Ghost/core/server/api/v2/session.js

const Promise = require('bluebird');
const {i18n} = require('../../lib/common');
const errors = require('@tryghost/errors');
const models = require('../../models');
const auth = require('../../services/auth');
const api = require('./index');

const session = {
    read(frame) {
        /*
         * TODO
         * Don't query db for user, when new api http wrapper is in we can
         * have direct access to req.user, we can also get access to some session
         * inofrmation too and send it back
         */
        return models.User.findOne({id: frame.options.context.user});
    },
    add(frame) {
        const object = frame.data;

        if (!object || !object.username || !object.password) {
            return Promise.reject(new errors.UnauthorizedError({
                message: i18n.t('errors.middleware.auth.accessDenied')
            }));
        }

        return models.User.check({
            email: object.username,
            password: object.password
        }).then((user) => {
            return Promise.resolve((req, res, next) => {
                req.brute.reset(function (err) {
                    if (err) {
                        return next(err);
                    }
                    req.user = user;
                    auth.session.createSession(req, res, next);
                });
            });
        }).catch(async (err) => {
            if (!errors.utils.isIgnitionError(err)) {
                throw new errors.UnauthorizedError({
                    message: i18n.t('errors.middleware.auth.accessDenied'),
                    err
                });
            }

            if (err.errorType === 'PasswordResetRequiredError') {
                await api.authentication.generateResetToken({
                    passwordreset: [{
                        email: object.username
                    }]
                }, frame.options.context);
            }

            throw err;
        });
    },
    delete() {
        return Promise.resolve((req, res, next) => {
            auth.session.destroySession(req, res, next);
        });
    }
};

module.exports = session;
Created session controller (#9911) refs #9865 Note that this controller is the singular, that's because we plan to make a session resource controller to be used with /sessions, wheras this is on /session 2018-10-03 16:45:42 +03:00			`const Promise = require('bluebird');`
Refactored `common` lib import to use destructuring (#11835) * refactored `core/frontend/apps` to destructure common imports * refactored `core/frontend/services/{apps, redirects, routing}` to destructure common imports * refactored `core/frontend/services/settings` to destructure common imports * refactored remaining `core/frontend/services` to destructure common imports * refactored `core/server/adapters` to destructure common imports * refactored `core/server/data/{db, exporter, schema, validation}` to destructure common imports * refactored `core/server/data/importer` to destructure common imports * refactored `core/server/models/{base, plugins, relations}` to destructure common imports * refactored remaining `core/server/models` to destructure common imports * refactored `core/server/api/canary/utils/serializers/output` to destructure common imports * refactored remaining `core/server/api/canary/utils` to destructure common imports * refactored remaining `core/server/api/canary` to destructure common imports * refactored `core/server/api/shared` to destructure common imports * refactored `core/server/api/v2/utils` to destructure common imports * refactored remaining `core/server/api/v2` to destructure common imports * refactored `core/frontend/meta` to destructure common imports * fixed some tests referencing `common.errors` instead of `@tryghost/errors` - Not all of them need to be updated; only updating the ones that are causing failures * fixed errors import being shadowed by local scope 2020-05-22 21:22:20 +03:00			`const {i18n} = require('../../lib/common');`
			`const errors = require('@tryghost/errors');`
Created session controller (#9911) refs #9865 Note that this controller is the singular, that's because we plan to make a session resource controller to be used with /sessions, wheras this is on /session 2018-10-03 16:45:42 +03:00			`const models = require('../../models');`
			`const auth = require('../../services/auth');`
Improved password reset and session invalidation for "locked" users (#11790) - Fixed session invalidation for "locked" user - Currently Ghost API was returning 404 for users having status set to "locked". This lead the user to be stuck in Ghost-Admin with "Rousource Not Found" error message. - By returning 401 for non-"active" users it allows for the Ghost-Admin to redirect the user to "signin" screen where they would be instructed to reset their password - Fixed error message returned by session API - Instead of returning generic 'access' denied message when error happens during `User.check` we want to return more specific error thrown inside of the method, e.g.: 'accountLocked' or 'accountSuspended' - Fixed messaging for 'accountLocked' i18n, which not corresponds to the actual UI available to the end user - Added automatic password reset email to locked users on sign-in - uses alternative email for required password reset so it's clear that this is a security related reset and not a user-requested reset - Backported the auto sending of required password reset email to v2 sign-in route - used by 3rd party clients where the email is necessary for users to know why login is failing Co-authored-by: Kevin Ansfield <kevin@lookingsideways.co.uk> 2020-05-05 21:37:53 +03:00			`const api = require('./index');`
Created session controller (#9911) refs #9865 Note that this controller is the singular, that's because we plan to make a session resource controller to be used with /sessions, wheras this is on /session 2018-10-03 16:45:42 +03:00
			`const session = {`
💡Migrated session controllers for compatibility with "frame" (#11101) no issue - Session controllers were using API v1 http method which bypassed "frame" introduced with API v2. - Changes here are just a long-awaited cleanup to allow completely remove v0.1 code 2019-09-11 12:28:55 +03:00			`read(frame) {`
Created session controller (#9911) refs #9865 Note that this controller is the singular, that's because we plan to make a session resource controller to be used with /sessions, wheras this is on /session 2018-10-03 16:45:42 +03:00			`/*`
			`* TODO`
			`* Don't query db for user, when new api http wrapper is in we can`
			`* have direct access to req.user, we can also get access to some session`
			`* inofrmation too and send it back`
			`*/`
💡Migrated session controllers for compatibility with "frame" (#11101) no issue - Session controllers were using API v1 http method which bypassed "frame" introduced with API v2. - Changes here are just a long-awaited cleanup to allow completely remove v0.1 code 2019-09-11 12:28:55 +03:00			`return models.User.findOne({id: frame.options.context.user});`
Created session controller (#9911) refs #9865 Note that this controller is the singular, that's because we plan to make a session resource controller to be used with /sessions, wheras this is on /session 2018-10-03 16:45:42 +03:00			`},`
💡Migrated session controllers for compatibility with "frame" (#11101) no issue - Session controllers were using API v1 http method which bypassed "frame" introduced with API v2. - Changes here are just a long-awaited cleanup to allow completely remove v0.1 code 2019-09-11 12:28:55 +03:00			`add(frame) {`
			`const object = frame.data;`

