TryGhost/Ghost
1
0
Fork 0
mirror of https://github.com/TryGhost/Ghost.git synced 2024-12-15 03:12:54 +03:00
Code Issues Projects Releases Wiki Activity
44b4327423
Ghost/core/server/middleware/middleware.js

191 lines
6.3 KiB
JavaScript
Raw Normal View History

Putting back relative redirects issue #1523 - also added some comments to indicate the difference between the two custom middleware files.
2013-11-26 00:31:18 +04:00
// # Custom Middleware
// The following custom middleware functions are all unit testable, and have accompanying unit tests in
// middleware_spec.js
Lock down theme static directory to not serve templates, markdown and text files. closes #942 - insert custom middleware to check for blacklisted files - redirect to express.static if file accepted - if not valid return next() to do nothing - currently black listing .hbs, .txt, .md and .json - debatable which is best, black list or white list, either one will probably need tweaks but erred on side of letting a theme serve unknown types
2013-10-05 14:17:08 +04:00
Replace underscore with lodash.
2014-02-05 12:40:30 +04:00
var _ = require('lodash'),
Upgrade to Express 4.0 no related issue - Updates package.json packages, adding express middleware packages that have been broken into their own modules - Updates controllers/frontend.js to use the new Layer object that Express 4.0 has. Requires some monkey-patching as the Layer object isn't explicitly surfaced, however it should be safe to do. - Moved the setup of routes into middleware/index.js because they need to be added as a middleware function before the 404 and 500 handlers. This is no longer possible with the old app.use(app.router) as that has been removed. - Cleaned up middleware/index.js to make it compatible with Express 4.0. - Simplified the way themes are activated and enabled when they are activated. The new handling is simpler, yet should still cover all the use cases that previously existed. - The entire flow of activating a theme through middleware should be a little more centralized, letting it be easier to read and maintain. - Moved every routes/*.js file to use an individual express.Router() instance.
2014-04-12 07:46:15 +04:00
csrf = require('csurf'),
Move middleware functions into middleware module and create associated tests Note: this only moves middleware functions that have associated tests.
2013-11-05 09:41:36 +04:00
express = require('express'),
Switch from multipart to busboy Fixes #1227 - Removed deprecated `multipart` references. - Setup `busboy` to pass along file streams and do a naive parse of form values. - Updated logic in file storage and db import to handle file streams instead of the temporary files created by `multipart`.
2013-12-04 06:47:39 +04:00
busboy = require('./ghost-busboy'),
Create the config module, initially used to standardise getting paths and absolute URLs. Easy to extend for other configurations we may need.
2013-11-20 17:58:52 +04:00
config = require('../config'),
Move middleware functions into middleware module and create associated tests Note: this only moves middleware functions that have associated tests.
2013-11-05 09:41:36 +04:00
path = require('path'),
remove ghost.settings and ghost.notifications covers 90% of #755 - moved ghost.settings to api.settings - moved ghost.notifications to api.notifications - split up api/index.js to notifications.js, posts.js, settings.js, tags.js and users.js - added instance.globals as temp workaround for blogglobals (Known issue: blog title and blog description are updated after restart only) - added webroot to config() to remove `var root = ...` - changed `e` and `url` helper to async - updated tests
2013-12-06 12:51:35 +04:00
api = require('../api'),
Cache control headers & query string asset management closes #1470 issue #1405 - added cache control middleware - added defaults for all routes, assets, etc - updated asset helper to add a query string with a timestamp hash to all assets - added unit tests for asset and ghostScriptTags helpers - added cache-control checks to route tests
2013-12-31 03:13:25 +04:00
expressServer,
Make cache max-age on theme assets one year. closes #2790 - Added one year in ms var. - refs: #2447
2014-05-22 07:56:25 +04:00
ONE_HOUR_MS = 60 * 60 * 1000,
ONE_YEAR_MS = 365 * 24 * ONE_HOUR_MS;
Lock down theme static directory to not serve templates, markdown and text files. closes #942 - insert custom middleware to check for blacklisted files - redirect to express.static if file accepted - if not valid return next() to do nothing - currently black listing .hbs, .txt, .md and .json - debatable which is best, black list or white list, either one will probably need tweaks but erred on side of letting a theme serve unknown types
2013-10-05 14:17:08 +04:00
function isBlackListedFileType(file) {
Remove .txt from blacklist. fixes #1263
2013-10-25 02:55:51 +04:00
var blackListedFileTypes = ['.hbs', '.md', '.json'],
Lock down theme static directory to not serve templates, markdown and text files. closes #942 - insert custom middleware to check for blacklisted files - redirect to express.static if file accepted - if not valid return next() to do nothing - currently black listing .hbs, .txt, .md and .json - debatable which is best, black list or white list, either one will probably need tweaks but erred on side of letting a theme serve unknown types
2013-10-05 14:17:08 +04:00
ext = path.extname(file);
return _.contains(blackListedFileTypes, ext);
}
Remove ghost.js fixes #1575 - Moves most code that was in ghost.js into ./core/server/index.js - Creates ./core/server/config/theme.js to hold all theme configurations (which previously lived on ghost.blogGlobals()) - Removed ghost.server, passing it in as an argument where needed and allowing middleware to hold onto a reference for lazy use.
