2015-11-09 16:41:28 +03:00
|
|
|
var _ = require('lodash'),
|
|
|
|
|
passport = require('passport'),
|
|
|
|
|
url = require('url'),
|
2015-11-26 15:11:31 +03:00
|
|
|
os = require('os'),
|
2015-11-09 16:41:28 +03:00
|
|
|
errors = require('../errors'),
|
|
|
|
|
config = require('../config'),
|
|
|
|
|
labs = require('../utils/labs'),
|
2015-11-12 15:29:45 +03:00
|
|
|
i18n = require('../i18n'),
|
2015-10-22 16:28:47 +03:00
|
|
|
|
|
|
|
|
auth;
|
|
|
|
|
|
|
|
|
|
function isBearerAutorizationHeader(req) {
|
|
|
|
|
var parts,
|
|
|
|
|
scheme,
|
|
|
|
|
credentials;
|
|
|
|
|
|
|
|
|
|
if (req.headers && req.headers.authorization) {
|
|
|
|
|
parts = req.headers.authorization.split(' ');
|
2015-11-12 20:26:18 +03:00
|
|
|
} else if (req.query && req.query.access_token) {
|
|
|
|
|
return true;
|
2015-10-22 16:28:47 +03:00
|
|
|
} else {
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (parts.length === 2) {
|
|
|
|
|
scheme = parts[0];
|
|
|
|
|
credentials = parts[1];
|
|
|
|
|
if (/^Bearer$/i.test(scheme)) {
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
2015-11-26 15:11:31 +03:00
|
|
|
function getIPs() {
|
|
|
|
|
var ifaces = os.networkInterfaces(),
|
|
|
|
|
ips = [];
|
|
|
|
|
|
|
|
|
|
Object.keys(ifaces).forEach(function (ifname) {
|
|
|
|
|
ifaces[ifname].forEach(function (iface) {
|
|
|
|
|
// only support IPv4
|
|
|
|
|
if (iface.family !== 'IPv4') {
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
ips.push(iface.address);
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
return ips;
|
|
|
|
|
}
|
|
|
|
|
|
2015-10-22 16:28:47 +03:00
|
|
|
function isValidOrigin(origin, client) {
|
2015-11-26 15:11:31 +03:00
|
|
|
var configHostname = url.parse(config.url).hostname;
|
2015-11-23 20:21:19 +03:00
|
|
|
|
2015-10-22 16:28:47 +03:00
|
|
|
if (origin && client && client.type === 'ua' && (
|
2015-11-26 15:11:31 +03:00
|
|
|
_.indexOf(getIPs(), origin) >= 0
|
|
|
|
|
|| _.some(client.trustedDomains, {trusted_domain: origin})
|
|
|
|
|
|| origin === configHostname
|
|
|
|
|
|| configHostname === 'my-ghost-blog.com'
|
2015-10-22 16:28:47 +03:00
|
|
|
|| origin === url.parse(config.urlSSL ? config.urlSSL : '').hostname
|
2015-12-14 18:35:19 +03:00
|
|
|
// @TODO do this in dev mode only, once we can auto-configure the url #2240
|
2015-11-26 15:11:31 +03:00
|
|
|
|| (origin === 'localhost')
|
2015-10-22 16:28:47 +03:00
|
|
|
)) {
|
|
|
|
|
return true;
|
|
|
|
|
} else {
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
auth = {
|
|
|
|
|
|
|
|
|
|
// ### Authenticate Client Middleware
|
|
|
|
|
authenticateClient: function authenticateClient(req, res, next) {
|
|
|
|
|
// skip client authentication if bearer token is present
|
|
|
|
|
if (isBearerAutorizationHeader(req)) {
|
|
|
|
|
return next();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (req.query && req.query.client_id) {
|
|
|
|
|
req.body.client_id = req.query.client_id;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (req.query && req.query.client_secret) {
|
|
|
|
|
req.body.client_secret = req.query.client_secret;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (!req.body.client_id || !req.body.client_secret) {
|
2015-12-14 18:35:19 +03:00
|
|
|
errors.logError(
|
2015-11-12 15:29:45 +03:00
|
|
|
i18n.t('errors.middleware.auth.clientAuthenticaionFailed'),
|
|
|
|
|
i18n.t('errors.middleware.auth.clientCredentialsNotProvided'),
|
|
|
|
|
i18n.t('errors.middleware.auth.forInformationRead', {url: 'http://api.ghost.org/docs/client-authentication'})
|
2015-12-14 18:35:19 +03:00
|
|
|
);
|
2015-11-12 15:29:45 +03:00
|
|
|
return errors.handleAPIError(new errors.UnauthorizedError(i18n.t('errors.middleware.auth.accessDenied')), req, res, next);
|
2015-10-22 16:28:47 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return passport.authenticate(['oauth2-client-password'], {session: false, failWithError: false},
|
|
|
|
|
function authenticate(err, client) {
|
2016-03-26 21:26:57 +03:00
|
|
|
var origin = null;
|
|
