0
Fork 0
mirror of https://github.com/TryGhost/Ghost.git synced 2025-01-20 22:42:53 -05:00

Fixed members/signin_urls endpoint to take admin api key (#21284)

closes #16748 

The members/:member_id/signin_urls endpoint currently only does
cookie-based authentication. When #21249 is merged, turning on 2FA is
going to break any 3rd party processes that use it (including my social
sign-in offering).

This patch gives admin API keys 'read' permission on this endpoint, and
enables 3rd party processes to handle user logins the right way, instead
of via a staff member's email/password.

Migration included.  Feedback appreciated.

I have the wrong name on my migration. I can see it doesn't follow the
naming convention, but I'm not sure how the names are generated.

---------

Co-authored-by: Michael Barrett <mike182uk@gmail.com>
This commit is contained in:
Cathy Sarisky 2024-10-16 09:30:36 -04:00 committed by GitHub
parent 7fc4dfaac1
commit 73a39ead9a
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
7 changed files with 48 additions and 3 deletions

View file

@ -0,0 +1,6 @@
const {addPermissionToRole} = require('../../utils');
module.exports = addPermissionToRole({
permission: 'Read member signin urls',
role: 'Admin Integration'
});

View file

@ -907,7 +907,8 @@
"link": "all",
"mention": "browse",
"collection": "all",
"recommendation": "all"
"recommendation": "all",
"member_signin_url": "read"
},
"Editor": {
"notification": "all",

View file

@ -242,6 +242,7 @@ describe('Migrations', function () {
permissions.should.havePermission('Edit collections', ['Administrator', 'Editor', 'Admin Integration']);
permissions.should.havePermission('Add collections', ['Administrator', 'Editor', 'Author', 'Admin Integration']);
permissions.should.havePermission('Delete collections', ['Administrator', 'Editor', 'Admin Integration']);
permissions.should.havePermission('Read member signin urls', ['Administrator', 'Admin Integration']);
});
describe('Populate', function () {

View file

@ -99,4 +99,40 @@ describe('Members Sigin URL API', function () {
.expect(403);
});
});
describe('With an admin API key', function () {
let key, token;
before(async function () {
await localUtils.startGhost();
request = supertest.agent(config.get('url'));
await testUtils.initFixtures('members', 'api_keys');
key = testUtils.DataGenerator.Content.api_keys[0];
token = localUtils.getValidAdminToken('/admin/', key);
});
it('Cannot read without the key', function () {
return request
.get(localUtils.API.getApiQuery(`members/${testUtils.DataGenerator.Content.members[0].id}/signin_urls/`))
.set('Origin', config.get('url'))
.expect('Cache-Control', testUtils.cacheRules.private)
.expect(403);
});
it('Can read with a key', function () {
return request
.get(localUtils.API.getApiQuery(`members/${testUtils.DataGenerator.Content.members[0].id}/signin_urls/`))
.set('Origin', config.get('url'))
.set('Content-Type', 'application/json')
.set('Authorization', `Ghost ${token}`)
.expect('Content-Type', /json/)
.expect('Cache-Control', testUtils.cacheRules.private)
.expect(200)
.then((res) => {
should.not.exist(res.headers['x-cache-invalidate']);
const jsonResponse = res.body;
should.exist(jsonResponse);
should.exist(jsonResponse.member_signin_urls);
jsonResponse.member_signin_urls.should.have.length(1);
localUtils.API.checkResponse(jsonResponse.member_signin_urls[0], 'member_signin_url');
});
});
});
});

View file

@ -191,7 +191,7 @@ describe('Migration Fixture Utils', function () {
const rolesAllStub = sinon.stub(models.Role, 'findAll').returns(Promise.resolve(dataMethodStub));
fixtureManager.addFixturesForRelation(fixtures.relations[0]).then(function (result) {
const FIXTURE_COUNT = 111;
const FIXTURE_COUNT = 112;
should.exist(result);
result.should.be.an.Object();
result.should.have.property('expected', FIXTURE_COUNT);

View file

@ -36,7 +36,7 @@ const validateRouteSettings = require('../../../../../core/server/services/route
describe('DB version integrity', function () {
// Only these variables should need updating
const currentSchemaHash = 'a4f016480ff73c6f52ee4c86482b45a7';
const currentFixturesHash = 'a489d615989eab1023d4b8af0ecee7fd';
const currentFixturesHash = '475f488105c390bb0018db90dce845f1';
const currentSettingsHash = '051ef2a50e2edb8723e89461448313cb';
const currentRoutesHash = '3d180d52c663d173a6be791ef411ed01';

View file

@ -1071,6 +1071,7 @@
"webhook": "all",
"action": "all",
"member": "all",
"member_signin_url": "read",
"label": "all",
"email_preview": "all",
"email": "all",