diff --git a/core/server/services/auth/authenticate.js b/core/server/services/auth/authenticate.js
index 80a7f1794c..b251cdf92f 100644
--- a/core/server/services/auth/authenticate.js
+++ b/core/server/services/auth/authenticate.js
@@ -103,7 +103,7 @@ const authenticate = {
 },
 // ### v2 API auth middleware
- authenticateAdminAPI: [session.safeGetSession, session.getUser],
+ authenticateAdminApi: [session.safeGetSession, session.getUser],
 authenticateContentApi: [apiKeyAuth.content.authenticateContentApiKey, members.authenticateMembersToken]
 };
diff --git a/core/server/services/auth/authorize.js b/core/server/services/auth/authorize.js
index 9262d0d9e0..8f76909394 100644
--- a/core/server/services/auth/authorize.js
+++ b/core/server/services/auth/authorize.js
@@ -37,7 +37,7 @@ const authorize = {
 };
 },
- authorizeAdminAPI: [session.ensureUser],
+ authorizeAdminApi: [session.ensureUser],
 authorizeContentApi(req, res, next) {
 const hasApiKey = req.api_key && req.api_key.id;
 const hasMember = req.member;
diff --git a/core/server/web/api/v2/admin/middleware.js b/core/server/web/api/v2/admin/middleware.js
index 3bbd5112cd..248261faf2 100644
--- a/core/server/web/api/v2/admin/middleware.js
+++ b/core/server/web/api/v2/admin/middleware.js
@@ -4,9 +4,9 @@ const shared = require('../../../shared');
 /**
 * Authentication for private endpoints
 */
-module.exports.authAdminAPI = [
- auth.authenticate.authenticateAdminAPI,
- auth.authorize.authorizeAdminAPI,
+module.exports.authAdminApi = [
+ auth.authenticate.authenticateAdminApi,
+ auth.authorize.authorizeAdminApi,
 shared.middlewares.updateUserLastSeen,
 shared.middlewares.api.cors,
 shared.middlewares.urlRedirects.adminRedirect,
diff --git a/core/server/web/api/v2/admin/routes.js b/core/server/web/api/v2/admin/routes.js
index 95438b3050..7b12fc5b47 100644
--- a/core/server/web/api/v2/admin/routes.js
+++ b/core/server/web/api/v2/admin/routes.js
@@ -23,23 +23,23 @@ module.exports = function apiRoutes() {
 // ## Configuration
 router.get('/configuration', api.http(api.configuration.read));
- router.get('/configuration/:key', mw.authAdminAPI, api.http(api.configuration.read));
+ router.get('/configuration/:key', mw.authAdminApi, api.http(api.configuration.read));
 // ## Posts
- router.get('/posts', mw.authAdminAPI, apiv2.http(apiv2.posts.browse));
- router.post('/posts', mw.authAdminAPI, apiv2.http(apiv2.posts.add));
- router.get('/posts/:id', mw.authAdminAPI, apiv2.http(apiv2.posts.read));
- router.get('/posts/slug/:slug', mw.authAdminAPI, apiv2.http(apiv2.posts.read));
- router.put('/posts/:id', mw.authAdminAPI, apiv2.http(apiv2.posts.edit));
- router.del('/posts/:id', mw.authAdminAPI, apiv2.http(apiv2.posts.destroy));
+ router.get('/posts', mw.authAdminApi, apiv2.http(apiv2.posts.browse));
