TryGhost/Ghost
1
0
Fork 0
mirror of https://github.com/TryGhost/Ghost.git synced 2024-12-22 10:21:36 +03:00
Code Issues Projects Releases Wiki Activity
2fc93e2582
Ghost/core/frontend/apps/private-blogging/lib/middleware.js

188 lines
6.3 KiB
JavaScript
Raw Normal View History

Updated private-sites to not redirect to full urls no-issue - Parse redirects as URL with blog as base - Redirect to the pathname property of parsed URL Credits: @j3ssie
2018-09-24 16:47:05 +03:00
const fs = require('fs-extra');
const session = require('cookie-session');
const crypto = require('crypto');
const path = require('path');
Moved config from server to shared (#11850) * moved `server/config` to `shared/config` * updated config import paths in server to use shared * updated config import paths in frontend to use shared * updated config import paths in test to use shared * updated config import paths in root to use shared * trigger regression tests * of course the rebase broke tests
2020-05-27 20:47:53 +03:00
const config = require('../../../../shared/config');
Moved core/server/lib/url-utils to core/shared/url-utils (#11856) * moved url-utils from server to shared * updated imports of url-utils
2020-05-28 13:57:02 +03:00
const urlUtils = require('../../../../shared/url-utils');
Replaced constants file with @tryghost/constants - extracted constants file into a new package - replaced all local requires of the file with new package
2020-08-11 14:51:16 +03:00
const constants = require('@tryghost/constants');
Switched frontend i18n requires to go through proxy - we export i18n from `core/frontend/services/proxy` and this is used in the most of the places in the frontend code - this commit aligns the rest of the code in core/frontend to use the proxy too - unfortunately core/frontend/services/themes/i18n.js loops back to the proxy so we have a circular dependency
2020-11-25 15:33:44 +03:00
const {i18n} = require('../../../services/proxy');
Refactored `common` lib import to use destructuring (#11835) * refactored `core/frontend/apps` to destructure common imports * refactored `core/frontend/services/{apps, redirects, routing}` to destructure common imports * refactored `core/frontend/services/settings` to destructure common imports * refactored remaining `core/frontend/services` to destructure common imports * refactored `core/server/adapters` to destructure common imports * refactored `core/server/data/{db, exporter, schema, validation}` to destructure common imports * refactored `core/server/data/importer` to destructure common imports * refactored `core/server/models/{base, plugins, relations}` to destructure common imports * refactored remaining `core/server/models` to destructure common imports * refactored `core/server/api/canary/utils/serializers/output` to destructure common imports * refactored remaining `core/server/api/canary/utils` to destructure common imports * refactored remaining `core/server/api/canary` to destructure common imports * refactored `core/server/api/shared` to destructure common imports * refactored `core/server/api/v2/utils` to destructure common imports * refactored remaining `core/server/api/v2` to destructure common imports * refactored `core/frontend/meta` to destructure common imports * fixed some tests referencing `common.errors` instead of `@tryghost/errors` - Not all of them need to be updated; only updating the ones that are causing failures * fixed errors import being shadowed by local scope
2020-05-22 21:22:20 +03:00
const errors = require('@tryghost/errors');
Extracted frontend folder (#10780) refs #10790 - Moved /core/apps into core/frontend - Moved /core/server/helpers to /core/frontend/helpers along with /core/server/services/themes - Changed helper location in overrides - Moved /core/server/services/routing to /core/frontend/services - Moved /core/server/services/url to /core/frontend/services - Moved /core/server/data/meta to /core/frontend/meta - Moved /core/server/services/rss to /core/frontend/services - Moved /core/server/data/xml to /core/frontend/services
2019-06-19 12:30:28 +03:00
const settingsCache = require('../../../../server/services/settings/cache');
Updated private-sites to not redirect to full urls no-issue - Parse redirects as URL with blog as base - Redirect to the pathname property of parsed URL Credits: @j3ssie
2018-09-24 16:47:05 +03:00
