Ghost/core/server/api/v2/authentication.js

const api = require('./index');
const config = require('../../../shared/config');
const {i18n} = require('../../lib/common');
const errors = require('@tryghost/errors');
const web = require('../../web');
const models = require('../../models');
const auth = require('../../services/auth');
const invitations = require('../../services/invitations');

module.exports = {
    docName: 'authentication',

    setup: {
        statusCode: 201,
        permissions: false,
        validation: {
            docName: 'setup'
        },
        query(frame) {
            return Promise.resolve()
                .then(() => {
                    return auth.setup.assertSetupCompleted(false)();
                })
                .then(() => {
                    const setupDetails = {
                        name: frame.data.setup[0].name,
                        email: frame.data.setup[0].email,
                        password: frame.data.setup[0].password,
                        blogTitle: frame.data.setup[0].blogTitle,
                        status: 'active'
                    };

                    return auth.setup.setupUser(setupDetails);
                })
                .then((data) => {
                    return auth.setup.doSettings(data, api.settings);
                })
                .then((user) => {
                    return auth.setup.sendWelcomeEmail(user.get('email'), api.mail)
                        .then(() => user);
                });
        }
    },

    updateSetup: {
        permissions: (frame) => {
            return models.User.findOne({role: 'Owner', status: 'all'})
                .then((owner) => {
                    if (owner.id !== frame.options.context.user) {
                        throw new errors.NoPermissionError({message: i18n.t('errors.api.authentication.notTheBlogOwner')});
                    }
                });
        },
        validation: {
            docName: 'setup'
        },
        query(frame) {
            return Promise.resolve()
                .then(() => {
                    return auth.setup.assertSetupCompleted(true)();
                })
                .then(() => {
                    const setupDetails = {
                        name: frame.data.setup[0].name,
                        email: frame.data.setup[0].email,
                        password: frame.data.setup[0].password,
                        blogTitle: frame.data.setup[0].blogTitle,
                        status: 'active'
                    };

                    return auth.setup.setupUser(setupDetails);
                })
                .then((data) => {
                    return auth.setup.doSettings(data, api.settings);
                });
        }
    },

    isSetup: {
        permissions: false,
        query() {
            return auth.setup.checkIsSetup()
                .then((isSetup) => {
                    return {
                        status: isSetup,
                        // Pre-populate from config if, and only if the values exist in config.
                        title: config.title || undefined,
                        name: config.user_name || undefined,
                        email: config.user_email || undefined
                    };
                });
        }
    },

    generateResetToken: {
        validation: {
            docName: 'passwordreset'
        },
        permissions: true,
        options: [
            'email'
        ],
        query(frame) {
            return Promise.resolve()
                .then(() => {
                    return auth.setup.assertSetupCompleted(true)();
                })
                .then(() => {
                    return auth.passwordreset.generateToken(frame.data.passwordreset[0].email, api.settings);
                })
                .then((token) => {
                    return auth.passwordreset.sendResetNotification(token, api.mail);
                });
        }
    },

    resetPassword: {
        validation: {
            docName: 'passwordreset',
            data: {
                newPassword: {required: true},
                ne2Password: {required: true}
            }
        },
        permissions: false,
        options: [
            'ip'
        ],
        query(frame) {
            return Promise.resolve()
                .then(() => {
                    return auth.setup.assertSetupCompleted(true)();
                })
                .then(() => {
                    return auth.passwordreset.extractTokenParts(frame);
                })
                .then((params) => {
                    return auth.passwordreset.protectBruteForce(params);
                })
                .then(({options, tokenParts}) => {
                    options = Object.assign(options, {context: {internal: true}});
                    return auth.passwordreset.doReset(options, tokenParts, api.settings)
                        .then((params) => {
                            web.shared.middlewares.api.spamPrevention.userLogin().reset(frame.options.ip, `${tokenParts.email}login`);
                            return params;
                        });
                });
        }
    },

    acceptInvitation: {
        validation: {
            docName: 'invitations'
        },
        permissions: false,
        query(frame) {
            return Promise.resolve()
                .then(() => {
                    return auth.setup.assertSetupCompleted(true)();
                })
                .then(() => {
                    return invitations.accept(frame.data);
                });
        }
    },

