TryGhost/Ghost
1
0
Fork 0
mirror of https://github.com/TryGhost/Ghost.git synced 2024-12-19 00:11:49 +03:00
Code Issues Projects Releases Wiki Activity
345d69102a
Ghost/ghost/members-api/static/gateway/bundle.js

296 lines
8.2 KiB
JavaScript
Raw Normal View History

Improved Members security and performance (#10511) no-issue * Corrected function names for rpc methods * Updated gateway to store tokens locally * Fixed lint * Added hardcoded 30 minute expiry for member tokens * Added default contentApiAccess config; * Updated validateAudience method This is required for security, we need to restrict which domains can access tokens meant for the content api
2019-02-23 06:47:42 +03:00
/* global atob window document location fetch */
Added members lib module (#10260) * Added members library inc. gateway refs #10213 * Added the auth pages and build steps for them refs #10213 * Cleaned up logs * Updated gruntfile to run yarn for member auth * Design refinements on members popups * UI refinements * Updated backend call to trigger only if frontend validation passes * Design refinements for error messages * Added error message for email failure * Updated request-password-reset to not attempt to send headers twice * Updated preact publicPath to relative path * Build auth pages on init
2018-12-11 09:47:44 +03:00
(function () {
if (window.parent === window) {
return;
}
let storage;
try {
storage = window.localStorage;
} catch (e) {
storage = window.sessionStorage;
}
const origin = new URL(document.referrer).origin;
const handlers = {};
function addMethod(method, fn) {
handlers[method] = function ({uid, options}) {
fn(options)
.then(function (data) {
window.parent.postMessage({uid, data}, origin);
})
.catch(function (error) {
window.parent.postMessage({uid, error: error.message}, origin);
});
};
}
Improved Members security and performance (#10511) no-issue * Corrected function names for rpc methods * Updated gateway to store tokens locally * Fixed lint * Added hardcoded 30 minute expiry for member tokens * Added default contentApiAccess config; * Updated validateAudience method This is required for security, we need to restrict which domains can access tokens meant for the content api
2019-02-23 06:47:42 +03:00
function isTokenExpired(token) {
Added support for serverside rendering of members content (#10522) no-issue - Added member auth middleware to siteApp - Passed member as context in routing service - set Cache-Control: private for member requests - fucked up some tests - Added member as global template variable - Updated tokens to have expiry of subscription_period_end
2019-02-25 19:03:27 +03:00
const claims = getClaims(token);
Improved Members security and performance (#10511) no-issue * Corrected function names for rpc methods * Updated gateway to store tokens locally * Fixed lint * Added hardcoded 30 minute expiry for member tokens * Added default contentApiAccess config; * Updated validateAudience method This is required for security, we need to restrict which domains can access tokens meant for the content api
2019-02-23 06:47:42 +03:00
Added support for serverside rendering of members content (#10522) no-issue - Added member auth middleware to siteApp - Passed member as context in routing service - set Cache-Control: private for member requests - fucked up some tests - Added member as global template variable - Updated tokens to have expiry of subscription_period_end
2019-02-25 19:03:27 +03:00
if (!claims) {
return true;
}
Improved Members security and performance (#10511) no-issue * Corrected function names for rpc methods * Updated gateway to store tokens locally * Fixed lint * Added hardcoded 30 minute expiry for member tokens * Added default contentApiAccess config; * Updated validateAudience method This is required for security, we need to restrict which domains can access tokens meant for the content api
2019-02-23 06:47:42 +03:00
Added support for serverside rendering of members content (#10522) no-issue - Added member auth middleware to siteApp - Passed member as context in routing service - set Cache-Control: private for member requests - fucked up some tests - Added member as global template variable - Updated tokens to have expiry of subscription_period_end
2019-02-25 19:03:27 +03:00
const expiry = claims.exp * 1000;
const now = Date.now();
Improved Members security and performance (#10511) no-issue * Corrected function names for rpc methods * Updated gateway to store tokens locally * Fixed lint * Added hardcoded 30 minute expiry for member tokens * Added default contentApiAccess config; * Updated validateAudience method This is required for security, we need to restrict which domains can access tokens meant for the content api
