ghost/core/server/api/canary/session.js

const Promise = require('bluebird');
const tpl = require('@tryghost/tpl');
const errors = require('@tryghost/errors');
const models = require('../../models');
const auth = require('../../services/auth');
const api = require('./index');

const messages = {
    accessDenied: 'Access Denied.'
};

const session = {
    read(frame) {
        /*
         * TODO
         * Don't query db for user, when new api http wrapper is in we can
         * have direct access to req.user, we can also get access to some session
         * inofrmation too and send it back
         */
        return models.User.findOne({id: frame.options.context.user});
    },
    add(frame) {
        const object = frame.data;

        if (!object || !object.username || !object.password) {
            return Promise.reject(new errors.UnauthorizedError({
                message: tpl(messages.accessDenied)
            }));
        }

        return models.User.check({
            email: object.username,
            password: object.password
        }).then((user) => {
            return Promise.resolve((req, res, next) => {
                req.brute.reset(function (err) {
                    if (err) {
                        return next(err);
                    }
                    req.user = user;
                    auth.session.createSession(req, res, next);
                });
            });
        }).catch(async (err) => {
            if (!errors.utils.isGhostError(err)) {
                throw new errors.UnauthorizedError({
                    message: tpl(messages.accessDenied),
                    err
                });
            }

            if (err.errorType === 'PasswordResetRequiredError') {
                await api.authentication.generateResetToken({
                    passwordreset: [{
                        email: object.username
                    }]
                }, frame.options.context);
            }

            throw err;
        });
    },
    delete() {
        return Promise.resolve((req, res, next) => {
            auth.session.destroySession(req, res, next);
        });
    }
};

module.exports = session;
💡 Added canary api endpoint no issue Adds new canary api endpoint, currently replicating v2 endpoint but paving way for future updates to new version 2019-08-09 09:11:24 -05:00			`const Promise = require('bluebird');`
Replaced i18n with tpl core/server/api/canary/session.js (#13487) refs: #13380 - The i18n package is deprecated. It is being replaced with the tpl package. 2021-10-08 09:11:26 -05:00			`const tpl = require('@tryghost/tpl');`
Refactored `common` lib import to use destructuring (#11835) * refactored `core/frontend/apps` to destructure common imports * refactored `core/frontend/services/{apps, redirects, routing}` to destructure common imports * refactored `core/frontend/services/settings` to destructure common imports * refactored remaining `core/frontend/services` to destructure common imports * refactored `core/server/adapters` to destructure common imports * refactored `core/server/data/{db, exporter, schema, validation}` to destructure common imports * refactored `core/server/data/importer` to destructure common imports * refactored `core/server/models/{base, plugins, relations}` to destructure common imports * refactored remaining `core/server/models` to destructure common imports * refactored `core/server/api/canary/utils/serializers/output` to destructure common imports * refactored remaining `core/server/api/canary/utils` to destructure common imports * refactored remaining `core/server/api/canary` to destructure common imports * refactored `core/server/api/shared` to destructure common imports * refactored `core/server/api/v2/utils` to destructure common imports * refactored remaining `core/server/api/v2` to destructure common imports * refactored `core/frontend/meta` to destructure common imports * fixed some tests referencing `common.errors` instead of `@tryghost/errors` - Not all of them need to be updated; only updating the ones that are causing failures * fixed errors import being shadowed by local scope 2020-05-22 13:22:20 -05:00			`const errors = require('@tryghost/errors');`
💡 Added canary api endpoint no issue Adds new canary api endpoint, currently replicating v2 endpoint but paving way for future updates to new version 2019-08-09 09:11:24 -05:00			`const models = require('../../models');`
			`const auth = require('../../services/auth');`
Improved password reset and session invalidation for "locked" users (#11790) - Fixed session invalidation for "locked" user - Currently Ghost API was returning 404 for users having status set to "locked". This lead the user to be stuck in Ghost-Admin with "Rousource Not Found" error message. - By returning 401 for non-"active" users it allows for the Ghost-Admin to redirect the user to "signin" screen where they would be instructed to reset their password - Fixed error message returned by session API - Instead of returning generic 'access' denied message when error happens during `User.check` we want to return more specific error thrown inside of the method, e.g.: 'accountLocked' or 'accountSuspended' - Fixed messaging for 'accountLocked' i18n, which not corresponds to the actual UI available to the end user - Added automatic password reset email to locked users on sign-in - uses alternative email for required password reset so it's clear that this is a security related reset and not a user-requested reset - Backported the auto sending of required password reset email to v2 sign-in route - used by 3rd party clients where the email is necessary for users to know why login is failing Co-authored-by: Kevin Ansfield <kevin@lookingsideways.co.uk> 2020-05-05 13:37:53 -05:00			`const api = require('./index');`
💡 Added canary api endpoint no issue Adds new canary api endpoint, currently replicating v2 endpoint but paving way for future updates to new version 2019-08-09 09:11:24 -05:00
Replaced i18n with tpl core/server/api/canary/session.js (#13487) refs: #13380 - The i18n package is deprecated. It is being replaced with the tpl package. 2021-10-08 09:11:26 -05:00			`const messages = {`
			`accessDenied: 'Access Denied.'`
			`};`

