ghost/core/server/services/auth/authorize.js

const labs = require('../labs');
const common = require('../../lib/common');

const authorize = {
    // Workaround for missing permissions
    // TODO: rework when https://github.com/TryGhost/Ghost/issues/3911 is  done
    requiresAuthorizedUser: function requiresAuthorizedUser(req, res, next) {
        if (req.user && req.user.id) {
            return next();
        } else {
            return next(new common.errors.NoPermissionError({
                message: common.i18n.t('errors.middleware.auth.pleaseSignIn')
            }));
        }
    },

    // ### Require user depending on public API being activated.
    requiresAuthorizedUserPublicAPI: function requiresAuthorizedUserPublicAPI(req, res, next) {
        if (labs.isSet('publicAPI') === true) {
            return next();
        } else {
            if (req.user && req.user.id) {
                return next();
            } else {
                return next(new common.errors.NoPermissionError({
                    message: common.i18n.t('errors.middleware.auth.pleaseSignIn')
                }));
            }
        }
    },

    // Requires the authenticated client to match specific client
    requiresAuthorizedClient: function requiresAuthorizedClient(client) {
        return function doAuthorizedClient(req, res, next) {
            if (client && (!req.client || !req.client.name || req.client.name !== client)) {
                return next(new common.errors.NoPermissionError({
                    message: common.i18n.t('errors.permissions.noPermissionToAction')
                }));
            }

            return next();
        };
    },

    authorizeContentApi(req, res, next) {
        const hasApiKey = req.api_key && req.api_key.id;
        const hasMember = req.member;
        if (hasApiKey) {
            return next();
        }
        if (labs.isSet('members') && hasMember) {
            return next();
        }
        return next(new common.errors.NoPermissionError({
            message: common.i18n.t('errors.middleware.auth.authorizationFailed'),
            context: common.i18n.t('errors.middleware.auth.missingContentMemberOrIntegration')
        }));
    },

    /**
     * @NOTE:
     *
     * We don't support admin api keys yet, but we can already use this authorization helper, because
     * we have not connected authenticating with admin api keys yet. `req.api_key` will be always null.
     */
    authorizeAdminApi(req, res, next) {
        const hasUser = req.user && req.user.id;
        const hasApiKey = req.api_key && req.api_key.id;

        if (hasUser || hasApiKey) {
            return next();
        } else {
            return next(new common.errors.NoPermissionError({
                message: common.i18n.t('errors.middleware.auth.authorizationFailed'),
                context: common.i18n.t('errors.middleware.auth.missingAdminUserOrIntegration')
            }));
        }
    }
};

module.exports = authorize;
Wired up {GET,POST,DELETE} /session to v2 admin api * Added admin specific auth{enticate,orize} middleware refs #9865 This middleware will be used by the admin api to authenticate and authorize requests * Update v2/admin to use authAdminApi middleware refs #9865 This changes thh auth middleware to use the adminApi authenticate and authorize middlewares underneath, it also renames the middleware to be consistent with the naming of the api. * Removed oauth specific endpoints from /v2/admin refs #9865 These are not to be used in v2/admin * Wired up the session controller to the admin api refs #9865 These endpoints will be used by ghost admin to login, confirm logged in status and logout 2018-10-05 17:45:17 +07:00			`const labs = require('../labs');`
			`const common = require('../../lib/common');`
✨ Ghost OAuth (#7451) issue #7452 Remote oauth2 authentication with Ghost.org. This PR supports: - oauth2 login or local login - authentication on blog setup - authentication on invite - normal authentication - does not contain many, many tests, but we'll improve in the next alpha weeks 2016-09-30 13:45:59 +02:00
Wired up {GET,POST,DELETE} /session to v2 admin api * Added admin specific auth{enticate,orize} middleware refs #9865 This middleware will be used by the admin api to authenticate and authorize requests * Update v2/admin to use authAdminApi middleware refs #9865 This changes thh auth middleware to use the adminApi authenticate and authorize middlewares underneath, it also renames the middleware to be consistent with the naming of the api. * Removed oauth specific endpoints from /v2/admin refs #9865 These are not to be used in v2/admin * Wired up the session controller to the admin api refs #9865 These endpoints will be used by ghost admin to login, confirm logged in status and logout 2018-10-05 17:45:17 +07:00			`const authorize = {`
✨ Ghost OAuth (#7451) issue #7452 Remote oauth2 authentication with Ghost.org. This PR supports: - oauth2 login or local login - authentication on blog setup - authentication on invite - normal authentication - does not contain many, many tests, but we'll improve in the next alpha weeks 2016-09-30 13:45:59 +02:00			`// Workaround for missing permissions`
			`// TODO: rework when https://github.com/TryGhost/Ghost/issues/3911 is done`
			`requiresAuthorizedUser: function requiresAuthorizedUser(req, res, next) {`
			`if (req.user && req.user.id) {`
			`return next();`
			`} else {`
Added empty lines and reduces line length in auth authorize no issue - improves readability 2019-01-18 17:33:36 +01:00			`return next(new common.errors.NoPermissionError({`
			`message: common.i18n.t('errors.middleware.auth.pleaseSignIn')`
			`}));`
✨ Ghost OAuth (#7451) issue #7452 Remote oauth2 authentication with Ghost.org. This PR supports: - oauth2 login or local login - authentication on blog setup - authentication on invite - normal authentication - does not contain many, many tests, but we'll improve in the next alpha weeks 2016-09-30 13:45:59 +02:00			`}`
			`},`