2019-02-23 06:47:42 +03:00
Added support for serverside rendering of members content (#10522) no-issue - Added member auth middleware to siteApp - Passed member as context in routing service - set Cache-Control: private for member requests - fucked up some tests - Added member as global template variable - Updated tokens to have expiry of subscription_period_end
2019-02-25 19:03:27 +03:00
const nearFuture = now + (30 * 1000);
Improved Members security and performance (#10511) no-issue * Corrected function names for rpc methods * Updated gateway to store tokens locally * Fixed lint * Added hardcoded 30 minute expiry for member tokens * Added default contentApiAccess config; * Updated validateAudience method This is required for security, we need to restrict which domains can access tokens meant for the content api
2019-02-23 06:47:42 +03:00
Added support for serverside rendering of members content (#10522) no-issue - Added member auth middleware to siteApp - Passed member as context in routing service - set Cache-Control: private for member requests - fucked up some tests - Added member as global template variable - Updated tokens to have expiry of subscription_period_end
2019-02-25 19:03:27 +03:00
if (expiry < nearFuture) {
return true;
}
Improved Members security and performance (#10511) no-issue * Corrected function names for rpc methods * Updated gateway to store tokens locally * Fixed lint * Added hardcoded 30 minute expiry for member tokens * Added default contentApiAccess config; * Updated validateAudience method This is required for security, we need to restrict which domains can access tokens meant for the content api
2019-02-23 06:47:42 +03:00
Added support for serverside rendering of members content (#10522) no-issue - Added member auth middleware to siteApp - Passed member as context in routing service - set Cache-Control: private for member requests - fucked up some tests - Added member as global template variable - Updated tokens to have expiry of subscription_period_end
2019-02-25 19:03:27 +03:00
return false;
}
function getClaims(token) {
try {
const [header, claims, signature] = token.split('.'); // eslint-disable-line no-unused-vars
const parsedClaims = JSON.parse(atob(claims.replace('+', '-').replace('/', '_')));
return parsedClaims;
Improved Members security and performance (#10511) no-issue * Corrected function names for rpc methods * Updated gateway to store tokens locally * Fixed lint * Added hardcoded 30 minute expiry for member tokens * Added default contentApiAccess config; * Updated validateAudience method This is required for security, we need to restrict which domains can access tokens meant for the content api
2019-02-23 06:47:42 +03:00
} catch (e) {
Added support for serverside rendering of members content (#10522) no-issue - Added member auth middleware to siteApp - Passed member as context in routing service - set Cache-Control: private for member requests - fucked up some tests - Added member as global template variable - Updated tokens to have expiry of subscription_period_end
2019-02-25 19:03:27 +03:00
return null;
Improved Members security and performance (#10511) no-issue * Corrected function names for rpc methods * Updated gateway to store tokens locally * Fixed lint * Added hardcoded 30 minute expiry for member tokens * Added default contentApiAccess config; * Updated validateAudience method This is required for security, we need to restrict which domains can access tokens meant for the content api
2019-02-23 06:47:42 +03:00
}
}
function getStoredToken(audience) {
const tokenKey = 'members:token:aud:' + audience;
const storedToken = storage.getItem(tokenKey);
if (isTokenExpired(storedToken)) {
Added support for serverside rendering of members content (#10522) no-issue - Added member auth middleware to siteApp - Passed member as context in routing service - set Cache-Control: private for member requests - fucked up some tests - Added member as global template variable - Updated tokens to have expiry of subscription_period_end
2019-02-25 19:03:27 +03:00
const storedTokenKeys = getStoredTokenKeys();
storage.setItem('members:tokens', JSON.stringify(storedTokenKeys.filter(key => key !== tokenKey)));
Improved Members security and performance (#10511) no-issue * Corrected function names for rpc methods * Updated gateway to store tokens locally * Fixed lint * Added hardcoded 30 minute expiry for member tokens * Added default contentApiAccess config; * Updated validateAudience method This is required for security, we need to restrict which domains can access tokens meant for the content api
