Added audience check in Admin API key authentication

refs #9865 - Extracted tests related to Admin API key authenticatoin into separate acceptance test suite
2025-01-06 22:40:14 -05:00 · 2019-01-23 12:22:47 +00:00 · 2019-01-23 12:22:47 +00:00 · 776e23696d
commit 776e23696d
parent 7ec9dda30c
4 changed files with 617 additions and 557 deletions
--- a/core/server/services/auth/api-key/admin.js
+++ b/core/server/services/auth/api-key/admin.js
@ -88,7 +88,7 @@ const authenticate = (req, res, next) => {

        // ensure the token was meant for this endpoint
        const options = Object.assign({
-            aud: req.originalUrl
+            audience: req.originalUrl
        }, JWT_OPTIONS);

        try {
--- a/core/test/acceptance/old/admin/key_authentication_spec.js
+++ b/core/test/acceptance/old/admin/key_authentication_spec.js
@ -0,0 +1,97 @@
+const should = require('should');
+const supertest = require('supertest');
+const _ = require('lodash');
+const testUtils = require('../../../utils');
+const localUtils = require('./utils');
+const config = require('../../../../server/config');
+
+const ghost = testUtils.startGhost;
+
+// TODO: remove this suite once Admin API key auth is enabled
+describe('Admin API V2 key authentication', function () {
+    let request;
+
+    before(function () {
+        return ghost()
+            .then(function (_ghostServer) {
+                request = supertest.agent(config.get('url'));
+            })
+            .then(function () {
+                return testUtils.initFixtures('api_keys');
+            });
+    });
+
+    it('browse with correct GET endpoint token', function () {
+        return request.get(localUtils.API.getApiQuery('posts/'))
+            .set('Authorization', `Ghost ${localUtils.getValidAdminToken(localUtils.API.getApiQuery('posts/'))}`)
+            .expect('Content-Type', /json/)
+            .expect('Cache-Control', testUtils.cacheRules.private)
+            .expect(403);
+    });
+});
+
+// TODO: enable this suite once Admin API key auth is enabled
+describe.skip('Admin API V2 key authentication', function () {
+    let request;
+
+    before(function () {
+        return ghost()
+            .then(function (_ghostServer) {
+                request = supertest.agent(config.get('url'));
+            })
+            .then(function () {
+                return testUtils.initFixtures('api_keys');
+            });
+    });
+
+    it('do not authenticate without token header', function () {
+        return request.get(localUtils.API.getApiQuery('posts/'))
+            .set('Authorization', `Ghost`)
+            .expect('Content-Type', /json/)
+            .expect('Cache-Control', testUtils.cacheRules.private)
+            .expect(401);
+    });
+
+    it('do not authenticate with wrong endpoint token', function () {
+        return request.get(localUtils.API.getApiQuery('posts/'))
+            .set('Authorization', `Ghost ${localUtils.getValidAdminToken('https://wrong.com')}`)
+            .expect('Content-Type', /json/)
+            .expect('Cache-Control', testUtils.cacheRules.private)
+            .expect(401);
+    });
+
+    it('browse with no endpoint token', function () {
+        return request.get(localUtils.API.getApiQuery('posts/'))
+            .set('Authorization', `Ghost ${localUtils.getValidAdminToken('')}`)
+            .expect('Content-Type', /json/)
+            .expect('Cache-Control', testUtils.cacheRules.private)
+            .expect(401);
+    });
+
+    it('browse with correct GET endpoint token', function () {
+        return request.get(localUtils.API.getApiQuery('posts/'))
+            .set('Authorization', `Ghost ${localUtils.getValidAdminToken(localUtils.API.getApiQuery('posts/'))}`)
+            .expect('Content-Type', /json/)
+            .expect('Cache-Control', testUtils.cacheRules.private)
+            .expect(200);
+    });
+
+    it('browse with correct POST endpoint token', function () {
+        const post = {
+            // @TODO: required for now, needs proper validation
+            author_id: '1',
+            title: 'Post created with api_key'
+        };
+
+        return request
+            .post(localUtils.API.getApiQuery('posts'))
+            .set('Origin', config.get('url'))
+            .set('Authorization', `Ghost ${localUtils.getValidAdminToken(localUtils.API.getApiQuery('posts'))}`)
+            .send({
+                posts: [post]
+            })
+            .expect('Content-Type', /json/)
+            .expect('Cache-Control', testUtils.cacheRules.private)
+            .expect(201);
+    });
+});
--- a/core/test/acceptance/old/admin/posts_spec.js
+++ b/core/test/acceptance/old/admin/posts_spec.js
--- a/core/test/acceptance/old/admin/utils.js
+++ b/core/test/acceptance/old/admin/utils.js
@ -104,7 +104,8 @@ module.exports = {
    getValidAdminToken(endpoint) {
        const jwt = require('jsonwebtoken');
        const JWT_OPTIONS = {
-            algorithm: 'HS256'
+            algorithm: 'HS256',
+            audience: endpoint
        };

        return jwt.sign(
@ -112,8 +113,7 @@ module.exports = {
                kid: testUtils.DataGenerator.Content.api_keys[0].id
            },
            Buffer.from(testUtils.DataGenerator.Content.api_keys[0].secret, 'hex'),
-            JWT_OPTIONS,
-            endpoint
+            JWT_OPTIONS
        );
    }
 };