+ router.post('/posts', mw.authAdminApi, apiv2.http(apiv2.posts.add));
+ router.get('/posts/:id', mw.authAdminApi, apiv2.http(apiv2.posts.read));
+ router.get('/posts/slug/:slug', mw.authAdminApi, apiv2.http(apiv2.posts.read));
+ router.put('/posts/:id', mw.authAdminApi, apiv2.http(apiv2.posts.edit));
+ router.del('/posts/:id', mw.authAdminApi, apiv2.http(apiv2.posts.destroy));
 // # Integrations
- router.get('/integrations', mw.authAdminAPI, apiv2.http(apiv2.integrations.browse));
- router.get('/integrations/:id', mw.authAdminAPI, apiv2.http(apiv2.integrations.read));
- router.post('/integrations', mw.authAdminAPI, apiv2.http(apiv2.integrations.add));
- router.put('/integrations/:id', mw.authAdminAPI, apiv2.http(apiv2.integrations.edit));
- router.del('/integrations/:id', mw.authAdminAPI, apiv2.http(apiv2.integrations.destroy));
+ router.get('/integrations', mw.authAdminApi, apiv2.http(apiv2.integrations.browse));
+ router.get('/integrations/:id', mw.authAdminApi, apiv2.http(apiv2.integrations.read));
+ router.post('/integrations', mw.authAdminApi, apiv2.http(apiv2.integrations.add));
+ router.put('/integrations/:id', mw.authAdminApi, apiv2.http(apiv2.integrations.edit));
+ router.del('/integrations/:id', mw.authAdminApi, apiv2.http(apiv2.integrations.destroy));
 // ## Schedules
 router.put('/schedules/posts/:id', [
@@ -48,120 +48,120 @@ module.exports = function apiRoutes() {
 ], api.http(api.schedules.publishPost));
 // ## Settings
- router.get('/settings/routes/yaml', mw.authAdminAPI, apiv2.http(apiv2.settings.download));
+ router.get('/settings/routes/yaml', mw.authAdminApi, apiv2.http(apiv2.settings.download));
 router.post('/settings/routes/yaml',
- mw.authAdminAPI,
+ mw.authAdminApi,
 upload.single('routes'),
 shared.middlewares.validation.upload({type: 'routes'}),
 apiv2.http(apiv2.settings.upload)
 );
- router.get('/settings', mw.authAdminAPI, apiv2.http(apiv2.settings.browse));
- router.get('/settings/:key', mw.authAdminAPI, apiv2.http(apiv2.settings.read));
- router.put('/settings', mw.authAdminAPI, apiv2.http(apiv2.settings.edit));
+ router.get('/settings', mw.authAdminApi, apiv2.http(apiv2.settings.browse));
+ router.get('/settings/:key', mw.authAdminApi, apiv2.http(apiv2.settings.read));
+ router.put('/settings', mw.authAdminApi, apiv2.http(apiv2.settings.edit));
 // ## Users
- router.get('/users', mw.authAdminAPI, apiv2.http(apiv2.users.browse));
- router.get('/users/:id', mw.authAdminAPI, apiv2.http(apiv2.users.read));
- router.get('/users/slug/:slug', mw.authAdminAPI, apiv2.http(apiv2.users.read));
+ router.get('/users', mw.authAdminApi, apiv2.http(apiv2.users.browse));
+ router.get('/users/:id', mw.authAdminApi, apiv2.http(apiv2.users.read));
+ router.get('/users/slug/:slug', mw.authAdminApi, apiv2.http(apiv2.users.read));
 // NOTE: We don't expose any email addresses via the public api.