💡 Added canary api endpoint no issue Adds new canary api endpoint, currently replicating v2 endpoint but paving way for future updates to new version 2019-08-09 09:11:24 -05:00			`const session = {`
💡Migrated session controllers for compatibility with "frame" (#11101) no issue - Session controllers were using API v1 http method which bypassed "frame" introduced with API v2. - Changes here are just a long-awaited cleanup to allow completely remove v0.1 code 2019-09-11 04:28:55 -05:00			`read(frame) {`
💡 Added canary api endpoint no issue Adds new canary api endpoint, currently replicating v2 endpoint but paving way for future updates to new version 2019-08-09 09:11:24 -05:00			`/*`
			`* TODO`
			`* Don't query db for user, when new api http wrapper is in we can`
			`* have direct access to req.user, we can also get access to some session`
			`* inofrmation too and send it back`
			`*/`
💡Migrated session controllers for compatibility with "frame" (#11101) no issue - Session controllers were using API v1 http method which bypassed "frame" introduced with API v2. - Changes here are just a long-awaited cleanup to allow completely remove v0.1 code 2019-09-11 04:28:55 -05:00			`return models.User.findOne({id: frame.options.context.user});`
💡 Added canary api endpoint no issue Adds new canary api endpoint, currently replicating v2 endpoint but paving way for future updates to new version 2019-08-09 09:11:24 -05:00			`},`
💡Migrated session controllers for compatibility with "frame" (#11101) no issue - Session controllers were using API v1 http method which bypassed "frame" introduced with API v2. - Changes here are just a long-awaited cleanup to allow completely remove v0.1 code 2019-09-11 04:28:55 -05:00			`add(frame) {`
			`const object = frame.data;`

