Authorization Fixed

src/Squidex/Controllers/Api/Apps/AppClientsController.cs

@@ -22,9 +22,10 @@ namespace Squidex.Controllers.Api.Apps
     /// <summary>
     /// Manages and configures apps.
     /// </summary>
-    [MustBeAppOwner]
+    [ApiAuthorize]
     [ApiExceptionFilter]
     [AppApi]
+    [MustBeAppOwner]
     [SwaggerTag(nameof(Apps))]
     public sealed class AppClientsController : ControllerBase
     {

src/Squidex/Controllers/Api/Apps/AppContributorsController.cs

@@ -23,9 +23,10 @@ namespace Squidex.Controllers.Api.Apps
     /// <summary>
     /// Manages and configures apps.
     /// </summary>
-    [MustBeAppOwner]
+    [ApiAuthorize]
     [ApiExceptionFilter]
     [AppApi]
+    [MustBeAppOwner]
     [SwaggerTag(nameof(Apps))]
     public sealed class AppContributorsController : ControllerBase
     {

src/Squidex/Controllers/Api/Apps/AppLanguagesController.cs

@@ -26,6 +26,7 @@ namespace Squidex.Controllers.Api.Apps
     /// <summary>
     /// Manages and configures apps.
     /// </summary>
+    [ApiAuthorize]
     [ApiExceptionFilter]
     [AppApi]
     [SwaggerTag(nameof(Apps))]

src/Squidex/Controllers/Api/Assets/AssetContentController.cs

@@ -23,6 +23,7 @@ namespace Squidex.Controllers.Api.Assets
     /// <summary>
     /// Uploads and retrieves assets.
     /// </summary>
+    [ApiAuthorize]
     [ApiExceptionFilter]
     [AppApi]
     [SwaggerTag(nameof(Assets))]

src/Squidex/Controllers/Api/Assets/AssetsController.cs

@@ -31,6 +31,7 @@ namespace Squidex.Controllers.Api.Assets
     /// <summary>
     /// Uploads and retrieves assets.
     /// </summary>
+    [ApiAuthorize]
     [ApiExceptionFilter]
     [AppApi]
     [SwaggerTag(nameof(Assets))]

src/Squidex/Controllers/Api/EventConsumers/EventConsumersController.cs

@@ -19,8 +19,9 @@ using Squidex.Pipeline;
 
 namespace Squidex.Controllers.Api.EventConsumers
 {
-    [MustBeAdministrator]
+    [ApiAuthorize]
     [ApiExceptionFilter]
+    [MustBeAdministrator]
     [SwaggerIgnore]
     public sealed class EventConsumersController : Controller
     {

src/Squidex/Controllers/Api/History/HistoryController.cs

@@ -21,9 +21,10 @@ namespace Squidex.Controllers.Api.History
     /// <summary>
     /// Readonly API to get an event stream.
     /// </summary>
-    [MustBeAppEditor]
+    [ApiAuthorize]
     [ApiExceptionFilter]
     [AppApi]
+    [MustBeAppEditor]
     [SwaggerTag(nameof(History))]
     public sealed class HistoryController : ControllerBase
     {

src/Squidex/Controllers/Api/Ping/PingController.cs

@@ -15,9 +15,10 @@ namespace Squidex.Controllers.Api.Ping
     /// <summary>
     /// Makes a ping request.
     /// </summary>
-    [MustBeAppReader]
+    [ApiAuthorize]
     [ApiExceptionFilter]
     [AppApi]
+    [MustBeAppReader]
     [SwaggerTag(nameof(Ping))]
     public sealed class PingController : Controller
     {

src/Squidex/Controllers/Api/Plans/AppPlansController.cs

@@ -23,6 +23,7 @@ namespace Squidex.Controllers.Api.Plans
     /// <summary>
     /// Manages and configures plans.
     /// </summary>
+    [ApiAuthorize]
     [ApiExceptionFilter]
     [AppApi]
     [SwaggerTag(nameof(Plans))]

src/Squidex/Controllers/Api/Schemas/SchemaFieldsController.cs

@@ -19,9 +19,10 @@ namespace Squidex.Controllers.Api.Schemas
     /// <summary>
     /// Manages and retrieves information about schemas.
     /// </summary>
-    [MustBeAppDeveloper]
+    [ApiAuthorize]
     [ApiExceptionFilter]
     [AppApi]
+    [MustBeAppDeveloper]
     [SwaggerTag(nameof(Schemas))]
     public sealed class SchemaFieldsController : ControllerBase
     {