- router.get('/users/email/:email', mw.authAdminAPI, apiv2.http(apiv2.users.read));
+ router.get('/users/email/:email', mw.authAdminApi, apiv2.http(apiv2.users.read));
- router.put('/users/password', mw.authAdminAPI, apiv2.http(apiv2.users.changePassword));
- router.put('/users/owner', mw.authAdminAPI, apiv2.http(apiv2.users.transferOwnership));
- router.put('/users/:id', mw.authAdminAPI, apiv2.http(apiv2.users.edit));
- router.del('/users/:id', mw.authAdminAPI, apiv2.http(apiv2.users.destroy));
+ router.put('/users/password', mw.authAdminApi, apiv2.http(apiv2.users.changePassword));
+ router.put('/users/owner', mw.authAdminApi, apiv2.http(apiv2.users.transferOwnership));
+ router.put('/users/:id', mw.authAdminApi, apiv2.http(apiv2.users.edit));
+ router.del('/users/:id', mw.authAdminApi, apiv2.http(apiv2.users.destroy));
 // ## Tags
- router.get('/tags', mw.authAdminAPI, apiv2.http(apiv2.tags.browse));
- router.get('/tags/:id', mw.authAdminAPI, apiv2.http(apiv2.tags.read));
- router.get('/tags/slug/:slug', mw.authAdminAPI, apiv2.http(apiv2.tags.read));
- router.post('/tags', mw.authAdminAPI, apiv2.http(apiv2.tags.add));
- router.put('/tags/:id', mw.authAdminAPI, apiv2.http(apiv2.tags.edit));
- router.del('/tags/:id', mw.authAdminAPI, apiv2.http(apiv2.tags.destroy));
+ router.get('/tags', mw.authAdminApi, apiv2.http(apiv2.tags.browse));
+ router.get('/tags/:id', mw.authAdminApi, apiv2.http(apiv2.tags.read));
+ router.get('/tags/slug/:slug', mw.authAdminApi, apiv2.http(apiv2.tags.read));
+ router.post('/tags', mw.authAdminApi, apiv2.http(apiv2.tags.add));
+ router.put('/tags/:id', mw.authAdminApi, apiv2.http(apiv2.tags.edit));
+ router.del('/tags/:id', mw.authAdminApi, apiv2.http(apiv2.tags.destroy));
 // ## Subscribers
- router.get('/subscribers', shared.middlewares.labs.subscribers, mw.authAdminAPI, apiv2.http(apiv2.subscribers.browse));
- router.get('/subscribers/csv', shared.middlewares.labs.subscribers, mw.authAdminAPI, apiv2.http(apiv2.subscribers.exportCSV));
+ router.get('/subscribers', shared.middlewares.labs.subscribers, mw.authAdminApi, apiv2.http(apiv2.subscribers.browse));
+ router.get('/subscribers/csv', shared.middlewares.labs.subscribers, mw.authAdminApi, apiv2.http(apiv2.subscribers.exportCSV));
 router.post('/subscribers/csv',
 shared.middlewares.labs.subscribers,
- mw.authAdminAPI,
+ mw.authAdminApi,
 upload.single('subscribersfile'),
 shared.middlewares.validation.upload({type: 'subscribers'}),
 apiv2.http(apiv2.subscribers.importCSV)
 );
- router.get('/subscribers/:id', shared.middlewares.labs.subscribers, mw.authAdminAPI, apiv2.http(apiv2.subscribers.read));
- router.get('/subscribers/email/:email', shared.middlewares.labs.subscribers, mw.authAdminAPI, apiv2.http(apiv2.subscribers.read));
- router.post('/subscribers', shared.middlewares.labs.subscribers, mw.authAdminAPI, apiv2.http(apiv2.subscribers.add));
- router.put('/subscribers/:id', shared.middlewares.labs.subscribers, mw.authAdminAPI, apiv2.http(apiv2.subscribers.edit));
- router.del('/subscribers/:id', shared.middlewares.labs.subscribers, mw.authAdminAPI, apiv2.http(apiv2.subscribers.destroy));
- router.del('/subscribers/email/:email', shared.middlewares.labs.subscribers, mw.authAdminAPI, apiv2.http(apiv2.subscribers.destroy));
+ router.get('/subscribers/:id', shared.middlewares.labs.subscribers, mw.authAdminApi, apiv2.http(apiv2.subscribers.read));
+ router.get('/subscribers/email/:email', shared.middlewares.labs.subscribers, mw.authAdminApi, apiv2.http(apiv2.subscribers.read));
