Ghost/core/server/middleware/middleware.js

// # Custom Middleware
// The following custom middleware functions are all unit testable, and have accompanying unit tests in
// middleware_spec.js

var _           = require('lodash'),
    express     = require('express'),
    busboy      = require('./ghost-busboy'),
    config      = require('../config'),
    path        = require('path'),
    api         = require('../api'),

    expressServer,
    ONE_HOUR_MS = 60 * 60 * 1000;

function isBlackListedFileType(file) {
    var blackListedFileTypes = ['.hbs', '.md', '.json'],
        ext = path.extname(file);
    return _.contains(blackListedFileTypes, ext);
}

function cacheServer(server) {
    expressServer = server;
}

var middleware = {

    // ### Auth Middleware
    // Authenticate a request by redirecting to login if not logged in.
    // We strip /ghost/ out of the redirect parameter for neatness
    auth: function (req, res, next) {
        if (!req.session.user) {
            var reqPath = req.path.replace(/^\/ghost\/?/gi, ''),
                redirect = '',
                msg;

            return api.notifications.browse().then(function (notifications) {
                if (reqPath !== '') {
                    msg = {
                        type: 'error',
                        message: 'Please Sign In',
                        status: 'passive',
                        id: 'failedauth'
                    };
                    // let's only add the notification once
                    if (!_.contains(_.pluck(notifications, 'id'), 'failedauth')) {
                        api.notifications.add(msg);
                    }
                    redirect = '?r=' + encodeURIComponent(reqPath);
                }
                return res.redirect(config.paths().subdir + '/ghost/signin/' + redirect);
            });
        }
        next();
    },

    // ## AuthApi Middleware
    // Authenticate a request to the API by responding with a 401 and json error details
    authAPI: function (req, res, next) {
        if (!req.session.user) {
            res.json(401, { error: 'Please sign in' });
            return;
        }

        next();
    },

    // Check if we're logged in, and if so, redirect people back to dashboard
    // Login and signup forms in particular
    redirectToDashboard: function (req, res, next) {
        if (req.session.user) {
            return res.redirect(config.paths().subdir + '/ghost/');
        }

        next();
    },

    // While we're here, let's clean up on aisle 5
    // That being ghost.notifications, and let's remove the passives from there
    // plus the local messages, as they have already been added at this point
    // otherwise they'd appear one too many times
    cleanNotifications: function (req, res, next) {
        /*jslint unparam:true*/
        api.notifications.browse().then(function (notifications) {
            _.each(notifications, function (notification) {
                if (notification.status === 'passive') {
                    api.notifications.destroy(notification);
                }
            });
            next();
        });
    },

    // ### CacheControl Middleware
    // provide sensible cache control headers
    cacheControl: function (options) {
        /*jslint unparam:true*/
        var profiles = {
                'public': 'public, max-age=0',
                'private': 'no-cache, private, no-store, must-revalidate, max-stale=0, post-check=0, pre-check=0'
            },
            output;

        if (_.isString(options) && profiles.hasOwnProperty(options)) {
            output = profiles[options];
        }

        return function cacheControlHeaders(req, res, next) {
            if (output) {
                res.set({'Cache-Control': output});
            }
            next();
        };
    },

    // ### whenEnabled Middleware
    // Selectively use middleware
    // From https://github.com/senchalabs/connect/issues/676#issuecomment-9569658
    whenEnabled: function (setting, fn) {
        return function settingEnabled(req, res, next) {
            // Set from server/middleware/index.js for now
            if (expressServer.enabled(setting)) {
                fn(req, res, next);
            } else {
                next();
            }
        };
    },

    staticTheme: function () {
        return function blackListStatic(req, res, next) {
            if (isBlackListedFileType(req.url)) {
                return next();
            }

            return middleware.forwardToExpressStatic(req, res, next);
        };
    },

    // to allow unit testing
    forwardToExpressStatic: function (req, res, next) {
        api.settings.read('activeTheme').then(function (activeTheme) {
            // For some reason send divides the max age number by 1000
            express['static'](path.join(config.paths().themePath, activeTheme.value), {maxAge: ONE_HOUR_MS})(req, res, next);
        });
    },

    conditionalCSRF: function (req, res, next) {
        var csrf = express.csrf();
        // CSRF is needed for admin only
        if (res.isAdmin) {
            csrf(req, res, next);
            return;
        }
        next();
    },