    isInvitation: {
        data: [
            'email'
        ],
        validation: {
            docName: 'invitations'
        },
        permissions: false,
        query(frame) {
            return Promise.resolve()
                .then(() => {
                    return auth.setup.assertSetupCompleted(true)();
                })
                .then(() => {
                    const email = frame.data.email;

                    return models.Invite.findOne({email: email, status: 'sent'}, frame.options);
                });
        }
    }
};
Migrated authentication.resetPassword method to v2 2019-07-17 17:43:07 +03:00			`const api = require('./index');`
Moved config from server to shared (#11850) * moved `server/config` to `shared/config` * updated config import paths in server to use shared * updated config import paths in frontend to use shared * updated config import paths in test to use shared * updated config import paths in root to use shared * trigger regression tests * of course the rebase broke tests 2020-05-27 20:47:53 +03:00			`const config = require('../../../shared/config');`
Refactored `common` lib import to use destructuring (#11835) * refactored `core/frontend/apps` to destructure common imports * refactored `core/frontend/services/{apps, redirects, routing}` to destructure common imports * refactored `core/frontend/services/settings` to destructure common imports * refactored remaining `core/frontend/services` to destructure common imports * refactored `core/server/adapters` to destructure common imports * refactored `core/server/data/{db, exporter, schema, validation}` to destructure common imports * refactored `core/server/data/importer` to destructure common imports * refactored `core/server/models/{base, plugins, relations}` to destructure common imports * refactored remaining `core/server/models` to destructure common imports * refactored `core/server/api/canary/utils/serializers/output` to destructure common imports * refactored remaining `core/server/api/canary/utils` to destructure common imports * refactored remaining `core/server/api/canary` to destructure common imports * refactored `core/server/api/shared` to destructure common imports * refactored `core/server/api/v2/utils` to destructure common imports * refactored remaining `core/server/api/v2` to destructure common imports * refactored `core/frontend/meta` to destructure common imports * fixed some tests referencing `common.errors` instead of `@tryghost/errors` - Not all of them need to be updated; only updating the ones that are causing failures * fixed errors import being shadowed by local scope 2020-05-22 21:22:20 +03:00			`const {i18n} = require('../../lib/common');`
			`const errors = require('@tryghost/errors');`
Migrated authentication.resetPassword method to v2 2019-07-17 17:43:07 +03:00			`const web = require('../../web');`
Migrated authentication.isInvitation method to v2 2019-07-24 15:53:09 +03:00			`const models = require('../../models');`
Migrated authentication.acceptInvitation method to v2 2019-07-24 13:40:18 +03:00			`const auth = require('../../services/auth');`
			`const invitations = require('../../services/invitations');`
Migrated authentication.resetPassword method to v2 2019-07-17 17:43:07 +03:00
			`module.exports = {`
Added validation layer to password reset - Adding a new method in all.js seems a little dirty, but that seems like the best place for now as similar method was added for changePassword method 2019-07-23 19:30:17 +03:00			`docName: 'authentication',`
Migrated authentication.resetPassword method to v2 2019-07-17 17:43:07 +03:00
Migrated setup method 2019-07-24 21:21:42 +03:00			`setup: {`
Switched to use v2 http module instead of ovelooked v1 - Small adjustments in controller that came along with the switch 2019-08-01 14:06:15 +03:00			`statusCode: 201,`
Migrated setup method 2019-07-24 21:21:42 +03:00			`permissions: false,`
			`validation: {`
			`docName: 'setup'`
			`},`
			`query(frame) {`
			`return Promise.resolve()`
			`.then(() => {`
			`return auth.setup.assertSetupCompleted(false)();`
			`})`
			`.then(() => {`
			`const setupDetails = {`
			`name: frame.data.setup[0].name,`
			`email: frame.data.setup[0].email,`
			`password: frame.data.setup[0].password,`
			`blogTitle: frame.data.setup[0].blogTitle,`
			`status: 'active'`
			`};`

			`return auth.setup.setupUser(setupDetails);`
			`})`
			`.then((data) => {`
			`return auth.setup.doSettings(data, api.settings);`
Added missing notification email when setting up a site 2019-07-30 15:44:56 +03:00			`})`
			`.then((user) => {`
Renamed sendNotification to sendWelcomeMail - The only thing the method does now is sending welcome mail, so new naming seems natural :) 2019-07-30 17:15:53 +03:00			`return auth.setup.sendWelcomeEmail(user.get('email'), api.mail)`
Added missing notification email when setting up a site 2019-07-30 15:44:56 +03:00			`.then(() => user);`
Migrated setup method 2019-07-24 21:21:42 +03:00			`});`
			`}`
			`},`

