Directory.Packages.props

@@ -73,7 +73,7 @@
     <PackageVersion Include="Serilog.Sinks.Async" Version="1.5.0" />
     <PackageVersion Include="Serilog.Sinks.File" Version="5.0.0" />
     <PackageVersion Include="Serilog.Sinks.Map" Version="1.0.2" />
-    <PackageVersion Include="SixLabors.ImageSharp" Version="3.1.6" />
+    <PackageVersion Include="SixLabors.ImageSharp" Version="3.1.7" />
     <PackageVersion Include="SixLabors.ImageSharp.Web" Version="3.1.3" />
     <PackageVersion Include="Swashbuckle.AspNetCore" Version="6.9.0" />
   </ItemGroup>

src/Umbraco.Cms.Api.Management/Controllers/DataType/CopyDataTypeController.cs

@@ -1,4 +1,5 @@
 using Asp.Versioning;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Api.Management.ViewModels.DataType;
@@ -7,10 +8,12 @@
 using Umbraco.Cms.Core.Security;
 using Umbraco.Cms.Core.Services;
 using Umbraco.Cms.Core.Services.OperationStatus;
+using Umbraco.Cms.Web.Common.Authorization;
 
 namespace Umbraco.Cms.Api.Management.Controllers.DataType;
 
 [ApiVersion("1.0")]
+[Authorize(Policy = AuthorizationPolicies.TreeAccessDataTypes)]
 public class CopyDataTypeController : DataTypeControllerBase
 {
     private readonly IDataTypeService _dataTypeService;

src/Umbraco.Cms.Api.Management/Controllers/DataType/CreateDataTypeController.cs

@@ -1,4 +1,5 @@
-using Asp.Versioning;
+using Asp.Versioning;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Api.Management.Factories;
@@ -8,10 +9,12 @@
 using Umbraco.Cms.Core.Security;
 using Umbraco.Cms.Core.Services;
 using Umbraco.Cms.Core.Services.OperationStatus;
+using Umbraco.Cms.Web.Common.Authorization;
 
 namespace Umbraco.Cms.Api.Management.Controllers.DataType;
 
 [ApiVersion("1.0")]
+[Authorize(Policy = AuthorizationPolicies.TreeAccessDataTypes)]
 public class CreateDataTypeController : DataTypeControllerBase
 {
     private readonly IDataTypeService _dataTypeService;

src/Umbraco.Cms.Api.Management/Controllers/DataType/DeleteDataTypeController.cs

@@ -1,15 +1,18 @@
-using Asp.Versioning;
+using Asp.Versioning;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Core;
 using Umbraco.Cms.Core.Models;
 using Umbraco.Cms.Core.Security;
 using Umbraco.Cms.Core.Services;
 using Umbraco.Cms.Core.Services.OperationStatus;
+using Umbraco.Cms.Web.Common.Authorization;
 
 namespace Umbraco.Cms.Api.Management.Controllers.DataType;
 
 [ApiVersion("1.0")]
+[Authorize(Policy = AuthorizationPolicies.TreeAccessDataTypes)]
 public class DeleteDataTypeController : DataTypeControllerBase
 {
     private readonly IDataTypeService _dataTypeService;

src/Umbraco.Cms.Api.Management/Controllers/DataType/MoveDataTypeController.cs

@@ -1,4 +1,5 @@
 using Asp.Versioning;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Api.Management.ViewModels.DataType;
@@ -7,10 +8,12 @@
 using Umbraco.Cms.Core.Security;
 using Umbraco.Cms.Core.Services;
 using Umbraco.Cms.Core.Services.OperationStatus;
+using Umbraco.Cms.Web.Common.Authorization;
 
 namespace Umbraco.Cms.Api.Management.Controllers.DataType;
 
 [ApiVersion("1.0")]
+[Authorize(Policy = AuthorizationPolicies.TreeAccessDataTypes)]
 public class MoveDataTypeController : DataTypeControllerBase
 {
     private readonly IDataTypeService _dataTypeService;

src/Umbraco.Cms.Api.Management/Controllers/DataType/UpdateDataTypeController.cs

@@ -1,4 +1,5 @@
-using Asp.Versioning;
+using Asp.Versioning;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Api.Management.Factories;
@@ -8,10 +9,12 @@
 using Umbraco.Cms.Core.Security;
 using Umbraco.Cms.Core.Services;
 using Umbraco.Cms.Core.Services.OperationStatus;
+using Umbraco.Cms.Web.Common.Authorization;
 
 namespace Umbraco.Cms.Api.Management.Controllers.DataType;
 