    busboy: busboy
};

module.exports = middleware;
module.exports.cacheServer = cacheServer;
Putting back relative redirects issue #1523 - also added some comments to indicate the difference between the two custom middleware files. 2013-11-26 00:31:18 +04:00			`// # Custom Middleware`
			`// The following custom middleware functions are all unit testable, and have accompanying unit tests in`
			`// middleware_spec.js`
Lock down theme static directory to not serve templates, markdown and text files. closes #942 - insert custom middleware to check for blacklisted files - redirect to express.static if file accepted - if not valid return next() to do nothing - currently black listing .hbs, .txt, .md and .json - debatable which is best, black list or white list, either one will probably need tweaks but erred on side of letting a theme serve unknown types 2013-10-05 14:17:08 +04:00
Replace underscore with lodash. 2014-02-05 12:40:30 +04:00			`var _ = require('lodash'),`
Move middleware functions into middleware module and create associated tests Note: this only moves middleware functions that have associated tests. 2013-11-05 09:41:36 +04:00			`express = require('express'),`
Switch from multipart to busboy Fixes #1227 - Removed deprecated `multipart` references. - Setup `busboy` to pass along file streams and do a naive parse of form values. - Updated logic in file storage and db import to handle file streams instead of the temporary files created by `multipart`. 2013-12-04 06:47:39 +04:00			`busboy = require('./ghost-busboy'),`
Create the config module, initially used to standardise getting paths and absolute URLs. Easy to extend for other configurations we may need. 2013-11-20 17:58:52 +04:00			`config = require('../config'),`
Move middleware functions into middleware module and create associated tests Note: this only moves middleware functions that have associated tests. 2013-11-05 09:41:36 +04:00			`path = require('path'),`
remove ghost.settings and ghost.notifications covers 90% of #755 - moved ghost.settings to api.settings - moved ghost.notifications to api.notifications - split up api/index.js to notifications.js, posts.js, settings.js, tags.js and users.js - added instance.globals as temp workaround for blogglobals (Known issue: blog title and blog description are updated after restart only) - added webroot to config() to remove `var root = ...` - changed `e` and `url` helper to async - updated tests 2013-12-06 12:51:35 +04:00			`api = require('../api'),`
Cache control headers & query string asset management closes #1470 issue #1405 - added cache control middleware - added defaults for all routes, assets, etc - updated asset helper to add a query string with a timestamp hash to all assets - added unit tests for asset and ghostScriptTags helpers - added cache-control checks to route tests 2013-12-31 03:13:25 +04:00
			`expressServer,`
			`ONE_HOUR_MS = 60 * 60 * 1000;`
Lock down theme static directory to not serve templates, markdown and text files. closes #942 - insert custom middleware to check for blacklisted files - redirect to express.static if file accepted - if not valid return next() to do nothing - currently black listing .hbs, .txt, .md and .json - debatable which is best, black list or white list, either one will probably need tweaks but erred on side of letting a theme serve unknown types 2013-10-05 14:17:08 +04:00
			`function isBlackListedFileType(file) {`
Remove .txt from blacklist. fixes #1263 2013-10-25 02:55:51 +04:00			`var blackListedFileTypes = ['.hbs', '.md', '.json'],`
Lock down theme static directory to not serve templates, markdown and text files. closes #942 - insert custom middleware to check for blacklisted files - redirect to express.static if file accepted - if not valid return next() to do nothing - currently black listing .hbs, .txt, .md and .json - debatable which is best, black list or white list, either one will probably need tweaks but erred on side of letting a theme serve unknown types 2013-10-05 14:17:08 +04:00			`ext = path.extname(file);`
			`return _.contains(blackListedFileTypes, ext);`
			`}`

Remove ghost.js fixes #1575 - Moves most code that was in ghost.js into ./core/server/index.js - Creates ./core/server/config/theme.js to hold all theme configurations (which previously lived on ghost.blogGlobals()) - Removed ghost.server, passing it in as an argument where needed and allowing middleware to hold onto a reference for lazy use. 2013-12-06 18:13:15 +04:00			`function cacheServer(server) {`
			`expressServer = server;`
			`}`

