ghost/core/server/services/auth/session/index.js

const session = require('express-session');
const constants = require('../../../lib/constants');
const config = require('../../../config');
const settingsCache = require('../../settings/cache');
const models = require('../../../models');
const urlUtils = require('../../../lib/url-utils');
const url = require('url');

const SessionService = require('@tryghost/session-service');
const SessionMiddleware = require('./middleware');
const SessionStore = require('./store');

function getOriginOfRequest(req) {
    const origin = req.get('origin');
    const referrer = req.get('referrer');

    if (!origin && !referrer) {
        return null;
    }

    if (origin) {
        return origin;
    }

    const {protocol, host} = url.parse(referrer);
    if (protocol && host) {
        return `${protocol}//${host}`;
    }
    return null;
}

async function getSession(req, res) {
    if (req.session) {
        return req.session;
    }
    return new Promise((resolve, reject) => {
        expressSessionMiddleware(req, res, function (err) {
            if (err) {
                return reject(err);
            }
            resolve(req.session);
        });
    });
}

function findUserById({id}) {
    return models.User.findOne({id});
}

let expressSessionMiddleware;
function initExpressSessionMiddleware() {
    if (!expressSessionMiddleware) {
        expressSessionMiddleware = session({
            store: new SessionStore(models.Session),
            secret: settingsCache.get('session_secret'),
            resave: false,
            saveUninitialized: false,
            name: 'ghost-admin-api-session',
            cookie: {
                maxAge: constants.SIX_MONTH_MS,
                httpOnly: true,
                path: urlUtils.getSubdir() + '/ghost',
                sameSite: 'lax',
                secure: urlUtils.isSSL(config.get('url'))
            }
        });
    }
}

let sessionService;
function initSessionService() {
    if (!sessionService) {
        if (!expressSessionMiddleware) {
            initExpressSessionMiddleware();
        }

        sessionService = SessionService({
            getOriginOfRequest,
            getSession,
            findUserById
        });
    }
}

let sessionMiddleware;
function initSessionMiddleware() {
    if (!sessionMiddleware) {
        if (!sessionService) {
            initSessionService();
        }
        sessionMiddleware = SessionMiddleware({
            sessionService
        });
    }
}

module.exports = {
    get createSession() {
        return this.middleware.createSession;
    },

    get destroySession() {
        return this.middleware.destroySession;
    },

    get authenticate() {
        return this.middleware.authenticate;
    },

    get service() {
        if (!sessionService) {
            initSessionService();
        }
        return sessionService;
    },

    get middleware() {
        if (!sessionMiddleware) {
            initSessionMiddleware();
        }
        return sessionMiddleware;
    }
};
Refactored session service (#11701) * Refactored SessionStore to use @tryghost/errors no-issue * Updated tests to test exposed API no-issue This will make refactoring easier, as we only have the "public" contract to maintain * Refactored session functionality to SessionService no-issue This splits the session logic away from the HTTP responding logic, which will allows us to decouple session creation/modification from the API. Eventually this can be used to create sessions based on magiclink style tokens. * Instantiated and exported the new SessionService no-issue * Refactored session middleware to take session service no-issue This removes duplication of code and makes the middleware more explicit that it's just a wrapper around the session service. * Updated to use external @tryghost/session-service no-issue 2020-04-02 16:27:31 +02:00			`const session = require('express-session');`
			`const constants = require('../../../lib/constants');`
			`const config = require('../../../config');`
			`const settingsCache = require('../../settings/cache');`
			`const models = require('../../../models');`
			`const urlUtils = require('../../../lib/url-utils');`
			`const url = require('url');`

			`const SessionService = require('@tryghost/session-service');`
			`const SessionMiddleware = require('./middleware');`
			`const SessionStore = require('./store');`

			`function getOriginOfRequest(req) {`
			`const origin = req.get('origin');`
			`const referrer = req.get('referrer');`

			`if (!origin && !referrer) {`
			`return null;`
			`}`

			`if (origin) {`
			`return origin;`
			`}`

			`const {protocol, host} = url.parse(referrer);`
			`if (protocol && host) {`
			return `${protocol}//${host}`;
			`}`
			`return null;`
			`}`

			`async function getSession(req, res) {`
			`if (req.session) {`
			`return req.session;`
			`}`
			`return new Promise((resolve, reject) => {`
			`expressSessionMiddleware(req, res, function (err) {`
			`if (err) {`
			`return reject(err);`
			`}`
			`resolve(req.session);`
			`});`
			`});`
			`}`

			`function findUserById({id}) {`
			`return models.User.findOne({id});`
			`}`

			`let expressSessionMiddleware;`
			`function initExpressSessionMiddleware() {`
			`if (!expressSessionMiddleware) {`
			`expressSessionMiddleware = session({`
			`store: new SessionStore(models.Session),`
			`secret: settingsCache.get('session_secret'),`
			`resave: false,`
			`saveUninitialized: false,`
			`name: 'ghost-admin-api-session',`
			`cookie: {`
			`maxAge: constants.SIX_MONTH_MS,`
			`httpOnly: true,`
			`path: urlUtils.getSubdir() + '/ghost',`
			`sameSite: 'lax',`
			`secure: urlUtils.isSSL(config.get('url'))`
			`}`
			`});`
			`}`
			`}`

			`let sessionService;`
			`function initSessionService() {`
			`if (!sessionService) {`
			`if (!expressSessionMiddleware) {`
			`initExpressSessionMiddleware();`
			`}`