 [ApiVersion("1.0")]
+[Authorize(Policy = AuthorizationPolicies.TreeAccessDataTypes)]
 public class UpdateDataTypeController : DataTypeControllerBase
 {
     private readonly IDataTypeService _dataTypeService;

src/Umbraco.Cms.Api.Management/Controllers/DocumentType/ExportDocumentTypeController.cs

@@ -1,14 +1,17 @@
 using Asp.Versioning;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Api.Management.Factories;
 using Umbraco.Cms.Core.Models;
 using Umbraco.Cms.Core.Services;
 using Umbraco.Cms.Core.Services.OperationStatus;
+using Umbraco.Cms.Web.Common.Authorization;
 
 namespace Umbraco.Cms.Api.Management.Controllers.DocumentType;
 
 [ApiVersion("1.0")]
+[Authorize(Policy = AuthorizationPolicies.TreeAccessDocumentTypes)]
 public class ExportDocumentTypeController : DocumentTypeControllerBase
 {
     private readonly IContentTypeService _contentTypeService;

src/Umbraco.Cms.Api.Management/Controllers/DocumentType/ImportExistingDocumentTypeController.cs

@@ -1,17 +1,19 @@
 using Asp.Versioning;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Api.Management.ViewModels.DocumentType;
 using Umbraco.Cms.Core;
 using Umbraco.Cms.Core.Models;
-using Umbraco.Cms.Core.Models.Membership;
 using Umbraco.Cms.Core.Security;
 using Umbraco.Cms.Core.Services.ImportExport;
 using Umbraco.Cms.Core.Services.OperationStatus;
+using Umbraco.Cms.Web.Common.Authorization;
 
 namespace Umbraco.Cms.Api.Management.Controllers.DocumentType;
 
 [ApiVersion("1.0")]
+[Authorize(Policy = AuthorizationPolicies.TreeAccessDocumentTypes)]
 public class ImportExistingDocumentTypeController : DocumentTypeControllerBase
 {
     private readonly IBackOfficeSecurityAccessor _backOfficeSecurityAccessor;

src/Umbraco.Cms.Api.Management/Controllers/DocumentType/ImportNewDocumentTypeController.cs

@@ -1,17 +1,19 @@
 using Asp.Versioning;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Api.Management.ViewModels.DocumentType;
 using Umbraco.Cms.Core;
 using Umbraco.Cms.Core.Models;
-using Umbraco.Cms.Core.Models.Membership;
 using Umbraco.Cms.Core.Security;
 using Umbraco.Cms.Core.Services.ImportExport;
 using Umbraco.Cms.Core.Services.OperationStatus;
+using Umbraco.Cms.Web.Common.Authorization;
 
 namespace Umbraco.Cms.Api.Management.Controllers.DocumentType;
 
 [ApiVersion("1.0")]
+[Authorize(Policy = AuthorizationPolicies.TreeAccessDocumentTypes)]
 public class ImportNewDocumentTypeController : DocumentTypeControllerBase
 {
     private readonly IBackOfficeSecurityAccessor _backOfficeSecurityAccessor;

src/Umbraco.Cms.Api.Management/Controllers/MediaType/ExportMediaTypeController.cs

@@ -1,14 +1,17 @@
 using Asp.Versioning;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Api.Management.Factories;
 using Umbraco.Cms.Core.Models;
 using Umbraco.Cms.Core.Services;
 using Umbraco.Cms.Core.Services.OperationStatus;
+using Umbraco.Cms.Web.Common.Authorization;
 
 namespace Umbraco.Cms.Api.Management.Controllers.MediaType;
 
 [ApiVersion("1.0")]
+[Authorize(Policy = AuthorizationPolicies.TreeAccessMediaTypes)]
 public class ExportMediaTypeController : MediaTypeControllerBase
 {
     private readonly IMediaTypeService _mediaTypeService;

src/Umbraco.Cms.Api.Management/Controllers/MediaType/ImportExistingMediaTypeController.cs