💡 Added canary api endpoint no issue Adds new canary api endpoint, currently replicating v2 endpoint but paving way for future updates to new version 2019-08-09 09:11:24 -05:00			`if (!object \|\| !object.username \|\| !object.password) {`
Refactored `common` lib import to use destructuring (#11835) * refactored `core/frontend/apps` to destructure common imports * refactored `core/frontend/services/{apps, redirects, routing}` to destructure common imports * refactored `core/frontend/services/settings` to destructure common imports * refactored remaining `core/frontend/services` to destructure common imports * refactored `core/server/adapters` to destructure common imports * refactored `core/server/data/{db, exporter, schema, validation}` to destructure common imports * refactored `core/server/data/importer` to destructure common imports * refactored `core/server/models/{base, plugins, relations}` to destructure common imports * refactored remaining `core/server/models` to destructure common imports * refactored `core/server/api/canary/utils/serializers/output` to destructure common imports * refactored remaining `core/server/api/canary/utils` to destructure common imports * refactored remaining `core/server/api/canary` to destructure common imports * refactored `core/server/api/shared` to destructure common imports * refactored `core/server/api/v2/utils` to destructure common imports * refactored remaining `core/server/api/v2` to destructure common imports * refactored `core/frontend/meta` to destructure common imports * fixed some tests referencing `common.errors` instead of `@tryghost/errors` - Not all of them need to be updated; only updating the ones that are causing failures * fixed errors import being shadowed by local scope 2020-05-22 13:22:20 -05:00			`return Promise.reject(new errors.UnauthorizedError({`
Replaced i18n with tpl core/server/api/canary/session.js (#13487) refs: #13380 - The i18n package is deprecated. It is being replaced with the tpl package. 2021-10-08 09:11:26 -05:00			`message: tpl(messages.accessDenied)`
💡 Added canary api endpoint no issue Adds new canary api endpoint, currently replicating v2 endpoint but paving way for future updates to new version 2019-08-09 09:11:24 -05:00			`}));`
			`}`

			`return models.User.check({`
			`email: object.username,`
			`password: object.password`
			`}).then((user) => {`
			`return Promise.resolve((req, res, next) => {`
			`req.brute.reset(function (err) {`
			`if (err) {`
			`return next(err);`
			`}`
			`req.user = user;`
			`auth.session.createSession(req, res, next);`
			`});`
			`});`
Improved password reset and session invalidation for "locked" users (#11790) - Fixed session invalidation for "locked" user - Currently Ghost API was returning 404 for users having status set to "locked". This lead the user to be stuck in Ghost-Admin with "Rousource Not Found" error message. - By returning 401 for non-"active" users it allows for the Ghost-Admin to redirect the user to "signin" screen where they would be instructed to reset their password - Fixed error message returned by session API - Instead of returning generic 'access' denied message when error happens during `User.check` we want to return more specific error thrown inside of the method, e.g.: 'accountLocked' or 'accountSuspended' - Fixed messaging for 'accountLocked' i18n, which not corresponds to the actual UI available to the end user - Added automatic password reset email to locked users on sign-in - uses alternative email for required password reset so it's clear that this is a security related reset and not a user-requested reset - Backported the auto sending of required password reset email to v2 sign-in route - used by 3rd party clients where the email is necessary for users to know why login is failing Co-authored-by: Kevin Ansfield <kevin@lookingsideways.co.uk> 2020-05-05 13:37:53 -05:00			`}).catch(async (err) => {`
Switch to @tryghost/errors from ignition errors package (#13807) refs: TryGhost/Toolbox#147 * Replaces all references to isIgnitionError with isGhostError * Switches use of GhostError to InternalServerError - as GhostError is no longer public There are places where InternalServerError is not the valid error, and new errors should be added to the @tryghost/errors package to ensure that we can use semantically correct errors in those cases. 2021-12-01 05:22:01 -05:00			`if (!errors.utils.isGhostError(err)) {`
Refactored `common` lib import to use destructuring (#11835) * refactored `core/frontend/apps` to destructure common imports * refactored `core/frontend/services/{apps, redirects, routing}` to destructure common imports * refactored `core/frontend/services/settings` to destructure common imports * refactored remaining `core/frontend/services` to destructure common imports * refactored `core/server/adapters` to destructure common imports * refactored `core/server/data/{db, exporter, schema, validation}` to destructure common imports * refactored `core/server/data/importer` to destructure common imports * refactored `core/server/models/{base, plugins, relations}` to destructure common imports * refactored remaining `core/server/models` to destructure common imports * refactored `core/server/api/canary/utils/serializers/output` to destructure common imports * refactored remaining `core/server/api/canary/utils` to destructure common imports * refactored remaining `core/server/api/canary` to destructure common imports * refactored `core/server/api/shared` to destructure common imports * refactored `core/server/api/v2/utils` to destructure common imports * refactored remaining `core/server/api/v2` to destructure common imports * refactored `core/frontend/meta` to destructure common imports * fixed some tests referencing `common.errors` instead of `@tryghost/errors` - Not all of them need to be updated; only updating the ones that are causing failures * fixed errors import being shadowed by local scope 2020-05-22 13:22:20 -05:00			`throw new errors.UnauthorizedError({`
Replaced i18n with tpl core/server/api/canary/session.js (#13487) refs: #13380 - The i18n package is deprecated. It is being replaced with the tpl package. 2021-10-08 09:11:26 -05:00			`message: tpl(messages.accessDenied),`
Improved password reset and session invalidation for "locked" users (#11790) - Fixed session invalidation for "locked" user - Currently Ghost API was returning 404 for users having status set to "locked". This lead the user to be stuck in Ghost-Admin with "Rousource Not Found" error message. - By returning 401 for non-"active" users it allows for the Ghost-Admin to redirect the user to "signin" screen where they would be instructed to reset their password - Fixed error message returned by session API - Instead of returning generic 'access' denied message when error happens during `User.check` we want to return more specific error thrown inside of the method, e.g.: 'accountLocked' or 'accountSuspended' - Fixed messaging for 'accountLocked' i18n, which not corresponds to the actual UI available to the end user - Added automatic password reset email to locked users on sign-in - uses alternative email for required password reset so it's clear that this is a security related reset and not a user-requested reset - Backported the auto sending of required password reset email to v2 sign-in route - used by 3rd party clients where the email is necessary for users to know why login is failing Co-authored-by: Kevin Ansfield <kevin@lookingsideways.co.uk> 2020-05-05 13:37:53 -05:00			`err`
			`});`
			`}`