Lock down theme static directory to not serve templates, markdown and text files. closes #942 - insert custom middleware to check for blacklisted files - redirect to express.static if file accepted - if not valid return next() to do nothing - currently black listing .hbs, .txt, .md and .json - debatable which is best, black list or white list, either one will probably need tweaks but erred on side of letting a theme serve unknown types 2013-10-05 14:17:08 +04:00			`var middleware = {`

Move middleware functions into middleware module and create associated tests Note: this only moves middleware functions that have associated tests. 2013-11-05 09:41:36 +04:00			`// ### Auth Middleware`
			`// Authenticate a request by redirecting to login if not logged in.`
			`// We strip /ghost/ out of the redirect parameter for neatness`
			`auth: function (req, res, next) {`
			`if (!req.session.user) {`
Putting back relative redirects issue #1523 - also added some comments to indicate the difference between the two custom middleware files. 2013-11-26 00:31:18 +04:00			`var reqPath = req.path.replace(/^\/ghost\/?/gi, ''),`
Move middleware functions into middleware module and create associated tests Note: this only moves middleware functions that have associated tests. 2013-11-05 09:41:36 +04:00			`redirect = '',`
			`msg;`

remove ghost.settings and ghost.notifications covers 90% of #755 - moved ghost.settings to api.settings - moved ghost.notifications to api.notifications - split up api/index.js to notifications.js, posts.js, settings.js, tags.js and users.js - added instance.globals as temp workaround for blogglobals (Known issue: blog title and blog description are updated after restart only) - added webroot to config() to remove `var root = ...` - changed `e` and `url` helper to async - updated tests 2013-12-06 12:51:35 +04:00			`return api.notifications.browse().then(function (notifications) {`
			`if (reqPath !== '') {`
			`msg = {`
			`type: 'error',`
			`message: 'Please Sign In',`
			`status: 'passive',`
			`id: 'failedauth'`
			`};`
			`// let's only add the notification once`
			`if (!_.contains(_.pluck(notifications, 'id'), 'failedauth')) {`
			`api.notifications.add(msg);`
			`}`
			`redirect = '?r=' + encodeURIComponent(reqPath);`
Move middleware functions into middleware module and create associated tests Note: this only moves middleware functions that have associated tests. 2013-11-05 09:41:36 +04:00			`}`
Path, url and subdir cleanup & test issue #1754 - remove path (it was only used once, and not needed) - change webroot to subdir - add unit tests for config.paths - various other cleanup - renamed client-side ghostRoot to subdir - added url helper for client 2013-12-28 20:01:08 +04:00			`return res.redirect(config.paths().subdir + '/ghost/signin/' + redirect);`
remove ghost.settings and ghost.notifications covers 90% of #755 - moved ghost.settings to api.settings - moved ghost.notifications to api.notifications - split up api/index.js to notifications.js, posts.js, settings.js, tags.js and users.js - added instance.globals as temp workaround for blogglobals (Known issue: blog title and blog description are updated after restart only) - added webroot to config() to remove `var root = ...` - changed `e` and `url` helper to async - updated tests 2013-12-06 12:51:35 +04:00			`});`
Move middleware functions into middleware module and create associated tests Note: this only moves middleware functions that have associated tests. 2013-11-05 09:41:36 +04:00			`}`
			`next();`
			`},`

			`// ## AuthApi Middleware`
			`// Authenticate a request to the API by responding with a 401 and json error details`
			`authAPI: function (req, res, next) {`
			`if (!req.session.user) {`
			`res.json(401, { error: 'Please sign in' });`
			`return;`
			`}`

			`next();`
			`},`

			`// Check if we're logged in, and if so, redirect people back to dashboard`
			`// Login and signup forms in particular`
			`redirectToDashboard: function (req, res, next) {`
			`if (req.session.user) {`
Path, url and subdir cleanup & test issue #1754 - remove path (it was only used once, and not needed) - change webroot to subdir - add unit tests for config.paths - various other cleanup - renamed client-side ghostRoot to subdir - added url helper for client 2013-12-28 20:01:08 +04:00			`return res.redirect(config.paths().subdir + '/ghost/');`
Move middleware functions into middleware module and create associated tests Note: this only moves middleware functions that have associated tests. 2013-11-05 09:41:36 +04:00			`}`