2013-12-06 18:13:15 +04:00
function cacheServer(server) {
expressServer = server;
}
Lock down theme static directory to not serve templates, markdown and text files. closes #942 - insert custom middleware to check for blacklisted files - redirect to express.static if file accepted - if not valid return next() to do nothing - currently black listing .hbs, .txt, .md and .json - debatable which is best, black list or white list, either one will probably need tweaks but erred on side of letting a theme serve unknown types
2013-10-05 14:17:08 +04:00
var middleware = {
Make session expiry less arsey closes #2171 - added authentication middleware - removed authentication from routes - moved authentication before CSRF validation - moved caching rules before authentication - changed/added test
2014-02-14 14:00:11 +04:00
// ### Authenticate Middleware
/ghost/reset/* should not redirect to signin fixes #2257
2014-02-25 14:20:32 +04:00
// authentication has to be done for /ghost/* routes with
Make session expiry less arsey closes #2171 - added authentication middleware - removed authentication from routes - moved authentication before CSRF validation - moved caching rules before authentication - changed/added test
2014-02-14 14:00:11 +04:00
// exceptions for signin, signout, signup, forgotten, reset only
// api and frontend use different authentication mechanisms atm
authenticate: function (req, res, next) {
/ghost/reset/* should not redirect to signin fixes #2257
2014-02-25 14:20:32 +04:00
var noAuthNeeded = [
Make session expiry less arsey closes #2171 - added authentication middleware - removed authentication from routes - moved authentication before CSRF validation - moved caching rules before authentication - changed/added test
2014-02-14 14:00:11 +04:00
'/ghost/signin/', '/ghost/signout/', '/ghost/signup/',
New setup screen for blog installation. fixes #3072 - Change router to handle /ember/setup/ - Adjust doSignup to also handle setup - Adjust tests and add new where necessary - Add setup controller, setup validation, setup route - Adjust casper emberSetup to handle new setup
2014-06-25 16:12:48 +04:00
'/ghost/forgotten/', '/ghost/reset/', '/ghost/ember/',
'/ghost/setup/'
/ghost/reset/* should not redirect to signin fixes #2257
2014-02-25 14:20:32 +04:00
],
User API changes closes #2822 - added destroy user method - added remove user permission - added API end point for get reset token - added API end point for reset password - added API end point for change password
2014-06-20 13:15:01 +04:00
path,
/ghost/reset/* should not redirect to signin fixes #2257
2014-02-25 14:20:32 +04:00
subPath;
// SubPath is the url path starting after any default subdirectories
// it is stripped of anything after the two levels `/ghost/.*?/` as the reset link has an argument
User API changes closes #2822 - added destroy user method - added remove user permission - added API end point for get reset token - added API end point for reset password - added API end point for change password
2014-06-20 13:15:01 +04:00
path = req.path.substring(config().paths.subdir.length);
/ghost/reset/* should not redirect to signin fixes #2257
2014-02-25 14:20:32 +04:00