			`if (err.errorType === 'PasswordResetRequiredError') {`
			`await api.authentication.generateResetToken({`
			`passwordreset: [{`
			`email: object.username`
Removed separate reset/forced-reset emails and updated email copy refs https://github.com/TryGhost/Ghost/pull/11790 - reduced complexity by sticking to one email for both normal reset and forced reset (locked staff accounts) - exposed `siteTitle` for use in any email templates - updated email copy to be suitable for both types of password reset 2020-05-06 07:19:47 -05:00			`}]`
Improved password reset and session invalidation for "locked" users (#11790) - Fixed session invalidation for "locked" user - Currently Ghost API was returning 404 for users having status set to "locked". This lead the user to be stuck in Ghost-Admin with "Rousource Not Found" error message. - By returning 401 for non-"active" users it allows for the Ghost-Admin to redirect the user to "signin" screen where they would be instructed to reset their password - Fixed error message returned by session API - Instead of returning generic 'access' denied message when error happens during `User.check` we want to return more specific error thrown inside of the method, e.g.: 'accountLocked' or 'accountSuspended' - Fixed messaging for 'accountLocked' i18n, which not corresponds to the actual UI available to the end user - Added automatic password reset email to locked users on sign-in - uses alternative email for required password reset so it's clear that this is a security related reset and not a user-requested reset - Backported the auto sending of required password reset email to v2 sign-in route - used by 3rd party clients where the email is necessary for users to know why login is failing Co-authored-by: Kevin Ansfield <kevin@lookingsideways.co.uk> 2020-05-05 13:37:53 -05:00			`}, frame.options.context);`
			`}`

			`throw err;`
💡 Added canary api endpoint no issue Adds new canary api endpoint, currently replicating v2 endpoint but paving way for future updates to new version 2019-08-09 09:11:24 -05:00			`});`
			`},`
			`delete() {`
			`return Promise.resolve((req, res, next) => {`
			`auth.session.destroySession(req, res, next);`
			`});`
			`}`
			`};`

			`module.exports = session;`