Calling controller action results in session timeout

DemeSzabolcs · August 15, 2025, 4:01pm

Hello!

In my custom package, I’m trying to call a controller action in my custom section. This is heavily WIP.

Here is my controller; the API shows up in Swagger. The controller’s content doesn’t really matter; I just want to make it callable:

using Microsoft.AspNetCore.Mvc;
using Umbraco.Cms.Api.Management.Controllers;
using Umbraco.Cms.Core.Services;
using Umbraco.Cms.Web.Common.Routing;

namespace Umbraco.ContentInsights.Controllers;

[BackOfficeRoute("content-insights")]
[ApiExplorerSettings(GroupName = "Content Insights API")]
public class ContentInsightsController : ManagementApiControllerBase
{
    private readonly IContentTypeService _contentTypeService;

    public ContentInsightsController(IContentTypeService contentTypeService) =>
        _contentTypeService = contentTypeService;

    [HttpGet("get-content-types")]
    public IActionResult GetContentTypes()
    {
        var types = _contentTypeService.GetAll()
            .Select(ct => new
            {
                ct.Alias,
                ct.Name
            });

        return Ok(types);
    }
}

And I have a .ts file that is displayed when I click on my custom section.

Here is the code where I would call the controller (from the .ts file):

        const response = await tryExecute(this, umbHttpClient.get<ContentType[]>({
            url: '/umbraco/content-insights/get-content-types',
        }));

        const contentTypes = (response as { data: ContentType[] }).data;

The problem is, when this .ts file loads, I immediately get redirected to the sign-in page: “Your session has timed out. Please sign in again below.”. If I sign in, then after 1 second, I get redirected again, and so on.

I also tried just using “fetch”, but then I got a 401 Unauthorized error.

What I want to achieve is that the backoffice login should be sufficient to be authorized to this API.

What should I do in my .ts file to call my controller without any issues?

DemeSzabolcs · August 16, 2025, 9:13pm

Also when I call the controller I’m doing it from an async firstUpdated() function inside my ts file.

DemeSzabolcs · August 17, 2025, 5:25pm

A small update: adding [AllowAnonymous]to the controller works, but obviously that is not a good solution.

MattW · August 18, 2025, 7:01am

Hey have you tried adding a entry point for your client?

github.com/Matthew-Wise/Umbraco-CSP-manager

src/Umbraco.Community.CSPManager/Client/src/entrypoints/entrypoint.ts

main

import { type UmbEntryPointOnInit, type UmbEntryPointOnUnload } from '@umbraco-cms/backoffice/extension-api';
import { UMB_AUTH_CONTEXT } from '@umbraco-cms/backoffice/auth';
import { client } from '../api';

// load up the manifests here
export const onInit: UmbEntryPointOnInit = (_host, _extensionRegistry) => {
  // Will use only to add in Open API config with generated TS OpenAPI HTTPS Client
  // Do the OAuth token handshake stuff
  _host.consumeContext(UMB_AUTH_CONTEXT, async (authContext) => {
    if (!authContext) {
      return;
    }

    // Get the token info from Umbraco
    const config = authContext.getOpenApiConfiguration();

    client.setConfig({
      baseUrl: config.base,
      credentials: config.credentials
    });

This file has been truncated. show original

Hope this helps
Matt

MattW · August 18, 2025, 7:09am

Will set up an entry client and an example API controller

DemeSzabolcs · August 18, 2025, 11:11am

No. I will try that, thank you!

DemeSzabolcs · August 19, 2025, 2:03am

Thank you very much, it worked!

I did some digging, and I refactored my code, so I moved the sections and sectionView (and the newly added entry point) from the umbraco.package.json to proper mainfest.ts files and bundled them, only adding the bundle to the umbraco.package.json.

After that, my problem was that I started digging into the template’s generated API folder, and I mixed the generated API client with my umbHttpClient, so it didn’t work. But then I realized this and deleted the generated API client and just used umbHttpClient, and I used it in the entrypoint too.

And at the end, this piece of your code fixed the problem:

    // For every request being made, add the token to the headers
    // Can't use the setConfig approach above as its set only once and
    // tokens expire and get refreshed
    client.interceptors.request.use(async (request, _options) => {
      const token = await config.token();
      request.headers.set('Authorization', `Bearer ${token}`);
      return request;
    });

system · September 18, 2025, 2:04am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.