Created session controller (#9911) refs #9865 Note that this controller is the singular, that's because we plan to make a session resource controller to be used with /sessions, wheras this is on /session 2018-10-03 16:45:42 +03:00			`if (!object \|\| !object.username \|\| !object.password) {`
Refactored `common` lib import to use destructuring (#11835) * refactored `core/frontend/apps` to destructure common imports * refactored `core/frontend/services/{apps, redirects, routing}` to destructure common imports * refactored `core/frontend/services/settings` to destructure common imports * refactored remaining `core/frontend/services` to destructure common imports * refactored `core/server/adapters` to destructure common imports * refactored `core/server/data/{db, exporter, schema, validation}` to destructure common imports * refactored `core/server/data/importer` to destructure common imports * refactored `core/server/models/{base, plugins, relations}` to destructure common imports * refactored remaining `core/server/models` to destructure common imports * refactored `core/server/api/canary/utils/serializers/output` to destructure common imports * refactored remaining `core/server/api/canary/utils` to destructure common imports * refactored remaining `core/server/api/canary` to destructure common imports * refactored `core/server/api/shared` to destructure common imports * refactored `core/server/api/v2/utils` to destructure common imports * refactored remaining `core/server/api/v2` to destructure common imports * refactored `core/frontend/meta` to destructure common imports * fixed some tests referencing `common.errors` instead of `@tryghost/errors` - Not all of them need to be updated; only updating the ones that are causing failures * fixed errors import being shadowed by local scope 2020-05-22 21:22:20 +03:00			`return Promise.reject(new errors.UnauthorizedError({`
			`message: i18n.t('errors.middleware.auth.accessDenied')`
Created session controller (#9911) refs #9865 Note that this controller is the singular, that's because we plan to make a session resource controller to be used with /sessions, wheras this is on /session 2018-10-03 16:45:42 +03:00			`}));`
			`}`

