From be488c194171570c15e638269cce49cff7dee8f8 Mon Sep 17 00:00:00 2001
From: Bjarke Berg
Date: Tue, 18 Jun 2024 11:46:54 +0200
Subject: [PATCH] Added post configuration of OpenIddictServerOptions that removes the ValidateTransportSecurityRequirement iff globalsettings.usehttps is false.
---
 .../Configuration/PostConfigureOpenIddict.cs | 44 +++++++++++++++++++
 .../UmbracoBuilderAuthExtensions.cs | 2 +
 2 files changed, 46 insertions(+)
 create mode 100644 src/Umbraco.Cms.Api.Common/Configuration/PostConfigureOpenIddict.cs
diff --git a/src/Umbraco.Cms.Api.Common/Configuration/PostConfigureOpenIddict.cs b/src/Umbraco.Cms.Api.Common/Configuration/PostConfigureOpenIddict.cs
new file mode 100644
index 000000000000..f01b71fbb16b
--- /dev/null
+++ b/src/Umbraco.Cms.Api.Common/Configuration/PostConfigureOpenIddict.cs
@@ -0,0 +1,44 @@
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Options;
+using OpenIddict.Server;
+using OpenIddict.Server.AspNetCore;
+using Umbraco.Cms.Core.Configuration.Models;
+
+namespace Umbraco.Cms.Api.Common.Configuration;
+
+internal class PostConfigureOpenIddict : IPostConfigureOptions
+{
+ private readonly IOptions _globalSettings;
+
+ public PostConfigureOpenIddict(IOptions globalSettings)
+ {
+ _globalSettings = globalSettings;
+ }
+
+ public void PostConfigure(string? name, OpenIddictServerOptions options)
+ {
+ EnsureHttpsIsNotRequiredWhenConfigAllowHttp(options);
+ }
+
+ ///
+ /// Ensures OpenIddict is configured to allow Http requrest, if and only if, the global settings are configured to allow Http.
+ ///
+ ///
+ /// The logic actually allowing http by removing the ValidateTransportSecurityRequirement Descriptor is borrowed from
+ ///
+ private void EnsureHttpsIsNotRequiredWhenConfigAllowHttp(OpenIddictServerOptions options)
+ {
+ if (_globalSettings.Value.UseHttps is false)
+ {
+ OpenIddictServerHandlerDescriptor descriptor = OpenIddictServerAspNetCoreHandlers.ValidateTransportSecurityRequirement.Descriptor;
+
+ for (var index = options.Handlers.Count - 1; index >= 0; index--)
+ {
+ if (options.Handlers[index].ServiceDescriptor.ServiceType == descriptor.ServiceDescriptor.ServiceType)
+ {
+ options.Handlers.RemoveAt(index);
+ }
+ }
+ }
+ }
+}
diff --git a/src/Umbraco.Cms.Api.Common/DependencyInjection/UmbracoBuilderAuthExtensions.cs b/src/Umbraco.Cms.Api.Common/DependencyInjection/UmbracoBuilderAuthExtensions.cs
index 7e730695f3a6..c215eeecf86b 100644
--- a/src/Umbraco.Cms.Api.Common/DependencyInjection/UmbracoBuilderAuthExtensions.cs
+++ b/src/Umbraco.Cms.Api.Common/DependencyInjection/UmbracoBuilderAuthExtensions.cs
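Review bot: Removing the ValidateTransportSecurityRequirement handler leaves no runtime trace that the OpenIddict token endpoint now accepts client credentials and issues tokens over plain HTTP, and because the switch is `GlobalSettings.UseHttps` (which, if I recall Umbraco's defaults correctly, is off unless an operator opts in), a site that is only meant to be reached through a TLS-terminating proxy but is also reachable directly will silently serve secrets in clear text. Consider having EnsureHttpsIsNotRequiredWhenConfigAllowHttp log a warning when it actually removes a descriptor, so the relaxation is visible in startup logs and can be alerted on. OpenIddict also exposes this switch directly: post-configuring `OpenIddictServerAspNetCoreOptions` with `options.DisableTransportSecurityRequirement = true;` makes the same handler skip itself without depending on its internal ServiceType, which is more robust across OpenIddict upgrades than matching `ServiceDescriptor.ServiceType` in the handler list. The summary line also has a typo; suggest `/// Ensures OpenIddict is configured to allow HTTP requests, if and only if, the global settings are configured to allow HTTP.`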
@@ -4,6 +4,7 @@
 using Microsoft.IdentityModel.Tokens;
 using OpenIddict.Server;
 using OpenIddict.Validation;
+using Umbraco.Cms.Api.Common.Configuration;
 using Umbraco.Cms.Api.Common.Security;
 using Umbraco.Cms.Core;
 using Umbraco.Cms.Core.Configuration.Models;
@@ -132,5 +133,6 @@ private static void ConfigureOpenIddict(IUmbracoBuilder builder)
 });
 builder.Services.AddRecurringBackgroundJob();
+ builder.Services.ConfigureOptions();
 }
 }
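Review bot: The `ConfigureOptions<PostConfigureOpenIddict>()` registration in the second hunk is a security-relevant line with nothing next to it saying why it exists; suggest a why-comment above it, `// Drops OpenIddict's HTTPS requirement when GlobalSettings.UseHttps is false (see PostConfigureOpenIddict).` Post-configure callbacks run in registration order, so this line presumably has to stay after the `AddOpenIddict()`/`AddServer()` setup earlier in ConfigureOpenIddict for the handler to already be present when it runs; a short note to that effect would stop a later reordering from silently turning the removal into a no-op. ConfigureOpenIddict starts outside the hunk.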