TryGhost/Ghost
1
0
Fork 0
mirror of https://github.com/TryGhost/Ghost.git synced 2024-12-15 03:12:54 +03:00
Code Issues Projects Releases Wiki Activity
6390c6bdc8
Ghost/core/server/middleware/middleware.js

202 lines
6.7 KiB
JavaScript
Raw Normal View History

Putting back relative redirects issue #1523 - also added some comments to indicate the difference between the two custom middleware files.
2013-11-26 00:31:18 +04:00
// # Custom Middleware
// The following custom middleware functions are all unit testable, and have accompanying unit tests in
// middleware_spec.js
Lock down theme static directory to not serve templates, markdown and text files. closes #942 - insert custom middleware to check for blacklisted files - redirect to express.static if file accepted - if not valid return next() to do nothing - currently black listing .hbs, .txt, .md and .json - debatable which is best, black list or white list, either one will probably need tweaks but erred on side of letting a theme serve unknown types
2013-10-05 14:17:08 +04:00
Replace underscore with lodash.
2014-02-05 12:40:30 +04:00
var _ = require('lodash'),
Upgrade to Express 4.0 no related issue - Updates package.json packages, adding express middleware packages that have been broken into their own modules - Updates controllers/frontend.js to use the new Layer object that Express 4.0 has. Requires some monkey-patching as the Layer object isn't explicitly surfaced, however it should be safe to do. - Moved the setup of routes into middleware/index.js because they need to be added as a middleware function before the 404 and 500 handlers. This is no longer possible with the old app.use(app.router) as that has been removed. - Cleaned up middleware/index.js to make it compatible with Express 4.0. - Simplified the way themes are activated and enabled when they are activated. The new handling is simpler, yet should still cover all the use cases that previously existed. - The entire flow of activating a theme through middleware should be a little more centralized, letting it be easier to read and maintain. - Moved every routes/*.js file to use an individual express.Router() instance.
2014-04-12 07:46:15 +04:00
csrf = require('csurf'),
Move middleware functions into middleware module and create associated tests Note: this only moves middleware functions that have associated tests.
2013-11-05 09:41:36 +04:00
express = require('express'),
Switch from multipart to busboy Fixes #1227 - Removed deprecated `multipart` references. - Setup `busboy` to pass along file streams and do a naive parse of form values. - Updated logic in file storage and db import to handle file streams instead of the temporary files created by `multipart`.
2013-12-04 06:47:39 +04:00
busboy = require('./ghost-busboy'),
Create the config module, initially used to standardise getting paths and absolute URLs. Easy to extend for other configurations we may need.
2013-11-20 17:58:52 +04:00
config = require('../config'),
Move middleware functions into middleware module and create associated tests Note: this only moves middleware functions that have associated tests.
2013-11-05 09:41:36 +04:00
path = require('path'),
remove ghost.settings and ghost.notifications covers 90% of #755 - moved ghost.settings to api.settings - moved ghost.notifications to api.notifications - split up api/index.js to notifications.js, posts.js, settings.js, tags.js and users.js - added instance.globals as temp workaround for blogglobals (Known issue: blog title and blog description are updated after restart only) - added webroot to config() to remove `var root = ...` - changed `e` and `url` helper to async - updated tests
2013-12-06 12:51:35 +04:00
api = require('../api'),
Cache control headers & query string asset management closes #1470 issue #1405 - added cache control middleware - added defaults for all routes, assets, etc - updated asset helper to add a query string with a timestamp hash to all assets - added unit tests for asset and ghostScriptTags helpers - added cache-control checks to route tests
2013-12-31 03:13:25 +04:00
expressServer,
Make cache max-age on theme assets one year. closes #2790 - Added one year in ms var. - refs: #2447
2014-05-22 07:56:25 +04:00
ONE_HOUR_MS = 60 * 60 * 1000,
ONE_YEAR_MS = 365 * 24 * ONE_HOUR_MS;
Lock down theme static directory to not serve templates, markdown and text files. closes #942 - insert custom middleware to check for blacklisted files - redirect to express.static if file accepted - if not valid return next() to do nothing - currently black listing .hbs, .txt, .md and .json - debatable which is best, black list or white list, either one will probably need tweaks but erred on side of letting a theme serve unknown types
2013-10-05 14:17:08 +04:00
function isBlackListedFileType(file) {
Remove .txt from blacklist. fixes #1263
2013-10-25 02:55:51 +04:00
var blackListedFileTypes = ['.hbs', '.md', '.json'],
Lock down theme static directory to not serve templates, markdown and text files. closes #942 - insert custom middleware to check for blacklisted files - redirect to express.static if file accepted - if not valid return next() to do nothing - currently black listing .hbs, .txt, .md and .json - debatable which is best, black list or white list, either one will probably need tweaks but erred on side of letting a theme serve unknown types
2013-10-05 14:17:08 +04:00
ext = path.extname(file);
return _.contains(blackListedFileTypes, ext);
}
Remove ghost.js fixes #1575 - Moves most code that was in ghost.js into ./core/server/index.js - Creates ./core/server/config/theme.js to hold all theme configurations (which previously lived on ghost.blogGlobals()) - Removed ghost.server, passing it in as an argument where needed and allowing middleware to hold onto a reference for lazy use.
