I am using Umbraco 13 to feed data to an application via an API. I am using the preview functionality on nodes to allow editors to see how the content will look on the application side.
However, this is allowing public viewing on the Umbraco public website. Is there a way to lock this down so no one is able to view it publicly?
Or even better, make it so you must be logged into the backend to view the website?
I don’t think we actually check if the user is currently logged into the backoffice. But a user needs to be logged into the backoffice to click on the preview button and then the JWT token gets generated, which includes the user name. We do check if the user exists when validating the token. And because of the timeout, it cannot be reused indefinitely.
Is it perfect? Probably not, but it’s not as if preview content is a secret in most cases. And it’s better than not doing anything.
The code is a bit long to just post here and I don’t have the time right now to filter it down.
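
The scheme described in the reply above (a token minted when a backoffice user clicks preview, carrying the user name and an expiry, with the user checked again on validation), as an added example that is not the poster's code. The claim names, the signing key and the `userExists` delegate are assumptions; the delegate stands in for a lookup against the backoffice user store.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

public static class PreviewToken
{
    static string B64(byte[] b) => Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    static byte[] UnB64(string s)
    {
        s = s.Replace('-', '+').Replace('_', '/');
        return Convert.FromBase64String(s.PadRight(s.Length + (4 - s.Length % 4) % 4, '='));
    }
    static byte[] Sign(string data, byte[] key) => HMACSHA256.HashData(key, Encoding.ASCII.GetBytes(data));

    // Issued server-side, only from the handler behind the backoffice preview button.
    public static string Issue(string userName, TimeSpan lifetime, byte[] key)
    {
        string header = B64(Encoding.UTF8.GetBytes("{\"alg\":\"HS256\",\"typ\":\"JWT\"}"));
        long exp = DateTimeOffset.UtcNow.Add(lifetime).ToUnixTimeSeconds();
        string payload = B64(JsonSerializer.SerializeToUtf8Bytes(new { sub = userName, exp }));
        return $"{header}.{payload}.{B64(Sign($"{header}.{payload}", key))}";
    }

    // Rejects on bad signature, expiry, or unknown user. The header's alg is never trusted:
    // HS256 is always recomputed with the server key and compared in constant time.
    public static bool Validate(string token, byte[] key, Func<string, bool> userExists)
    {
        try
        {
            string[] p = token.Split('.');
            if (p.Length != 3) return false;
            if (!CryptographicOperations.FixedTimeEquals(UnB64(p[2]), Sign($"{p[0]}.{p[1]}", key))) return false;
            using JsonDocument doc = JsonDocument.Parse(UnB64(p[1]));
            long exp = doc.RootElement.GetProperty("exp").GetInt64();
            var user = doc.RootElement.GetProperty("sub").GetString();
            return DateTimeOffset.UtcNow.ToUnixTimeSeconds() < exp && user != null && userExists(user);
        }
        catch (Exception e) when (e is FormatException or JsonException or KeyNotFoundException or InvalidOperationException)
        { return false; } // malformed token: treat as unauthenticated
    }

    public static void Main()
    {
        byte[] key = RandomNumberGenerator.GetBytes(32);             // constructed demo key
        Func<string, bool> known = u => u == "editor@example.test";  // constructed user list
        foreach (var (user, mins) in new[] { ("editor@example.test", 5), ("editor@example.test", -1), ("removed@example.test", 5) })
            Console.WriteLine($"{user} {mins}min -> {Validate(Issue(user, TimeSpan.FromMinutes(mins), key), key, known)}");
    }
}
```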