Ghost/core/server/middleware/auth-strategies.js

var models = require('../models'),
    strategies;

strategies = {

    /**
     * ClientPasswordStrategy
     *
     * This strategy is used to authenticate registered OAuth clients.  It is
     * employed to protect the `token` endpoint, which consumers use to obtain
     * access tokens.  The OAuth 2.0 specification suggests that clients use the
     * HTTP Basic scheme to authenticate (not implemented yet).
     * Use of the client password strategy is implemented to support ember-simple-auth.
     */
    clientPasswordStrategy: function clientPasswordStrategy(clientId, clientSecret, done) {
        return models.Client.findOne({slug: clientId}, {withRelated: ['trustedDomains']})
            .then(function then(model) {
                if (model) {
                    var client = model.toJSON({include: ['trustedDomains']});
                    if (client.status === 'enabled' && client.secret === clientSecret) {
                        return done(null, client);
                    }
                }
                return done(null, false);
            });
    },

    /**
     * BearerStrategy
     *
     * This strategy is used to authenticate users based on an access token (aka a
     * bearer token).  The user must have previously authorized a client
     * application, which is issued an access token to make requests on behalf of
     * the authorizing user.
     */
    bearerStrategy: function bearerStrategy(accessToken, done) {
        return models.Accesstoken.findOne({token: accessToken})
            .then(function then(model) {
                if (model) {
                    var token = model.toJSON();
                    if (token.expires > Date.now()) {
                        return models.User.findOne({id: token.user_id})
                            .then(function then(model) {
                                if (model) {
                                    var user = model.toJSON(),
                                        info = {scope: '*'};
                                    return done(null, {id: user.id}, info);
                                }
                                return done(null, false);
                            });
                    } else {
                        return done(null, false);
                    }
                } else {
                    return done(null, false);
                }
            });
    }
};