/*jslint regexp:true, unparam:true*/
User API changes closes #2822 - added destroy user method - added remove user permission - added API end point for get reset token - added API end point for reset password - added API end point for change password
2014-06-20 13:15:01 +04:00
subPath = path.replace(/^(\/.*?\/.*?\/)(.*)?/, function (match, a) {
/ghost/reset/* should not redirect to signin fixes #2257
2014-02-25 14:20:32 +04:00
return a;
});
Respect subdirectory in authenticate middleware
2014-02-20 02:53:40 +04:00
if (res.isAdmin) {
User API changes closes #2822 - added destroy user method - added remove user permission - added API end point for get reset token - added API end point for reset password - added API end point for change password
2014-06-20 13:15:01 +04:00
if (subPath.indexOf('/ghost/api/') === 0 && path.indexOf('/ghost/api/v0.1/authentication/passwordreset/') !== 0) {
Respect subdirectory in authenticate middleware
2014-02-20 02:53:40 +04:00
return middleware.authAPI(req, res, next);
}
Make session expiry less arsey closes #2171 - added authentication middleware - removed authentication from routes - moved authentication before CSRF validation - moved caching rules before authentication - changed/added test
2014-02-14 14:00:11 +04:00
User API changes closes #2822 - added destroy user method - added remove user permission - added API end point for get reset token - added API end point for reset password - added API end point for change password
2014-06-20 13:15:01 +04:00
if (noAuthNeeded.indexOf(subPath) < 0 && subPath.indexOf('/ghost/api/') !== 0) {
Make session expiry less arsey closes #2171 - added authentication middleware - removed authentication from routes - moved authentication before CSRF validation - moved caching rules before authentication - changed/added test
2014-02-14 14:00:11 +04:00
return middleware.auth(req, res, next);
}
}
next();
},
Move middleware functions into middleware module and create associated tests Note: this only moves middleware functions that have associated tests.
2013-11-05 09:41:36 +04:00
// ### Auth Middleware
// Authenticate a request by redirecting to login if not logged in.
// We strip /ghost/ out of the redirect parameter for neatness
auth: function (req, res, next) {
if (!req.session.user) {
Respect subdirectory in authenticate middleware
2014-02-20 02:53:40 +04:00
var subPath = req.path.substring(config().paths.subdir.length),
reqPath = subPath.replace(/^\/ghost\/?/gi, ''),
New setup screen for blog installation. fixes #3072 - Change router to handle /ember/setup/ - Adjust doSignup to also handle setup - Adjust tests and add new where necessary - Add setup controller, setup validation, setup route - Adjust casper emberSetup to handle new setup
2014-06-25 16:12:48 +04:00
redirect = '';
if (reqPath !== '') {
redirect = '?r=' + encodeURIComponent(reqPath);
}
if (subPath.indexOf('/ember') > -1) {
return res.redirect(config().paths.subdir + '/ghost/ember/signin/');
}
return res.redirect(config().paths.subdir + '/ghost/signin/' + redirect);
Move middleware functions into middleware module and create associated tests Note: this only moves middleware functions that have associated tests.