Migrated authentication.updateSetup method to v2 2019-07-25 18:10:46 +03:00			`updateSetup: {`
			`permissions: (frame) => {`
			`return models.User.findOne({role: 'Owner', status: 'all'})`
			`.then((owner) => {`
			`if (owner.id !== frame.options.context.user) {`
Refactored `common` lib import to use destructuring (#11835) * refactored `core/frontend/apps` to destructure common imports * refactored `core/frontend/services/{apps, redirects, routing}` to destructure common imports * refactored `core/frontend/services/settings` to destructure common imports * refactored remaining `core/frontend/services` to destructure common imports * refactored `core/server/adapters` to destructure common imports * refactored `core/server/data/{db, exporter, schema, validation}` to destructure common imports * refactored `core/server/data/importer` to destructure common imports * refactored `core/server/models/{base, plugins, relations}` to destructure common imports * refactored remaining `core/server/models` to destructure common imports * refactored `core/server/api/canary/utils/serializers/output` to destructure common imports * refactored remaining `core/server/api/canary/utils` to destructure common imports * refactored remaining `core/server/api/canary` to destructure common imports * refactored `core/server/api/shared` to destructure common imports * refactored `core/server/api/v2/utils` to destructure common imports * refactored remaining `core/server/api/v2` to destructure common imports * refactored `core/frontend/meta` to destructure common imports * fixed some tests referencing `common.errors` instead of `@tryghost/errors` - Not all of them need to be updated; only updating the ones that are causing failures * fixed errors import being shadowed by local scope 2020-05-22 21:22:20 +03:00			`throw new errors.NoPermissionError({message: i18n.t('errors.api.authentication.notTheBlogOwner')});`
Migrated authentication.updateSetup method to v2 2019-07-25 18:10:46 +03:00			`}`
			`});`
			`},`
			`validation: {`
			`docName: 'setup'`
			`},`
			`query(frame) {`
			`return Promise.resolve()`
			`.then(() => {`
			`return auth.setup.assertSetupCompleted(true)();`
			`})`
			`.then(() => {`
			`const setupDetails = {`
			`name: frame.data.setup[0].name,`
			`email: frame.data.setup[0].email,`
			`password: frame.data.setup[0].password,`
			`blogTitle: frame.data.setup[0].blogTitle,`
			`status: 'active'`
			`};`

Added missing doSettings call in updateSetup 2019-07-30 17:52:37 +03:00			`return auth.setup.setupUser(setupDetails);`
			`})`
			`.then((data) => {`
			`return auth.setup.doSettings(data, api.settings);`
Migrated authentication.updateSetup method to v2 2019-07-25 18:10:46 +03:00			`});`
			`}`
			`},`

Migrated authentication.isSetup method to v2 2019-07-25 15:36:51 +03:00			`isSetup: {`
			`permissions: false,`
			`query() {`
			`return auth.setup.checkIsSetup()`
			`.then((isSetup) => {`
			`return {`
			`status: isSetup,`
			`// Pre-populate from config if, and only if the values exist in config.`
			`title: config.title \|\| undefined,`
			`name: config.user_name \|\| undefined,`
			`email: config.user_email \|\| undefined`
			`};`
			`});`
			`}`
			`},`

