mirror of
https://github.com/TryGhost/Ghost.git
synced 2025-02-24 23:48:13 -05:00
refs #8613, refs #9228

- if you send a request to /authentication/token with `grant_type:password` and a Bearer token, Ghost was not able to handle this combination
- because it skipped the client authentication, see https://github.com/TryGhost/Ghost/blob/1.17.0/core/server/auth/authenticate.js#L13
- and OAuth detects the `grant_type: password` and jumps into the target implementation
- the target implementation for password authentication **again** tried to fetch the client and failed, because it relied on the previous client authentication
- see https://github.com/TryGhost/Ghost/blob/1.17.0/core/server/auth/oauth.js#L40 (client.slug is undefined if client authentication is skipped)
- ^ so this is the bug
- we **can** skip client authentication for requests to the API to fetch data, for example GET /posts (including Bearer)
- so when is a client authentication required?
- RFC (https://tools.ietf.org/html/rfc6749#page-38) differentiates between confidential and public clients, Ghost has no implementation for this at the moment
- so in theory, public clients don't have to be authenticated, only if the credentials are included
- to not invent a breaking change, I decided to only make the client authentication required for password authentication
- we could change this in Ghost 2.0

I have removed the extra client request to the database for the password authentication, this is not needed. We already do client password authentication [here](https://github.com/TryGhost/Ghost/blob/1.17.0/core/server/auth/auth-strategies.js#L19). If a Bearer token is present and you have not sent a `grant_type` (which signalises OAuth to do authentication), you can skip the client authentication.
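The two "skip client authentication?" rules the commit message contrasts, as an added illustration that is not Ghost's code: `hasBearerToken`, `clientAuthRequiredBefore`, `clientAuthRequiredAfter`, `passwordGrant` and `handleTokenRequest` are hypothetical, simplified stand-ins for the real middleware, and the client table is constructed.

```javascript
// Added illustration of the bug described in the commit message above.
// Not Ghost's code: all names here are hypothetical and simplified.

const BEARER_RE = /^Bearer\s+\S+$/i;

// Does the request carry a Bearer token? (hypothetical helper)
function hasBearerToken(req) {
  const header = (req.headers && req.headers.authorization) || '';
  return BEARER_RE.test(header);
}

// Pre-fix rule as described: client auth is skipped whenever a Bearer
// token is present, regardless of grant_type.
function clientAuthRequiredBefore(req) {
  return !hasBearerToken(req);
}

// Fixed rule: client auth may be skipped only when a Bearer token is
// present AND no grant_type was sent (i.e. this is not a token request).
function clientAuthRequiredAfter(req) {
  const grantType = req.body && req.body.grant_type;
  return !(hasBearerToken(req) && !grantType);
}

// Simplified password grant: relies on the client that the earlier client
// authentication step attached to the request (the commit's client.slug).
function passwordGrant(req) {
  if (!req.client || !req.client.slug) {
    throw new Error('password grant requires an authenticated client');
  }
  return { ok: true, client: req.client.slug };
}

// Simulated pipeline: run client auth only when `rule` says it is required,
// then dispatch on grant_type. `knownClients` maps client_id -> secret.
function handleTokenRequest(req, rule, knownClients) {
  if (rule(req)) {
    const id = req.body.client_id;
    if (!knownClients[id] || knownClients[id] !== req.body.client_secret) {
      throw new Error('client authentication failed');
    }
    req.client = { slug: id };
  }
  if (req.body.grant_type === 'password') {
    return passwordGrant(req);
  }
  return { ok: true, client: req.client ? req.client.slug : null };
}
```

With the pre-fix rule, a password grant sent together with a Bearer token reaches `passwordGrant` without a client and fails; with the fixed rule the same request authenticates the client first, while a plain Bearer read with no `grant_type` still skips client auth.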