2019-02-23 06:47:42 +03:00
storage.removeItem(tokenKey);
return null;
}
return storedToken;
}
function getStoredTokenKeys() {
try {
return JSON.parse(storage.getItem('members:tokens') || '[]');
} catch (e) {
storage.removeItem('members:tokens');
return [];
}
}
function addStoredToken(audience, token) {
const storedTokenKeys = getStoredTokenKeys();
const tokenKey = 'members:token:aud:' + audience;
storage.setItem(tokenKey, token);
if (!storedTokenKeys.includes(tokenKey)) {
storage.setItem('members:tokens', JSON.stringify(storedTokenKeys.concat(tokenKey)));
}
}
function clearStorage() {
storage.removeItem('signedin');
const storedTokenKeys = getStoredTokenKeys();
storedTokenKeys.forEach(function (key) {
storage.removeItem(key);
});
storage.removeItem('members:tokens');
}
Added members lib module (#10260) * Added members library inc. gateway refs #10213 * Added the auth pages and build steps for them refs #10213 * Cleaned up logs * Updated gruntfile to run yarn for member auth * Design refinements on members popups * UI refinements * Updated backend call to trigger only if frontend validation passes * Design refinements for error messages * Added error message for email failure * Updated request-password-reset to not attempt to send headers twice * Updated preact publicPath to relative path * Build auth pages on init
2018-12-11 09:47:44 +03:00
// @TODO this needs to be configurable
const membersApi = location.pathname.replace(/\/members\/gateway\/?$/, '/ghost/api/v2/members');
Added support for serverside rendering of members content (#10522) no-issue - Added member auth middleware to siteApp - Passed member as context in routing service - set Cache-Control: private for member requests - fucked up some tests - Added member as global template variable - Updated tokens to have expiry of subscription_period_end
2019-02-25 19:03:27 +03:00
function getToken({audience, fresh}) {
Improved Members security and performance (#10511) no-issue * Corrected function names for rpc methods * Updated gateway to store tokens locally * Fixed lint * Added hardcoded 30 minute expiry for member tokens * Added default contentApiAccess config; * Updated validateAudience method This is required for security, we need to restrict which domains can access tokens meant for the content api
2019-02-23 06:47:42 +03:00
const storedToken = getStoredToken(audience);
Added support for serverside rendering of members content (#10522) no-issue - Added member auth middleware to siteApp - Passed member as context in routing service - set Cache-Control: private for member requests - fucked up some tests - Added member as global template variable - Updated tokens to have expiry of subscription_period_end
2019-02-25 19:03:27 +03:00
if (storedToken && !fresh) {
Improved Members security and performance (#10511) no-issue * Corrected function names for rpc methods * Updated gateway to store tokens locally * Fixed lint * Added hardcoded 30 minute expiry for member tokens * Added default contentApiAccess config; * Updated validateAudience method This is required for security, we need to restrict which domains can access tokens meant for the content api
2019-02-23 06:47:42 +03:00
return Promise.resolve(storedToken);
}
Added members lib module (#10260) * Added members library inc. gateway refs #10213 * Added the auth pages and build steps for them refs #10213 * Cleaned up logs * Updated gruntfile to run yarn for member auth * Design refinements on members popups * UI refinements * Updated backend call to trigger only if frontend validation passes * Design refinements for error messages * Added error message for email failure * Updated request-password-reset to not attempt to send headers twice * Updated preact publicPath to relative path * Build auth pages on init
2018-12-11 09:47:44 +03:00
return fetch(`${membersApi}/token`, {
method: 'POST',
headers: {
'Content-Type': 'application/json'
},
body: JSON.stringify({
origin,
audience: audience || origin
})
}).then((res) => {
if (!res.ok) {
if (res.status === 401) {
storage.removeItem('signedin');
}
return null;
}
storage.setItem('signedin', true);
return res.text();
Improved Members security and performance (#10511) no-issue * Corrected function names for rpc methods * Updated gateway to store tokens locally * Fixed lint * Added hardcoded 30 minute expiry for member tokens * Added default contentApiAccess config; * Updated validateAudience method This is required for security, we need to restrict which domains can access tokens meant for the content api
