
Added initial auth frame

refs https://github.com/TryGhost/Team/issues/1664

This has no security features; we need to replace the use of "*" with the origin of
the frontend site.
This commit is contained in:
Fabien "egg" O'Carroll 2022-07-05 11:16:23 +02:00 committed by Simon Backx
parent e60ec64454
commit ed7ce2c00f
5 changed files with 78 additions and 0 deletions


@ -0,0 +1,5 @@
<html>
<head>
<script src="message-handler.js"></script>
</head>
</html>


@ -0,0 +1,67 @@
window.addEventListener('message', async function (event) {
if (event.origin !== '*') {
// return;
}
let data = null;
try {
data = JSON.parse(event.data);
} catch (err) {
console.error(err);
}
function respond(error, result) {
event.source.postMessage(JSON.stringify({
uid: data.uid,
error: error,
result: result
}), '*');
}
if (data.action === 'getUser') {
try {
const res = await fetch(
'https://admin.egg/blog/ghost/api/canary/admin/users/me/'
);
const json = await res.json();
respond(null, json);
} catch (err) {
respond(err, null);
}
}
if (data.action === 'hideComment') {
try {
const res = await fetch('https://admin.egg/blog/ghost/api/canary/admin/comments/' + data.id + '/', {
method: 'PUT',
body: JSON.stringify({
status: 'hidden'
}),
headers: {
'Content-Type': 'application/json'
}
});
const json = await res.json();
respond(null, json);
} catch (err) {
respond(err, null);
}
}
if (data.action === 'showComment') {
try {
const res = await fetch('https://admin.egg/blog/ghost/api/canary/admin/comments/' + data.id + '/', {
method: 'PUT',
body: JSON.stringify({
status: 'published'
}),
headers: {
'Content-Type': 'application/json'
}
});
const json = await res.json();
respond(null, json);
} catch (err) {
respond(err, null);
}
}
});
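Review bot: A message whose body is not valid JSON leaves `data` as `null` after the try/catch on the JSON.parse, so `data.action` in the first `if` throws a TypeError inside the async listener and the rejection is never handled; add `if (data === null) return;` immediately after the catch block, which also protects the `data.uid` read inside respond. In the hideComment and showComment branches `data.id` is taken from the message and concatenated straight into the admin API path, so a value containing `/` or `..` selects a different route; use `encodeURIComponent(String(data.id))` in both fetch URLs. Serializing `err` with `JSON.stringify` in respond produces `{}` for an Error instance, so the frame's caller never sees why the request failed; pass `err.message` (or an explicit `{message: err.message}`) as the error field instead.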


@ -21,6 +21,10 @@ module.exports = function setupAdminApp() {
{maxAge: (configMaxAge || configMaxAge === 0) ? configMaxAge : constants.ONE_YEAR_MS, fallthrough: false}
));
adminApp.use('/auth-frame', serveStatic(
config.get('paths').adminAuthAssets
));
// Ember CLI's live-reload script
if (config.get('env') === 'development') {
adminApp.get('/ember-cli-live-reload.js', function emberLiveReload(req, res) {
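Review bot: The new `serveStatic` mount for `/auth-frame` passes no options, while the mount just above it sets `{maxAge: ..., fallthrough: false}`; with serve-static's default of falling through, a request for a file that does not exist under the auth assets directory is handed on to the later admin routes rather than answered with a 404 from this handler. For consistency with the sibling mount, `adminApp.use('/auth-frame', serveStatic(config.get('paths').adminAuthAssets, {fallthrough: false}));` seems the intended shape, and a cache policy should be chosen deliberately since the default maxAge is 0. The enclosing `setupAdminApp` function starts and ends outside the hunk.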


@ -3,6 +3,7 @@
"appRoot": ".",
"corePath": "core/",
"adminAssets": "core/built/assets",
"adminAuthAssets": "content/public/admin-auth",
"helperTemplates": "core/frontend/helpers/tpl/",
"adminViews": "core/server/web/admin/views/",
"defaultViews": "core/server/views/",


@ -102,6 +102,7 @@ describe('Config Loader', function () {
'appRoot',
'corePath',
'adminAssets',
'adminAuthAssets',
'helperTemplates',
'adminViews',
'defaultViews',