Move Public API behind labs flag

closes #5941 - added UI to labs page - added method to determine if full authentication is required - updated public_api tests to enable public api first
2025-03-11 02:12:21 -05:00 · 2015-10-23 11:03:38 +02:00 · 2015-10-23 11:03:38 +02:00 · bf65c136ce
commit bf65c136ce
parent 0c9befc16f
8 changed files with 78 additions and 3 deletions
--- a/core/client/app/controllers/feature.js
+++ b/core/client/app/controllers/feature.js
@ -25,5 +25,9 @@ export default Ember.Controller.extend(Ember.PromiseProxyMixin, {
        }
        return value;
    }),
    publicAPI: Ember.computed('config.publicAPI', 'labs.publicAPI', function () {
        return this.get('config.publicAPI') || this.get('labs.publicAPI');
    })
 });
--- a/core/client/app/controllers/settings/labs.js
+++ b/core/client/app/controllers/settings/labs.js
@ -9,6 +9,7 @@ export default Ember.Controller.extend({
    ghostPaths: Ember.inject.service('ghost-paths'),
    notifications: Ember.inject.service(),
    session: Ember.inject.service(),
    feature: Ember.inject.controller(),
    labsJSON: Ember.computed('model.labs', function () {
        return JSON.parse(this.get('model.labs') || {});
@ -29,6 +30,16 @@ export default Ember.Controller.extend({
        });
    },
    usePublicAPI: Ember.computed('feature.publicAPI', {
        get: function () {
            return this.get('feature.publicAPI');
        },
        set: function (key, value) {
            this.saveLabs('publicAPI', value);
            return value;
        }
    }),
    actions: {
        onUpload: function (file) {
            var self = this,
--- a/core/client/app/templates/settings/labs.hbs
+++ b/core/client/app/templates/settings/labs.hbs
@ -42,5 +42,19 @@
                </div>
            </fieldset>
        </form>
        <hr>
        <form>
            <fieldset>
                <div class="form-group for-checkbox">
                    <label for="labs-publicAPI">Public API</label>
                    <label class="checkbox" for="labs-publicAPI">
                        {{input id="labs-publicAPI" name="labs[publicAPI]" type="checkbox" checked=usePublicAPI}}
                        <span class="input-toggle-component"></span>
                        <p>Enable public API access.</p>
                    </label>
                    <p>Allow access to the publicly available Ghost API using JavaScript.</p>
                </div>
            </fieldset>
        </form>
    </section>
 </section>
--- a/core/server/api/configuration.js
+++ b/core/server/api/configuration.js
@ -10,6 +10,7 @@ var _                  = require('lodash'),
 function getValidKeys() {
    var validKeys = {
            fileStorage: config.fileStorage === false ? false : true,
            publicAPI: config.publicAPI === true ? true : false,
            apps: config.apps === true ? true : false,
            version: config.ghostVersion,
            environment: process.env.NODE_ENV,
--- a/core/server/middleware/auth.js
+++ b/core/server/middleware/auth.js
@ -3,6 +3,7 @@ var _           = require('lodash'),
    url         = require('url'),
    errors      = require('../errors'),
    config      = require('../config'),
    api         = require('../api'),
    oauthServer,
    auth;
@ -130,6 +131,30 @@ auth = {
        }
    },
    // ### Require user depending on public API being activated.
    requiresAuthorizedUserPublicAPI: function requiresAuthorizedUserPublicAPI(req, res, next) {
        return api.settings.read({key: 'labs', context: {internal: true}}).then(function (response) {
            var labs,
                labsValue;
            labs = _.find(response.settings, function (setting) {
                return setting.key === 'labs';
            });
            labsValue = JSON.parse(labs.value);
            if (labsValue.publicAPI && labsValue.publicAPI === true) {
                return next();
            } else {
                if (req.user) {
                    return next();
                } else {
                    return errors.handleAPIError(new errors.NoPermissionError('Please Sign In'), req, res, next);
                }
            }
        });
    },
    // ### Generate access token Middleware
    // register the oauth2orize middleware for password and refresh token grants
    generateAccessToken: function generateAccessToken(req, res, next) {
--- a/core/server/middleware/index.js
+++ b/core/server/middleware/index.js
@ -43,6 +43,7 @@ middleware = {
        authenticateClient: auth.authenticateClient,
        authenticateUser: auth.authenticateUser,
        requiresAuthorizedUser: auth.requiresAuthorizedUser,
        requiresAuthorizedUserPublicAPI: auth.requiresAuthorizedUserPublicAPI,
        generateAccessToken: auth.generateAccessToken,
        errorHandler: errors.handleAPIError
    }
--- a/core/server/routes/api.js
+++ b/core/server/routes/api.js
@ -8,7 +8,8 @@ apiRoutes = function apiRoutes(middleware) {
        // Authentication for public endpoints
        authenticatePublic = [
            middleware.api.authenticateClient,
-            middleware.api.authenticateUser
+            middleware.api.authenticateUser,
            middleware.api.requiresAuthorizedUserPublicAPI
        ],
        // Require user for private endpoints
        authenticatePrivate = [
--- a/core/test/functional/routes/api/public_api_spec.js
+++ b/core/test/functional/routes/api/public_api_spec.js
@ -10,6 +10,12 @@ var testUtils     = require('../../../utils'),
    request;
 describe('Public API', function () {
    var publicAPIaccessSetting = {
        settings: [
            {key: 'labs', value: {publicAPI: true}}
        ]
    };
    before(function (done) {
        // starting ghost automatically populates the db
        // TODO: prevent db init, and manage bringing up the DB with fixtures ourselves
@ -17,8 +23,20 @@ describe('Public API', function () {
            request = supertest.agent(ghostServer.rootApp);
        }).then(function () {
            return testUtils.doAuth(request, 'posts', 'tags');
-        }).then(function () {
+        }).then(function (token) {
-            done();
+            // enable public API
            return request.put(testUtils.API.getApiQuery('settings/'))
                .set('Authorization', 'Bearer ' + token)
                .send(publicAPIaccessSetting)
                .expect('Content-Type', /json/)
                .expect('Cache-Control', testUtils.cacheRules.private)
                .expect(200)
                .end(function (err) {
                    if (err) {
                        return done(err);
                    }
                    done();
                });
        }).catch(done);
    });