// routeKeywords.private: 'private'
const privateRoute = '/private/';
Middleware Refactor - Refactor SSL middleware into separate module. - Refactor redirectToSetup to separate module + tests - Refactor serveStaticFile + tests - Refactor authentication middleware + tests - Refactor private blogging middleware refs #5286
2015-07-15 19:01:23 +03:00
function verifySessionHash(salt, hash) {
if (!salt || !hash) {
Refactored private blogging app: use settings cache (#9086) no issue - preparation for #9001 - no need to require the settings API, we can simply fetch the data from the settings cache - the settings API uses the settings cache anyway
2017-10-03 14:40:53 +03:00
return false;
Middleware Refactor - Refactor SSL middleware into separate module. - Refactor redirectToSetup to separate module + tests - Refactor serveStaticFile + tests - Refactor authentication middleware + tests - Refactor private blogging middleware refs #5286
2015-07-15 19:01:23 +03:00
}
ES6 migration: server/apps/private-blogging (#9707) refs #9589
2018-06-28 11:50:03 +03:00
let hasher = crypto.createHash('sha256');
Refactored private blogging app: use settings cache (#9086) no issue - preparation for #9001 - no need to require the settings API, we can simply fetch the data from the settings cache - the settings API uses the settings cache anyway
2017-10-03 14:40:53 +03:00
hasher.update(settingsCache.get('password') + salt, 'utf8');
return hasher.digest('hex') === hash;
Middleware Refactor - Refactor SSL middleware into separate module. - Refactor redirectToSetup to separate module + tests - Refactor serveStaticFile + tests - Refactor authentication middleware + tests - Refactor private blogging middleware refs #5286
2015-07-15 19:01:23 +03:00
}
Updated private-sites to not redirect to full urls no-issue - Parse redirects as URL with blog as base - Redirect to the pathname property of parsed URL Credits: @j3ssie
2018-09-24 16:47:05 +03:00
function getRedirectUrl(query) {
try {
Handled bad redirect URLs for private sites no issue - Sentry flagged up a redirect URL for the POST action of accessing a private site which would throw a 500 - `decodeURIComponent` would throw an error if it was passed bad data - this commit moves the `decodeURIComponent` inside the try-catch to handle the error
2020-03-02 11:18:49 +03:00
const redirect = decodeURIComponent(query.r || '/');
🔒 Fixed open redirect in private site login no refs - prevents redirect to external sites after providing private site password Credits: https://github.com/max-schaefer
2021-01-25 16:25:43 +03:00
const pathname = new URL(redirect, config.get('url')).pathname;
const base = new URL(config.get('url'));
const target = new URL(pathname, config.get('url'));
// Make sure we don't redirect outside of the instance
return target.host === base.host ? pathname : '/';
Updated private-sites to not redirect to full urls no-issue - Parse redirects as URL with blog as base - Redirect to the pathname property of parsed URL Credits: @j3ssie
2018-09-24 16:47:05 +03:00
} catch (e) {
return '/';
}
}
const privateBlogging = {
Middleware Refactor - Refactor SSL middleware into separate module. - Refactor redirectToSetup to separate module + tests - Refactor serveStaticFile + tests - Refactor authentication middleware + tests - Refactor private blogging middleware refs #5286
2015-07-15 19:01:23 +03:00
checkIsPrivate: function checkIsPrivate(req, res, next) {
ES6 migration: server/apps/private-blogging (#9707) refs #9589
2018-06-28 11:50:03 +03:00
let isPrivateBlog = settingsCache.get('is_private');
Middleware Refactor - Refactor SSL middleware into separate module. - Refactor redirectToSetup to separate module + tests - Refactor serveStaticFile + tests - Refactor authentication middleware + tests - Refactor private blogging middleware refs #5286
2015-07-15 19:01:23 +03:00
Refactored private blogging app: use settings cache (#9086) no issue - preparation for #9001 - no need to require the settings API, we can simply fetch the data from the settings cache - the settings API uses the settings cache anyway
2017-10-03 14:40:53 +03:00
if (!isPrivateBlog) {
res.isPrivateBlog = false;
return next();
}
Middleware Refactor - Refactor SSL middleware into separate module. - Refactor redirectToSetup to separate module + tests - Refactor serveStaticFile + tests - Refactor authentication middleware + tests - Refactor private blogging middleware refs #5286