@@ -1,17 +1,19 @@
 using Asp.Versioning;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Api.Management.ViewModels.MediaType;
 using Umbraco.Cms.Core;
 using Umbraco.Cms.Core.Models;
-using Umbraco.Cms.Core.Models.Membership;
 using Umbraco.Cms.Core.Security;
 using Umbraco.Cms.Core.Services.ImportExport;
 using Umbraco.Cms.Core.Services.OperationStatus;
+using Umbraco.Cms.Web.Common.Authorization;
 
 namespace Umbraco.Cms.Api.Management.Controllers.MediaType;
 
 [ApiVersion("1.0")]
+[Authorize(Policy = AuthorizationPolicies.TreeAccessMediaTypes)]
 public class ImportExistingMediaTypeController : MediaTypeControllerBase
 {
     private readonly IBackOfficeSecurityAccessor _backOfficeSecurityAccessor;

src/Umbraco.Cms.Api.Management/Controllers/MediaType/ImportNewMediaTypeController.cs

@@ -1,18 +1,19 @@
 using Asp.Versioning;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
-using Umbraco.Cms.Api.Management.Controllers.DocumentType;
 using Umbraco.Cms.Api.Management.ViewModels.MediaType;
 using Umbraco.Cms.Core;
 using Umbraco.Cms.Core.Models;
-using Umbraco.Cms.Core.Models.Membership;
 using Umbraco.Cms.Core.Security;
 using Umbraco.Cms.Core.Services.ImportExport;
 using Umbraco.Cms.Core.Services.OperationStatus;
+using Umbraco.Cms.Web.Common.Authorization;
 
 namespace Umbraco.Cms.Api.Management.Controllers.MediaType;
 
 [ApiVersion("1.0")]
+[Authorize(Policy = AuthorizationPolicies.TreeAccessMediaTypes)]
 public class ImportNewMediaTypeController : MediaTypeControllerBase
 {
     private readonly IBackOfficeSecurityAccessor _backOfficeSecurityAccessor;

src/Umbraco.Cms.Api.Management/Controllers/MediaType/MediaTypeControllerBase.cs

@@ -1,9 +1,8 @@
-using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Api.Management.Controllers.DocumentType;
 using Umbraco.Cms.Api.Management.Routing;
-using Umbraco.Cms.Api.Management.ViewModels.MediaType;
 using Umbraco.Cms.Core;
 using Umbraco.Cms.Core.Services.OperationStatus;
 using Umbraco.Cms.Web.Common.Authorization;

src/Umbraco.Cms.Api.Management/Controllers/Security/BackOfficeController.cs

@@ -34,6 +34,8 @@ namespace Umbraco.Cms.Api.Management.Controllers.Security;
 [ApiExplorerSettings(IgnoreApi = true)]
 public class BackOfficeController : SecurityControllerBase
 {
+    private static long? _loginDurationAverage;
+
     private readonly IHttpContextAccessor _httpContextAccessor;
     private readonly IBackOfficeSignInManager _backOfficeSignInManager;
     private readonly IBackOfficeUserManager _backOfficeUserManager;
@@ -72,45 +74,65 @@ public BackOfficeController(
     [Authorize(Policy = AuthorizationPolicies.DenyLocalLoginIfConfigured)]
     public async Task<IActionResult> Login(CancellationToken cancellationToken, LoginRequestModel model)
     {
-        IdentitySignInResult result = await _backOfficeSignInManager.PasswordSignInAsync(
-            model.Username, model.Password, true, true);
+        // Start a timed scope to ensure failed responses return is a consistent time
+        var loginDuration = Math.Max(_loginDurationAverage ?? _securitySettings.Value.UserDefaultFailedLoginDurationInMilliseconds, _securitySettings.Value.UserMinimumFailedLoginDurationInMilliseconds);
+        await using var timedScope = new TimedScope(loginDuration, cancellationToken);
 