|
|
|
|
2015-10-22 16:28:47 +03:00
|
|
|
if (err) {
|
|
|
|
|
return next(err); // will generate a 500 error
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (req.headers && req.headers.origin) {
|
|
|
|
|
origin = url.parse(req.headers.origin).hostname;
|
|
|
|
|
}
|
|
|
|
|
|
2015-10-28 21:39:10 +03:00
|
|
|
// req.body needs to be null for GET requests to build options correctly
|
|
|
|
|
delete req.body.client_id;
|
|
|
|
|
delete req.body.client_secret;
|
|
|
|
|
|
2015-12-14 18:35:19 +03:00
|
|
|
if (!client || client.type !== 'ua') {
|
|
|
|
|
errors.logError(
|
2015-11-12 15:29:45 +03:00
|
|
|
i18n.t('errors.middleware.auth.clientAuthenticaionFailed'),
|
|
|
|
|
i18n.t('errors.middleware.auth.clientCredentialsNotValid'),
|
|
|
|
|
i18n.t('errors.middleware.auth.forInformationRead', {url: 'http://api.ghost.org/docs/client-authentication'})
|
2015-12-14 18:35:19 +03:00
|
|
|
);
|
2015-11-12 15:29:45 +03:00
|
|
|
return errors.handleAPIError(new errors.UnauthorizedError(i18n.t('errors.middleware.auth.accessDenied')), req, res, next);
|
2015-12-14 18:35:19 +03:00
|
|
|
}
|
|
|
|
|
|
2015-10-22 16:28:47 +03:00
|
|
|
if (!origin && client && client.type === 'ua') {
|
|
|
|
|
res.header('Access-Control-Allow-Origin', config.url);
|
2016-03-26 21:26:57 +03:00
|
|
|
} else if (isValidOrigin(origin, client)) {
|
2015-10-22 16:28:47 +03:00
|
|
|
res.header('Access-Control-Allow-Origin', req.headers.origin);
|
|
|
|
|
}
|
2016-03-26 21:26:57 +03:00
|
|
|
|
|
|
|
|
req.client = client;
|
|
|
|
|
return next(null, client);
|
2015-10-22 16:28:47 +03:00
|
|
|
}
|
|
|
|
|
)(req, res, next);
|
|
|
|
|
},
|
|
|
|
|
|
|
|
|
|
// ### Authenticate User Middleware
|
|
|
|
|
authenticateUser: function authenticateUser(req, res, next) {
|
|
|
|
|
return passport.authenticate('bearer', {session: false, failWithError: false},
|
|
|
|
|
function authenticate(err, user, info) {
|
|
|
|
|
if (err) {
|
|
|
|
|
return next(err); // will generate a 500 error
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (user) {
|
|
|
|
|
req.authInfo = info;
|
|
|
|
|
req.user = user;
|
|
|
|
|
return next(null, user, info);
|
|
|
|
|
} else if (isBearerAutorizationHeader(req)) {
|
2015-11-12 15:29:45 +03:00
|
|
|
return errors.handleAPIError(new errors.UnauthorizedError(i18n.t('errors.middleware.auth.accessDenied')), req, res, next);
|
2015-10-22 16:28:47 +03:00
|
|
|
} else if (req.client) {
|
|
|
|
|
return next();
|
|
|
|
|
}
|
|
|
|
|
|
2015-11-12 15:29:45 +03:00
|
|
|
return errors.handleAPIError(new errors.UnauthorizedError(i18n.t('errors.middleware.auth.accessDenied')), req, res, next);
|
2015-10-22 16:28:47 +03:00
|
|
|
}
|
|
|
|
|
)(req, res, next);
|
|
|
|
|
},
|
|
|
|
|
|
|
|
|
|
// Workaround for missing permissions
|
|
|
|
|
// TODO: rework when https://github.com/TryGhost/Ghost/issues/3911 is done
|
|
|
|
|
requiresAuthorizedUser: function requiresAuthorizedUser(req, res, next) {
|
|
|
|
|
if (req.user) {
|
|
|
|
|
return next();
|
|
|
|
|
} else {
|
2015-11-12 15:29:45 +03:00
|
|
|
return errors.handleAPIError(new errors.NoPermissionError(i18n.t('errors.middleware.auth.pleaseSignIn')), req, res, next);
|
2015-10-22 16:28:47 +03:00
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
|
2015-10-23 12:03:38 +03:00
|
|
|
// ### Require user depending on public API being activated.
|
|
|
|
|
requiresAuthorizedUserPublicAPI: function requiresAuthorizedUserPublicAPI(req, res, next) {
|
2015-12-03 18:50:52 +03:00
|
|
|
if (labs.isSet('publicAPI') === true) {
|
|
|
|
|
return next();
|
|
|
|
|
} else {
|
|
|
|
|
if (req.user) {
|
2015-10-23 12:03:38 +03:00
|
|
|
return next();
|
|
|
|
|
} else {
|
2015-11-12 15:29:45 +03:00
|
|
|
return errors.handleAPIError(new errors.NoPermissionError(i18n.t('errors.middleware.auth.pleaseSignIn')), req, res, next);
|
2015-10-23 12:03:38 +03:00
|
|
|
}
|
2015-12-03 18:50:52 +03:00
|
|
|
}
|
2015-10-22 16:28:47 +03:00
|
|
|
}
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
module.exports = auth;
|