2015-07-15 19:01:23 +03:00
Refactored private blogging app: use settings cache (#9086) no issue - preparation for #9001 - no need to require the settings API, we can simply fetch the data from the settings cache - the settings API uses the settings cache anyway
2017-10-03 14:40:53 +03:00
res.isPrivateBlog = true;
Middleware Refactor - Refactor SSL middleware into separate module. - Refactor redirectToSetup to separate module + tests - Refactor serveStaticFile + tests - Refactor authentication middleware + tests - Refactor private blogging middleware refs #5286
2015-07-15 19:01:23 +03:00
Refactored private blogging app: use settings cache (#9086) no issue - preparation for #9001 - no need to require the settings API, we can simply fetch the data from the settings cache - the settings API uses the settings cache anyway
2017-10-03 14:40:53 +03:00
return session({
💡 Renamed the cookie used for the private mode issue https://github.com/TryGhost/Ghost/issues/12564 - This change means users who have already entered the site password will need to do it again
2021-01-28 17:28:38 +03:00
name: 'ghost-private',
Moved utils constants to lib/constants refs #9178
2017-12-14 16:13:40 +03:00
maxAge: constants.ONE_MONTH_MS,
🐛 Fixed "View site" not logging into private sites with separate admin domains no issue - browsers now block cross-origin cookies unless they are explicitly set with `SameSite=none` and `Secure=true` options which was preventing the login request made by Ghost-Admin from working - added an explicit `SameSite=none` option to the private site session cookie - will only work when the front-end site is served over HTTPS - there's no way to get browsers to accept cross-origin cookies over HTTP
2020-04-15 12:51:47 +03:00
signed: false,
sameSite: 'none'
Refactored private blogging app: use settings cache (#9086) no issue - preparation for #9001 - no need to require the settings API, we can simply fetch the data from the settings cache - the settings API uses the settings cache anyway
2017-10-03 14:40:53 +03:00
})(req, res, next);
Middleware Refactor - Refactor SSL middleware into separate module. - Refactor redirectToSetup to separate module + tests - Refactor serveStaticFile + tests - Refactor authentication middleware + tests - Refactor private blogging middleware refs #5286
2015-07-15 19:01:23 +03:00
},
filterPrivateRoutes: function filterPrivateRoutes(req, res, next) {
🐛 Fixed private blogging exposing 404 and robots (#11922) - There were various cases where it was possible to trigger a private site to display a 404 instead of redirecting to /private/ - Private mode was also not always displaying the correct robots.txt - This PR includes tests for all cases in test/frontend-acceptance/default_routes_spec.js & where possible the unit tests have also been updated for completeness - Fixing the 404 issues required - Better handling of paths using req.path instead of req.url in filterPrivateRoutes - Additional error handling, to cover the case that a tag/author RSS feed does not exist - Fixing the robots.txt required the order of middleware to be changed, so that private blogging gets a chance to render first - NOTE private blogging is the only app with a setupMiddleware function so nothing else is affected
2020-06-16 13:42:32 +03:00
// If this site is not in private mode, skip
if (!res.isPrivateBlog) {
return next();
}
// CASE: this is the /private/ page, continue (allow this to be rendered)
if (req.path === `${privateRoute}`) {
Middleware Refactor - Refactor SSL middleware into separate module. - Refactor redirectToSetup to separate module + tests - Refactor serveStaticFile + tests - Refactor authentication middleware + tests - Refactor private blogging middleware refs #5286
2015-07-15 19:01:23 +03:00
return next();
}
🐛 Fixed private blogging exposing 404 and robots (#11922) - There were various cases where it was possible to trigger a private site to display a 404 instead of redirecting to /private/ - Private mode was also not always displaying the correct robots.txt - This PR includes tests for all cases in test/frontend-acceptance/default_routes_spec.js & where possible the unit tests have also been updated for completeness - Fixing the 404 issues required - Better handling of paths using req.path instead of req.url in filterPrivateRoutes - Additional error handling, to cover the case that a tag/author RSS feed does not exist - Fixing the robots.txt required the order of middleware to be changed, so that private blogging gets a chance to render first - NOTE private blogging is the only app with a setupMiddleware function so nothing else is affected
