
Updated audience validation for admin api tokens (#10519)

no-issue
This commit is contained in:
Fabien O'Carroll 2019-02-23 12:51:21 +01:00 committed by GitHub
parent 487a32832a
commit 4a1a245e9b
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 13 additions and 12 deletions


@ -90,9 +90,10 @@ const authenticate = (req, res, next) => {
// https://github.com/auth0/node-jsonwebtoken/issues/208#issuecomment-231861138
const secret = Buffer.from(apiKey.get('secret'), 'hex');
// ensure the token was meant for this endpoint
// @TODO When v3 api hits we should check against the api actually being used
// ensure the token was meant for this api
const options = Object.assign({
audience: req.originalUrl
audience: '/v2/admin/'
}, JWT_OPTIONS);
try {
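Review bot: The audience on the new line `audience: '/v2/admin/'` is a bare literal that the same commit repeats in the test utils and three test files, so the middleware and its fixtures can drift apart without any test noticing, and the v3 follow-up named in the `@TODO` will have to touch every copy. Exporting it once from this module, e.g. `const ADMIN_API_AUDIENCE = '/v2/admin/';`, and reading it both here and in `getValidAdminToken` keeps the check and its fixtures in one place. Deriving the value from the path the API is actually mounted on, rather than a fixed string, would also make the comment `ensure the token was meant for this api` hold once more than one API version is served. `authenticate` starts and ends outside this hunk, so `JWT_OPTIONS` (including whether it pins the accepted algorithms alongside the audience) is not visible here.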


@ -110,7 +110,7 @@ describe('Actions API', function () {
return integrationRequest
.put(localUtils.API.getApiQuery(`posts/${postId}/`))
.set('Origin', config.get('url'))
.set('Authorization', `Ghost ${localUtils.getValidAdminToken(localUtils.API.getApiQuery(`posts/${postId}/`))}`)
.set('Authorization', `Ghost ${localUtils.getValidAdminToken('/v2/admin/')}`)
.send({
posts: [{
featured: true,


@ -38,7 +38,7 @@ describe('Admin API key authentication', function () {
it('Can access browse endpoint with correct token', function () {
return request.get(localUtils.API.getApiQuery('posts/'))
.set('Authorization', `Ghost ${localUtils.getValidAdminToken(localUtils.API.getApiQuery('posts/'))}`)
.set('Authorization', `Ghost ${localUtils.getValidAdminToken('/v2/admin/')}`)
.expect('Content-Type', /json/)
.expect('Cache-Control', testUtils.cacheRules.private)
.expect(200);
@ -55,7 +55,7 @@ describe('Admin API key authentication', function () {
return request
.post(localUtils.API.getApiQuery('posts/'))
.set('Origin', config.get('url'))
.set('Authorization', `Ghost ${localUtils.getValidAdminToken(localUtils.API.getApiQuery('posts/'))}`)
.set('Authorization', `Ghost ${localUtils.getValidAdminToken('/v2/admin/')}`)
.send({
posts: [post]
})


@ -115,12 +115,12 @@ module.exports = {
return testUtils.API.doAuth(`${API_URL}session/`, ...args);
},
getValidAdminToken(endpoint) {
getValidAdminToken(audience) {
const jwt = require('jsonwebtoken');
const JWT_OPTIONS = {
algorithm: 'HS256',
expiresIn: '5m',
audience: endpoint
audience: audience
};
return jwt.sign(
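Review bot: `audience: audience` on the new line can be property shorthand, and since every caller updated in this commit now passes the same string, a default parameter would remove that repetition from the tests: `getValidAdminToken(audience = '/v2/admin/') {` with `audience,` in the options object. Callers that need a different audience (the negative tests) can still pass one explicitly. The function body continues past the hunk (`return jwt.sign(` is cut off), so the signed payload and the key used are not visible here.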


@ -37,7 +37,7 @@ describe('Admin API Key Auth', function () {
}, this.secret, {
algorithm: 'HS256',
expiresIn: '5m',
audience: '/test/',
audience: '/v2/admin/',
issuer: this.fakeApiKey.id
});
@ -98,7 +98,7 @@ describe('Admin API Key Auth', function () {
}, this.secret, {
algorithm: 'HS256',
expiresIn: '5m',
audience: '/test/',
audience: 'wrong audience',
issuer: 'unknown'
});
@ -127,7 +127,7 @@ describe('Admin API Key Auth', function () {
const token = jwt.sign(payload, this.secret, {
algorithm: 'HS256',
expiresIn: '5m',
audience: '/test/',
audience: '/v2/admin/',
issuer: this.fakeApiKey.id
});
@ -157,7 +157,7 @@ describe('Admin API Key Auth', function () {
const token = jwt.sign(payload, this.secret, {
algorithm: 'HS256',
expiresIn: '10m',
audience: '/test/',
audience: '/v2/admin/',
issuer: this.fakeApiKey.id
});
@ -185,7 +185,7 @@ describe('Admin API Key Auth', function () {
}, this.secret, {
algorithm: 'HS256',
expiresIn: '5m',
audience: '/test/',
audience: '/v2/admin/',
issuer: this.fakeApiKey.id
});
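Review bot: In the hunk at `@ -98,7` the token is built with `audience: 'wrong audience'` and, unchanged, `issuer: 'unknown'`, so that test cannot tell whether the token was rejected for its audience or for its issuer; unless it exists elsewhere in this file, a case with a valid issuer (`this.fakeApiKey.id`) and a wrong audience is the one that actually proves the new fixed audience check is enforced. Splitting it into two tokens, one with only the issuer wrong and one with only the audience wrong, would cover both branches independently. The other hunks in this section only swap the `/test/` fixture for `/v2/admin/` and need no change; the enclosing `describe` block starts before the first hunk.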