From 4a1a245e9b505a5ead74f15a3906190026948a28 Mon Sep 17 00:00:00 2001
From: Fabien O'Carroll
Date: Sat, 23 Feb 2019 12:51:21 +0100
Subject: [PATCH] Updated audience validation for admin api tokens (#10519)

no-issue
---
 core/server/services/auth/api-key/admin.js | 5 +++--
 core/test/acceptance/old/admin/actions_spec.js | 2 +-
 .../acceptance/old/admin/key_authentication_spec.js | 4 ++--
 core/test/acceptance/old/admin/utils.js | 4 ++--
 core/test/unit/services/auth/api-key/admin_spec.js | 10 +++++-----
 5 files changed, 13 insertions(+), 12 deletions(-)

diff --git a/core/server/services/auth/api-key/admin.js b/core/server/services/auth/api-key/admin.js
index 8c5ed20e08..a7b9666f71 100644
--- a/core/server/services/auth/api-key/admin.js
+++ b/core/server/services/auth/api-key/admin.js
@@ -90,9 +90,10 @@ const authenticate = (req, res, next) => {
     // https://github.com/auth0/node-jsonwebtoken/issues/208#issuecomment-231861138
     const secret = Buffer.from(apiKey.get('secret'), 'hex');
 
-    // ensure the token was meant for this endpoint
+    // @TODO When v3 api hits we should check against the api actually being used
+    // ensure the token was meant for this api
     const options = Object.assign({
-        audience: req.originalUrl
+        audience: '/v2/admin/'
     }, JWT_OPTIONS);
 
     try {
diff --git a/core/test/acceptance/old/admin/actions_spec.js b/core/test/acceptance/old/admin/actions_spec.js
index bbf4487658..8e97e96557 100644
--- a/core/test/acceptance/old/admin/actions_spec.js
+++ b/core/test/acceptance/old/admin/actions_spec.js
@@ -110,7 +110,7 @@ describe('Actions API', function () {
             return integrationRequest
                 .put(localUtils.API.getApiQuery(`posts/${postId}/`))
                 .set('Origin', config.get('url'))
-                .set('Authorization', `Ghost ${localUtils.getValidAdminToken(localUtils.API.getApiQuery(`posts/${postId}/`))}`)
+                .set('Authorization', `Ghost ${localUtils.getValidAdminToken('/v2/admin/')}`)
                 .send({
                     posts: [{
                         featured: true,
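Review bot: The audience handed to `jwt.verify` is now the bare literal `'/v2/admin/'`, and the same literal is re-typed in every test file of this commit instead of coming from one exported constant, so the path change the @TODO anticipates has to be made in several places and a typo in any one of them fails authentication with no obvious cause. Consider `const ADMIN_API_AUDIENCE = '/v2/admin/';` next to `JWT_OPTIONS`, `audience: ADMIN_API_AUDIENCE` here, and exporting it for the specs. The removed `req.originalUrl` bound a token to the exact request path, whereas a fixed audience makes one token acceptable on every v2 admin request the key is authorised for; the `// ensure the token was meant for this api` comment could state that explicitly, e.g. `// audience is per-API, not per-endpoint: any v2 admin route accepts the token`. `authenticate` starts before this hunk and continues after it.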
diff --git a/core/test/acceptance/old/admin/key_authentication_spec.js b/core/test/acceptance/old/admin/key_authentication_spec.js
index 67c2eb3a4c..da0696ba72 100644
--- a/core/test/acceptance/old/admin/key_authentication_spec.js
+++ b/core/test/acceptance/old/admin/key_authentication_spec.js
@@ -38,7 +38,7 @@ describe('Admin API key authentication', function () {
 
     it('Can access browse endpoint with correct token', function () {
         return request.get(localUtils.API.getApiQuery('posts/'))
-            .set('Authorization', `Ghost ${localUtils.getValidAdminToken(localUtils.API.getApiQuery('posts/'))}`)
+            .set('Authorization', `Ghost ${localUtils.getValidAdminToken('/v2/admin/')}`)
             .expect('Content-Type', /json/)
             .expect('Cache-Control', testUtils.cacheRules.private)
             .expect(200);
@@ -55,7 +55,7 @@ describe('Admin API key authentication', function () {
         return request
             .post(localUtils.API.getApiQuery('posts/'))
             .set('Origin', config.get('url'))
-            .set('Authorization', `Ghost ${localUtils.getValidAdminToken(localUtils.API.getApiQuery('posts/'))}`)
+            .set('Authorization', `Ghost ${localUtils.getValidAdminToken('/v2/admin/')}`)
             .send({
                 posts: [post]
             })
diff --git a/core/test/acceptance/old/admin/utils.js b/core/test/acceptance/old/admin/utils.js
index 3d9f779704..2730de87a3 100644
--- a/core/test/acceptance/old/admin/utils.js
+++ b/core/test/acceptance/old/admin/utils.js
@@ -115,12 +115,12 @@ module.exports = {
         return testUtils.API.doAuth(`${API_URL}session/`, ...args);
     },
 
-    getValidAdminToken(endpoint) {
+    getValidAdminToken(audience) {
         const jwt = require('jsonwebtoken');
         const JWT_OPTIONS = {
             algorithm: 'HS256',
             expiresIn: '5m',
-            audience: endpoint
+            audience: audience
         };
 
         return jwt.sign(
diff --git a/core/test/unit/services/auth/api-key/admin_spec.js b/core/test/unit/services/auth/api-key/admin_spec.js
index aafb7317a3..1a057b120b 100644
--- a/core/test/unit/services/auth/api-key/admin_spec.js
+++ b/core/test/unit/services/auth/api-key/admin_spec.js
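Review bot: `audience: audience` in the renamed `getValidAdminToken(audience)` helper can be the property shorthand `audience`, and since every caller in this commit passes the same `'/v2/admin/'`, a default parameter `getValidAdminToken(audience = '/v2/admin/')` would let the specs drop the repeated literal while still allowing a wrong-audience case to pass an explicit value. The helper also re-declares `algorithm: 'HS256'` and `expiresIn: '5m'` locally, so the test token's options can drift from the server's `JWT_OPTIONS` without any acceptance test noticing; a comment such as `// must stay in step with JWT_OPTIONS in services/auth/api-key/admin.js` would at least flag the coupling. The `module.exports` object this method belongs to begins before and ends after the hunk.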
@@ -37,7 +37,7 @@ describe('Admin API Key Auth', function () {
         }, this.secret, {
             algorithm: 'HS256',
             expiresIn: '5m',
-            audience: '/test/',
+            audience: '/v2/admin/',
             issuer: this.fakeApiKey.id
         });
 
@@ -98,7 +98,7 @@ describe('Admin API Key Auth', function () {
         }, this.secret, {
             algorithm: 'HS256',
             expiresIn: '5m',
-            audience: '/test/',
+            audience: 'wrong audience',
             issuer: 'unknown'
         });
 
@@ -127,7 +127,7 @@ describe('Admin API Key Auth', function () {
         const token = jwt.sign(payload, this.secret, {
             algorithm: 'HS256',
             expiresIn: '5m',
-            audience: '/test/',
+            audience: '/v2/admin/',
             issuer: this.fakeApiKey.id
         });
 
@@ -157,7 +157,7 @@ describe('Admin API Key Auth', function () {
         const token = jwt.sign(payload, this.secret, {
             algorithm: 'HS256',
             expiresIn: '10m',
-            audience: '/test/',
+            audience: '/v2/admin/',
             issuer: this.fakeApiKey.id
         });
 
@@ -185,7 +185,7 @@ describe('Admin API Key Auth', function () {
         }, this.secret, {
             algorithm: 'HS256',
             expiresIn: '5m',
-            audience: '/test/',
+            audience: '/v2/admin/',
             issuer: this.fakeApiKey.id
         });
 
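Review bot: In the hunk at `@@ -98,7` the token now carries `audience: 'wrong audience'` together with the pre-existing `issuer: 'unknown'`, so that test is rejected for two independent reasons and no case in this file pins that a token with a valid issuer but the wrong audience is refused. A separate case signed with `issuer: this.fakeApiKey.id` and `audience: 'wrong audience'`, asserting the same error as the other invalid-token cases, would cover the check `admin.js` now performs; the other four hunks only switch the valid audience to `'/v2/admin/'` and need nothing further. Whether the old `'/test/'` audience was exercised against a matching `req.originalUrl` is not visible here, so the earlier coverage of this path may already have been indirect. Each `jwt.sign` call shown sits inside a test body that begins before and ends after its hunk.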