2020-06-16 13:42:32 +03:00
// CASE: this is the robots.txt file, serve a special private version
if (req.path === '/robots.txt') {
Refactored private blogging app: use settings cache (#9086) no issue - preparation for #9001 - no need to require the settings API, we can simply fetch the data from the settings cache - the settings API uses the settings cache anyway
2017-10-03 14:40:53 +03:00
return fs.readFile(path.resolve(__dirname, '../', 'robots.txt'), function readFile(err, buf) {
Middleware Refactor - Refactor SSL middleware into separate module. - Refactor redirectToSetup to separate module + tests - Refactor serveStaticFile + tests - Refactor authentication middleware + tests - Refactor private blogging middleware refs #5286
2015-07-15 19:01:23 +03:00
if (err) {
return next(err);
}
🎨 add cache control configurations into the default config refs #7488 - cache control can be overridden if needed
2017-05-29 23:10:32 +03:00
Middleware Refactor - Refactor SSL middleware into separate module. - Refactor redirectToSetup to separate module + tests - Refactor serveStaticFile + tests - Refactor authentication middleware + tests - Refactor private blogging middleware refs #5286
2015-07-15 19:01:23 +03:00
res.writeHead(200, {
'Content-Type': 'text/plain',
'Content-Length': buf.length,
🎨 add cache control configurations into the default config refs #7488 - cache control can be overridden if needed
2017-05-29 23:10:32 +03:00
'Cache-Control': 'public, max-age=' + config.get('caching:robotstxt:maxAge')
Middleware Refactor - Refactor SSL middleware into separate module. - Refactor redirectToSetup to separate module + tests - Refactor serveStaticFile + tests - Refactor authentication middleware + tests - Refactor private blogging middleware refs #5286
2015-07-15 19:01:23 +03:00
});
🎨 add cache control configurations into the default config refs #7488 - cache control can be overridden if needed
2017-05-29 23:10:32 +03:00
Middleware Refactor - Refactor SSL middleware into separate module. - Refactor redirectToSetup to separate module + tests - Refactor serveStaticFile + tests - Refactor authentication middleware + tests - Refactor private blogging middleware refs #5286
2015-07-15 19:01:23 +03:00
res.end(buf);
});
}
Refactored private blogging app: use settings cache (#9086) no issue - preparation for #9001 - no need to require the settings API, we can simply fetch the data from the settings cache - the settings API uses the settings cache anyway
2017-10-03 14:40:53 +03:00
✨ Private RSS feed (#9088) refs #9001 When a blog is in private mode there is now an unguessable URL that allows access to the RSS feed for internal use, commenting systems, etc. - add public hash for private blogging - auto generate on bootstrap if missing - global hash, we can re-use in the future - update private blogging middleware to detect the private RSS URL and rewrite it so that the normal rss route/code is used for display - if a normal `/rss/` route is accessed with a private session return a 404
2017-10-05 13:07:32 +03:00
// CASE: Allow private RSS feed urls.
🐛 Fixed private blogging exposing 404 and robots (#11922) - There were various cases where it was possible to trigger a private site to display a 404 instead of redirecting to /private/ - Private mode was also not always displaying the correct robots.txt - This PR includes tests for all cases in test/frontend-acceptance/default_routes_spec.js & where possible the unit tests have also been updated for completeness - Fixing the 404 issues required - Better handling of paths using req.path instead of req.url in filterPrivateRoutes - Additional error handling, to cover the case that a tag/author RSS feed does not exist - Fixing the robots.txt required the order of middleware to be changed, so that private blogging gets a chance to render first - NOTE private blogging is the only app with a setupMiddleware function so nothing else is affected
2020-06-16 13:42:32 +03:00
// If the path matches the private rss feed URL we rewrite the url. Even Express uses rewriting when using `app.use()`.