module.exports = strategies;
Improve middleware coverage refs #5286 - changed auth-strategies to be testable - added tests 2015-08-22 00:46:42 +03:00			`var models = require('../models'),`
Auth tests - added tests for authentication middleware - changed use of auth strategies 2015-08-09 13:50:05 +03:00			`strategies;`
oAuth closes #2759 closes #3027 - added oauth2orize library for server side oAuth handling - added ember-simple-auth library for admin oAuth handling - added tables for client, accesstoken and refreshtoken - implemented RFC6749 4.3 Ressouce Owner Password Credentials Grant - updated api tests with oAuth - removed session, authentication is now token based Known issues: - Restore spam prevention #3128 - Signin after Signup #3125 - Signin validation #3125 Attention - oldClient doesn't work with this PR anymore, session authentication was removed 2014-06-30 16:58:10 +04:00
Auth tests - added tests for authentication middleware - changed use of auth strategies 2015-08-09 13:50:05 +03:00			`strategies = {`
oAuth closes #2759 closes #3027 - added oauth2orize library for server side oAuth handling - added ember-simple-auth library for admin oAuth handling - added tables for client, accesstoken and refreshtoken - implemented RFC6749 4.3 Ressouce Owner Password Credentials Grant - updated api tests with oAuth - removed session, authentication is now token based Known issues: - Restore spam prevention #3128 - Signin after Signup #3125 - Signin validation #3125 Attention - oldClient doesn't work with this PR anymore, session authentication was removed 2014-06-30 16:58:10 +04:00
Auth tests - added tests for authentication middleware - changed use of auth strategies 2015-08-09 13:50:05 +03:00			`/**`
			`* ClientPasswordStrategy`
			`*`
			`* This strategy is used to authenticate registered OAuth clients. It is`
			* employed to protect the `token` endpoint, which consumers use to obtain
			`* access tokens. The OAuth 2.0 specification suggests that clients use the`
			`* HTTP Basic scheme to authenticate (not implemented yet).`
			`* Use of the client password strategy is implemented to support ember-simple-auth.`
			`*/`
Improve middleware coverage refs #5286 - changed auth-strategies to be testable - added tests 2015-08-22 00:46:42 +03:00			`clientPasswordStrategy: function clientPasswordStrategy(clientId, clientSecret, done) {`
Public API refs #4180 closes #4181 - added client and user authentication - added authenticatePublic/authenticatePrivate as workaround for missing permissions - added domain validation - added CORS header for valid clients - merged authenticate.js and client-auth.js into auth.js - removed middleware/api-error-handlers.js - removed authentication middleware - added and updated tests 2015-10-22 16:28:47 +03:00			`return models.Client.findOne({slug: clientId}, {withRelated: ['trustedDomains']})`
Auth tests - added tests for authentication middleware - changed use of auth strategies 2015-08-09 13:50:05 +03:00			`.then(function then(model) {`
			`if (model) {`
Public API refs #4180 closes #4181 - added client and user authentication - added authenticatePublic/authenticatePrivate as workaround for missing permissions - added domain validation - added CORS header for valid clients - merged authenticate.js and client-auth.js into auth.js - removed middleware/api-error-handlers.js - removed authentication middleware - added and updated tests 2015-10-22 16:28:47 +03:00			`var client = model.toJSON({include: ['trustedDomains']});`
Check client is enabled before auth no issue - add a check that the client has status 'enabled' to client auth strategy - this permits the disabling of clients easily - update tests 2015-11-04 19:59:56 +03:00			`if (client.status === 'enabled' && client.secret === clientSecret) {`
Auth tests - added tests for authentication middleware - changed use of auth strategies 2015-08-09 13:50:05 +03:00			`return done(null, client);`
			`}`
oAuth closes #2759 closes #3027 - added oauth2orize library for server side oAuth handling - added ember-simple-auth library for admin oAuth handling - added tables for client, accesstoken and refreshtoken - implemented RFC6749 4.3 Ressouce Owner Password Credentials Grant - updated api tests with oAuth - removed session, authentication is now token based Known issues: - Restore spam prevention #3128 - Signin after Signup #3125 - Signin validation #3125 Attention - oldClient doesn't work with this PR anymore, session authentication was removed 2014-06-30 16:58:10 +04:00			`}`
Auth tests - added tests for authentication middleware - changed use of auth strategies 2015-08-09 13:50:05 +03:00			`return done(null, false);`
			`});`
Improve middleware coverage refs #5286 - changed auth-strategies to be testable - added tests 2015-08-22 00:46:42 +03:00			`},`
oAuth closes #2759 closes #3027 - added oauth2orize library for server side oAuth handling - added ember-simple-auth library for admin oAuth handling - added tables for client, accesstoken and refreshtoken - implemented RFC6749 4.3 Ressouce Owner Password Credentials Grant - updated api tests with oAuth - removed session, authentication is now token based Known issues: - Restore spam prevention #3128 - Signin after Signup #3125 - Signin validation #3125 Attention - oldClient doesn't work with this PR anymore, session authentication was removed 2014-06-30 16:58:10 +04:00
Auth tests - added tests for authentication middleware - changed use of auth strategies 2015-08-09 13:50:05 +03:00			`/**`
			`* BearerStrategy`
			`*`
			`* This strategy is used to authenticate users based on an access token (aka a`
			`* bearer token). The user must have previously authorized a client`
			`* application, which is issued an access token to make requests on behalf of`
			`* the authorizing user.`
			`*/`
Improve middleware coverage refs #5286 - changed auth-strategies to be testable - added tests 2015-08-22 00:46:42 +03:00			`bearerStrategy: function bearerStrategy(accessToken, done) {`
Refactor auth-strategies to use `findOne` - Simplifies both strategy & test code - Should have no side effects 2015-10-16 21:23:18 +03:00			`return models.Accesstoken.findOne({token: accessToken})`
Auth tests - added tests for authentication middleware - changed use of auth strategies 2015-08-09 13:50:05 +03:00			`.then(function then(model) {`
			`if (model) {`
			`var token = model.toJSON();`
			`if (token.expires > Date.now()) {`
Refactor auth-strategies to use `findOne` - Simplifies both strategy & test code - Should have no side effects 2015-10-16 21:23:18 +03:00			`return models.User.findOne({id: token.user_id})`
Improve middleware coverage refs #5286 - changed auth-strategies to be testable - added tests 2015-08-22 00:46:42 +03:00			`.then(function then(model) {`
			`if (model) {`
			`var user = model.toJSON(),`
			`info = {scope: '*'};`
			`return done(null, {id: user.id}, info);`
			`}`
			`return done(null, false);`
			`});`
Auth tests - added tests for authentication middleware - changed use of auth strategies 2015-08-09 13:50:05 +03:00			`} else {`
oAuth closes #2759 closes #3027 - added oauth2orize library for server side oAuth handling - added ember-simple-auth library for admin oAuth handling - added tables for client, accesstoken and refreshtoken - implemented RFC6749 4.3 Ressouce Owner Password Credentials Grant - updated api tests with oAuth - removed session, authentication is now token based Known issues: - Restore spam prevention #3128 - Signin after Signup #3125 - Signin validation #3125 Attention - oldClient doesn't work with this PR anymore, session authentication was removed 2014-06-30 16:58:10 +04:00			`return done(null, false);`
Auth tests - added tests for authentication middleware - changed use of auth strategies 2015-08-09 13:50:05 +03:00			`}`
oAuth closes #2759 closes #3027 - added oauth2orize library for server side oAuth handling - added ember-simple-auth library for admin oAuth handling - added tables for client, accesstoken and refreshtoken - implemented RFC6749 4.3 Ressouce Owner Password Credentials Grant - updated api tests with oAuth - removed session, authentication is now token based Known issues: - Restore spam prevention #3128 - Signin after Signup #3125 - Signin validation #3125 Attention - oldClient doesn't work with this PR anymore, session authentication was removed 2014-06-30 16:58:10 +04:00			`} else {`
			`return done(null, false);`
			`}`
Auth tests - added tests for authentication middleware - changed use of auth strategies 2015-08-09 13:50:05 +03:00			`});`
Improve middleware coverage refs #5286 - changed auth-strategies to be testable - added tests 2015-08-22 00:46:42 +03:00			`}`
Auth tests - added tests for authentication middleware - changed use of auth strategies 2015-08-09 13:50:05 +03:00			`};`

			`module.exports = strategies;`