-        if (result.IsNotAllowed)
+        IdentitySignInResult result = await _backOfficeSignInManager.PasswordSignInAsync(model.Username, model.Password, true, true);
+        if (result.Succeeded is false)
         {
-            return StatusCode(StatusCodes.Status403Forbidden, new ProblemDetailsBuilder()
-                .WithTitle("User is not allowed")
-                .WithDetail("The operation is not allowed on the user")
-                .Build());
-        }
+            // TODO: The result should include the user and whether the credentials were valid to avoid these additional checks
+            BackOfficeIdentityUser? user = await _backOfficeUserManager.FindByNameAsync(model.Username.Trim()); // Align with UmbracoSignInManager and trim username!
+            if (user is not null &&
+                await _backOfficeUserManager.CheckPasswordAsync(user, model.Password))
+            {
+                // The credentials were correct, so cancel timed scope and provide a more detailed failure response
+                await timedScope.CancelAsync();
+
+                if (result.IsNotAllowed)
+                {
+                    return StatusCode(StatusCodes.Status403Forbidden, new ProblemDetailsBuilder()
+                        .WithTitle("User is not allowed")
+                        .WithDetail("The operation is not allowed on the user")
+                        .Build());
+                }
+
+                if (result.IsLockedOut)
+                {
+                    return StatusCode(StatusCodes.Status403Forbidden, new ProblemDetailsBuilder()
+                        .WithTitle("User is locked")
+                        .WithDetail("The user is locked, and need to be unlocked before more login attempts can be executed.")
+                        .Build());
+                }
+
+                if (result.RequiresTwoFactor)
+                {
+                    string? twofactorView = _backOfficeTwoFactorOptions.GetTwoFactorView(model.Username);
+                    IEnumerable<string> enabledProviders = (await _userTwoFactorLoginService.GetProviderNamesAsync(user.Key)).Result.Where(x => x.IsEnabledOnUser).Select(x => x.ProviderName);
+
+                    return StatusCode(StatusCodes.Status402PaymentRequired, new RequiresTwoFactorResponseModel()
+                    {
+                        TwoFactorLoginView = twofactorView,
+                        EnabledTwoFactorProviderNames = enabledProviders
+                    });
+                }
+            }
 
-        if (result.IsLockedOut)
-        {
-            return StatusCode(StatusCodes.Status403Forbidden, new ProblemDetailsBuilder()
-                .WithTitle("User is locked")
-                .WithDetail("The user is locked, and need to be unlocked before more login attempts can be executed.")
+            return StatusCode(StatusCodes.Status401Unauthorized, new ProblemDetailsBuilder()
+                .WithTitle("Invalid credentials")
+                .WithDetail("The provided credentials are invalid. User has not been signed in.")
                 .Build());
         }
 
-        if(result.RequiresTwoFactor)
-        {
-            string? twofactorView = _backOfficeTwoFactorOptions.GetTwoFactorView(model.Username);
-            BackOfficeIdentityUser? attemptingUser = await _backOfficeUserManager.FindByNameAsync(model.Username);
-            IEnumerable<string> enabledProviders = (await _userTwoFactorLoginService.GetProviderNamesAsync(attemptingUser!.Key)).Result.Where(x=>x.IsEnabledOnUser).Select(x=>x.ProviderName);
-            return StatusCode(StatusCodes.Status402PaymentRequired, new RequiresTwoFactorResponseModel()
-            {
-                TwoFactorLoginView = twofactorView,
-                EnabledTwoFactorProviderNames = enabledProviders
-            });
-        }
+        // Set initial or update average (successful) login duration
+        _loginDurationAverage = _loginDurationAverage is long average
+            ? (average + (long)timedScope.Elapsed.TotalMilliseconds) / 2
+            : (long)timedScope.Elapsed.TotalMilliseconds;
 
-        if (result.Succeeded)
-        {
-            return Ok();
-        }
-        return StatusCode(StatusCodes.Status401Unauthorized, new ProblemDetailsBuilder()
-            .WithTitle("Invalid credentials")
-            .WithDetail("The provided credentials are invalid. User has not been signed in.")
-            .Build());
+        // Cancel the timed scope (we don't want to unnecessarily wait on a successful response)
+        await timedScope.CancelAsync();
+
+        return Ok();
     }
 
     [AllowAnonymous]

src/Umbraco.Cms.Imaging.ImageSharp2/Umbraco.Cms.Imaging.ImageSharp2.csproj

@@ -4,7 +4,7 @@
     <Description>Adds imaging support using ImageSharp/ImageSharp.Web version 2 to Umbraco CMS.</Description>
   </PropertyGroup>
   <ItemGroup>
-    <PackageReference Include="SixLabors.ImageSharp" VersionOverride="[2.1.9, 3)" />
+    <PackageReference Include="SixLabors.ImageSharp" VersionOverride="[2.1.10, 3)" />
     <PackageReference Include="SixLabors.ImageSharp.Web" VersionOverride="[2.0.2, 3)" />
   </ItemGroup>