mirror of
https://github.com/TryGhost/Ghost.git
synced 2025-02-10 23:36:14 -05:00
f22a2784f7
refs #8613, refs #9228 - if you send a request to /authentication/token with `grant_type:password` and a Bearer token, Ghost was not able to handle this combination - because it skipped the client authentication, see https://github.com/TryGhost/Ghost/blob/1.17.0/core/server/auth/authenticate.js#L13 - and OAuth detects the `grant_type: password` and jumps in the target implementation - the target implementation for password authentication **again** tried to fetch the client and failed, because it relied on the previous client authentication - see https://github.com/TryGhost/Ghost/blob/1.17.0/core/server/auth/oauth.js#L40 (client.slug is undefined if client authentication is skipped) - ^ so this is the bug - we **can** skip client authentication for requests to the API to fetch data for example e.g. GET /posts (including Bearer) - so when is a client authentication required? - RFC (https://tools.ietf.org/html/rfc6749#page-38) differentiates between confidential and public clients, Ghost has no implementation for this at the moment - so in theory, public clients don't have to be authenticated, only if the credentials are included - to not invent a breaking change, i decided to only make the client authentication required for password authentication - we could change this in Ghost 2.0 I have removed the extra client request to the database for the password authentication, this is not needed. We already do client password authentication [here](https://github.com/TryGhost/Ghost/blob/1.17.0/core/server/auth/auth-strategies.js#L19); If a Bearer token is present and you have not send a `grant_type` (which signalises OAuth to do authentication), you can skip the client authentication. |
||
|---|---|---|
| .. | ||
| adapters | ||
| admin | ||
| api | ||
| apps | ||
| auth | ||
| config | ||
| controllers | ||
| data | ||
| events | ||
| helpers | ||
| middleware | ||
| models | ||
| permissions | ||
| public | ||
| services | ||
| settings | ||
| site | ||
| themes | ||
| translations | ||
| utils | ||
| views | ||
| analytics-events.js | ||
| app.js | ||
| errors.js | ||
| filters.js | ||
| ghost-server.js | ||
| i18n.js | ||
| index.js | ||
| logging.js | ||
| overrides.js | ||
| update-check.js | ||