        if (!isAllowedResponse.IsSuccessStatusCode)
        {
            context.Response.StatusDescription = isAllowedResponse.ReasonPhrase;
            context.Response.StatusCode = (int)isAllowedResponse.StatusCode;
            return;
        }

        bool isAllowed = JsonConvert.DeserializeObject<bool>(await isAllowedResponse.Content.ReadAsStringAsync());

        if (isAllowed)
        {
            string requestedFile = context.Server.MapPath(context.Request.Path);
            SendContentTypeAndFile(context, requestedFile);
        }
        else
        {
            context.Response.StatusDescription = "Forbidden";
            context.Response.StatusCode = 403;
        }
    }

    private string BuildApiUrl(string domainAddress, string controllerName, string methodName, List<KeyValuePair<string, object>> parameters, string apiLocation)
    {
        StringBuilder url = new StringBuilder();

        url.Append($"{domainAddress}/{apiLocation}{controllerName}/{methodName}");

        if (parameters != null && parameters.Count > 0)
        {
            int parameterCount = parameters.Count;
            for (int i = 0; i < parameterCount; i++)
            {
                url.Append(i == 0 ? "?" : "&");
                url.Append($"{parameters[i].Key}={parameters[i].Value.ToString()}");
            }
        }

        return url.ToString();
    }

    private async Task<HttpResponseMessage> GetResultFromApi(string url)
    {
        using (HttpClient httpClient = new HttpClient())
        {
            HttpResponseMessage response = await httpClient.GetAsync(url);
            return response;
        }
    }

    private HttpContext SendContentTypeAndFile(HttpContext context, String strFile)
    {
        context.Response.ContentType = MimeMapping.GetMimeMapping(strFile);
        context.Response.TransmitFile(strFile);
        context.Response.End();
        return context;
    }
}

The handler is designated in my Web.config file like so: <add name="MediaHandler" path="/media/*" verb="*" type="MembersPortalV8.Handlers.MediaHandler"/>

The API being called in MediaHandler is defined in a separate class, ProtectedMediaApiController, which inherits from UmbracoApiController as such:

public class ProtectedMediaApiController : UmbracoApiController
{
    private readonly IMediaService _mediaService;

    public ProtectedMediaApiController(
        IGlobalSettings globalSettings,
        IUmbracoContextAccessor umbracoContextAccessor,
        ISqlContext sqlContext,
        ServiceContext services,
        AppCaches appCaches,
        IProfilingLogger logger,
        IRuntimeState runtimeState,
        UmbracoHelper umbracoHelper,
        UmbracoMapper umbracoMapper,
        IMediaService mediaService
    ) : base(globalSettings, umbracoContextAccessor, sqlContext, services, appCaches, logger, runtimeState, umbracoHelper, umbracoMapper)
    {
        _mediaService = mediaService;
    }

    [HttpGet]
    public bool IsAllowed(string mediaPath)
    {
        if (string.IsNullOrEmpty(mediaPath))
        {
            return false;
        }

        IMedia media = _mediaService.GetMediaByPath(mediaPath);

        if (media == null)
        {
            return false;
        }

        IPublishedContent typedMedia = Umbraco.Media(media.Id);
        IEnumerable<IPublishedContent> ancestorList = typedMedia.Ancestors();

        bool isPublic = false;

        foreach (IPublishedContent ancestor in ancestorList)
        {
            if (ancestor.Value<bool>("isPublic"))
            {
                isPublic = true;
                break;
            }
        }

        bool isLoggedIn = Members.IsLoggedIn();

        if (!isPublic && !isLoggedIn)
        {
            return false;
        }

        return true;
    }
}

Accessing mediaService through DI works as expected, and I am able to check properties on the specified media file. For some reason, however, I cannot get the current member - every approach I have tried so far either returns false or null. Some examples:

Members.IsLoggedIn() (as shown above) - always returns false, even if a member is logged in. Members should be accessible here since it is a property of UmbracoApiControllerBase, which UmbracoApiController inherits from (source).
_membershipHelper.IsLoggedIn() (where a new MembershipHelper is passed in through DI) - always returns false.
_umbracoHelper.MemberIsLoggedOn() (where UmbracoHelper is retrieved through DI) - always returns false.

This forum post discusses the same issue. The OP claims they passed the current member's username as a parameter to their API method; however, the class my API method is being called from inherits HttpTaskAsyncHandler, which, as far as I know, would not allow me to DI a MembershipHelper.

The forum post also mentions using the MemberAuthorize attribute - interestingly, this does work, and logged-out members are not able to call the API method, which means that this functionality is at least possible. Unfortunately, I also need to check members' roles to determine if they can access a given media file. Since other member-related methods do not work (_membershipHelper.GetCurrentLoginStatus() is always null, _membershipHelper.GetCurrentMember() is always null), this would not be a sufficient workaround.

Some other options I have tried include:

Using ApiController instead of UmbracoApiController or attempting to inject Umbraco dependencies into MediaHandler (does not give access to Umbraco services - tried some options discussed in this thread but could not figure out how to get it working for my purpose)
Inheriting UmbracoHttpHandler or UmbracoAuthorizedHttpHandler instead of IHttpHandler or HttpTaskAsyncHandler (seemingly not possible, see this github issue)

According to the github issue I mentioned earlier, it might be due to Umbraco interpreting the request as client-side and therefore not providing an UmbracoContext - unfortunately I cannot change the extension to force a server-side request as suggested, as my handler needs to run for all media files of any extension. Another suggestion was to use MVC route hijacking, which may be the proper way to go about doing this, but I was having some other issues with that (will create a separate thread for it!)

I am still relatively new to Umbraco so there is most likely something obvious I'm missing here. I will post an update to this thread if I find anything, but in the mean time, any help/advice/suggestions would be greatly appreciated!

Flag this post as spam?

Accessing members from UmbracoApiController to secure media files in v8