Improvements to client auth error logging
no issue - If client credentials are missing, or not valid, output a clear message in the server console - Still defaults to sending the 'access denied to url' error to the frontend
This commit is contained in:
parent
cc3b9e9f53
commit
883152ff15
2 changed files with 51 additions and 6 deletions
|
@ -56,6 +56,7 @@ function isValidOrigin(origin, client) {
|
|||
|| origin === configHostname
|
||||
|| configHostname === 'my-ghost-blog.com'
|
||||
|| origin === url.parse(config.urlSSL ? config.urlSSL : '').hostname
|
||||
// @TODO do this in dev mode only, once we can auto-configure the url #2240
|
||||
|| (origin === 'localhost')
|
||||
)) {
|
||||
return true;
|
||||
|
@ -82,6 +83,11 @@ auth = {
|
|||
}
|
||||
|
||||
if (!req.body.client_id || !req.body.client_secret) {
|
||||
errors.logError(
|
||||
'Client Authentication Failed',
|
||||
'Client credentials were not provided',
|
||||
'For information on how to fix this, please read http://api.ghost.org/docs/client-authentication'
|
||||
);
|
||||
return errors.handleAPIError(new errors.UnauthorizedError('Access denied.'), req, res, next);
|
||||
}
|
||||
|
||||
|
@ -101,6 +107,15 @@ auth = {
|
|||
delete req.body.client_id;
|
||||
delete req.body.client_secret;
|
||||
|
||||
if (!client || client.type !== 'ua') {
|
||||
errors.logError(
|
||||
'Client Authentication Failed',
|
||||
'Client credentials were not valid',
|
||||
'For information on how to fix this, please read http://api.ghost.org/docs/client-authentication'
|
||||
);
|
||||
return errors.handleAPIError(new errors.UnauthorizedError('Access denied.'), req, res, next);
|
||||
}
|
||||
|
||||
if (!origin && client && client.type === 'ua') {
|
||||
res.header('Access-Control-Allow-Origin', config.url);
|
||||
req.client = client;
|
||||
|
@ -115,7 +130,7 @@ auth = {
|
|||
error = new errors.UnauthorizedError('Access Denied from url: ' + origin + '. Please use the url configured in config.js.');
|
||||
errors.logError(error,
|
||||
'You have attempted to access your Ghost admin panel from a url that does not appear in config.js.',
|
||||
'For information on how to fix this, please visit http://support.ghost.org/config/#url.'
|
||||
'For information on how to fix this, please read http://support.ghost.org/config/#url.'
|
||||
);
|
||||
return errors.handleAPIError(error, req, res, next);
|
||||
}
|
||||
|
|
|
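Review bot: The condition `if (!origin && client && client.type === 'ua')` is now partly redundant, because the guard added just above it already returns when `!client || client.type !== 'ua'`, so by that line `client` is known to be truthy and of type `'ua'`; it can be reduced to `if (!origin) {`. The two new logError calls deliberately omit the submitted credentials (client_id and client_secret have already been deleted from req.body before the second check), which is the right choice for a server console, and both failure paths hand the same generic `'Access denied.'` back to the caller so the specific reason stays server-side. The new check `if (!req.body.client_id || !req.body.client_secret)` assumes req.body is always populated when this middleware runs; if the body parser can be absent for some routes, a `req.body` presence guard would be needed — this cannot be confirmed from the hunk. The enclosing method starts outside the hunks shown.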
@ -6,6 +6,7 @@ var _ = require('lodash'),
|
|||
passport = require('passport'),
|
||||
rewire = require('rewire'),
|
||||
config = require('../../../server/config'),
|
||||
errors = require('../../../server/errors'),
|
||||
defaultConfig = rewire('../../../../config.example')[process.env.NODE_ENV],
|
||||
auth = rewire('../../../server/middleware/auth'),
|
||||
BearerStrategy = require('passport-http-bearer').Strategy,
|
||||
|
@ -18,7 +19,9 @@ var _ = require('lodash'),
|
|||
client = {
|
||||
id: 2,
|
||||
type: 'ua'
|
||||
};
|
||||
},
|
||||
|
||||
sandbox = sinon.sandbox.create();
|
||||
|
||||
should.equal(true, true);
|
||||
|
||||
|
@ -86,13 +89,13 @@ function registerFaultyClientPasswordStrategy() {
|
|||
}
|
||||
|
||||
describe('Auth', function () {
|
||||
var res, req, next, sandbox;
|
||||
var res, req, next, errorStub;
|
||||
|
||||
beforeEach(function () {
|
||||
sandbox = sinon.sandbox.create();
|
||||
req = {};
|
||||
res = {};
|
||||
next = sandbox.spy();
|
||||
errorStub = sandbox.stub(errors, 'logError');
|
||||
});
|
||||
|
||||
afterEach(function () {
|
||||
|
@ -322,7 +325,7 @@ describe('Auth', function () {
|
|||
done();
|
||||
});
|
||||
|
||||
it('shouldn\'t authenticate client', function (done) {
|
||||
it('shouldn\'t authenticate without full client credentials', function (done) {
|
||||
req.body = {};
|
||||
req.body.client_id = testClient;
|
||||
res.status = {};
|
||||
|
@ -339,6 +342,33 @@ describe('Auth', function () {
|
|||
registerUnsuccessfulClientPasswordStrategy();
|
||||
auth.authenticateClient(req, res, next);
|
||||
next.called.should.be.false;
|
||||
errorStub.calledTwice.should.be.true;
|
||||
errorStub.getCall(0).args[1].should.eql('Client credentials were not provided');
|
||||
|
||||
done();
|
||||
});
|
||||
|
||||
it('shouldn\'t authenticate invalid/unknown client', function (done) {
|
||||
req.body = {};
|
||||
req.body.client_id = testClient;
|
||||
req.body.client_secret = testSecret;
|
||||
res.status = {};
|
||||
|
||||
sandbox.stub(res, 'status', function (statusCode) {
|
||||
statusCode.should.eql(401);
|
||||
return {
|
||||
json: function (err) {
|
||||
err.errors[0].errorType.should.eql('UnauthorizedError');
|
||||
}
|
||||
};
|
||||
});
|
||||
|
||||
registerUnsuccessfulClientPasswordStrategy();
|
||||
auth.authenticateClient(req, res, next);
|
||||
next.called.should.be.false;
|
||||
errorStub.calledTwice.should.be.true;
|
||||
errorStub.getCall(0).args[1].should.eql('Client credentials were not valid');
|
||||
|
||||
done();
|
||||
});
|
||||
|
||||
|
@ -365,7 +395,7 @@ describe('Auth', function () {
|
|||
done();
|
||||
});
|
||||
|
||||
it('should authenticate client', function (done) {
|
||||
it('should authenticate valid/known client', function (done) {
|
||||
req.body = {};
|
||||
req.body.client_id = testClient;
|
||||
req.body.client_secret = testSecret;
|
||||
|
|
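Review bot: The new test 'shouldn't authenticate without full client credentials' only exercises the missing-secret half of the `!req.body.client_id || !req.body.client_secret` guard, since it sets `req.body.client_id = testClient` and nothing else; a sibling case that sets only `req.body.client_secret = testSecret` would cover the other operand, and a case with an empty-string credential would confirm that present-but-falsy values are also rejected. `errorStub.calledTwice.should.be.true` appears to depend on a second logError call made outside the new code (presumably by `errors.handleAPIError`), so it will break if that helper's logging changes; the assertion on `errorStub.getCall(0).args[1]` on the following line is the part that actually verifies this commit, and adding `errorStub.getCall(0).args[0].should.eql('Client Authentication Failed');` would pin the message title too. The describe block containing these tests starts outside the hunks shown.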