Migrated authentication.resetPassword method to v2 2019-07-17 17:43:07 +03:00			`generateResetToken: {`
Expanded authentication test suite with cases for password reset flow - Added missing endpoint coverage - Minor fixes with formatting and validations uncovered by the test - Added same test to v0.1 coverage 2019-07-30 23:48:59 +03:00			`validation: {`
			`docName: 'passwordreset'`
			`},`
Migrated authentication.resetPassword method to v2 2019-07-17 17:43:07 +03:00			`permissions: true,`
			`options: [`
			`'email'`
			`],`
			`query(frame) {`
			`return Promise.resolve()`
			`.then(() => {`
Migrated setup method 2019-07-24 21:21:42 +03:00			`return auth.setup.assertSetupCompleted(true)();`
Migrated authentication.resetPassword method to v2 2019-07-17 17:43:07 +03:00			`})`
			`.then(() => {`
Expanded authentication test suite with cases for password reset flow - Added missing endpoint coverage - Minor fixes with formatting and validations uncovered by the test - Added same test to v0.1 coverage 2019-07-30 23:48:59 +03:00			`return auth.passwordreset.generateToken(frame.data.passwordreset[0].email, api.settings);`
Migrated authentication.resetPassword method to v2 2019-07-17 17:43:07 +03:00			`})`
			`.then((token) => {`
Removed separate reset/forced-reset emails and updated email copy refs https://github.com/TryGhost/Ghost/pull/11790 - reduced complexity by sticking to one email for both normal reset and forced reset (locked staff accounts) - exposed `siteTitle` for use in any email templates - updated email copy to be suitable for both types of password reset 2020-05-06 15:19:47 +03:00			`return auth.passwordreset.sendResetNotification(token, api.mail);`
Migrated authentication.resetPassword method to v2 2019-07-17 17:43:07 +03:00			`});`
			`}`
			`},`
Migrated setup method 2019-07-24 21:21:42 +03:00
Migrated authentication.resetPassword method to v2 2019-07-17 17:43:07 +03:00			`resetPassword: {`
Added validation layer to password reset - Adding a new method in all.js seems a little dirty, but that seems like the best place for now as similar method was added for changePassword method 2019-07-23 19:30:17 +03:00			`validation: {`
			`docName: 'passwordreset',`
			`data: {`
			`newPassword: {required: true},`
			`ne2Password: {required: true}`
			`}`
			`},`
Migrated authentication.resetPassword method to v2 2019-07-17 17:43:07 +03:00			`permissions: false,`
			`options: [`
			`'ip'`
			`],`
			`query(frame) {`
			`return Promise.resolve()`
			`.then(() => {`
Migrated setup method 2019-07-24 21:21:42 +03:00			`return auth.setup.assertSetupCompleted(true)();`
Migrated authentication.resetPassword method to v2 2019-07-17 17:43:07 +03:00			`})`
			`.then(() => {`
			`return auth.passwordreset.extractTokenParts(frame);`
			`})`
			`.then((params) => {`
			`return auth.passwordreset.protectBruteForce(params);`
			`})`
			`.then(({options, tokenParts}) => {`
			`options = Object.assign(options, {context: {internal: true}});`
			`return auth.passwordreset.doReset(options, tokenParts, api.settings)`
			`.then((params) => {`
			web.shared.middlewares.api.spamPrevention.userLogin().reset(frame.options.ip, `${tokenParts.email}login`);
			`return params;`
			`});`
			`});`
			`}`
Migrated authentication.acceptInvitation method to v2 2019-07-24 13:40:18 +03:00			`},`

			`acceptInvitation: {`
			`validation: {`
			`docName: 'invitations'`
			`},`
			`permissions: false,`
			`query(frame) {`
			`return Promise.resolve()`
			`.then(() => {`
Migrated setup method 2019-07-24 21:21:42 +03:00			`return auth.setup.assertSetupCompleted(true)();`
Migrated authentication.acceptInvitation method to v2 2019-07-24 13:40:18 +03:00			`})`
			`.then(() => {`
			`return invitations.accept(frame.data);`
			`});`
			`}`
Migrated authentication.isInvitation method to v2 2019-07-24 15:53:09 +03:00			`},`

			`isInvitation: {`
Switched to use v2 http module instead of ovelooked v1 - Small adjustments in controller that came along with the switch 2019-08-01 14:06:15 +03:00			`data: [`
			`'email'`
			`],`
Migrated authentication.isInvitation method to v2 2019-07-24 15:53:09 +03:00			`validation: {`
			`docName: 'invitations'`
			`},`
			`permissions: false,`
			`query(frame) {`
			`return Promise.resolve()`
			`.then(() => {`
Migrated setup method 2019-07-24 21:21:42 +03:00			`return auth.setup.assertSetupCompleted(true)();`
Migrated authentication.isInvitation method to v2 2019-07-24 15:53:09 +03:00			`})`
			`.then(() => {`
			`const email = frame.data.email;`

Fixed lint error 2019-07-24 17:18:44 +03:00			`return models.Invite.findOne({email: email, status: 'sent'}, frame.options);`
Migrated authentication.isInvitation method to v2 2019-07-24 15:53:09 +03:00			`});`
			`}`
Migrated authentication.resetPassword method to v2 2019-07-17 17:43:07 +03:00			`}`
			`};`