2019-02-23 06:47:42 +03:00
}).then(function (token) {
if (token) {
addStoredToken(audience, token);
}
return token;
Added members lib module (#10260) * Added members library inc. gateway refs #10213 * Added the auth pages and build steps for them refs #10213 * Cleaned up logs * Updated gruntfile to run yarn for member auth * Design refinements on members popups * UI refinements * Updated backend call to trigger only if frontend validation passes * Design refinements for error messages * Added error message for email failure * Updated request-password-reset to not attempt to send headers twice * Updated preact publicPath to relative path * Build auth pages on init
2018-12-11 09:47:44 +03:00
});
}
addMethod('init', function init() {
if (storage.getItem('signedin')) {
window.parent.postMessage({event: 'signedin'}, origin);
} else {
Added support for serverside rendering of members content (#10522) no-issue - Added member auth middleware to siteApp - Passed member as context in routing service - set Cache-Control: private for member requests - fucked up some tests - Added member as global template variable - Updated tokens to have expiry of subscription_period_end
2019-02-25 19:03:27 +03:00
getToken({audience: origin, fresh: true});
Added members lib module (#10260) * Added members library inc. gateway refs #10213 * Added the auth pages and build steps for them refs #10213 * Cleaned up logs * Updated gruntfile to run yarn for member auth * Design refinements on members popups * UI refinements * Updated backend call to trigger only if frontend validation passes * Design refinements for error messages * Added error message for email failure * Updated request-password-reset to not attempt to send headers twice * Updated preact publicPath to relative path * Build auth pages on init
2018-12-11 09:47:44 +03:00
}
return Promise.resolve();
});
addMethod('getToken', getToken);
Updated signup page for members (#10493) no issue * Added new subscribe page with stripe integration
2019-02-14 19:59:41 +03:00
addMethod('createSubscription', function createSubscription({adapter, plan, stripeToken}) {
return fetch(`${membersApi}/subscription`, {
method: 'POST',
headers: {
'Content-Type': 'application/json'
},
body: JSON.stringify({
origin,
adapter,
plan,
stripeToken
})
}).then((res) => {
if (res.ok) {
storage.setItem('signedin', true);
}
return res.ok;
});
});
Added members lib module (#10260) * Added members library inc. gateway refs #10213 * Added the auth pages and build steps for them refs #10213 * Cleaned up logs * Updated gruntfile to run yarn for member auth * Design refinements on members popups * UI refinements * Updated backend call to trigger only if frontend validation passes * Design refinements for error messages * Added error message for email failure * Updated request-password-reset to not attempt to send headers twice * Updated preact publicPath to relative path * Build auth pages on init
2018-12-11 09:47:44 +03:00
addMethod('signin', function signin({email, password}) {
return fetch(`${membersApi}/signin`, {
method: 'POST',
headers: {
'Content-Type': 'application/json'
},
body: JSON.stringify({
origin,
email,
password
})
}).then((res) => {
if (res.ok) {
storage.setItem('signedin', true);
}
return res.ok;
});
});
addMethod('signup', function signin({name, email, password}) {
return fetch(`${membersApi}/signup`, {
method: 'POST',
headers: {
'Content-Type': 'application/json'
},
body: JSON.stringify({
origin,
name,
email,
password
})
}).then((res) => {
if (res.ok) {
storage.setItem('signedin', true);
}
return res.ok;
});
});
addMethod('signout', function signout(/*options*/) {
return fetch(`${membersApi}/signout`, {
method: 'POST',
headers: {
'Content-Type': 'application/json'
},
body: JSON.stringify({
origin
})
}).then((res) => {
if (res.ok) {
Improved Members security and performance (#10511) no-issue * Corrected function names for rpc methods * Updated gateway to store tokens locally * Fixed lint * Added hardcoded 30 minute expiry for member tokens * Added default contentApiAccess config; * Updated validateAudience method This is required for security, we need to restrict which domains can access tokens meant for the content api
2019-02-23 06:47:42 +03:00
clearStorage();
Added members lib module (#10260) * Added members library inc. gateway refs #10213 * Added the auth pages and build steps for them refs #10213 * Cleaned up logs * Updated gruntfile to run yarn for member auth * Design refinements on members popups * UI refinements * Updated backend call to trigger only if frontend validation passes * Design refinements for error messages * Added error message for email failure * Updated request-password-reset to not attempt to send headers twice * Updated preact publicPath to relative path * Build auth pages on init