2013-12-06 18:13:15 +04:00
function cacheServer(server) {
expressServer = server;
}
Lock down theme static directory to not serve templates, markdown and text files. closes #942 - insert custom middleware to check for blacklisted files - redirect to express.static if file accepted - if not valid return next() to do nothing - currently black listing .hbs, .txt, .md and .json - debatable which is best, black list or white list, either one will probably need tweaks but erred on side of letting a theme serve unknown types
2013-10-05 14:17:08 +04:00
var middleware = {
Make session expiry less arsey closes #2171 - added authentication middleware - removed authentication from routes - moved authentication before CSRF validation - moved caching rules before authentication - changed/added test
2014-02-14 14:00:11 +04:00
// ### Authenticate Middleware
/ghost/reset/* should not redirect to signin fixes #2257
2014-02-25 14:20:32 +04:00
// authentication has to be done for /ghost/* routes with
Make session expiry less arsey closes #2171 - added authentication middleware - removed authentication from routes - moved authentication before CSRF validation - moved caching rules before authentication - changed/added test
2014-02-14 14:00:11 +04:00
// exceptions for signin, signout, signup, forgotten, reset only
// api and frontend use different authentication mechanisms atm
authenticate: function (req, res, next) {
/ghost/reset/* should not redirect to signin fixes #2257
2014-02-25 14:20:32 +04:00
var noAuthNeeded = [
Make session expiry less arsey closes #2171 - added authentication middleware - removed authentication from routes - moved authentication before CSRF validation - moved caching rules before authentication - changed/added test
2014-02-14 14:00:11 +04:00
'/ghost/signin/', '/ghost/signout/', '/ghost/signup/',
Ember Data with Posts Ref #2699 - Introduce ember data dependency - Add loadInitializers and refactor most initializers into one combined - Add Post ember data model - Refactor generateSlug to use title of post and ghostPaths - Refactor post controller to not reference model.property everywhere - Use RESTAdapter for posts, users and tags - Setup author and tag relations in Post model - Fix broken API calls by adding CSRF header - Add initiaizer for csrf value - Use actual User model for current user initializer - Add action for setting featured post, test with actual api call - Fix the sending of UUID's up to the server - Refactor current-user to use ember-data store - If a user is preloaded in the application, use pushPayload to put it in the store - Do a lookup on the store to get an actual User model for injection - Fix posts/post controllerName in route/new.js - Alter signup process to push user into ember data store
2014-05-09 09:00:10 +04:00
'/ghost/forgotten/', '/ghost/reset/', '/ghost/ember/',
'/ghost/ember/signin'
/ghost/reset/* should not redirect to signin fixes #2257
2014-02-25 14:20:32 +04:00
],
subPath;
// SubPath is the url path starting after any default subdirectories
// it is stripped of anything after the two levels `/ghost/.*?/` as the reset link has an argument
subPath = req.path.substring(config().paths.subdir.length);
/*jslint regexp:true, unparam:true*/
subPath = subPath.replace(/^(\/.*?\/.*?\/)(.*)?/, function (match, a) {
return a;
});
Respect subdirectory in authenticate middleware
2014-02-20 02:53:40 +04:00
if (res.isAdmin) {
if (subPath.indexOf('/ghost/api/') === 0) {
return middleware.authAPI(req, res, next);
}
Make session expiry less arsey closes #2171 - added authentication middleware - removed authentication from routes - moved authentication before CSRF validation - moved caching rules before authentication - changed/added test
2014-02-14 14:00:11 +04:00
Respect subdirectory in authenticate middleware
2014-02-20 02:53:40 +04:00
if (noAuthNeeded.indexOf(subPath) < 0) {
Make session expiry less arsey closes #2171 - added authentication middleware - removed authentication from routes - moved authentication before CSRF validation - moved caching rules before authentication - changed/added test
2014-02-14 14:00:11 +04:00
return middleware.auth(req, res, next);
}
}
next();
},
Move middleware functions into middleware module and create associated tests Note: this only moves middleware functions that have associated tests.
