Infrastructure/ghost
0
Fork 0
mirror of https://github.com/TryGhost/Ghost.git synced 2025-02-03 23:00:14 -05:00
Code Issues Activity
ghost/core/server/services/auth/authorize.js

54 lines
2 KiB
JavaScript
Raw Normal View History

Wired up {GET,POST,DELETE} /session to v2 admin api * Added admin specific auth{enticate,orize} middleware refs #9865 This middleware will be used by the admin api to authenticate and authorize requests * Update v2/admin to use authAdminApi middleware refs #9865 This changes thh auth middleware to use the adminApi authenticate and authorize middlewares underneath, it also renames the middleware to be consistent with the naming of the api. * Removed oauth specific endpoints from /v2/admin refs #9865 These are not to be used in v2/admin * Wired up the session controller to the admin api refs #9865 These endpoints will be used by ghost admin to login, confirm logged in status and logout
2018-10-05 17:45:17 +07:00
const labs = require('../labs');
const session = require('./session');
const common = require('../../lib/common');
✨ Ghost OAuth (#7451) issue #7452 Remote oauth2 authentication with Ghost.org. This PR supports: - oauth2 login or local login - authentication on blog setup - authentication on invite - normal authentication - does not contain many, many tests, but we'll improve in the next alpha weeks
2016-09-30 13:45:59 +02:00
Wired up {GET,POST,DELETE} /session to v2 admin api * Added admin specific auth{enticate,orize} middleware refs #9865 This middleware will be used by the admin api to authenticate and authorize requests * Update v2/admin to use authAdminApi middleware refs #9865 This changes thh auth middleware to use the adminApi authenticate and authorize middlewares underneath, it also renames the middleware to be consistent with the naming of the api. * Removed oauth specific endpoints from /v2/admin refs #9865 These are not to be used in v2/admin * Wired up the session controller to the admin api refs #9865 These endpoints will be used by ghost admin to login, confirm logged in status and logout
2018-10-05 17:45:17 +07:00
const authorize = {
✨ Ghost OAuth (#7451) issue #7452 Remote oauth2 authentication with Ghost.org. This PR supports: - oauth2 login or local login - authentication on blog setup - authentication on invite - normal authentication - does not contain many, many tests, but we'll improve in the next alpha weeks
2016-09-30 13:45:59 +02:00
// Workaround for missing permissions
// TODO: rework when https://github.com/TryGhost/Ghost/issues/3911 is done
requiresAuthorizedUser: function requiresAuthorizedUser(req, res, next) {
if (req.user && req.user.id) {
return next();
} else {
Import lib/common only refs #9178 - avoid importing 4 modules (logging, errors, events and i18n) - simply require common in each file
2017-12-11 22:47:46 +01:00
return next(new common.errors.NoPermissionError({message: common.i18n.t('errors.middleware.auth.pleaseSignIn')}));
✨ Ghost OAuth (#7451) issue #7452 Remote oauth2 authentication with Ghost.org. This PR supports: - oauth2 login or local login - authentication on blog setup - authentication on invite - normal authentication - does not contain many, many tests, but we'll improve in the next alpha weeks
2016-09-30 13:45:59 +02:00
}
},
// ### Require user depending on public API being activated.
requiresAuthorizedUserPublicAPI: function requiresAuthorizedUserPublicAPI(req, res, next) {
if (labs.isSet('publicAPI') === true) {
return next();
} else {
if (req.user && req.user.id) {
return next();
} else {
Import lib/common only refs #9178 - avoid importing 4 modules (logging, errors, events and i18n) - simply require common in each file
2017-12-11 22:47:46 +01:00
return next(new common.errors.NoPermissionError({message: common.i18n.t('errors.middleware.auth.pleaseSignIn')}));
✨ Ghost OAuth (#7451) issue #7452 Remote oauth2 authentication with Ghost.org. This PR supports: - oauth2 login or local login - authentication on blog setup - authentication on invite - normal authentication - does not contain many, many tests, but we'll improve in the next alpha weeks
2016-09-30 13:45:59 +02:00
}
}
Add ghost-backup client to trigger export (#8911) no issue - adds a ghost-backup client - adds a client authenticated endpoint to export blog for ghost-backup client only - allows some additional overrides during import - allows for an import by file to override locking a user and double hashing the password
2017-08-22 11:15:40 +01:00
},
// Requires the authenticated client to match specific client
requiresAuthorizedClient: function requiresAuthorizedClient(client) {
return function doAuthorizedClient(req, res, next) {
Ensure cors check happens for /authentication/token route (#9317) no issue - otherwise external browser clients run into cors problems
2017-12-15 10:35:48 +01:00
if (client && (!req.client || !req.client.name || req.client.name !== client)) {
Import lib/common only refs #9178 - avoid importing 4 modules (logging, errors, events and i18n) - simply require common in each file
2017-12-11 22:47:46 +01:00
return next(new common.errors.NoPermissionError({message: common.i18n.t('errors.permissions.noPermissionToAction')}));
Add ghost-backup client to trigger export (#8911) no issue - adds a ghost-backup client - adds a client authenticated endpoint to export blog for ghost-backup client only - allows some additional overrides during import - allows for an import by file to override locking a user and double hashing the password
2017-08-22 11:15:40 +01:00
}
return next();
};
Wired up {GET,POST,DELETE} /session to v2 admin api * Added admin specific auth{enticate,orize} middleware refs #9865 This middleware will be used by the admin api to authenticate and authorize requests * Update v2/admin to use authAdminApi middleware refs #9865 This changes thh auth middleware to use the adminApi authenticate and authorize middlewares underneath, it also renames the middleware to be consistent with the naming of the api. * Removed oauth specific endpoints from /v2/admin refs #9865 These are not to be used in v2/admin * Wired up the session controller to the admin api refs #9865 These endpoints will be used by ghost admin to login, confirm logged in status and logout
2018-10-05 17:45:17 +07:00
},
Added API Key auth middleware to v2 content API (#10005) * Added API Key auth middleware to v2 content API refs #9865 - add `auth.authenticate.authenticateContentApiKey` middleware - accepts `?key=` query param, sets `req.api_key` if it's a known Content API key - add `requiresAuthorizedUserOrApiKey` authorization middleware - passes if either `req.user` or `req.api_key` exists - update `authenticatePublic` middleware stack for v2 content routes * Fixed functional content api tests no-issue This fixes the functional content api tests so they use the content api auth. * Fixed context check and removed skip * Updated cors middleware for content api * Removed client_id from frame.context no-issue The v2 api doesn't have a notion of clients as we do not use oauth for it * Fixed tests for posts input serializer
2018-10-15 16:23:34 +07:00
authorizeAdminAPI: [session.ensureUser],
// used by API v2 endpoints
requiresAuthorizedUserOrApiKey(req, res, next) {
const hasUser = req.user && req.user.id;
const hasApiKey = req.api_key && req.api_key.id;
if (hasUser || hasApiKey) {
return next();
} else {
return next(new common.errors.NoPermissionError({message: common.i18n.t('errors.middleware.auth.pleaseSignInOrAuthenticate')}));
}
}
✨ Ghost OAuth (#7451) issue #7452 Remote oauth2 authentication with Ghost.org. This PR supports: - oauth2 login or local login - authentication on blog setup - authentication on invite - normal authentication - does not contain many, many tests, but we'll improve in the next alpha weeks
2016-09-30 13:45:59 +02:00
};
module.exports = authorize;
Reference in a new issue Copy permalink