			`next();`
			`},`

			`// While we're here, let's clean up on aisle 5`
			`// That being ghost.notifications, and let's remove the passives from there`
			`// plus the local messages, as they have already been added at this point`
			`// otherwise they'd appear one too many times`
			`cleanNotifications: function (req, res, next) {`
			`/jslint unparam:true/`
remove ghost.settings and ghost.notifications covers 90% of #755 - moved ghost.settings to api.settings - moved ghost.notifications to api.notifications - split up api/index.js to notifications.js, posts.js, settings.js, tags.js and users.js - added instance.globals as temp workaround for blogglobals (Known issue: blog title and blog description are updated after restart only) - added webroot to config() to remove `var root = ...` - changed `e` and `url` helper to async - updated tests 2013-12-06 12:51:35 +04:00			`api.notifications.browse().then(function (notifications) {`
			`_.each(notifications, function (notification) {`
			`if (notification.status === 'passive') {`
			`api.notifications.destroy(notification);`
			`}`
			`});`
			`next();`
Move middleware functions into middleware module and create associated tests Note: this only moves middleware functions that have associated tests. 2013-11-05 09:41:36 +04:00			`});`
			`},`

Cache control headers & query string asset management closes #1470 issue #1405 - added cache control middleware - added defaults for all routes, assets, etc - updated asset helper to add a query string with a timestamp hash to all assets - added unit tests for asset and ghostScriptTags helpers - added cache-control checks to route tests 2013-12-31 03:13:25 +04:00			`// ### CacheControl Middleware`
			`// provide sensible cache control headers`
			`cacheControl: function (options) {`
Move middleware functions into middleware module and create associated tests Note: this only moves middleware functions that have associated tests. 2013-11-05 09:41:36 +04:00			`/jslint unparam:true/`
Cache control headers & query string asset management closes #1470 issue #1405 - added cache control middleware - added defaults for all routes, assets, etc - updated asset helper to add a query string with a timestamp hash to all assets - added unit tests for asset and ghostScriptTags helpers - added cache-control checks to route tests 2013-12-31 03:13:25 +04:00			`var profiles = {`
			`'public': 'public, max-age=0',`
			`'private': 'no-cache, private, no-store, must-revalidate, max-stale=0, post-check=0, pre-check=0'`
			`},`
			`output;`

			`if (_.isString(options) && profiles.hasOwnProperty(options)) {`
			`output = profiles[options];`
			`}`
Move middleware functions into middleware module and create associated tests Note: this only moves middleware functions that have associated tests. 2013-11-05 09:41:36 +04:00
Cache control headers & query string asset management closes #1470 issue #1405 - added cache control middleware - added defaults for all routes, assets, etc - updated asset helper to add a query string with a timestamp hash to all assets - added unit tests for asset and ghostScriptTags helpers - added cache-control checks to route tests 2013-12-31 03:13:25 +04:00			`return function cacheControlHeaders(req, res, next) {`
			`if (output) {`
			`res.set({'Cache-Control': output});`
			`}`
			`next();`
			`};`
Move middleware functions into middleware module and create associated tests Note: this only moves middleware functions that have associated tests. 2013-11-05 09:41:36 +04:00			`},`

			`// ### whenEnabled Middleware`
			`// Selectively use middleware`
			`// From https://github.com/senchalabs/connect/issues/676#issuecomment-9569658`
			`whenEnabled: function (setting, fn) {`
			`return function settingEnabled(req, res, next) {`
Remove ghost.js fixes #1575 - Moves most code that was in ghost.js into ./core/server/index.js - Creates ./core/server/config/theme.js to hold all theme configurations (which previously lived on ghost.blogGlobals()) - Removed ghost.server, passing it in as an argument where needed and allowing middleware to hold onto a reference for lazy use. 2013-12-06 18:13:15 +04:00			`// Set from server/middleware/index.js for now`
			`if (expressServer.enabled(setting)) {`
Move middleware functions into middleware module and create associated tests Note: this only moves middleware functions that have associated tests. 2013-11-05 09:41:36 +04:00			`fn(req, res, next);`
			`} else {`
			`next();`
			`}`
			`};`
			`},`

Create the config module, initially used to standardise getting paths and absolute URLs. Easy to extend for other configurations we may need. 2013-11-20 17:58:52 +04:00			`staticTheme: function () {`
Lock down theme static directory to not serve templates, markdown and text files. closes #942 - insert custom middleware to check for blacklisted files - redirect to express.static if file accepted - if not valid return next() to do nothing - currently black listing .hbs, .txt, .md and .json - debatable which is best, black list or white list, either one will probably need tweaks but erred on side of letting a theme serve unknown types 2013-10-05 14:17:08 +04:00			`return function blackListStatic(req, res, next) {`
			`if (isBlackListedFileType(req.url)) {`
			`return next();`
			`}`

