From b410f5833bc610fa3df30ce8af820699f1d112a3 Mon Sep 17 00:00:00 2001
From: Michael Bradshaw <mjbshaw@gmail.com>
Date: Wed, 19 Feb 2014 15:53:40 -0700
Subject: [PATCH] Respect subdirectory in authenticate middleware

---
 core/server/middleware/index.js      |  4 ++--
 core/server/middleware/middleware.js | 17 +++++++++--------
 2 files changed, 11 insertions(+), 10 deletions(-)

diff --git a/core/server/middleware/index.js b/core/server/middleware/index.js
index 7099537948..c90a49af01 100644
--- a/core/server/middleware/index.js
+++ b/core/server/middleware/index.js
@@ -272,8 +272,8 @@ module.exports = function (server, dbHash) {
 
     // ### Caching
     expressServer.use(middleware.cacheControl('public'));
-    expressServer.use('/api/', middleware.cacheControl('private'));
-    expressServer.use('/ghost/', middleware.cacheControl('private'));
+    expressServer.use(subdir + '/api/', middleware.cacheControl('private'));
+    expressServer.use(subdir + '/ghost/', middleware.cacheControl('private'));
 
     // enable authentication; has to be done before CSRF handling
     expressServer.use(middleware.authenticate);
diff --git a/core/server/middleware/middleware.js b/core/server/middleware/middleware.js
index e5c71b9a21..cb64409c5b 100644
--- a/core/server/middleware/middleware.js
+++ b/core/server/middleware/middleware.js
@@ -29,17 +29,17 @@ var middleware = {
     // exceptions for signin, signout, signup, forgotten, reset only
     // api and frontend use different authentication mechanisms atm
     authenticate: function (req, res, next) {
-        if (res.isAdmin) {
-            if (req.path.indexOf("/ghost/api/") === 0) {
-                return middleware.authAPI(req, res, next);
-            }
-
-            var noAuthNeeded = [
+        var subPath = req.path.substring(config().paths.subdir.length),
+            noAuthNeeded = [
                 '/ghost/signin/', '/ghost/signout/', '/ghost/signup/',
                 '/ghost/forgotten/', '/ghost/reset/'
             ];
+        if (res.isAdmin) {
+            if (subPath.indexOf('/ghost/api/') === 0) {
+                return middleware.authAPI(req, res, next);
+            }
 
-            if (noAuthNeeded.indexOf(req.path) < 0) {
+            if (noAuthNeeded.indexOf(subPath) < 0) {
                 return middleware.auth(req, res, next);
             }
         }
@@ -51,7 +51,8 @@ var middleware = {
     // We strip /ghost/ out of the redirect parameter for neatness
     auth: function (req, res, next) {
         if (!req.session.user) {
-            var reqPath = req.path.replace(/^\/ghost\/?/gi, ''),
+            var subPath = req.path.substring(config().paths.subdir.length),
+                reqPath = subPath.replace(/^\/ghost\/?/gi, ''),
                 redirect = '',
                 msg;