			`// ### Require user depending on public API being activated.`
			`requiresAuthorizedUserPublicAPI: function requiresAuthorizedUserPublicAPI(req, res, next) {`
			`if (labs.isSet('publicAPI') === true) {`
			`return next();`
			`} else {`
			`if (req.user && req.user.id) {`
			`return next();`
			`} else {`
Added empty lines and reduces line length in auth authorize no issue - improves readability 2019-01-18 17:33:36 +01:00			`return next(new common.errors.NoPermissionError({`
			`message: common.i18n.t('errors.middleware.auth.pleaseSignIn')`
			`}));`
✨ Ghost OAuth (#7451) issue #7452 Remote oauth2 authentication with Ghost.org. This PR supports: - oauth2 login or local login - authentication on blog setup - authentication on invite - normal authentication - does not contain many, many tests, but we'll improve in the next alpha weeks 2016-09-30 13:45:59 +02:00			`}`
			`}`
Add ghost-backup client to trigger export (#8911) no issue - adds a ghost-backup client - adds a client authenticated endpoint to export blog for ghost-backup client only - allows some additional overrides during import - allows for an import by file to override locking a user and double hashing the password 2017-08-22 11:15:40 +01:00			`},`

			`// Requires the authenticated client to match specific client`
			`requiresAuthorizedClient: function requiresAuthorizedClient(client) {`
			`return function doAuthorizedClient(req, res, next) {`
Ensure cors check happens for /authentication/token route (#9317) no issue - otherwise external browser clients run into cors problems 2017-12-15 10:35:48 +01:00			`if (client && (!req.client \|\| !req.client.name \|\| req.client.name !== client)) {`
Added empty lines and reduces line length in auth authorize no issue - improves readability 2019-01-18 17:33:36 +01:00			`return next(new common.errors.NoPermissionError({`
			`message: common.i18n.t('errors.permissions.noPermissionToAction')`
			`}));`
Add ghost-backup client to trigger export (#8911) no issue - adds a ghost-backup client - adds a client authenticated endpoint to export blog for ghost-backup client only - allows some additional overrides during import - allows for an import by file to override locking a user and double hashing the password 2017-08-22 11:15:40 +01:00			`}`

			`return next();`
			`};`
Wired up {GET,POST,DELETE} /session to v2 admin api * Added admin specific auth{enticate,orize} middleware refs #9865 This middleware will be used by the admin api to authenticate and authorize requests * Update v2/admin to use authAdminApi middleware refs #9865 This changes thh auth middleware to use the adminApi authenticate and authorize middlewares underneath, it also renames the middleware to be consistent with the naming of the api. * Removed oauth specific endpoints from /v2/admin refs #9865 These are not to be used in v2/admin * Wired up the session controller to the admin api refs #9865 These endpoints will be used by ghost admin to login, confirm logged in status and logout 2018-10-05 17:45:17 +07:00			`},`

♻ Updated naming for Content API specific middleware no-issue This is because the Content API will eventually be accessed not just from Content API keys. The addition of a Content API specific authorization middleware is because: 1. content api should not authorize based on req.user 2. content api will need separate authorization than admin api 2018-11-07 17:29:40 +07:00			`authorizeContentApi(req, res, next) {`
			`const hasApiKey = req.api_key && req.api_key.id;`
🚧 Authorized Content API requests with req.member closes #10111 The members labs setting is required to be set for req.member to be considered valid authorization 2018-11-07 17:41:49 +07:00			`const hasMember = req.member;`
♻ Updated naming for Content API specific middleware no-issue This is because the Content API will eventually be accessed not just from Content API keys. The addition of a Content API specific authorization middleware is because: 1. content api should not authorize based on req.user 2. content api will need separate authorization than admin api 2018-11-07 17:29:40 +07:00			`if (hasApiKey) {`
			`return next();`
			`}`
🚧 Authorized Content API requests with req.member closes #10111 The members labs setting is required to be set for req.member to be considered valid authorization 2018-11-07 17:41:49 +07:00			`if (labs.isSet('members') && hasMember) {`
			`return next();`
			`}`
Added empty lines and reduces line length in auth authorize no issue - improves readability 2019-01-18 17:33:36 +01:00			`return next(new common.errors.NoPermissionError({`
Improved error messages for failed authorization 2019-02-21 13:19:57 +07:00			`message: common.i18n.t('errors.middleware.auth.authorizationFailed'),`
			`context: common.i18n.t('errors.middleware.auth.missingContentMemberOrIntegration')`
Added empty lines and reduces line length in auth authorize no issue - improves readability 2019-01-18 17:33:36 +01:00			`}));`
♻ Updated naming for Content API specific middleware no-issue This is because the Content API will eventually be accessed not just from Content API keys. The addition of a Content API specific authorization middleware is because: 1. content api should not authorize based on req.user 2. content api will need separate authorization than admin api 2018-11-07 17:29:40 +07:00			`},`