Create the config module, initially used to standardise getting paths and absolute URLs. Easy to extend for other configurations we may need. 2013-11-20 17:58:52 +04:00			`return middleware.forwardToExpressStatic(req, res, next);`
Lock down theme static directory to not serve templates, markdown and text files. closes #942 - insert custom middleware to check for blacklisted files - redirect to express.static if file accepted - if not valid return next() to do nothing - currently black listing .hbs, .txt, .md and .json - debatable which is best, black list or white list, either one will probably need tweaks but erred on side of letting a theme serve unknown types 2013-10-05 14:17:08 +04:00			`};`
			`},`

			`// to allow unit testing`
Create the config module, initially used to standardise getting paths and absolute URLs. Easy to extend for other configurations we may need. 2013-11-20 17:58:52 +04:00			`forwardToExpressStatic: function (req, res, next) {`
remove ghost.settings and ghost.notifications covers 90% of #755 - moved ghost.settings to api.settings - moved ghost.notifications to api.notifications - split up api/index.js to notifications.js, posts.js, settings.js, tags.js and users.js - added instance.globals as temp workaround for blogglobals (Known issue: blog title and blog description are updated after restart only) - added webroot to config() to remove `var root = ...` - changed `e` and `url` helper to async - updated tests 2013-12-06 12:51:35 +04:00			`api.settings.read('activeTheme').then(function (activeTheme) {`
Cache control headers & query string asset management closes #1470 issue #1405 - added cache control middleware - added defaults for all routes, assets, etc - updated asset helper to add a query string with a timestamp hash to all assets - added unit tests for asset and ghostScriptTags helpers - added cache-control checks to route tests 2013-12-31 03:13:25 +04:00			`// For some reason send divides the max age number by 1000`
			`express['static'](path.join(config.paths().themePath, activeTheme.value), {maxAge: ONE_HOUR_MS})(req, res, next);`
remove ghost.settings and ghost.notifications covers 90% of #755 - moved ghost.settings to api.settings - moved ghost.notifications to api.notifications - split up api/index.js to notifications.js, posts.js, settings.js, tags.js and users.js - added instance.globals as temp workaround for blogglobals (Known issue: blog title and blog description are updated after restart only) - added webroot to config() to remove `var root = ...` - changed `e` and `url` helper to async - updated tests 2013-12-06 12:51:35 +04:00			`});`
Remove cookie from Frontend closes #1437 closes #1472 - changed cookie to path:'/ghost' - added conditional CSRF middleware - added redirects for signup, signin, signout to /ghost/sign*/ 2013-11-26 13:38:54 +04:00			`},`

			`conditionalCSRF: function (req, res, next) {`
			`var csrf = express.csrf();`
			`// CSRF is needed for admin only`
			`if (res.isAdmin) {`
			`csrf(req, res, next);`
			`return;`
			`}`
			`next();`
Switch from multipart to busboy Fixes #1227 - Removed deprecated `multipart` references. - Setup `busboy` to pass along file streams and do a naive parse of form values. - Updated logic in file storage and db import to handle file streams instead of the temporary files created by `multipart`. 2013-12-04 06:47:39 +04:00			`},`

			`busboy: busboy`
Lock down theme static directory to not serve templates, markdown and text files. closes #942 - insert custom middleware to check for blacklisted files - redirect to express.static if file accepted - if not valid return next() to do nothing - currently black listing .hbs, .txt, .md and .json - debatable which is best, black list or white list, either one will probably need tweaks but erred on side of letting a theme serve unknown types 2013-10-05 14:17:08 +04:00			`};`

			`module.exports = middleware;`
Remove ghost.js fixes #1575 - Moves most code that was in ghost.js into ./core/server/index.js - Creates ./core/server/config/theme.js to hold all theme configurations (which previously lived on ghost.blogGlobals()) - Removed ghost.server, passing it in as an argument where needed and allowing middleware to hold onto a reference for lazy use. 2013-12-06 18:13:15 +04:00			`module.exports.cacheServer = cacheServer;`