2018-12-11 09:47:44 +03:00
}
return res.ok;
});
});
Improved Members security and performance (#10511) no-issue * Corrected function names for rpc methods * Updated gateway to store tokens locally * Fixed lint * Added hardcoded 30 minute expiry for member tokens * Added default contentApiAccess config; * Updated validateAudience method This is required for security, we need to restrict which domains can access tokens meant for the content api
2019-02-23 06:47:42 +03:00
addMethod('requestPasswordReset', function requestPasswordReset({email}) {
Added members lib module (#10260) * Added members library inc. gateway refs #10213 * Added the auth pages and build steps for them refs #10213 * Cleaned up logs * Updated gruntfile to run yarn for member auth * Design refinements on members popups * UI refinements * Updated backend call to trigger only if frontend validation passes * Design refinements for error messages * Added error message for email failure * Updated request-password-reset to not attempt to send headers twice * Updated preact publicPath to relative path * Build auth pages on init
2018-12-11 09:47:44 +03:00
return fetch(`${membersApi}/request-password-reset`, {
method: 'POST',
headers: {
'Content-Type': 'application/json'
},
body: JSON.stringify({
origin,
email
})
}).then((res) => {
return res.ok;
});
});
Improved Members security and performance (#10511) no-issue * Corrected function names for rpc methods * Updated gateway to store tokens locally * Fixed lint * Added hardcoded 30 minute expiry for member tokens * Added default contentApiAccess config; * Updated validateAudience method This is required for security, we need to restrict which domains can access tokens meant for the content api
2019-02-23 06:47:42 +03:00
addMethod('resetPassword', function resetPassword({token, password}) {
Added members lib module (#10260) * Added members library inc. gateway refs #10213 * Added the auth pages and build steps for them refs #10213 * Cleaned up logs * Updated gruntfile to run yarn for member auth * Design refinements on members popups * UI refinements * Updated backend call to trigger only if frontend validation passes * Design refinements for error messages * Added error message for email failure * Updated request-password-reset to not attempt to send headers twice * Updated preact publicPath to relative path * Build auth pages on init
2018-12-11 09:47:44 +03:00
return fetch(`${membersApi}/reset-password`, {
method: 'POST',
headers: {
'Content-Type': 'application/json'
},
body: JSON.stringify({
origin,
token,
password
})
}).then((res) => {
if (res.ok) {
storage.setItem('signedin', true);
}
return res.ok;
});
Added config endpoint to Member API (#10467) no-issue * Added getPublicConfig method to stripe payment processor * Added getPublicConfig method to subscriptions service * Added initial config endpoint for members api * Added getConfig method to members gateway
2019-02-13 12:12:15 +03:00
});
addMethod('getConfig', function getConfig() {
return fetch(`${membersApi}/config`, {
method: 'GET'
}).then((res) => {
return res.json();
});
Added members lib module (#10260) * Added members library inc. gateway refs #10213 * Added the auth pages and build steps for them refs #10213 * Cleaned up logs * Updated gruntfile to run yarn for member auth * Design refinements on members popups * UI refinements * Updated backend call to trigger only if frontend validation passes * Design refinements for error messages * Added error message for email failure * Updated request-password-reset to not attempt to send headers twice * Updated preact publicPath to relative path * Build auth pages on init
2018-12-11 09:47:44 +03:00
});
window.addEventListener('storage', function (event) {
if (event.storageArea !== storage) {
return;
}
const newValue = event.newValue;
const oldValue = event.oldValue;
if (event.key === 'signedin') {
if (newValue && !oldValue) {
return window.parent.postMessage({event: 'signedin'}, origin);
}
if (!newValue && oldValue) {
return window.parent.postMessage({event: 'signedout'}, origin);
}
}
});
window.addEventListener('message', function (event) {
if (event.origin !== origin) {
return;
}
if (!event.data || !event.data.uid) {
return;
}
if (!handlers[event.data.method]) {
return window.parent.postMessage({
uid: event.data.uid,
error: 'Unknown method'
}, origin);
}
handlers[event.data.method](event.data);
});
})();
Reference in New Issue Copy Permalink