let isPrivateRSS = new RegExp(`/${settingsCache.get('public_hash')}/rss(/)?$`);
if (isPrivateRSS.test(req.path)) {
✨ Private RSS feed (#9088) refs #9001 When a blog is in private mode there is now an unguessable URL that allows access to the RSS feed for internal use, commenting systems, etc. - add public hash for private blogging - auto generate on bootstrap if missing - global hash, we can re-use in the future - update private blogging middleware to detect the private RSS URL and rewrite it so that the normal rss route/code is used for display - if a normal `/rss/` route is accessed with a private session return a 404
2017-10-05 13:07:32 +03:00
req.url = req.url.replace(settingsCache.get('public_hash') + '/', '');
return next();
}
// NOTE: Redirect to /private if the session does not exist.
privateBlogging.authenticatePrivateSession(req, res, function onSessionVerified() {
// CASE: RSS is disabled for private blogging e.g. they create overhead
Private blogging misc cleanup This is a bunch of small changes, that simplifies working with the private blogging module: - remove reference to really old paginated RSS behaviour - remove handling for /rss and allow our standard redirects to redirect to /rss/ and then execute - readd should to tests so that they can be run standalone - fix eslint warning
2020-06-15 22:13:35 +03:00
if (req.path.match(/\/rss\/$/)) {
Refactored `common` lib import to use destructuring (#11835) * refactored `core/frontend/apps` to destructure common imports * refactored `core/frontend/services/{apps, redirects, routing}` to destructure common imports * refactored `core/frontend/services/settings` to destructure common imports * refactored remaining `core/frontend/services` to destructure common imports * refactored `core/server/adapters` to destructure common imports * refactored `core/server/data/{db, exporter, schema, validation}` to destructure common imports * refactored `core/server/data/importer` to destructure common imports * refactored `core/server/models/{base, plugins, relations}` to destructure common imports * refactored remaining `core/server/models` to destructure common imports * refactored `core/server/api/canary/utils/serializers/output` to destructure common imports * refactored remaining `core/server/api/canary/utils` to destructure common imports * refactored remaining `core/server/api/canary` to destructure common imports * refactored `core/server/api/shared` to destructure common imports * refactored `core/server/api/v2/utils` to destructure common imports * refactored remaining `core/server/api/v2` to destructure common imports * refactored `core/frontend/meta` to destructure common imports * fixed some tests referencing `common.errors` instead of `@tryghost/errors` - Not all of them need to be updated; only updating the ones that are causing failures * fixed errors import being shadowed by local scope
2020-05-22 21:22:20 +03:00
return next(new errors.NotFoundError({
message: i18n.t('errors.errors.pageNotFound')
✨ Private RSS feed (#9088) refs #9001 When a blog is in private mode there is now an unguessable URL that allows access to the RSS feed for internal use, commenting systems, etc. - add public hash for private blogging - auto generate on bootstrap if missing - global hash, we can re-use in the future - update private blogging middleware to detect the private RSS URL and rewrite it so that the normal rss route/code is used for display - if a normal `/rss/` route is accessed with a private session return a 404
2017-10-05 13:07:32 +03:00
}));
}
next();
});
Middleware Refactor - Refactor SSL middleware into separate module. - Refactor redirectToSetup to separate module + tests - Refactor serveStaticFile + tests - Refactor authentication middleware + tests - Refactor private blogging middleware refs #5286
2015-07-15 19:01:23 +03:00
},
authenticatePrivateSession: function authenticatePrivateSession(req, res, next) {
Updated var declarations to const/let and no lists - All var declarations are now const or let as per ES6 - All comma-separated lists / chained declarations are now one declaration per line - This is for clarity/readability but also made running the var-to-const/let switch smoother - ESLint rules updated to match How this was done: - npm install -g jscodeshift - git clone https://github.com/cpojer/js-codemod.git - git clone git@github.com:TryGhost/Ghost.git shallow-ghost - cd shallow-ghost - jscodeshift -t ../js-codemod/transforms/unchain-variables.js . -v=2 - jscodeshift -t ../js-codemod/transforms/no-vars.js . -v=2 - yarn - yarn test - yarn lint / fix various lint errors (almost all indent) by opening files and saving in vscode - grunt test-regression - sorted!
