Ghost/core/server/middleware/auth.js

var _           = require('lodash'),
    passport    = require('passport'),
    url         = require('url'),
    errors      = require('../errors'),
    config      = require('../config'),
    labs        = require('../utils/labs'),
    oauthServer,

    auth;

function cacheOauthServer(server) {
    oauthServer = server;
}

function isBearerAutorizationHeader(req) {
    var parts,
        scheme,
        credentials;

    if (req.headers && req.headers.authorization) {
        parts = req.headers.authorization.split(' ');
    } else {
        return false;
    }

    if (parts.length === 2) {
        scheme = parts[0];
        credentials = parts[1];
        if (/^Bearer$/i.test(scheme)) {
            return true;
        }
    }
    return false;
}

function isValidOrigin(origin, client) {
    if (origin && client && client.type === 'ua' && (
        _.some(client.trustedDomains, {trusted_domain: origin})
        || origin === url.parse(config.url).hostname
        || origin === url.parse(config.urlSSL ? config.urlSSL : '').hostname
    )) {
        return true;
    } else {
        return false;
    }
}

auth = {

    // ### Authenticate Client Middleware
    authenticateClient: function authenticateClient(req, res, next) {
        // skip client authentication if bearer token is present
        if (isBearerAutorizationHeader(req)) {
            return next();
        }

        if (req.query && req.query.client_id) {
            req.body.client_id = req.query.client_id;
        }

        if (req.query && req.query.client_secret) {
            req.body.client_secret = req.query.client_secret;
        }

        if (!req.body.client_id || !req.body.client_secret) {
            return errors.handleAPIError(new errors.UnauthorizedError('Access denied.'), req, res, next);
        }

        return passport.authenticate(['oauth2-client-password'], {session: false, failWithError: false},
            function authenticate(err, client) {
                var origin = null;
                if (err) {
                    return next(err); // will generate a 500 error
                }

                if (req.headers && req.headers.origin) {
                    origin = url.parse(req.headers.origin).hostname;
                }

                // req.body needs to be null for GET requests to build options correctly
                delete req.body.client_id;
                delete req.body.client_secret;

                if (!origin && client && client.type === 'ua') {
                    res.header('Access-Control-Allow-Origin', config.url);
                    req.client = client;
                    return next(null, client);
                }

                if (isValidOrigin(origin, client)) {
                    res.header('Access-Control-Allow-Origin', req.headers.origin);
                    req.client = client;
                    return next(null, client);
                } else {
                    return errors.handleAPIError(new errors.UnauthorizedError('Access denied.'), req, res, next);
                }
            }
        )(req, res, next);
    },

    // ### Authenticate User Middleware
    authenticateUser: function authenticateUser(req, res, next) {
        return passport.authenticate('bearer', {session: false, failWithError: false},
            function authenticate(err, user, info) {
                if (err) {
                    return next(err); // will generate a 500 error
                }

                if (user) {
                    req.authInfo = info;
                    req.user = user;
                    return next(null, user, info);
                } else if (isBearerAutorizationHeader(req)) {
                    return errors.handleAPIError(new errors.UnauthorizedError('Access denied.'), req, res, next);
                } else if (req.client) {
                    return next();
                }

                return errors.handleAPIError(new errors.UnauthorizedError('Access denied.'), req, res, next);
            }
        )(req, res, next);
    },

    // Workaround for missing permissions
    // TODO: rework when https://github.com/TryGhost/Ghost/issues/3911 is  done
    requiresAuthorizedUser: function requiresAuthorizedUser(req, res, next) {
        if (req.user) {
            return next();
        } else {
            return errors.handleAPIError(new errors.NoPermissionError('Please Sign In'), req, res, next);
        }
    },

    // ### Require user depending on public API being activated.
    requiresAuthorizedUserPublicAPI: function requiresAuthorizedUserPublicAPI(req, res, next) {
        return labs.isSet('publicAPI').then(function (publicAPI) {
            if (publicAPI === true) {
                return next();
            } else {
                if (req.user) {
                    return next();
                } else {
                    return errors.handleAPIError(new errors.NoPermissionError('Please Sign In'), req, res, next);
                }
            }
        });
    },