2013-11-05 09:41:36 +04:00
}
next();
},
// ## AuthApi Middleware
// Authenticate a request to the API by responding with a 401 and json error details
authAPI: function (req, res, next) {
if (!req.session.user) {
res.json(401, { error: 'Please sign in' });
return;
}
next();
},
// Check if we're logged in, and if so, redirect people back to dashboard
// Login and signup forms in particular
redirectToDashboard: function (req, res, next) {
Settings API Primary Document refactor Closes #2606 - Refactor settings api responses to { settings: [ ] } format - Update all code using api.settings to handle new response format - Update test stubs to return new format - Update client site settings model to parse new format into one object of key/value pairs - Refactor to include all setting values - Remove unused settingsCollection method - Update settingsCache to store all attributes - Update settingsResult to send all attributes - Remove unnecessary when() wraps - Reject if editing a setting that doesn't exist - Reject earlier if setting key is empty - Update tests with new error messages - Use setting.add instead of edit that was incorrectly adding - Update importer to properly import activePlugins and installedPlugins - Update expected setting result fields - Fix a weird situation where hasOwnProperty didn't exist :shrug:
2014-04-28 03:28:50 +04:00
if (req.session && req.session.user) {
Improve bootstrap flow of a Ghost application addresses #1789, #1364 - Moves ./core/server/loader -> ./core/bootstrap. The bootstrap file is only accessed once during startup, and it’s sole job is to ensure a config.js file exists (creating one if it doesn’t) and then validates the contents of the config file. Since this is directly related to the initializing the application is is appropriate to have it in the ./core folder, named bootstrap as that is what it does. This also improves the dependency graph, as now the bootstrap file require’s the ./core/server/config module and is responsible for passing in the validated config file. Whereas before we had ./core/server/config require’ing ./core/server/loader and running its init code and then passing that value back to itself, the flow is now more straight forward of ./core/bootstrap handling initialization and then instatiation of config module - Merges ./core/server/config/paths into ./core/server/config This flow was always confusing me to that some config options were on the config object, and some were on the paths object. This change now incorporates all of the variables previously defined in config/paths directly into the config module, and in extension, the config.js file. This means that you now have the option of deciding at startup where the content directory for ghost should reside. - broke out loader tests in config_spec to bootstrap_spec - updated all relevant files to now use config().paths - moved urlFor and urlForPost function into ./server/config/url.js
2014-01-05 10:40:53 +04:00
return res.redirect(config().paths.subdir + '/ghost/');
Move middleware functions into middleware module and create associated tests Note: this only moves middleware functions that have associated tests.
2013-11-05 09:41:36 +04:00
}
next();
},
// While we're here, let's clean up on aisle 5
// That being ghost.notifications, and let's remove the passives from there
// plus the local messages, as they have already been added at this point
// otherwise they'd appear one too many times
Proper endpoints for persistent notifications closes #2637 - Add new get API route for all notifications - Wrap API responses to comply with JSON-API - Add new tests / adjust fixtures - Adjust all occurences of passive notifications
2014-04-29 00:58:18 +04:00
// ToDo: Remove once ember handles passive notifications.
Move middleware functions into middleware module and create associated tests Note: this only moves middleware functions that have associated tests.
2013-11-05 09:41:36 +04:00
cleanNotifications: function (req, res, next) {
/*jslint unparam:true*/
remove ghost.settings and ghost.notifications covers 90% of #755 - moved ghost.settings to api.settings - moved ghost.notifications to api.notifications - split up api/index.js to notifications.js, posts.js, settings.js, tags.js and users.js - added instance.globals as temp workaround for blogglobals (Known issue: blog title and blog description are updated after restart only) - added webroot to config() to remove `var root = ...` - changed `e` and `url` helper to async - updated tests
2013-12-06 12:51:35 +04:00
api.notifications.browse().then(function (notifications) {
Proper endpoints for persistent notifications closes #2637 - Add new get API route for all notifications - Wrap API responses to comply with JSON-API - Add new tests / adjust fixtures - Adjust all occurences of passive notifications
2014-04-29 00:58:18 +04:00
_.each(notifications.notifications, function (notification) {
remove ghost.settings and ghost.notifications covers 90% of #755 - moved ghost.settings to api.settings - moved ghost.notifications to api.notifications - split up api/index.js to notifications.js, posts.js, settings.js, tags.js and users.js - added instance.globals as temp workaround for blogglobals (Known issue: blog title and blog description are updated after restart only) - added webroot to config() to remove `var root = ...` - changed `e` and `url` helper to async - updated tests
2013-12-06 12:51:35 +04:00
if (notification.status === 'passive') {
api.notifications.destroy(notification);
}
});
next();
Move middleware functions into middleware module and create associated tests Note: this only moves middleware functions that have associated tests.
2013-11-05 09:41:36 +04:00
});
},
Cache control headers & query string asset management closes #1470 issue #1405 - added cache control middleware - added defaults for all routes, assets, etc - updated asset helper to add a query string with a timestamp hash to all assets - added unit tests for asset and ghostScriptTags helpers - added cache-control checks to route tests
2013-12-31 03:13:25 +04:00
// ### CacheControl Middleware
// provide sensible cache control headers
cacheControl: function (options) {
Move middleware functions into middleware module and create associated tests Note: this only moves middleware functions that have associated tests.