2020-04-29 18:44:27 +03:00
const hash = req.session.token || '';
const salt = req.session.salt || '';
const isVerified = verifySessionHash(salt, hash);
Middleware Refactor - Refactor SSL middleware into separate module. - Refactor redirectToSetup to separate module + tests - Refactor serveStaticFile + tests - Refactor authentication middleware + tests - Refactor private blogging middleware refs #5286
2015-07-15 19:01:23 +03:00
Refactored private blogging app: use settings cache (#9086) no issue - preparation for #9001 - no need to require the settings API, we can simply fetch the data from the settings cache - the settings API uses the settings cache anyway
2017-10-03 14:40:53 +03:00
if (isVerified) {
return next();
} else {
Private blogging misc cleanup This is a bunch of small changes, that simplifies working with the private blogging module: - remove reference to really old paginated RSS behaviour - remove handling for /rss and allow our standard redirects to redirect to /rss/ and then execute - readd should to tests so that they can be run standalone - fix eslint warning
2020-06-15 22:13:35 +03:00
let redirectUrl = urlUtils.urlFor({relativeUrl: privateRoute});
redirectUrl += '?r=' + encodeURIComponent(req.url);
🐛 Fixed private blogging exposing 404 and robots (#11922) - There were various cases where it was possible to trigger a private site to display a 404 instead of redirecting to /private/ - Private mode was also not always displaying the correct robots.txt - This PR includes tests for all cases in test/frontend-acceptance/default_routes_spec.js & where possible the unit tests have also been updated for completeness - Fixing the 404 issues required - Better handling of paths using req.path instead of req.url in filterPrivateRoutes - Additional error handling, to cover the case that a tag/author RSS feed does not exist - Fixing the robots.txt required the order of middleware to be changed, so that private blogging gets a chance to render first - NOTE private blogging is the only app with a setupMiddleware function so nothing else is affected
2020-06-16 13:42:32 +03:00
Private blogging misc cleanup This is a bunch of small changes, that simplifies working with the private blogging module: - remove reference to really old paginated RSS behaviour - remove handling for /rss and allow our standard redirects to redirect to /rss/ and then execute - readd should to tests so that they can be run standalone - fix eslint warning
2020-06-15 22:13:35 +03:00
return res.redirect(redirectUrl);
Refactored private blogging app: use settings cache (#9086) no issue - preparation for #9001 - no need to require the settings API, we can simply fetch the data from the settings cache - the settings API uses the settings cache anyway
2017-10-03 14:40:53 +03:00
}
Middleware Refactor - Refactor SSL middleware into separate module. - Refactor redirectToSetup to separate module + tests - Refactor serveStaticFile + tests - Refactor authentication middleware + tests - Refactor private blogging middleware refs #5286
2015-07-15 19:01:23 +03:00
},
// This is here so a call to /private/ after a session is verified will redirect to home;
Rename private blogging mw functions - This is just a nicety, trying to make it easier to follow the logic of private blogging
2020-06-15 22:55:59 +03:00
redirectPrivateToHomeIfLoggedIn: function redirectPrivateToHomeIfLoggedIn(req, res, next) {
Middleware Refactor - Refactor SSL middleware into separate module. - Refactor redirectToSetup to separate module + tests - Refactor serveStaticFile + tests - Refactor authentication middleware + tests - Refactor private blogging middleware refs #5286
2015-07-15 19:01:23 +03:00
if (!res.isPrivateBlog) {
Migrated to use url-utils from Ghost-SDK (#10787) closes #10773 - The refactoring is a substitute for `urlService.utils` used previously throughout the codebase and now extracted into the separate module in Ghost-SDK - Added url-utils stubbing utility for test suites - Some tests had to be refactored to avoid double mocks (when url's are being reset inside of rested 'describe' groups)
2019-06-18 16:13:55 +03:00
return res.redirect(urlUtils.urlFor('home', true));
Middleware Refactor - Refactor SSL middleware into separate module. - Refactor redirectToSetup to separate module + tests - Refactor serveStaticFile + tests - Refactor authentication middleware + tests - Refactor private blogging middleware refs #5286
2015-07-15 19:01:23 +03:00
}
Updated var declarations to const/let and no lists - All var declarations are now const or let as per ES6 - All comma-separated lists / chained declarations are now one declaration per line - This is for clarity/readability but also made running the var-to-const/let switch smoother - ESLint rules updated to match How this was done: - npm install -g jscodeshift - git clone https://github.com/cpojer/js-codemod.git - git clone git@github.com:TryGhost/Ghost.git shallow-ghost - cd shallow-ghost - jscodeshift -t ../js-codemod/transforms/unchain-variables.js . -v=2 - jscodeshift -t ../js-codemod/transforms/no-vars.js . -v=2 - yarn - yarn test - yarn lint / fix various lint errors (almost all indent) by opening files and saving in vscode - grunt test-regression - sorted!