2013-11-05 09:41:36 +04:00
// ### Auth Middleware
// Authenticate a request by redirecting to login if not logged in.
// We strip /ghost/ out of the redirect parameter for neatness
auth: function (req, res, next) {
if (!req.session.user) {
Respect subdirectory in authenticate middleware
2014-02-20 02:53:40 +04:00
var subPath = req.path.substring(config().paths.subdir.length),
reqPath = subPath.replace(/^\/ghost\/?/gi, ''),
Move middleware functions into middleware module and create associated tests Note: this only moves middleware functions that have associated tests.
2013-11-05 09:41:36 +04:00
redirect = '',
msg;
remove ghost.settings and ghost.notifications covers 90% of #755 - moved ghost.settings to api.settings - moved ghost.notifications to api.notifications - split up api/index.js to notifications.js, posts.js, settings.js, tags.js and users.js - added instance.globals as temp workaround for blogglobals (Known issue: blog title and blog description are updated after restart only) - added webroot to config() to remove `var root = ...` - changed `e` and `url` helper to async - updated tests
2013-12-06 12:51:35 +04:00
return api.notifications.browse().then(function (notifications) {
if (reqPath !== '') {
msg = {
type: 'error',
message: 'Please Sign In',
Proper endpoints for persistent notifications closes #2637 - Add new get API route for all notifications - Wrap API responses to comply with JSON-API - Add new tests / adjust fixtures - Adjust all occurences of passive notifications
2014-04-29 00:58:18 +04:00
status: 'passive'
remove ghost.settings and ghost.notifications covers 90% of #755 - moved ghost.settings to api.settings - moved ghost.notifications to api.notifications - split up api/index.js to notifications.js, posts.js, settings.js, tags.js and users.js - added instance.globals as temp workaround for blogglobals (Known issue: blog title and blog description are updated after restart only) - added webroot to config() to remove `var root = ...` - changed `e` and `url` helper to async - updated tests
2013-12-06 12:51:35 +04:00
};
// let's only add the notification once
if (!_.contains(_.pluck(notifications, 'id'), 'failedauth')) {
Complete moveover to new Notification API format fixes #2775 - Fix all occurences of notifications.add to use proper API format
2014-06-16 09:24:19 +04:00
api.notifications.add({ notifications: [msg] });
remove ghost.settings and ghost.notifications covers 90% of #755 - moved ghost.settings to api.settings - moved ghost.notifications to api.notifications - split up api/index.js to notifications.js, posts.js, settings.js, tags.js and users.js - added instance.globals as temp workaround for blogglobals (Known issue: blog title and blog description are updated after restart only) - added webroot to config() to remove `var root = ...` - changed `e` and `url` helper to async - updated tests
2013-12-06 12:51:35 +04:00
}
redirect = '?r=' + encodeURIComponent(reqPath);
Move middleware functions into middleware module and create associated tests Note: this only moves middleware functions that have associated tests.
