Check client is enabled before auth

no issue - add a check that the client has status 'enabled' to client auth strategy - this permits the disabling of clients easily - update tests
2025-01-06 22:40:14 -05:00 · 2015-11-04 16:59:56 +00:00 · 2015-11-04 16:59:56 +00:00 · 19603a33f3
commit 19603a33f3
parent eb3cce0235
2 changed files with 18 additions and 2 deletions
--- a/core/server/middleware/auth-strategies.js
+++ b/core/server/middleware/auth-strategies.js
@ -17,7 +17,7 @@ strategies = {
            .then(function then(model) {
                if (model) {
                    var client = model.toJSON({include: ['trustedDomains']});
-                    if (client.secret === clientSecret) {
+                    if (client.status === 'enabled' && client.secret === clientSecret) {
                        return done(null, client);
                    }
                }
--- a/core/test/unit/middleware/auth-strategies_spec.js
+++ b/core/test/unit/middleware/auth-strategies_spec.js
@ -12,7 +12,8 @@ var should           = require('should'),

    fakeClient =  {
        slug: 'ghost-admin',
-        secret: 'not_available'
+        secret: 'not_available',
+        status: 'enabled'
    },

    fakeValidToken = {
@ -96,6 +97,21 @@ describe('Auth Strategies', function () {
                done();
            }).catch(done);
        });
+
+        it('shouldn\'t auth client that is disabled', function (done) {
+            var clientId = 'ghost-admin',
+                clientSecret = 'not_available';
+
+            fakeClient.status = 'disabled';
+
+            authStrategies.clientPasswordStrategy(clientId, clientSecret, next).then(function () {
+                clientStub.calledOnce.should.be.true;
+                clientStub.calledWith({slug: clientId}).should.be.true;
+                next.called.should.be.true;
+                next.calledWith(null, false).should.be.true;
+                done();
+            }).catch(done);
+        });
    });

    describe('Bearer Strategy', function () {