2020-04-29 18:44:27 +03:00
const hash = req.session.token || '';
const salt = req.session.salt || '';
const isVerified = verifySessionHash(salt, hash);
Refactored private blogging app: use settings cache (#9086) no issue - preparation for #9001 - no need to require the settings API, we can simply fetch the data from the settings cache - the settings API uses the settings cache anyway
2017-10-03 14:40:53 +03:00
if (isVerified) {
// redirect to home if user is already authenticated
Migrated to use url-utils from Ghost-SDK (#10787) closes #10773 - The refactoring is a substitute for `urlService.utils` used previously throughout the codebase and now extracted into the separate module in Ghost-SDK - Added url-utils stubbing utility for test suites - Some tests had to be refactored to avoid double mocks (when url's are being reset inside of rested 'describe' groups)
2019-06-18 16:13:55 +03:00
return res.redirect(urlUtils.urlFor('home', true));
Refactored private blogging app: use settings cache (#9086) no issue - preparation for #9001 - no need to require the settings API, we can simply fetch the data from the settings cache - the settings API uses the settings cache anyway
2017-10-03 14:40:53 +03:00
} else {
return next();
}
Middleware Refactor - Refactor SSL middleware into separate module. - Refactor redirectToSetup to separate module + tests - Refactor serveStaticFile + tests - Refactor authentication middleware + tests - Refactor private blogging middleware refs #5286
2015-07-15 19:01:23 +03:00
},
Rename private blogging mw functions - This is just a nicety, trying to make it easier to follow the logic of private blogging
2020-06-15 22:55:59 +03:00
doLoginToPrivateSite: function doLoginToPrivateSite(req, res, next) {
Middleware Refactor - Refactor SSL middleware into separate module. - Refactor redirectToSetup to separate module + tests - Refactor serveStaticFile + tests - Refactor authentication middleware + tests - Refactor private blogging middleware refs #5286
2015-07-15 19:01:23 +03:00
// if errors have been generated from the previous call
if (res.error) {
return next();
}
Updated private-sites to not redirect to full urls no-issue - Parse redirects as URL with blog as base - Redirect to the pathname property of parsed URL Credits: @j3ssie
2018-09-24 16:47:05 +03:00
const bodyPass = req.body.password;
const pass = settingsCache.get('password');
const hasher = crypto.createHash('sha256');
const salt = Date.now().toString();
const forward = getRedirectUrl(req.query);
Refactored private blogging app: use settings cache (#9086) no issue - preparation for #9001 - no need to require the settings API, we can simply fetch the data from the settings cache - the settings API uses the settings cache anyway
2017-10-03 14:40:53 +03:00
if (pass === bodyPass) {
hasher.update(bodyPass + salt, 'utf8');
req.session.token = hasher.digest('hex');
req.session.salt = salt;
Migrated to use url-utils from Ghost-SDK (#10787) closes #10773 - The refactoring is a substitute for `urlService.utils` used previously throughout the codebase and now extracted into the separate module in Ghost-SDK - Added url-utils stubbing utility for test suites - Some tests had to be refactored to avoid double mocks (when url's are being reset inside of rested 'describe' groups)
2019-06-18 16:13:55 +03:00
return res.redirect(urlUtils.urlFor({relativeUrl: forward}));
Refactored private blogging app: use settings cache (#9086) no issue - preparation for #9001 - no need to require the settings API, we can simply fetch the data from the settings cache - the settings API uses the settings cache anyway
2017-10-03 14:40:53 +03:00
} else {
res.error = {
