🐛 Fixed error for password authentication with Bearer Token (#9227)

refs #8613, refs #9228 - if you send a request to /authentication/token with `grant_type:password` and a Bearer token, Ghost was not able to handle this combination - because it skipped the client authentication, see https://github.com/TryGhost/Ghost/blob/1.17.0/core/server/auth/authenticate.js#L13 - and OAuth detects the `grant_type: password` and jumps in the target implementation - the target implementation for password authentication **again** tried to fetch the client and failed, because it relied on the previous client authentication - see https://github.com/TryGhost/Ghost/blob/1.17.0/core/server/auth/oauth.js#L40 (client.slug is undefined if client authentication is skipped) - ^ so this is the bug - we **can** skip client authentication for requests to the API to fetch data for example e.g. GET /posts (including Bearer) - so when is a client authentication required? - RFC (https://tools.ietf.org/html/rfc6749#page-38) differentiates between confidential and public clients, Ghost has no implementation for this at the moment - so in theory, public clients don't have to be authenticated, only if the credentials are included - to not invent a breaking change, i decided to only make the client authentication required for password authentication - we could change this in Ghost 2.0 I have removed the extra client request to the database for the password authentication, this is not needed. We already do client password authentication [here](https://github.com/TryGhost/Ghost/blob/1.17.0/core/server/auth/auth-strategies.js#L19); If a Bearer token is present and you have not send a `grant_type` (which signalises OAuth to do authentication), you can skip the client authentication.
2025-03-11 02:12:21 -05:00 · 2017-11-09 15:11:29 +01:00 · 2017-11-09 15:11:29 +01:00 · f22a2784f7
commit f22a2784f7
parent 016ee17ebb
4 changed files with 48 additions and 37 deletions
--- a/core/server/auth/authenticate.js
+++ b/core/server/auth/authenticate.js
@ -9,8 +9,24 @@ var passport = require('passport'),
 authenticate = {
    // ### Authenticate Client Middleware
    authenticateClient: function authenticateClient(req, res, next) {
-        // skip client authentication if bearer token is present
+        /**
-        if (authUtils.getBearerAutorizationToken(req)) {
+         * In theory, client authentication is not required for public clients, only for confidential clients.
         * See e.g. https://tools.ietf.org/html/rfc6749#page-38. Ghost has no differentiation for this at the moment.
         * See also See https://tools.ietf.org/html/rfc6749#section-2.1.
         *
         * Ghost requires client authentication for `grant_type: password`, because we have to ensure that
         * we tie a client to a new access token. That means `grant_type: refresh_token` does not require
         * client authentication, because binding a client already happened.
         *
         * To sum up:
         *   - password authentication requires client authentication
         *   - refreshing a token does not require client authentication
         *   - public API requires client authentication
         *      - as soon as you send an access token in the header or via query
         *      - we deny public API access
         *   - API access with a Bearer does not require client authentication
         */
        if (authUtils.getBearerAutorizationToken(req) && !authUtils.hasGrantType(req, 'password')) {
            return next();
        }
--- a/core/server/auth/oauth.js
+++ b/core/server/auth/oauth.js
@ -37,29 +37,26 @@ function exchangeRefreshToken(client, refreshToken, scope, body, authInfo, done)
 }
 // We are required to pass in authInfo in order to reset spam counter for user login
 function exchangePassword(client, username, password, scope, body, authInfo, done) {
-    models.Client.findOne({slug: client.slug})
+    if (!client || !client.id) {
-        .then(function then(client) {
+        return done(new errors.UnauthorizedError({
-            if (!client) {
+            message: i18n.t('errors.middleware.auth.clientCredentialsNotProvided')
-                return done(new errors.NoPermissionError({
+        }), false);
-                    message: i18n.t('errors.middleware.oauth.invalidClient')
+    }
                }), false);
            }
-            // Validate the user
+    // Validate the user
-            return models.User.check({email: username, password: password})
+    return models.User.check({email: username, password: password})
-                .then(function then(user) {
+        .then(function then(user) {
-                    return authUtils.createTokens({
+            return authUtils.createTokens({
-                        clientId: client.id,
+                clientId: client.id,
-                        userId: user.id
+                userId: user.id
-                    });
+            });
                })
                .then(function then(response) {
                    spamPrevention.userLogin().reset(authInfo.ip, username + 'login');
                    return done(null, response.access_token, response.refresh_token, {expires_in: response.expires_in});
                });
        })
-        .catch(function handleError(error) {
+        .then(function then(response) {
-            return done(error, false);
+            spamPrevention.userLogin().reset(authInfo.ip, username + 'login');
            return done(null, response.access_token, response.refresh_token, {expires_in: response.expires_in});
        })
        .catch(function (err) {
            done(err, false);
        });
 }
--- a/core/server/auth/utils.js
+++ b/core/server/auth/utils.js
@ -115,3 +115,8 @@ module.exports.getBearerAutorizationToken = function (req) {
    return token;
 };
 module.exports.hasGrantType = function hasGrantType(req, type) {
    return req.body && req.body.hasOwnProperty('grant_type') && req.body.grant_type === type
        || req.query && req.query.hasOwnProperty('grant_type') && req.query.grant_type === type;
 };
--- a/core/test/unit/auth/oauth_spec.js
+++ b/core/test/unit/auth/oauth_spec.js
@ -50,14 +50,12 @@ describe('OAuth', function () {
            req.body.grant_type = 'password';
            req.body.username = 'username';
            req.body.password = 'password';
            req.client = {
                id: 1
            };
            res.setHeader = {};
            res.end = {};
            sandbox.stub(models.Client, 'findOne')
                .withArgs({slug: 'test'}).returns(new Promise.resolve({
                id: 1
            }));
            sandbox.stub(models.User, 'check')
                .withArgs({email: 'username', password: 'password'}).returns(new Promise.resolve({
                id: 1
@ -105,11 +103,8 @@ describe('OAuth', function () {
            res.setHeader = {};
            res.end = {};
            sandbox.stub(models.Client, 'findOne')
                .withArgs({slug: 'test'}).returns(new Promise.resolve());
            oAuth.generateAccessToken(req, res, function (err) {
-                err.errorType.should.eql('NoPermissionError');
+                err.errorType.should.eql('UnauthorizedError');
                done();
            });
        });
@ -124,14 +119,12 @@ describe('OAuth', function () {
            req.body.grant_type = 'password';
            req.body.username = 'username';
            req.body.password = 'password';
            req.client = {
                id: 1
            };
            res.setHeader = {};
            res.end = {};
            sandbox.stub(models.Client, 'findOne')
                .withArgs({slug: 'test'}).returns(new Promise.resolve({
                id: 1
            }));
            sandbox.stub(models.User, 'check')
                .withArgs({email: 'username', password: 'password'}).returns(new Promise.resolve({
                id: 1