+ router.post('/subscribers', shared.middlewares.labs.subscribers, mw.authAdminApi, apiv2.http(apiv2.subscribers.add));
+ router.put('/subscribers/:id', shared.middlewares.labs.subscribers, mw.authAdminApi, apiv2.http(apiv2.subscribers.edit));
+ router.del('/subscribers/:id', shared.middlewares.labs.subscribers, mw.authAdminApi, apiv2.http(apiv2.subscribers.destroy));
+ router.del('/subscribers/email/:email', shared.middlewares.labs.subscribers, mw.authAdminApi, apiv2.http(apiv2.subscribers.destroy));
 // ## Roles
- router.get('/roles/', mw.authAdminAPI, apiv2.http(apiv2.roles.browse));
+ router.get('/roles/', mw.authAdminApi, apiv2.http(apiv2.roles.browse));
 // ## Clients
 router.get('/clients/slug/:slug', api.http(api.clients.read));
 // ## Slugs
- router.get('/slugs/:type/:name', mw.authAdminAPI, apiv2.http(apiv2.slugs.generate));
+ router.get('/slugs/:type/:name', mw.authAdminApi, apiv2.http(apiv2.slugs.generate));
 // ## Themes
- router.get('/themes/', mw.authAdminAPI, api.http(api.themes.browse));
+ router.get('/themes/', mw.authAdminApi, api.http(api.themes.browse));
 router.get('/themes/:name/download',
- mw.authAdminAPI,
+ mw.authAdminApi,
 api.http(api.themes.download)
 );
 router.post('/themes/upload',
- mw.authAdminAPI,
+ mw.authAdminApi,
 upload.single('theme'),
 shared.middlewares.validation.upload({type: 'themes'}),
 api.http(api.themes.upload)
 );
 router.put('/themes/:name/activate',
- mw.authAdminAPI,
+ mw.authAdminApi,
 api.http(api.themes.activate)
 );
 router.del('/themes/:name',
- mw.authAdminAPI,
+ mw.authAdminApi,
 api.http(api.themes.destroy)
 );
 // ## Notifications
- router.get('/notifications', mw.authAdminAPI, apiv2.http(apiv2.notifications.browse));
- router.post('/notifications', mw.authAdminAPI, apiv2.http(apiv2.notifications.add));
- router.del('/notifications/:notification_id', mw.authAdminAPI, apiv2.http(apiv2.notifications.destroy));
+ router.get('/notifications', mw.authAdminApi, apiv2.http(apiv2.notifications.browse));
+ router.post('/notifications', mw.authAdminApi, apiv2.http(apiv2.notifications.add));
+ router.del('/notifications/:notification_id', mw.authAdminApi, apiv2.http(apiv2.notifications.destroy));
 // ## DB
- router.get('/db', mw.authAdminAPI, api.http(api.db.exportContent));
+ router.get('/db', mw.authAdminApi, api.http(api.db.exportContent));
 router.post('/db',
- mw.authAdminAPI,
+ mw.authAdminApi,
 upload.single('importfile'),
 shared.middlewares.validation.upload({type: 'db'}),
 api.http(api.db.importContent)
 );
- router.del('/db', mw.authAdminAPI, api.http(api.db.deleteAllContent));
+ router.del('/db', mw.authAdminApi, api.http(api.db.deleteAllContent));
 // ## Mail
- router.post('/mail', mw.authAdminAPI, apiv2.http(apiv2.mail.send));
- router.post('/mail/test', mw.authAdminAPI, apiv2.http(apiv2.mail.sendTest));
+ router.post('/mail', mw.authAdminApi, apiv2.http(apiv2.mail.send));
+ router.post('/mail/test', mw.authAdminApi, apiv2.http(apiv2.mail.sendTest));
 // ## Slack
- router.post('/slack/test', mw.authAdminAPI, apiv2.http(apiv2.slack.sendTest));
+ router.post('/slack/test', mw.authAdminApi, apiv2.http(apiv2.slack.sendTest));
 // ## Sessions
- router.get('/session', mw.authAdminAPI, api.http(apiv2.session.read));
+ router.get('/session', mw.authAdminApi, api.http(apiv2.session.read));
 // We don't need auth when creating a new session (logging in)
 router.post('/session',
 shared.middlewares.brute.globalBlock,
 shared.middlewares.brute.userLogin,
 api.http(apiv2.session.add)
 );