    // ### Generate access token Middleware
    // register the oauth2orize middleware for password and refresh token grants
    generateAccessToken: function generateAccessToken(req, res, next) {
        return oauthServer.token()(req, res, next);
    }
};

module.exports = auth;
module.exports.cacheOauthServer = cacheOauthServer;
Public API refs #4180 closes #4181 - added client and user authentication - added authenticatePublic/authenticatePrivate as workaround for missing permissions - added domain validation - added CORS header for valid clients - merged authenticate.js and client-auth.js into auth.js - removed middleware/api-error-handlers.js - removed authentication middleware - added and updated tests 2015-10-22 16:28:47 +03:00			`var _ = require('lodash'),`
			`passport = require('passport'),`
			`url = require('url'),`
			`errors = require('../errors'),`
			`config = require('../config'),`
Move get helper behind labs flag issue #5976 - break out the labs check into a utility - wrap the get helper in a labs check, so it only works if the checkbox is checked - make the get helper output an error to both the server and browser console if used when not enabled 2015-11-03 22:17:24 +03:00			`labs = require('../utils/labs'),`
Public API refs #4180 closes #4181 - added client and user authentication - added authenticatePublic/authenticatePrivate as workaround for missing permissions - added domain validation - added CORS header for valid clients - merged authenticate.js and client-auth.js into auth.js - removed middleware/api-error-handlers.js - removed authentication middleware - added and updated tests 2015-10-22 16:28:47 +03:00			`oauthServer,`

			`auth;`

			`function cacheOauthServer(server) {`
			`oauthServer = server;`
			`}`

			`function isBearerAutorizationHeader(req) {`
			`var parts,`
			`scheme,`
			`credentials;`

			`if (req.headers && req.headers.authorization) {`
			`parts = req.headers.authorization.split(' ');`
			`} else {`
			`return false;`
			`}`

			`if (parts.length === 2) {`
			`scheme = parts[0];`
			`credentials = parts[1];`
			`if (/^Bearer$/i.test(scheme)) {`
			`return true;`
			`}`
			`}`
			`return false;`
			`}`

			`function isValidOrigin(origin, client) {`
			`if (origin && client && client.type === 'ua' && (`
			`_.some(client.trustedDomains, {trusted_domain: origin})`
			`\|\| origin === url.parse(config.url).hostname`
			`\|\| origin === url.parse(config.urlSSL ? config.urlSSL : '').hostname`
			`)) {`
			`return true;`
			`} else {`
			`return false;`
			`}`
			`}`

			`auth = {`

			`// ### Authenticate Client Middleware`
			`authenticateClient: function authenticateClient(req, res, next) {`
			`// skip client authentication if bearer token is present`
			`if (isBearerAutorizationHeader(req)) {`
			`return next();`
			`}`

			`if (req.query && req.query.client_id) {`
			`req.body.client_id = req.query.client_id;`
			`}`

			`if (req.query && req.query.client_secret) {`
			`req.body.client_secret = req.query.client_secret;`
			`}`

			`if (!req.body.client_id \|\| !req.body.client_secret) {`
			`return errors.handleAPIError(new errors.UnauthorizedError('Access denied.'), req, res, next);`
			`}`

			`return passport.authenticate(['oauth2-client-password'], {session: false, failWithError: false},`
			`function authenticate(err, client) {`
			`var origin = null;`
			`if (err) {`
			`return next(err); // will generate a 500 error`
			`}`

			`if (req.headers && req.headers.origin) {`
			`origin = url.parse(req.headers.origin).hostname;`
			`}`

Ensure public api can uses limit parameter No Issue - removes client id and secret after authentication - adds tests to check default limit, all and integer 2015-10-28 21:39:10 +03:00			`// req.body needs to be null for GET requests to build options correctly`
			`delete req.body.client_id;`
			`delete req.body.client_secret;`