2013-11-05 09:41:36 +04:00
}
Implement signup in Ember Closes #2410 - Add signup action that posts to signup endpoint - Fix nav bar showing on signup page - Fix image link when a user hasn't set their image yet - Redirect to the ember/signin page if requesting an ember page
2014-05-15 05:24:49 +04:00
if (subPath.indexOf('/ember') > -1) {
return res.redirect(config().paths.subdir + '/ghost/ember/signin');
}
Improve bootstrap flow of a Ghost application addresses #1789, #1364 - Moves ./core/server/loader -> ./core/bootstrap. The bootstrap file is only accessed once during startup, and it’s sole job is to ensure a config.js file exists (creating one if it doesn’t) and then validates the contents of the config file. Since this is directly related to the initializing the application is is appropriate to have it in the ./core folder, named bootstrap as that is what it does. This also improves the dependency graph, as now the bootstrap file require’s the ./core/server/config module and is responsible for passing in the validated config file. Whereas before we had ./core/server/config require’ing ./core/server/loader and running its init code and then passing that value back to itself, the flow is now more straight forward of ./core/bootstrap handling initialization and then instatiation of config module - Merges ./core/server/config/paths into ./core/server/config This flow was always confusing me to that some config options were on the config object, and some were on the paths object. This change now incorporates all of the variables previously defined in config/paths directly into the config module, and in extension, the config.js file. This means that you now have the option of deciding at startup where the content directory for ghost should reside. - broke out loader tests in config_spec to bootstrap_spec - updated all relevant files to now use config().paths - moved urlFor and urlForPost function into ./server/config/url.js
2014-01-05 10:40:53 +04:00
return res.redirect(config().paths.subdir + '/ghost/signin/' + redirect);
remove ghost.settings and ghost.notifications covers 90% of #755 - moved ghost.settings to api.settings - moved ghost.notifications to api.notifications - split up api/index.js to notifications.js, posts.js, settings.js, tags.js and users.js - added instance.globals as temp workaround for blogglobals (Known issue: blog title and blog description are updated after restart only) - added webroot to config() to remove `var root = ...` - changed `e` and `url` helper to async - updated tests
2013-12-06 12:51:35 +04:00
});
Move middleware functions into middleware module and create associated tests Note: this only moves middleware functions that have associated tests.
2013-11-05 09:41:36 +04:00
}
next();
},
// ## AuthApi Middleware
// Authenticate a request to the API by responding with a 401 and json error details
authAPI: function (req, res, next) {
if (!req.session.user) {
res.json(401, { error: 'Please sign in' });
return;
}
next();
},
// Check if we're logged in, and if so, redirect people back to dashboard
// Login and signup forms in particular
redirectToDashboard: function (req, res, next) {
Settings API Primary Document refactor Closes #2606 - Refactor settings api responses to { settings: [ ] } format - Update all code using api.settings to handle new response format - Update test stubs to return new format - Update client site settings model to parse new format into one object of key/value pairs - Refactor to include all setting values - Remove unused settingsCollection method - Update settingsCache to store all attributes - Update settingsResult to send all attributes - Remove unnecessary when() wraps - Reject if editing a setting that doesn't exist - Reject earlier if setting key is empty - Update tests with new error messages - Use setting.add instead of edit that was incorrectly adding - Update importer to properly import activePlugins and installedPlugins - Update expected setting result fields - Fix a weird situation where hasOwnProperty didn't exist :shrug:
2014-04-28 03:28:50 +04:00
if (req.session && req.session.user) {
Improve bootstrap flow of a Ghost application addresses #1789, #1364 - Moves ./core/server/loader -> ./core/bootstrap. The bootstrap file is only accessed once during startup, and it’s sole job is to ensure a config.js file exists (creating one if it doesn’t) and then validates the contents of the config file. Since this is directly related to the initializing the application is is appropriate to have it in the ./core folder, named bootstrap as that is what it does. This also improves the dependency graph, as now the bootstrap file require’s the ./core/server/config module and is responsible for passing in the validated config file. Whereas before we had ./core/server/config require’ing ./core/server/loader and running its init code and then passing that value back to itself, the flow is now more straight forward of ./core/bootstrap handling initialization and then instatiation of config module - Merges ./core/server/config/paths into ./core/server/config This flow was always confusing me to that some config options were on the config object, and some were on the paths object. This change now incorporates all of the variables previously defined in config/paths directly into the config module, and in extension, the config.js file. This means that you now have the option of deciding at startup where the content directory for ghost should reside. - broke out loader tests in config_spec to bootstrap_spec - updated all relevant files to now use config().paths - moved urlFor and urlForPost function into ./server/config/url.js
2014-01-05 10:40:53 +04:00
return res.redirect(config().paths.subdir + '/ghost/');
Move middleware functions into middleware module and create associated tests Note: this only moves middleware functions that have associated tests.
2013-11-05 09:41:36 +04:00
}
next();
},
// While we're here, let's clean up on aisle 5
// That being ghost.notifications, and let's remove the passives from there
// plus the local messages, as they have already been added at this point
// otherwise they'd appear one too many times
Proper endpoints for persistent notifications closes #2637 - Add new get API route for all notifications - Wrap API responses to comply with JSON-API - Add new tests / adjust fixtures - Adjust all occurences of passive notifications
2014-04-29 00:58:18 +04:00
// ToDo: Remove once ember handles passive notifications.
