Added audience check in Admin API key authentication

refs #9865

- Extracted tests related to Admin API key authenticatoin into separate
acceptance test suite

core/server/services/auth/api-key/admin.js

@@ -88,7 +88,7 @@ const authenticate = (req, res, next) => {
 
         // ensure the token was meant for this endpoint
         const options = Object.assign({
-            aud: req.originalUrl
+            audience: req.originalUrl
         }, JWT_OPTIONS);
 
         try {

core/test/acceptance/old/admin/key_authentication_spec.js

@@ -0,0 +1,97 @@
+const should = require('should');
+const supertest = require('supertest');
+const _ = require('lodash');
+const testUtils = require('../../../utils');
+const localUtils = require('./utils');
+const config = require('../../../../server/config');
+
+const ghost = testUtils.startGhost;
+
+// TODO: remove this suite once Admin API key auth is enabled
+describe('Admin API V2 key authentication', function () {
+    let request;
+
+    before(function () {
+        return ghost()
+            .then(function (_ghostServer) {
+                request = supertest.agent(config.get('url'));
+            })
+            .then(function () {
+                return testUtils.initFixtures('api_keys');
+            });
+    });
+
+    it('browse with correct GET endpoint token', function () {
+        return request.get(localUtils.API.getApiQuery('posts/'))
+            .set('Authorization', `Ghost ${localUtils.getValidAdminToken(localUtils.API.getApiQuery('posts/'))}`)
+            .expect('Content-Type', /json/)
+            .expect('Cache-Control', testUtils.cacheRules.private)
+            .expect(403);
+    });
+});
+
+// TODO: enable this suite once Admin API key auth is enabled
+describe.skip('Admin API V2 key authentication', function () {
+    let request;
+
+    before(function () {
+        return ghost()
+            .then(function (_ghostServer) {
+                request = supertest.agent(config.get('url'));
+            })
+            .then(function () {
+                return testUtils.initFixtures('api_keys');
+            });
+    });
+
+    it('do not authenticate without token header', function () {
+        return request.get(localUtils.API.getApiQuery('posts/'))
+            .set('Authorization', `Ghost`)
+            .expect('Content-Type', /json/)
+            .expect('Cache-Control', testUtils.cacheRules.private)
+            .expect(401);
+    });
+
+    it('do not authenticate with wrong endpoint token', function () {
+        return request.get(localUtils.API.getApiQuery('posts/'))
+            .set('Authorization', `Ghost ${localUtils.getValidAdminToken('https://wrong.com')}`)
+            .expect('Content-Type', /json/)
+            .expect('Cache-Control', testUtils.cacheRules.private)
+            .expect(401);
+    });
+
+    it('browse with no endpoint token', function () {
+        return request.get(localUtils.API.getApiQuery('posts/'))
+            .set('Authorization', `Ghost ${localUtils.getValidAdminToken('')}`)
+            .expect('Content-Type', /json/)
+            .expect('Cache-Control', testUtils.cacheRules.private)
+            .expect(401);
+    });
+
+    it('browse with correct GET endpoint token', function () {
+        return request.get(localUtils.API.getApiQuery('posts/'))
+            .set('Authorization', `Ghost ${localUtils.getValidAdminToken(localUtils.API.getApiQuery('posts/'))}`)
+            .expect('Content-Type', /json/)
+            .expect('Cache-Control', testUtils.cacheRules.private)
+            .expect(200);
+    });
+
+    it('browse with correct POST endpoint token', function () {
+        const post = {
+            // @TODO: required for now, needs proper validation
+            author_id: '1',
+            title: 'Post created with api_key'
+        };
+
+        return request
+            .post(localUtils.API.getApiQuery('posts'))
+            .set('Origin', config.get('url'))
+            .set('Authorization', `Ghost ${localUtils.getValidAdminToken(localUtils.API.getApiQuery('posts'))}`)
+            .send({
+                posts: [post]
+            })
+            .expect('Content-Type', /json/)
+            .expect('Cache-Control', testUtils.cacheRules.private)
+            .expect(201);
+    });
+});

core/test/acceptance/old/admin/utils.js

@@ -104,7 +104,8 @@ module.exports = {
     getValidAdminToken(endpoint) {
         const jwt = require('jsonwebtoken');
         const JWT_OPTIONS = {
-            algorithm: 'HS256'
+            algorithm: 'HS256',
+            audience: endpoint
         };
 
         return jwt.sign(
@@ -112,8 +113,7 @@ module.exports = {
                 kid: testUtils.DataGenerator.Content.api_keys[0].id
             },
             Buffer.from(testUtils.DataGenerator.Content.api_keys[0].secret, 'hex'),
-            JWT_OPTIONS,
+            JWT_OPTIONS
-            endpoint
         );
     }
 };