src/Squidex/Controllers/Api/Schemas/SchemasController.cs

@@ -27,6 +27,7 @@ namespace Squidex.Controllers.Api.Schemas
     /// <summary>
     /// Manages and retrieves information about schemas.
     /// </summary>
+    [ApiAuthorize]
     [ApiExceptionFilter]
     [AppApi]
     [SwaggerTag(nameof(Schemas))]

src/Squidex/Controllers/Api/Statistics/UsagesController.cs

@@ -23,9 +23,10 @@ namespace Squidex.Controllers.Api.Statistics
     /// <summary>
     /// Retrieves usage information for apps.
     /// </summary>
-    [MustBeAppEditor]
+    [ApiAuthorize]
     [ApiExceptionFilter]
     [AppApi]
+    [MustBeAppEditor]
     [SwaggerTag(nameof(Statistics))]
     public sealed class UsagesController : ControllerBase
     {

src/Squidex/Controllers/Api/Users/UserManagementController.cs

@@ -22,8 +22,9 @@ using Squidex.Shared.Users;
 
 namespace Squidex.Controllers.Api.Users
 {
-    [MustBeAdministrator]
+    [ApiAuthorize]
     [ApiExceptionFilter]
+    [MustBeAdministrator]
     [SwaggerIgnore]
     public sealed class UserManagementController : Controller
     {

src/Squidex/Controllers/Api/Webhooks/WebhooksController.cs

@@ -25,6 +25,7 @@ namespace Squidex.Controllers.Api.Webhooks
     /// <summary>
     /// Manages and retrieves information about schemas.
     /// </summary>
+    [ApiAuthorize]
     [ApiExceptionFilter]
     [AppApi]
     [SwaggerTag(nameof(Webhooks))]

src/Squidex/Controllers/ContentApi/ContentSwaggerController.cs

@@ -16,6 +16,7 @@ using Squidex.Pipeline;
 
 namespace Squidex.Controllers.ContentApi
 {
+    [ApiAuthorize]
     [ApiExceptionFilter]
     [AppApi(false)]
     [SwaggerIgnore]

src/Squidex/Controllers/ContentApi/ContentsController.cs

@@ -25,6 +25,7 @@ using Squidex.Pipeline;
 
 namespace Squidex.Controllers.ContentApi
 {
+    [ApiAuthorize]
     [ApiExceptionFilter]
     [AppApi]
     [SwaggerIgnore]

src/Squidex/Pipeline/AppApiFilter.cs

@@ -10,7 +10,11 @@ using System;
 using System.Linq;
 using System.Security.Claims;
 using System.Threading.Tasks;
+using IdentityServer4.AccessTokenValidation;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Authorization.Infrastructure;
 using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Mvc.Authorization;
 using Microsoft.AspNetCore.Mvc.Filters;
 using Squidex.Domain.Apps.Core.Apps;
 using Squidex.Domain.Apps.Read.Apps;
@@ -21,8 +25,14 @@ using Squidex.Shared.Identity;
 
 namespace Squidex.Pipeline
 {
-    public sealed class AppApiFilter : IAsyncAuthorizationFilter, IFilterContainer
+    public sealed class AppApiFilter : AuthorizeFilter, IFilterContainer
     {
+        private static readonly AuthorizationPolicy DefaultPolicy =
+            new AuthorizationPolicyBuilder()
+                .AddRequirements(new DenyAnonymousAuthorizationRequirement())
+                .AddAuthenticationSchemes(IdentityServerAuthenticationDefaults.AuthenticationScheme)
+                .Build();
+
         private readonly IAppProvider appProvider;
         private readonly IAppPlansProvider appPlanProvider;
         private readonly IUsageTracker usageTracker;
@@ -38,6 +48,7 @@ namespace Squidex.Pipeline
         }
 
         public AppApiFilter(IAppProvider appProvider, IAppPlansProvider appPlanProvider, IUsageTracker usageTracker)
+            : base(DefaultPolicy)
         {
             this.appProvider = appProvider;
             this.appPlanProvider = appPlanProvider;
@@ -45,8 +56,10 @@ namespace Squidex.Pipeline
             this.usageTracker = usageTracker;
         }
 
-        public async Task OnAuthorizationAsync(AuthorizationFilterContext context)
+        public override async Task OnAuthorizationAsync(AuthorizationFilterContext context)
         {
+            await base.OnAuthorizationAsync(context);
+
             var appName = context.RouteData.Values["app"]?.ToString();
 
             if (!string.IsNullOrWhiteSpace(appName))