
Added notes to oauth code for future improvements

no issue
This commit is contained in:
Thibaut Patel 2021-05-14 12:10:27 +02:00
parent 02ea81fdda
commit 14cae4b154


@ -25,27 +25,45 @@ module.exports = function setupOAuthApp() {
// send 503 json response in case of maintenance // send 503 json response in case of maintenance
oauthApp.use(shared.middlewares.maintenance); oauthApp.use(shared.middlewares.maintenance);
/**
* Configure the passport.authenticate middleware
* We need to configure it on each request because clientId and secret
* will change (when the Owner is changing these settings)
*/
function googleOAuthMiddleware(clientId, secret) { function googleOAuthMiddleware(clientId, secret) {
return (req, res, next) => { return (req, res, next) => {
// TODO: use url config instead of the string /ghost
//Create the callback url to be sent to Google
const callbackUrl = new URL(urlUtils.getSiteUrl()); const callbackUrl = new URL(urlUtils.getSiteUrl());
callbackUrl.pathname = '/ghost/oauth/google/callback'; callbackUrl.pathname = '/ghost/oauth/google/callback';
passport.authenticate(new GoogleStrategy({ passport.authenticate(new GoogleStrategy({
clientID: clientId, clientID: clientId,
clientSecret: secret, clientSecret: secret,
callbackURL: callbackUrl.href callbackURL: callbackUrl.href
}, async function (accessToken, refreshToken, profile) { }, async function (accessToken, refreshToken, profile) {
// This is the verify function that checks that a Google-authenticated user
// is matching one of our users (or invite).
if (req.user) { if (req.user) {
// CASE: the user already has an active Ghost session
const emails = profile.emails.filter(email => email.verified === true).map(email => email.value); const emails = profile.emails.filter(email => email.verified === true).map(email => email.value);
if (!emails.includes(req.user.get('email'))) { if (!emails.includes(req.user.get('email'))) {
return res.redirect('/ghost/#/staff/?message=oauth-linking-failed'); return res.redirect('/ghost/#/staff/?message=oauth-linking-failed');
} }
// TODO: configure the oauth data for this user (row in the oauth table)
//Associate logged-in user with oauth account //Associate logged-in user with oauth account
req.user.set('password', randomPassword()); req.user.set('password', randomPassword());
await req.user.save(); await req.user.save();
} else { } else {
// CASE: the user is logging-in or accepting an invite
//Find user in DB and log-in //Find user in DB and log-in
//TODO: instead find the oauth row with the email use the provider id
const emails = profile.emails.filter(email => email.verified === true); const emails = profile.emails.filter(email => email.verified === true);
if (emails.length < 1) { if (emails.length < 1) {
return res.redirect('/ghost/#/signin?message=login-failed'); return res.redirect('/ghost/#/signin?message=login-failed');
@ -57,6 +75,8 @@ module.exports = function setupOAuthApp() {
}); });
if (!user) { if (!user) {
// CASE: the user is accepting an invite
// TODO: move this code in the invitations service
const options = {context: {internal: true}}; const options = {context: {internal: true}};
let invite = await models.Invite.findOne({email, status: 'sent'}, options); let invite = await models.Invite.findOne({email, status: 'sent'}, options);
@ -73,6 +93,8 @@ module.exports = function setupOAuthApp() {
}, options); }, options);
await invite.destroy(options); await invite.destroy(options);
// TODO: create an oauth model link to user
} }
req.user = user; req.user = user;