From ed7ce2c00f5862fa2a4f47e7125a91966f93de0f Mon Sep 17 00:00:00 2001
From: "Fabien \"egg\" O'Carroll"
Date: Tue, 5 Jul 2022 11:16:23 +0200
Subject: [PATCH] Added initial auth frame

refs https://github.com/TryGhost/Team/issues/1664

This has no security features, we need to replace usage of "*" with the origin of the frontend site.
---
 core/frontend/src/admin-auth/index.html | 5 ++
 .../src/admin-auth/message-handler.js | 67 +++++++++++++++++++
 core/server/web/admin/app.js | 4 ++
 core/shared/config/overrides.json | 1 +
 test/unit/shared/config/loader.test.js | 1 +
 5 files changed, 78 insertions(+)
 create mode 100644 core/frontend/src/admin-auth/index.html
 create mode 100644 core/frontend/src/admin-auth/message-handler.js
diff --git a/core/frontend/src/admin-auth/index.html b/core/frontend/src/admin-auth/index.html
new file mode 100644
index 0000000000..d4165cfff2
--- /dev/null
+++ b/core/frontend/src/admin-auth/index.html
@@ -0,0 +1,5 @@
+
+
+
+
+
diff --git a/core/frontend/src/admin-auth/message-handler.js b/core/frontend/src/admin-auth/message-handler.js
new file mode 100644
index 0000000000..2d5e0e97a3
--- /dev/null
+++ b/core/frontend/src/admin-auth/message-handler.js
@@ -0,0 +1,67 @@
+window.addEventListener('message', async function (event) {
+ if (event.origin !== '*') {
+ // return;
+ }
+ let data = null;
+ try {
+ data = JSON.parse(event.data);
+ } catch (err) {
+ console.error(err);
+ }
+
+ function respond(error, result) {
+ event.source.postMessage(JSON.stringify({
+ uid: data.uid,
+ error: error,
+ result: result
+ }), '*');
+ }
+
+ if (data.action === 'getUser') {
+ try {
+ const res = await fetch(
+ 'https://admin.egg/blog/ghost/api/canary/admin/users/me/'
+ );
+ const json = await res.json();
+ respond(null, json);
+ } catch (err) {
+ respond(err, null);
+ }
+ }
+
+ if (data.action === 'hideComment') {
+ try {
+ const res = await fetch('https://admin.egg/blog/ghost/api/canary/admin/comments/' + data.id + '/', {
+ method: 'PUT',
+ body: JSON.stringify({
+ status: 'hidden'
+ }),
+ headers: {
+ 'Content-Type': 'application/json'
+ }
+ });
+ const json = await res.json();
+ respond(null, json);
+ } catch (err) {
+ respond(err, null);
+ }
+ }
+
+ if (data.action === 'showComment') {
+ try {
+ const res = await fetch('https://admin.egg/blog/ghost/api/canary/admin/comments/' + data.id + '/', {
+ method: 'PUT',
+ body: JSON.stringify({
+ status: 'published'
+ }),
+ headers: {
+ 'Content-Type': 'application/json'
+ }
+ });
+ const json = await res.json();
+ respond(null, json);
+ } catch (err) {
+ respond(err, null);
+ }
+ }
+});
diff --git a/core/server/web/admin/app.js b/core/server/web/admin/app.js
index f67dd7ff0f..b9479b3a43 100644
--- a/core/server/web/admin/app.js
+++ b/core/server/web/admin/app.js
@@ -21,6 +21,10 @@ module.exports = function setupAdminApp() {
 {maxAge: (configMaxAge || configMaxAge === 0) ? configMaxAge : constants.ONE_YEAR_MS, fallthrough: false}
 ));
 
+ adminApp.use('/auth-frame', serveStatic(
+ config.get('paths').adminAuthAssets
+ ));
+
 // Ember CLI's live-reload script
 if (config.get('env') === 'development') {
 adminApp.get('/ember-cli-live-reload.js', function emberLiveReload(req, res) {
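Review bot: The origin guard at the top of the listener is a no-op: `event.origin` is never the literal string `'*'`, and the `return` inside it is commented out, so a message from any page that embeds this frame is parsed and acted on, and every reply goes out with a `'*'` target origin, which hands the `users/me/` response to whichever page sent the request. The commit message already flags the `'*'` usage; the concrete change is to compare `event.origin` against the configured frontend site origin, return early otherwise, and pass `event.origin` rather than `'*'` as the second argument of `postMessage`. Separately, a `JSON.parse` failure only logs and falls through, so `data` stays `null` and `data.action` on the next statement throws a TypeError inside the listener; the catch should return. `data.id` is concatenated into the comments URL unchecked, so at minimum reject non-string values and pass it through `encodeURIComponent`. The `https://admin.egg/blog` host is hard-coded and looks like a development value; since this frame is served by the admin app it could be derived from `window.location.origin` instead.
```javascript
// ALLOWED_ORIGIN is a placeholder: supply the frontend site origin from config
const ALLOWED_ORIGIN = '<frontend-site-origin>';

window.addEventListener('message', async function (event) {
    if (event.origin !== ALLOWED_ORIGIN) {
        return;
    }
    let data = null;
    try {
        data = JSON.parse(event.data);
    } catch (err) {
        console.error(err);
        return;
    }
    if (!data || typeof data.action !== 'string') {
        return;
    }

    function respond(error, result) {
        event.source.postMessage(JSON.stringify({
            uid: data.uid,
            error: error,
            result: result
        }), event.origin);
    }
    // … unchanged: getUser / hideComment / showComment handlers (validate and encodeURIComponent data.id before building the URL) …
```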
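Review bot: The new `/auth-frame` mount passes no options to `serveStatic`, unlike the `/assets` mount two lines above it that sets `maxAge` and `fallthrough: false`; serve-static defaults `fallthrough` to true, so a request for a missing file under `/auth-frame` would continue into the admin routes registered later instead of ending in a 404. For consistency with the existing mount, `serveStatic(config.get('paths').adminAuthAssets, {fallthrough: false})` looks like the intended shape; whether the one-year `maxAge` is also wanted for a page that carries auth logic is a separate decision worth a comment. `setupAdminApp` continues outside the hunk.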
diff --git a/core/shared/config/overrides.json b/core/shared/config/overrides.json
index f48b17d18d..86216c5ceb 100644
--- a/core/shared/config/overrides.json
+++ b/core/shared/config/overrides.json
@@ -3,6 +3,7 @@
 "appRoot": ".",
 "corePath": "core/",
 "adminAssets": "core/built/assets",
+ "adminAuthAssets": "content/public/admin-auth",
 "helperTemplates": "core/frontend/helpers/tpl/",
 "adminViews": "core/server/web/admin/views/",
 "defaultViews": "core/server/views/",
diff --git a/test/unit/shared/config/loader.test.js b/test/unit/shared/config/loader.test.js
index b38577a984..437123fbbc 100644
--- a/test/unit/shared/config/loader.test.js
+++ b/test/unit/shared/config/loader.test.js
@@ -102,6 +102,7 @@ describe('Config Loader', function () {
 'appRoot',
 'corePath',
 'adminAssets',
+ 'adminAuthAssets',
 'helperTemplates',
 'adminViews',
 'defaultViews',
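Review bot: `adminAuthAssets` points at `content/public/admin-auth`, but the two files added in this patch live under `core/frontend/src/admin-auth`, and nothing in the diffstat copies or builds them into that directory, so the `/auth-frame` mount in app.js would serve an empty directory unless a build step outside this patch populates it. Either a copy/build task needs to accompany this change or the path should reference where the files actually reside; a line in the PR description stating which is intended would make the follow-up clear.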