Ghost/core/server/middleware/authStrategies.js

var passport = require('passport'),
    BearerStrategy = require('passport-http-bearer').Strategy,
    ClientPasswordStrategy = require('passport-oauth2-client-password').Strategy,
    models  = require('../models');

/**
 * ClientPasswordStrategy
 *
 * This strategy is used to authenticate registered OAuth clients.  It is
 * employed to protect the `token` endpoint, which consumers use to obtain
 * access tokens.  The OAuth 2.0 specification suggests that clients use the
 * HTTP Basic scheme to authenticate (not implemented yet).

 * Use of the client password strategy is implemented to support ember-simple-auth.
 */
passport.use(new ClientPasswordStrategy(
    function (clientId, clientSecret, done) {
        models.Client.forge({slug: clientId})
        .fetch()
        .then(function (model) {
            if (model) {
                var client = model.toJSON();
                if (client.secret === clientSecret) {
                    return done(null, client);
                }
            }
            return done(null, false);
        });
    }
));

/**
 * BearerStrategy
 *
 * This strategy is used to authenticate users based on an access token (aka a
 * bearer token).  The user must have previously authorized a client
 * application, which is issued an access token to make requests on behalf of
 * the authorizing user.
 */
passport.use(new BearerStrategy(
    function (accessToken, done) {
        models.Accesstoken.forge({token: accessToken})
        .fetch()
        .then(function (model) {
            if (model) {
                var token = model.toJSON();
                if (token.expires > Date.now()) {
                    models.User.forge({id: token.user_id})
                    .fetch()
                    .then(function (model) {
                        if (model) {
                            var user = model.toJSON(),
                                info = { scope: '*' };
                            return done(null, {id: user.id}, info);
                        }
                        return done(null, false);
                    });
                } else {
                    return done(null, false);
                }
            } else {
                return done(null, false);
            }
        });
    }
));
oAuth closes #2759 closes #3027 - added oauth2orize library for server side oAuth handling - added ember-simple-auth library for admin oAuth handling - added tables for client, accesstoken and refreshtoken - implemented RFC6749 4.3 Ressouce Owner Password Credentials Grant - updated api tests with oAuth - removed session, authentication is now token based Known issues: - Restore spam prevention #3128 - Signin after Signup #3125 - Signin validation #3125 Attention - oldClient doesn't work with this PR anymore, session authentication was removed 2014-06-30 16:58:10 +04:00			`var passport = require('passport'),`
			`BearerStrategy = require('passport-http-bearer').Strategy,`
			`ClientPasswordStrategy = require('passport-oauth2-client-password').Strategy,`
			`models = require('../models');`

			`/**`
			`* ClientPasswordStrategy`
			`*`
			`* This strategy is used to authenticate registered OAuth clients. It is`
			* employed to protect the `token` endpoint, which consumers use to obtain
			`* access tokens. The OAuth 2.0 specification suggests that clients use the`
			`* HTTP Basic scheme to authenticate (not implemented yet).`

			`* Use of the client password strategy is implemented to support ember-simple-auth.`
			`*/`
			`passport.use(new ClientPasswordStrategy(`
			`function (clientId, clientSecret, done) {`
			`models.Client.forge({slug: clientId})`
			`.fetch()`
			`.then(function (model) {`
			`if (model) {`
			`var client = model.toJSON();`
			`if (client.secret === clientSecret) {`
			`return done(null, client);`
			`}`
			`}`
			`return done(null, false);`
			`});`
			`}`
			`));`

			`/**`
			`* BearerStrategy`
			`*`
			`* This strategy is used to authenticate users based on an access token (aka a`
			`* bearer token). The user must have previously authorized a client`
			`* application, which is issued an access token to make requests on behalf of`
			`* the authorizing user.`
			`*/`
			`passport.use(new BearerStrategy(`
			`function (accessToken, done) {`
			`models.Accesstoken.forge({token: accessToken})`
			`.fetch()`
			`.then(function (model) {`
			`if (model) {`
			`var token = model.toJSON();`
			`if (token.expires > Date.now()) {`
			`models.User.forge({id: token.user_id})`
			`.fetch()`
			`.then(function (model) {`
			`if (model) {`
			`var user = model.toJSON(),`
			`info = { scope: '*' };`
			`return done(null, {id: user.id}, info);`
			`}`
			`return done(null, false);`
			`});`
			`} else {`
			`return done(null, false);`
			`}`
			`} else {`
			`return done(null, false);`
			`}`
			`});`
			`}`
			`));`