2013-11-05 09:41:36 +04:00
/*jslint unparam:true*/
Cache control headers & query string asset management closes #1470 issue #1405 - added cache control middleware - added defaults for all routes, assets, etc - updated asset helper to add a query string with a timestamp hash to all assets - added unit tests for asset and ghostScriptTags helpers - added cache-control checks to route tests
2013-12-31 03:13:25 +04:00
var profiles = {
'public': 'public, max-age=0',
'private': 'no-cache, private, no-store, must-revalidate, max-stale=0, post-check=0, pre-check=0'
},
output;
if (_.isString(options) && profiles.hasOwnProperty(options)) {
output = profiles[options];
}
Move middleware functions into middleware module and create associated tests Note: this only moves middleware functions that have associated tests.
2013-11-05 09:41:36 +04:00
Cache control headers & query string asset management closes #1470 issue #1405 - added cache control middleware - added defaults for all routes, assets, etc - updated asset helper to add a query string with a timestamp hash to all assets - added unit tests for asset and ghostScriptTags helpers - added cache-control checks to route tests
2013-12-31 03:13:25 +04:00
return function cacheControlHeaders(req, res, next) {
if (output) {
res.set({'Cache-Control': output});
}
next();
};
Move middleware functions into middleware module and create associated tests Note: this only moves middleware functions that have associated tests.
2013-11-05 09:41:36 +04:00
},
// ### whenEnabled Middleware
// Selectively use middleware
// From https://github.com/senchalabs/connect/issues/676#issuecomment-9569658
whenEnabled: function (setting, fn) {
return function settingEnabled(req, res, next) {
Remove ghost.js fixes #1575 - Moves most code that was in ghost.js into ./core/server/index.js - Creates ./core/server/config/theme.js to hold all theme configurations (which previously lived on ghost.blogGlobals()) - Removed ghost.server, passing it in as an argument where needed and allowing middleware to hold onto a reference for lazy use.
2013-12-06 18:13:15 +04:00
// Set from server/middleware/index.js for now
if (expressServer.enabled(setting)) {
Move middleware functions into middleware module and create associated tests Note: this only moves middleware functions that have associated tests.
2013-11-05 09:41:36 +04:00
fn(req, res, next);
} else {
next();
}
};
},
Create the config module, initially used to standardise getting paths and absolute URLs. Easy to extend for other configurations we may need.
2013-11-20 17:58:52 +04:00
staticTheme: function () {
Lock down theme static directory to not serve templates, markdown and text files. closes #942 - insert custom middleware to check for blacklisted files - redirect to express.static if file accepted - if not valid return next() to do nothing - currently black listing .hbs, .txt, .md and .json - debatable which is best, black list or white list, either one will probably need tweaks but erred on side of letting a theme serve unknown types
2013-10-05 14:17:08 +04:00
return function blackListStatic(req, res, next) {
if (isBlackListedFileType(req.url)) {
return next();
}
Create the config module, initially used to standardise getting paths and absolute URLs. Easy to extend for other configurations we may need.
2013-11-20 17:58:52 +04:00
return middleware.forwardToExpressStatic(req, res, next);
Lock down theme static directory to not serve templates, markdown and text files. closes #942 - insert custom middleware to check for blacklisted files - redirect to express.static if file accepted - if not valid return next() to do nothing - currently black listing .hbs, .txt, .md and .json - debatable which is best, black list or white list, either one will probably need tweaks but erred on side of letting a theme serve unknown types
2013-10-05 14:17:08 +04:00
};
},
// to allow unit testing
Create the config module, initially used to standardise getting paths and absolute URLs. Easy to extend for other configurations we may need.