Switched to use new implementation of authorizeAdminApi refs #9865 - see code comments 2019-01-18 17:41:52 +01:00			`/**`
			`* @NOTE:`
			`*`
			`* We don't support admin api keys yet, but we can already use this authorization helper, because`
			* we have not connected authenticating with admin api keys yet. `req.api_key` will be always null.
			`*/`
			`authorizeAdminApi(req, res, next) {`
Added API Key auth middleware to v2 content API (#10005) * Added API Key auth middleware to v2 content API refs #9865 - add `auth.authenticate.authenticateContentApiKey` middleware - accepts `?key=` query param, sets `req.api_key` if it's a known Content API key - add `requiresAuthorizedUserOrApiKey` authorization middleware - passes if either `req.user` or `req.api_key` exists - update `authenticatePublic` middleware stack for v2 content routes * Fixed functional content api tests no-issue This fixes the functional content api tests so they use the content api auth. * Fixed context check and removed skip * Updated cors middleware for content api * Removed client_id from frame.context no-issue The v2 api doesn't have a notion of clients as we do not use oauth for it * Fixed tests for posts input serializer 2018-10-15 16:23:34 +07:00			`const hasUser = req.user && req.user.id;`
			`const hasApiKey = req.api_key && req.api_key.id;`
Added empty lines and reduces line length in auth authorize no issue - improves readability 2019-01-18 17:33:36 +01:00
Added API Key auth middleware to v2 content API (#10005) * Added API Key auth middleware to v2 content API refs #9865 - add `auth.authenticate.authenticateContentApiKey` middleware - accepts `?key=` query param, sets `req.api_key` if it's a known Content API key - add `requiresAuthorizedUserOrApiKey` authorization middleware - passes if either `req.user` or `req.api_key` exists - update `authenticatePublic` middleware stack for v2 content routes * Fixed functional content api tests no-issue This fixes the functional content api tests so they use the content api auth. * Fixed context check and removed skip * Updated cors middleware for content api * Removed client_id from frame.context no-issue The v2 api doesn't have a notion of clients as we do not use oauth for it * Fixed tests for posts input serializer 2018-10-15 16:23:34 +07:00			`if (hasUser \|\| hasApiKey) {`
			`return next();`
			`} else {`
Added empty lines and reduces line length in auth authorize no issue - improves readability 2019-01-18 17:33:36 +01:00			`return next(new common.errors.NoPermissionError({`
Improved error messages for failed authorization 2019-02-21 13:19:57 +07:00			`message: common.i18n.t('errors.middleware.auth.authorizationFailed'),`
			`context: common.i18n.t('errors.middleware.auth.missingAdminUserOrIntegration')`
Added empty lines and reduces line length in auth authorize no issue - improves readability 2019-01-18 17:33:36 +01:00			`}));`
Added API Key auth middleware to v2 content API (#10005) * Added API Key auth middleware to v2 content API refs #9865 - add `auth.authenticate.authenticateContentApiKey` middleware - accepts `?key=` query param, sets `req.api_key` if it's a known Content API key - add `requiresAuthorizedUserOrApiKey` authorization middleware - passes if either `req.user` or `req.api_key` exists - update `authenticatePublic` middleware stack for v2 content routes * Fixed functional content api tests no-issue This fixes the functional content api tests so they use the content api auth. * Fixed context check and removed skip * Updated cors middleware for content api * Removed client_id from frame.context no-issue The v2 api doesn't have a notion of clients as we do not use oauth for it * Fixed tests for posts input serializer 2018-10-15 16:23:34 +07:00			`}`
			`}`
✨ Ghost OAuth (#7451) issue #7452 Remote oauth2 authentication with Ghost.org. This PR supports: - oauth2 login or local login - authentication on blog setup - authentication on invite - normal authentication - does not contain many, many tests, but we'll improve in the next alpha weeks 2016-09-30 13:45:59 +02:00			`};`

			`module.exports = authorize;`