			`return models.User.check({`
			`email: object.username,`
			`password: object.password`
			`}).then((user) => {`
			`return Promise.resolve((req, res, next) => {`
Added spam prevention for v2 sessions (#10030) no-issue - Added spam prevention to POST /session - This blocks repeated requests the the /session endpoint preventing brute force password attacks - Updated session controller to reset brute middleware - This updates the session controller to reset the brute force protection on a successful login. This is required so that a user is not locked out forever :o!! 2018-10-18 11:58:29 +03:00			`req.brute.reset(function (err) {`
			`if (err) {`
			`return next(err);`
			`}`
			`req.user = user;`
			`auth.session.createSession(req, res, next);`
			`});`
Created session controller (#9911) refs #9865 Note that this controller is the singular, that's because we plan to make a session resource controller to be used with /sessions, wheras this is on /session 2018-10-03 16:45:42 +03:00			`});`
Improved password reset and session invalidation for "locked" users (#11790) - Fixed session invalidation for "locked" user - Currently Ghost API was returning 404 for users having status set to "locked". This lead the user to be stuck in Ghost-Admin with "Rousource Not Found" error message. - By returning 401 for non-"active" users it allows for the Ghost-Admin to redirect the user to "signin" screen where they would be instructed to reset their password - Fixed error message returned by session API - Instead of returning generic 'access' denied message when error happens during `User.check` we want to return more specific error thrown inside of the method, e.g.: 'accountLocked' or 'accountSuspended' - Fixed messaging for 'accountLocked' i18n, which not corresponds to the actual UI available to the end user - Added automatic password reset email to locked users on sign-in - uses alternative email for required password reset so it's clear that this is a security related reset and not a user-requested reset - Backported the auto sending of required password reset email to v2 sign-in route - used by 3rd party clients where the email is necessary for users to know why login is failing Co-authored-by: Kevin Ansfield <kevin@lookingsideways.co.uk> 2020-05-05 21:37:53 +03:00			`}).catch(async (err) => {`
Refactored `common` lib import to use destructuring (#11835) * refactored `core/frontend/apps` to destructure common imports * refactored `core/frontend/services/{apps, redirects, routing}` to destructure common imports * refactored `core/frontend/services/settings` to destructure common imports * refactored remaining `core/frontend/services` to destructure common imports * refactored `core/server/adapters` to destructure common imports * refactored `core/server/data/{db, exporter, schema, validation}` to destructure common imports * refactored `core/server/data/importer` to destructure common imports * refactored `core/server/models/{base, plugins, relations}` to destructure common imports * refactored remaining `core/server/models` to destructure common imports * refactored `core/server/api/canary/utils/serializers/output` to destructure common imports * refactored remaining `core/server/api/canary/utils` to destructure common imports * refactored remaining `core/server/api/canary` to destructure common imports * refactored `core/server/api/shared` to destructure common imports * refactored `core/server/api/v2/utils` to destructure common imports * refactored remaining `core/server/api/v2` to destructure common imports * refactored `core/frontend/meta` to destructure common imports * fixed some tests referencing `common.errors` instead of `@tryghost/errors` - Not all of them need to be updated; only updating the ones that are causing failures * fixed errors import being shadowed by local scope 2020-05-22 21:22:20 +03:00			`if (!errors.utils.isIgnitionError(err)) {`
			`throw new errors.UnauthorizedError({`
			`message: i18n.t('errors.middleware.auth.accessDenied'),`
Improved password reset and session invalidation for "locked" users (#11790) - Fixed session invalidation for "locked" user - Currently Ghost API was returning 404 for users having status set to "locked". This lead the user to be stuck in Ghost-Admin with "Rousource Not Found" error message. - By returning 401 for non-"active" users it allows for the Ghost-Admin to redirect the user to "signin" screen where they would be instructed to reset their password - Fixed error message returned by session API - Instead of returning generic 'access' denied message when error happens during `User.check` we want to return more specific error thrown inside of the method, e.g.: 'accountLocked' or 'accountSuspended' - Fixed messaging for 'accountLocked' i18n, which not corresponds to the actual UI available to the end user - Added automatic password reset email to locked users on sign-in - uses alternative email for required password reset so it's clear that this is a security related reset and not a user-requested reset - Backported the auto sending of required password reset email to v2 sign-in route - used by 3rd party clients where the email is necessary for users to know why login is failing Co-authored-by: Kevin Ansfield <kevin@lookingsideways.co.uk> 2020-05-05 21:37:53 +03:00			`err`
			`});`
			`}`

			`if (err.errorType === 'PasswordResetRequiredError') {`
			`await api.authentication.generateResetToken({`
			`passwordreset: [{`
			`email: object.username`
Removed separate reset/forced-reset emails and updated email copy refs https://github.com/TryGhost/Ghost/pull/11790 - reduced complexity by sticking to one email for both normal reset and forced reset (locked staff accounts) - exposed `siteTitle` for use in any email templates - updated email copy to be suitable for both types of password reset 2020-05-06 15:19:47 +03:00			`}]`
Improved password reset and session invalidation for "locked" users (#11790) - Fixed session invalidation for "locked" user - Currently Ghost API was returning 404 for users having status set to "locked". This lead the user to be stuck in Ghost-Admin with "Rousource Not Found" error message. - By returning 401 for non-"active" users it allows for the Ghost-Admin to redirect the user to "signin" screen where they would be instructed to reset their password - Fixed error message returned by session API - Instead of returning generic 'access' denied message when error happens during `User.check` we want to return more specific error thrown inside of the method, e.g.: 'accountLocked' or 'accountSuspended' - Fixed messaging for 'accountLocked' i18n, which not corresponds to the actual UI available to the end user - Added automatic password reset email to locked users on sign-in - uses alternative email for required password reset so it's clear that this is a security related reset and not a user-requested reset - Backported the auto sending of required password reset email to v2 sign-in route - used by 3rd party clients where the email is necessary for users to know why login is failing Co-authored-by: Kevin Ansfield <kevin@lookingsideways.co.uk> 2020-05-05 21:37:53 +03:00			`}, frame.options.context);`
			`}`

			`throw err;`
Created session controller (#9911) refs #9865 Note that this controller is the singular, that's because we plan to make a session resource controller to be used with /sessions, wheras this is on /session 2018-10-03 16:45:42 +03:00			`});`
			`},`
			`delete() {`
			`return Promise.resolve((req, res, next) => {`
			`auth.session.destroySession(req, res, next);`
			`});`
			`}`
			`};`

			`module.exports = session;`