- router.del('/session', mw.authAdminAPI, api.http(apiv2.session.delete));
+ router.del('/session', mw.authAdminApi, api.http(apiv2.session.delete));
 // ## Authentication
 router.post('/authentication/passwordreset',
@@ -173,13 +173,13 @@ module.exports = function apiRoutes() {
 router.post('/authentication/invitation', api.http(api.authentication.acceptInvitation));
 router.get('/authentication/invitation', api.http(api.authentication.isInvitation));
 router.post('/authentication/setup', api.http(api.authentication.setup));
- router.put('/authentication/setup', mw.authAdminAPI, api.http(api.authentication.updateSetup));
+ router.put('/authentication/setup', mw.authAdminApi, api.http(api.authentication.updateSetup));
 router.get('/authentication/setup', api.http(api.authentication.isSetup));
 // ## Uploads
 // @TODO: rename endpoint to /images/upload (or similar)
 router.post('/uploads',
- mw.authAdminAPI,
+ mw.authAdminApi,
 upload.single('uploadimage'),
 shared.middlewares.validation.upload({type: 'images'}),
 shared.middlewares.image.normalize,
@@ -187,7 +187,7 @@ module.exports = function apiRoutes() {
 );
 router.post('/uploads/profile-image',
- mw.authAdminAPI,
+ mw.authAdminApi,
 upload.single('uploadimage'),
 shared.middlewares.validation.upload({type: 'images'}),
 shared.middlewares.validation.profileImage,
@@ -198,7 +198,7 @@ module.exports = function apiRoutes() {
 router.post('/db/backup', mw.authenticateClient('Ghost Backup'), api.http(api.db.backupContent));
 router.post('/uploads/icon',
- mw.authAdminAPI,
+ mw.authAdminApi,
 upload.single('uploadimage'),
 shared.middlewares.validation.upload({type: 'icons'}),
 shared.middlewares.validation.blogIcon(),
@@ -206,27 +206,27 @@ module.exports = function apiRoutes() {
 );
 // ## Invites
- router.get('/invites', mw.authAdminAPI, apiv2.http(apiv2.invites.browse));
- router.get('/invites/:id', mw.authAdminAPI, apiv2.http(apiv2.invites.read));
- router.post('/invites', mw.authAdminAPI, apiv2.http(apiv2.invites.add));
- router.del('/invites/:id', mw.authAdminAPI, apiv2.http(apiv2.invites.destroy));
+ router.get('/invites', mw.authAdminApi, apiv2.http(apiv2.invites.browse));
+ router.get('/invites/:id', mw.authAdminApi, apiv2.http(apiv2.invites.read));
+ router.post('/invites', mw.authAdminApi, apiv2.http(apiv2.invites.add));
+ router.del('/invites/:id', mw.authAdminApi, apiv2.http(apiv2.invites.destroy));
 // ## Redirects (JSON based)
- router.get('/redirects/json', mw.authAdminAPI, api.http(api.redirects.download));
+ router.get('/redirects/json', mw.authAdminApi, api.http(api.redirects.download));
 router.post('/redirects/json',
- mw.authAdminAPI,
+ mw.authAdminApi,
 upload.single('redirects'),
 shared.middlewares.validation.upload({type: 'redirects'}),
 api.http(api.redirects.upload)
 );
 // ## Webhooks (RESTHooks)
- router.post('/webhooks', mw.authAdminAPI, apiv2.http(apiv2.webhooks.add));
- router.put('/webhooks/:id', mw.authAdminAPI, apiv2.http(apiv2.webhooks.edit));
- router.del('/webhooks/:id', mw.authAdminAPI, apiv2.http(apiv2.webhooks.destroy));
+ router.post('/webhooks', mw.authAdminApi, apiv2.http(apiv2.webhooks.add));
+ router.put('/webhooks/:id', mw.authAdminApi, apiv2.http(apiv2.webhooks.edit));
+ router.del('/webhooks/:id', mw.authAdminApi, apiv2.http(apiv2.webhooks.destroy));
 // ## Oembed (fetch response from oembed provider)
- router.get('/oembed', mw.authAdminAPI, apiv2.http(apiv2.oembed.read));
+ router.get('/oembed', mw.authAdminApi, apiv2.http(apiv2.oembed.read));
 return router;
 };