			`sessionService = SessionService({`
			`getOriginOfRequest,`
			`getSession,`
			`findUserById`
			`});`
			`}`
			`}`

			`let sessionMiddleware;`
			`function initSessionMiddleware() {`
			`if (!sessionMiddleware) {`
			`if (!sessionService) {`
			`initSessionService();`
			`}`
			`sessionMiddleware = SessionMiddleware({`
			`sessionService`
			`});`
			`}`
			`}`

Session auth service (#9910) refs #9865 * This service handles the session store and exporting middleware to be used for creating and managing sessions * Updates the auth service index.js file in line with how we do things elsewhere * After wrapping the exports in a getter, the usage of rewire had broken the authenticate tests, this commit _removes_ rewire from the tests, calls `init` on the models before the tests (needed because rewire isn't there) and also cleans up the use of var. 2018-10-02 15:35:23 +07:00			`module.exports = {`
			`get createSession() {`
Refactored session service (#11701) * Refactored SessionStore to use @tryghost/errors no-issue * Updated tests to test exposed API no-issue This will make refactoring easier, as we only have the "public" contract to maintain * Refactored session functionality to SessionService no-issue This splits the session logic away from the HTTP responding logic, which will allows us to decouple session creation/modification from the API. Eventually this can be used to create sessions based on magiclink style tokens. * Instantiated and exported the new SessionService no-issue * Refactored session middleware to take session service no-issue This removes duplication of code and makes the middleware more explicit that it's just a wrapper around the session service. * Updated to use external @tryghost/session-service no-issue 2020-04-02 16:27:31 +02:00			`return this.middleware.createSession;`
Session auth service (#9910) refs #9865 * This service handles the session store and exporting middleware to be used for creating and managing sessions * Updates the auth service index.js file in line with how we do things elsewhere * After wrapping the exports in a getter, the usage of rewire had broken the authenticate tests, this commit _removes_ rewire from the tests, calls `init` on the models before the tests (needed because rewire isn't there) and also cleans up the use of var. 2018-10-02 15:35:23 +07:00			`},`
Switched to use new implementation of authorizeAdminApi refs #9865 - see code comments 2019-01-18 17:41:52 +01:00
Session auth service (#9910) refs #9865 * This service handles the session store and exporting middleware to be used for creating and managing sessions * Updates the auth service index.js file in line with how we do things elsewhere * After wrapping the exports in a getter, the usage of rewire had broken the authenticate tests, this commit _removes_ rewire from the tests, calls `init` on the models before the tests (needed because rewire isn't there) and also cleans up the use of var. 2018-10-02 15:35:23 +07:00			`get destroySession() {`
Refactored session service (#11701) * Refactored SessionStore to use @tryghost/errors no-issue * Updated tests to test exposed API no-issue This will make refactoring easier, as we only have the "public" contract to maintain * Refactored session functionality to SessionService no-issue This splits the session logic away from the HTTP responding logic, which will allows us to decouple session creation/modification from the API. Eventually this can be used to create sessions based on magiclink style tokens. * Instantiated and exported the new SessionService no-issue * Refactored session middleware to take session service no-issue This removes duplication of code and makes the middleware more explicit that it's just a wrapper around the session service. * Updated to use external @tryghost/session-service no-issue 2020-04-02 16:27:31 +02:00			`return this.middleware.destroySession;`
Session auth service (#9910) refs #9865 * This service handles the session store and exporting middleware to be used for creating and managing sessions * Updates the auth service index.js file in line with how we do things elsewhere * After wrapping the exports in a getter, the usage of rewire had broken the authenticate tests, this commit _removes_ rewire from the tests, calls `init` on the models before the tests (needed because rewire isn't there) and also cleans up the use of var. 2018-10-02 15:35:23 +07:00			`},`
Switched to use new implementation of authorizeAdminApi refs #9865 - see code comments 2019-01-18 17:41:52 +01:00
Added easy way to enable admin api key authentication refs #9865 - small refactoring to make both session and admin api key handling similar - admin api key authentication is still disabled, but easy to enable - added proof test how to authenticate using admin api keys 2019-01-18 17:03:03 +01:00			`get authenticate() {`
Refactored session service (#11701) * Refactored SessionStore to use @tryghost/errors no-issue * Updated tests to test exposed API no-issue This will make refactoring easier, as we only have the "public" contract to maintain * Refactored session functionality to SessionService no-issue This splits the session logic away from the HTTP responding logic, which will allows us to decouple session creation/modification from the API. Eventually this can be used to create sessions based on magiclink style tokens. * Instantiated and exported the new SessionService no-issue * Refactored session middleware to take session service no-issue This removes duplication of code and makes the middleware more explicit that it's just a wrapper around the session service. * Updated to use external @tryghost/session-service no-issue 2020-04-02 16:27:31 +02:00			`return this.middleware.authenticate;`
			`},`

			`get service() {`
			`if (!sessionService) {`
			`initSessionService();`
			`}`
			`return sessionService;`
			`},`

			`get middleware() {`
			`if (!sessionMiddleware) {`
			`initSessionMiddleware();`
			`}`
			`return sessionMiddleware;`
Session auth service (#9910) refs #9865 * This service handles the session store and exporting middleware to be used for creating and managing sessions * Updates the auth service index.js file in line with how we do things elsewhere * After wrapping the exports in a getter, the usage of rewire had broken the authenticate tests, this commit _removes_ rewire from the tests, calls `init` on the models before the tests (needed because rewire isn't there) and also cleans up the use of var. 2018-10-02 15:35:23 +07:00			`}`
			`};`