Public API refs #4180 closes #4181 - added client and user authentication - added authenticatePublic/authenticatePrivate as workaround for missing permissions - added domain validation - added CORS header for valid clients - merged authenticate.js and client-auth.js into auth.js - removed middleware/api-error-handlers.js - removed authentication middleware - added and updated tests 2015-10-22 16:28:47 +03:00			`if (!origin && client && client.type === 'ua') {`
			`res.header('Access-Control-Allow-Origin', config.url);`
			`req.client = client;`
			`return next(null, client);`
			`}`

			`if (isValidOrigin(origin, client)) {`
			`res.header('Access-Control-Allow-Origin', req.headers.origin);`
			`req.client = client;`
			`return next(null, client);`
			`} else {`
			`return errors.handleAPIError(new errors.UnauthorizedError('Access denied.'), req, res, next);`
			`}`
			`}`
			`)(req, res, next);`
			`},`

			`// ### Authenticate User Middleware`
			`authenticateUser: function authenticateUser(req, res, next) {`
			`return passport.authenticate('bearer', {session: false, failWithError: false},`
			`function authenticate(err, user, info) {`
			`if (err) {`
			`return next(err); // will generate a 500 error`
			`}`

			`if (user) {`
			`req.authInfo = info;`
			`req.user = user;`
			`return next(null, user, info);`
			`} else if (isBearerAutorizationHeader(req)) {`
			`return errors.handleAPIError(new errors.UnauthorizedError('Access denied.'), req, res, next);`
			`} else if (req.client) {`
			`return next();`
			`}`

			`return errors.handleAPIError(new errors.UnauthorizedError('Access denied.'), req, res, next);`
			`}`
			`)(req, res, next);`
			`},`

			`// Workaround for missing permissions`
			`// TODO: rework when https://github.com/TryGhost/Ghost/issues/3911 is done`
			`requiresAuthorizedUser: function requiresAuthorizedUser(req, res, next) {`
			`if (req.user) {`
			`return next();`
			`} else {`
			`return errors.handleAPIError(new errors.NoPermissionError('Please Sign In'), req, res, next);`
			`}`
			`},`

Move Public API behind labs flag closes #5941 - added UI to labs page - added method to determine if full authentication is required - updated public_api tests to enable public api first 2015-10-23 12:03:38 +03:00			`// ### Require user depending on public API being activated.`
			`requiresAuthorizedUserPublicAPI: function requiresAuthorizedUserPublicAPI(req, res, next) {`
Move get helper behind labs flag issue #5976 - break out the labs check into a utility - wrap the get helper in a labs check, so it only works if the checkbox is checked - make the get helper output an error to both the server and browser console if used when not enabled 2015-11-03 22:17:24 +03:00			`return labs.isSet('publicAPI').then(function (publicAPI) {`
			`if (publicAPI === true) {`
Move Public API behind labs flag closes #5941 - added UI to labs page - added method to determine if full authentication is required - updated public_api tests to enable public api first 2015-10-23 12:03:38 +03:00			`return next();`
			`} else {`
			`if (req.user) {`
			`return next();`
			`} else {`
			`return errors.handleAPIError(new errors.NoPermissionError('Please Sign In'), req, res, next);`
			`}`
			`}`
			`});`
			`},`

Public API refs #4180 closes #4181 - added client and user authentication - added authenticatePublic/authenticatePrivate as workaround for missing permissions - added domain validation - added CORS header for valid clients - merged authenticate.js and client-auth.js into auth.js - removed middleware/api-error-handlers.js - removed authentication middleware - added and updated tests 2015-10-22 16:28:47 +03:00			`// ### Generate access token Middleware`
			`// register the oauth2orize middleware for password and refresh token grants`
			`generateAccessToken: function generateAccessToken(req, res, next) {`
			`return oauthServer.token()(req, res, next);`
			`}`
			`};`

			`module.exports = auth;`
			`module.exports.cacheOauthServer = cacheOauthServer;`