ghost/core/server/services/auth/members/index.js

const jwt = require('express-jwt');
const membersService = require('../../members');
const labs = require('../../labs');
const config = require('../../../../shared/config');

let UNO_MEMBERINO;

module.exports = {
    get authenticateMembersToken() {
        if (!labs.isSet('members')) {
            return function (req, res, next) {
                return next();
            };
        }

        if (!UNO_MEMBERINO) {
            const url = require('url');
            const {protocol, host} = url.parse(config.get('url'));
            const siteOrigin = `${protocol}//${host}`;

            UNO_MEMBERINO = membersService.api.getPublicConfig().then(({issuer}) => jwt({
                credentialsRequired: false,
                requestProperty: 'member',
                audience: siteOrigin,
                issuer,
                algorithm: 'RS512',
                secret(req, payload, done) {
                    membersService.api.getPublicConfig().then(({publicKey}) => {
                        done(null, publicKey);
                    }).catch(done);
                },
                getToken(req) {
                    if (!req.get('authorization')) {
                        return null;
                    }

                    const [scheme, credentials] = req.get('authorization').split(/\s+/);

                    if (scheme !== 'GhostMembers') {
                        return null;
                    }

                    return credentials;
                }
            }));
        }
        return function (req, res, next) {
            UNO_MEMBERINO.then(fn => fn(req, res, next)).catch(next);
        };
    }
};