
Added audience check in Admin API key authentication

refs #9865

- Extracted tests related to Admin API key authentication into separate
acceptance test suite
Nazar Gargol 2019-01-23 12:22:47 +00:00
parent 7ec9dda30c
commit 776e23696d
4 changed files with 617 additions and 557 deletions


@ -88,7 +88,7 @@ const authenticate = (req, res, next) => {
// ensure the token was meant for this endpoint
const options = Object.assign({
aud: req.originalUrl
audience: req.originalUrl
}, JWT_OPTIONS);
try {
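Review bot: `audience: req.originalUrl` binds the token to the full original URL, and in Express that value includes the query string, so a client has to sign exactly the path plus query it is about to request; a token minted for `posts/` will not verify for `posts/?include=tags`. That strictness is defensible, but it is easy to get wrong on the client side and deserves a comment where the options are built, e.g. `// aud must equal the request path as Ghost sees it, query string included`. The previous `aud` key does not appear to be a jsonwebtoken verify option, so the audience check only becomes effective with this rename — worth stating in the comment so nobody reverts it as a cosmetic change. `authenticate` begins and ends outside the hunk.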


@ -0,0 +1,97 @@
const should = require('should');
const supertest = require('supertest');
const _ = require('lodash');
const testUtils = require('../../../utils');
const localUtils = require('./utils');
const config = require('../../../../server/config');
const ghost = testUtils.startGhost;
// TODO: remove this suite once Admin API key auth is enabled
describe('Admin API V2 key authentication', function () {
let request;
before(function () {
return ghost()
.then(function (_ghostServer) {
request = supertest.agent(config.get('url'));
})
.then(function () {
return testUtils.initFixtures('api_keys');
});
});
it('browse with correct GET endpoint token', function () {
return request.get(localUtils.API.getApiQuery('posts/'))
.set('Authorization', `Ghost ${localUtils.getValidAdminToken(localUtils.API.getApiQuery('posts/'))}`)
.expect('Content-Type', /json/)
.expect('Cache-Control', testUtils.cacheRules.private)
.expect(403);
});
});
// TODO: enable this suite once Admin API key auth is enabled
describe.skip('Admin API V2 key authentication', function () {
let request;
before(function () {
return ghost()
.then(function (_ghostServer) {
request = supertest.agent(config.get('url'));
})
.then(function () {
return testUtils.initFixtures('api_keys');
});
});
it('do not authenticate without token header', function () {
return request.get(localUtils.API.getApiQuery('posts/'))
.set('Authorization', `Ghost`)
.expect('Content-Type', /json/)
.expect('Cache-Control', testUtils.cacheRules.private)
.expect(401);
});
it('do not authenticate with wrong endpoint token', function () {
return request.get(localUtils.API.getApiQuery('posts/'))
.set('Authorization', `Ghost ${localUtils.getValidAdminToken('https://wrong.com')}`)
.expect('Content-Type', /json/)
.expect('Cache-Control', testUtils.cacheRules.private)
.expect(401);
});
it('browse with no endpoint token', function () {
return request.get(localUtils.API.getApiQuery('posts/'))
.set('Authorization', `Ghost ${localUtils.getValidAdminToken('')}`)
.expect('Content-Type', /json/)
.expect('Cache-Control', testUtils.cacheRules.private)
.expect(401);
});
it('browse with correct GET endpoint token', function () {
return request.get(localUtils.API.getApiQuery('posts/'))
.set('Authorization', `Ghost ${localUtils.getValidAdminToken(localUtils.API.getApiQuery('posts/'))}`)
.expect('Content-Type', /json/)
.expect('Cache-Control', testUtils.cacheRules.private)
.expect(200);
});
it('browse with correct POST endpoint token', function () {
const post = {
// @TODO: required for now, needs proper validation
author_id: '1',
title: 'Post created with api_key'
};
return request
.post(localUtils.API.getApiQuery('posts'))
.set('Origin', config.get('url'))
.set('Authorization', `Ghost ${localUtils.getValidAdminToken(localUtils.API.getApiQuery('posts'))}`)
.send({
posts: [post]
})
.expect('Content-Type', /json/)
.expect('Cache-Control', testUtils.cacheRules.private)
.expect(201);
});
});
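Review bot: The only negative-audience case in the skipped suite signs `'https://wrong.com'` (the `getValidAdminToken('https://wrong.com')` test), which is not the realistic confusion: a token minted for one valid endpoint and replayed against another. Adding a case that signs a different `localUtils.API.getApiQuery(...)` path and then requests `posts/` expecting 401 would pin the per-endpoint binding the middleware is meant to enforce. Both `describe` blocks carry the identical title `'Admin API V2 key authentication'`, so the active and skipped suites are indistinguishable in reports; suffix the temporary one, e.g. `describe('Admin API V2 key authentication (auth disabled)', function () {`. `_` from lodash is imported and never used in this file.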


@ -11,42 +11,6 @@ const ghost = testUtils.startGhost;
let request;
describe('Posts API V2', function () {
describe('...with admin api_key', function () {
let ghostServer;
before(function () {
return ghost()
.then(function (_ghostServer) {
ghostServer = _ghostServer;
request = supertest.agent(config.get('url'));
})
.then(function () {
// @NOTE: We don't authenticate!
return testUtils.initFixtures('api_keys');
});
});
it('example: add post', function () {
const post = {
// @TODO: required for now, needs proper validation
author_id: '1',
title: 'Post created with api_key'
};
return request
.post(localUtils.API.getApiQuery('posts'))
.set('Origin', config.get('url'))
.set('Authorization', `Ghost ${localUtils.getValidAdminToken(localUtils.API.getApiQuery('posts'))}`)
.send({
posts: [post]
})
.expect('Content-Type', /json/)
.expect('Cache-Control', testUtils.cacheRules.private)
.expect(403);
});
});
describe('...with sessions', function () {
let ghostServer;
describe('As Owner', function () {
@ -607,5 +571,4 @@ describe('Posts API V2', function () {
});
});
});
});
});


@ -104,7 +104,8 @@ module.exports = {
getValidAdminToken(endpoint) {
const jwt = require('jsonwebtoken');
const JWT_OPTIONS = {
algorithm: 'HS256'
algorithm: 'HS256',
audience: endpoint
};
return jwt.sign(
@ -112,8 +113,7 @@ module.exports = {
kid: testUtils.DataGenerator.Content.api_keys[0].id
},
Buffer.from(testUtils.DataGenerator.Content.api_keys[0].secret, 'hex'),
JWT_OPTIONS,
endpoint
JWT_OPTIONS
);
}
};
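Review bot: `getValidAdminToken` signs with only `algorithm` and `audience`, so the minted token carries no `exp`; if the middleware enforces expiry for API-key tokens (presumably it does — confirm against `authenticate`), this helper cannot produce an expired token and that rejection path stays untested. Accepting an optional options argument, e.g. `getValidAdminToken(endpoint, {expiresIn = '5m'} = {})` merged into `JWT_OPTIONS`, keeps the existing single-argument calls working and lets a test mint a short-lived or already-expired token. Style: `require('jsonwebtoken')` and the `JWT_OPTIONS` literal are rebuilt on every call and could live at module scope. `module.exports` begins outside the hunk.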