0
Fork 0
mirror of https://github.com/TryGhost/Ghost.git synced 2025-01-06 22:40:14 -05:00
Independent technology for modern publishing, memberships, subscriptions and newsletters.
Find a file
Katharina Irrgang f22a2784f7 🐛 Fixed error for password authentication with Bearer Token (#9227)
refs #8613, refs #9228

- if you send a request to /authentication/token with `grant_type:password` and a Bearer token, Ghost was not able to handle this combination
- because it skipped the client authentication, see https://github.com/TryGhost/Ghost/blob/1.17.0/core/server/auth/authenticate.js#L13
- and OAuth detects the `grant_type: password` and jumps in the target implementation
- the target implementation for password authentication **again** tried to fetch the client and failed, because it relied on the previous client authentication
- see https://github.com/TryGhost/Ghost/blob/1.17.0/core/server/auth/oauth.js#L40 (client.slug is undefined if client authentication is skipped)
- ^ so this is the bug
- we **can** skip client authentication for requests to the API to fetch data for example e.g. GET /posts (including Bearer)
- so when is a client authentication required?
- RFC (https://tools.ietf.org/html/rfc6749#page-38) differentiates between confidential and public clients, Ghost has no implementation for this at the moment
  - so in theory, public clients don't have to be authenticated, only if the credentials are included
- to not invent a breaking change, i decided to only make the client authentication required for password authentication
- we could change this in Ghost 2.0

I have removed the extra client request to the database for the password authentication, this is not needed. We already do client password authentication [here](https://github.com/TryGhost/Ghost/blob/1.17.0/core/server/auth/auth-strategies.js#L19);
If a Bearer token is present and you have not send a `grant_type` (which signalises OAuth to do authentication), you can skip the client authentication.
2017-11-09 14:11:29 +00:00
.github PRs don't need to squash commits anymore 2017-10-19 12:51:40 +01:00
content Upgrading Casper to 2.1.6 2017-10-26 19:09:37 +07:00
core 🐛 Fixed error for password authentication with Bearer Token (#9227) 2017-11-09 14:11:29 +00:00
.editorconfig Various post-repo-split cleanup (#6910) 2016-07-12 11:55:46 -06:00
.eslintrc.json ESlint rule: no-multiple-empty-lines 2017-11-06 10:12:18 +00:00
.gitignore Support for Node v8 (#9183) 2017-10-26 11:37:58 +01:00
.gitmodules
.npmignore Added package-lock.json to npmignore (#9193) 2017-10-31 17:29:46 +01:00
.travis.yml Fixed comment about node version changes (#9223) 2017-11-08 00:27:47 +01:00
Gruntfile.js Switch to Eslint (#9197) 2017-11-01 13:44:54 +00:00
index.js Used ghost-ignition.debug, removed debug dep (#8881) 2017-08-15 18:29:27 +07:00
LICENSE 2017 (#7819) 2017-01-04 10:05:57 +00:00
MigratorConfig.js 🎨 optimise requires for MigratorConfig (#8088) 2017-03-02 16:02:23 +00:00
package.json Version bump to 1.17.0 2017-11-07 13:41:35 +00:00
PRIVACY.md Update config location and docs url in PRIVACY (#8817) 2017-08-01 19:21:38 -04:00
README.md Remove wishlist links (#8981) 2017-09-07 09:04:33 +02:00
SECURITY.md
yarn.lock Switch to Eslint (#9197) 2017-11-01 13:44:54 +00:00

Ghost Build status

The project is maintained by a non-profit organisation called the Ghost Foundation, along with an amazing group of independent contributors. We're trying to make publishing software that changes the shape of online journalism.

NOTE: If youre stuck, cant get something working or need some help, please head on over and join our Slack community rather than opening an issue.

 

Ghost

 

Hosting a live Ghost site

Ghost(Pro)

The easiest way to deploy Ghost is with our official Ghost(Pro) managed service. You can have a fresh instance up and running in a couple of clicks with a worldwide CDN, backups, security and maintenance all done for you.

Not only will it save you hours of maintenance per month, but all revenue goes to the Ghost Foundation, which funds the maintenance and further development of Ghost itself. So youll be supporting open source software and getting a great service at the same time! Talk about win/win. 🏆

Self-Hosters

Other options are also available if you prefer playing around with servers by yourself, of course. The freedom of choice is in your hands.

Theme Developers

If you are developing a Ghost theme for your own site or creating themes for others to use we recommend installing Ghost on your own local machine. Luckily we have a brand new Ghost CLI to make this really easy 😄

Contributors & Advanced Developers

For anyone wishing to contribute to Ghost or to hack/customise core files we recommend following our development setup guides:

Staying Up to Date

When a new version of Ghost comes out, you'll want to look over these upgrade instructions for what to do next.

You can talk to other Ghost users and developers in our public Slack team (it's pretty awesome).

New releases are announced on the dev blog. You can subscribe by email or follow @TryGhost_Dev on Twitter, if you prefer your updates bite-sized and facetious. 🎷🐢

 

Copyright & License

Copyright (c) 2013-2017 Ghost Foundation - Released under the MIT license. Ghost and the Ghost Logo are trademarks of Ghost Foundation Ltd. Please see our trademark policy for info on acceptable usage.