Refactored `common` lib import to use destructuring (#11835) * refactored `core/frontend/apps` to destructure common imports * refactored `core/frontend/services/{apps, redirects, routing}` to destructure common imports * refactored `core/frontend/services/settings` to destructure common imports * refactored remaining `core/frontend/services` to destructure common imports * refactored `core/server/adapters` to destructure common imports * refactored `core/server/data/{db, exporter, schema, validation}` to destructure common imports * refactored `core/server/data/importer` to destructure common imports * refactored `core/server/models/{base, plugins, relations}` to destructure common imports * refactored remaining `core/server/models` to destructure common imports * refactored `core/server/api/canary/utils/serializers/output` to destructure common imports * refactored remaining `core/server/api/canary/utils` to destructure common imports * refactored remaining `core/server/api/canary` to destructure common imports * refactored `core/server/api/shared` to destructure common imports * refactored `core/server/api/v2/utils` to destructure common imports * refactored remaining `core/server/api/v2` to destructure common imports * refactored `core/frontend/meta` to destructure common imports * fixed some tests referencing `common.errors` instead of `@tryghost/errors` - Not all of them need to be updated; only updating the ones that are causing failures * fixed errors import being shadowed by local scope
2020-05-22 21:22:20 +03:00
message: i18n.t('errors.middleware.privateblogging.wrongPassword')
Refactored private blogging app: use settings cache (#9086) no issue - preparation for #9001 - no need to require the settings API, we can simply fetch the data from the settings cache - the settings API uses the settings cache anyway
2017-10-03 14:40:53 +03:00
};
return next();
}
🐛 Fixed private blogging exposing 404 and robots (#11922) - There were various cases where it was possible to trigger a private site to display a 404 instead of redirecting to /private/ - Private mode was also not always displaying the correct robots.txt - This PR includes tests for all cases in test/frontend-acceptance/default_routes_spec.js & where possible the unit tests have also been updated for completeness - Fixing the 404 issues required - Better handling of paths using req.path instead of req.url in filterPrivateRoutes - Additional error handling, to cover the case that a tag/author RSS feed does not exist - Fixing the robots.txt required the order of middleware to be changed, so that private blogging gets a chance to render first - NOTE private blogging is the only app with a setupMiddleware function so nothing else is affected
2020-06-16 13:42:32 +03:00
},
/**
* We should never render a 404 error for private sites, as these can leak information
*/
handle404: function handle404(err, req, res, next) {
// CASE: not a private site, skip to next handler
if (!res.isPrivateBlog) {
return next(err);
}
// CASE: not a private 404, something else went wrong, show an error
if (err.statusCode !== 404) {
return next(err);
}
// CASE: 404 - redirect this page back to /private/ if the user isn't verified
return privateBlogging.authenticatePrivateSession(req, res, function onSessionVerified() {
// CASE: User is logged in, render an error
return next(err);
});
Middleware Refactor - Refactor SSL middleware into separate module. - Refactor redirectToSetup to separate module + tests - Refactor serveStaticFile + tests - Refactor authentication middleware + tests - Refactor private blogging middleware refs #5286
2015-07-15 19:01:23 +03:00
}
};
deps: grunt-jscs@2.1.0 no issue - update grunt-jscs dependency - fix deprecated `validateJSDoc` configuration - fix numerous linting errors, including: - use of future-reserved `public` and `private` variable names - use of `[]` instead of dot-notation (especially `express['static']` and `cacheRules['x']`) - extra spaces in `const { run } = Ember` style constructs One issue that did become apparent is that there are conflicting rules that prevent the use of object function shorthand such that both of these: ``` { myFunc() {} } { myFunc () {} } ``` are called out due to either the missing or the extra space before the `(`
2015-10-12 19:54:15 +03:00
module.exports = privateBlogging;
Reference in New Issue Copy Permalink