2013-11-20 17:58:52 +04:00
forwardToExpressStatic: function (req, res, next) {
Refactor API arguments closes #2610, refs #2697 - cleanup API index.js, and add docs - all API methods take consistent arguments: object & options - browse, read, destroy take options, edit and add take object and options - the context is passed as part of options, meaning no more .call everywhere - destroy expects an object, rather than an id all the way down to the model layer - route params such as :id, :slug, and :key are passed as an option & used to perform reads, updates and deletes where possible - settings / themes may need work here still - HTTP posts api can find a post by slug - Add API utils for checkData
2014-05-08 16:41:19 +04:00
api.settings.read({context: {internal: true}, key: 'activeTheme'}).then(function (response) {
Settings API Primary Document refactor Closes #2606 - Refactor settings api responses to { settings: [ ] } format - Update all code using api.settings to handle new response format - Update test stubs to return new format - Update client site settings model to parse new format into one object of key/value pairs - Refactor to include all setting values - Remove unused settingsCollection method - Update settingsCache to store all attributes - Update settingsResult to send all attributes - Remove unnecessary when() wraps - Reject if editing a setting that doesn't exist - Reject earlier if setting key is empty - Update tests with new error messages - Use setting.add instead of edit that was incorrectly adding - Update importer to properly import activePlugins and installedPlugins - Update expected setting result fields - Fix a weird situation where hasOwnProperty didn't exist :shrug:
2014-04-28 03:28:50 +04:00
var activeTheme = response.settings[0];
Make cache max-age on theme assets one year. closes #2790 - Added one year in ms var. - refs: #2447
2014-05-22 07:56:25 +04:00
express['static'](path.join(config().paths.themePath, activeTheme.value), {maxAge: ONE_YEAR_MS})(req, res, next);
remove ghost.settings and ghost.notifications covers 90% of #755 - moved ghost.settings to api.settings - moved ghost.notifications to api.notifications - split up api/index.js to notifications.js, posts.js, settings.js, tags.js and users.js - added instance.globals as temp workaround for blogglobals (Known issue: blog title and blog description are updated after restart only) - added webroot to config() to remove `var root = ...` - changed `e` and `url` helper to async - updated tests
2013-12-06 12:51:35 +04:00
});
Remove cookie from Frontend closes #1437 closes #1472 - changed cookie to path:'/ghost' - added conditional CSRF middleware - added redirects for signup, signin, signout to /ghost/sign*/
2013-11-26 13:38:54 +04:00
},
conditionalCSRF: function (req, res, next) {
// CSRF is needed for admin only
if (res.isAdmin) {
Upgrade to Express 4.0 no related issue - Updates package.json packages, adding express middleware packages that have been broken into their own modules - Updates controllers/frontend.js to use the new Layer object that Express 4.0 has. Requires some monkey-patching as the Layer object isn't explicitly surfaced, however it should be safe to do. - Moved the setup of routes into middleware/index.js because they need to be added as a middleware function before the 404 and 500 handlers. This is no longer possible with the old app.use(app.router) as that has been removed. - Cleaned up middleware/index.js to make it compatible with Express 4.0. - Simplified the way themes are activated and enabled when they are activated. The new handling is simpler, yet should still cover all the use cases that previously existed. - The entire flow of activating a theme through middleware should be a little more centralized, letting it be easier to read and maintain. - Moved every routes/*.js file to use an individual express.Router() instance.
2014-04-12 07:46:15 +04:00
csrf()(req, res, next);
Remove cookie from Frontend closes #1437 closes #1472 - changed cookie to path:'/ghost' - added conditional CSRF middleware - added redirects for signup, signin, signout to /ghost/sign*/
2013-11-26 13:38:54 +04:00
return;
}
next();
Switch from multipart to busboy Fixes #1227 - Removed deprecated `multipart` references. - Setup `busboy` to pass along file streams and do a naive parse of form values. - Updated logic in file storage and db import to handle file streams instead of the temporary files created by `multipart`.
2013-12-04 06:47:39 +04:00
},
busboy: busboy
Lock down theme static directory to not serve templates, markdown and text files. closes #942 - insert custom middleware to check for blacklisted files - redirect to express.static if file accepted - if not valid return next() to do nothing - currently black listing .hbs, .txt, .md and .json - debatable which is best, black list or white list, either one will probably need tweaks but erred on side of letting a theme serve unknown types
2013-10-05 14:17:08 +04:00
};
module.exports = middleware;
Make cache max-age on theme assets one year. closes #2790 - Added one year in ms var. - refs: #2447
2014-05-22 07:56:25 +04:00
module.exports.cacheServer = cacheServer;
Reference in New Issue Copy Permalink