Move middleware functions into middleware module and create associated tests Note: this only moves middleware functions that have associated tests.
2013-11-05 09:41:36 +04:00
cleanNotifications: function (req, res, next) {
/*jslint unparam:true*/
remove ghost.settings and ghost.notifications covers 90% of #755 - moved ghost.settings to api.settings - moved ghost.notifications to api.notifications - split up api/index.js to notifications.js, posts.js, settings.js, tags.js and users.js - added instance.globals as temp workaround for blogglobals (Known issue: blog title and blog description are updated after restart only) - added webroot to config() to remove `var root = ...` - changed `e` and `url` helper to async - updated tests
2013-12-06 12:51:35 +04:00
api.notifications.browse().then(function (notifications) {
Proper endpoints for persistent notifications closes #2637 - Add new get API route for all notifications - Wrap API responses to comply with JSON-API - Add new tests / adjust fixtures - Adjust all occurences of passive notifications
2014-04-29 00:58:18 +04:00
_.each(notifications.notifications, function (notification) {
remove ghost.settings and ghost.notifications covers 90% of #755 - moved ghost.settings to api.settings - moved ghost.notifications to api.notifications - split up api/index.js to notifications.js, posts.js, settings.js, tags.js and users.js - added instance.globals as temp workaround for blogglobals (Known issue: blog title and blog description are updated after restart only) - added webroot to config() to remove `var root = ...` - changed `e` and `url` helper to async - updated tests
2013-12-06 12:51:35 +04:00
if (notification.status === 'passive') {
api.notifications.destroy(notification);
}
});
next();
Move middleware functions into middleware module and create associated tests Note: this only moves middleware functions that have associated tests.
2013-11-05 09:41:36 +04:00
});
},
Cache control headers & query string asset management closes #1470 issue #1405 - added cache control middleware - added defaults for all routes, assets, etc - updated asset helper to add a query string with a timestamp hash to all assets - added unit tests for asset and ghostScriptTags helpers - added cache-control checks to route tests
2013-12-31 03:13:25 +04:00
// ### CacheControl Middleware
// provide sensible cache control headers
cacheControl: function (options) {
Move middleware functions into middleware module and create associated tests Note: this only moves middleware functions that have associated tests.
2013-11-05 09:41:36 +04:00
/*jslint unparam:true*/
Cache control headers & query string asset management closes #1470 issue #1405 - added cache control middleware - added defaults for all routes, assets, etc - updated asset helper to add a query string with a timestamp hash to all assets - added unit tests for asset and ghostScriptTags helpers - added cache-control checks to route tests
2013-12-31 03:13:25 +04:00
var profiles = {
'public': 'public, max-age=0',
'private': 'no-cache, private, no-store, must-revalidate, max-stale=0, post-check=0, pre-check=0'
},
output;
if (_.isString(options) && profiles.hasOwnProperty(options)) {
output = profiles[options];
}
Move middleware functions into middleware module and create associated tests Note: this only moves middleware functions that have associated tests.
2013-11-05 09:41:36 +04:00
Cache control headers & query string asset management closes #1470 issue #1405 - added cache control middleware - added defaults for all routes, assets, etc - updated asset helper to add a query string with a timestamp hash to all assets - added unit tests for asset and ghostScriptTags helpers - added cache-control checks to route tests
2013-12-31 03:13:25 +04:00
return function cacheControlHeaders(req, res, next) {
if (output) {
res.set({'Cache-Control': output});
}
next();
};
Move middleware functions into middleware module and create associated tests Note: this only moves middleware functions that have associated tests.
2013-11-05 09:41:36 +04:00
},
// ### whenEnabled Middleware
// Selectively use middleware
// From https://github.com/senchalabs/connect/issues/676#issuecomment-9569658
whenEnabled: function (setting, fn) {
return function settingEnabled(req, res, next) {
Remove ghost.js fixes #1575 - Moves most code that was in ghost.js into ./core/server/index.js - Creates ./core/server/config/theme.js to hold all theme configurations (which previously lived on ghost.blogGlobals()) - Removed ghost.server, passing it in as an argument where needed and allowing middleware to hold onto a reference for lazy use.
2013-12-06 18:13:15 +04:00
// Set from server/middleware/index.js for now
if (expressServer.enabled(setting)) {
Move middleware functions into middleware module and create associated tests Note: this only moves middleware functions that have associated tests.
2013-11-05 09:41:36 +04:00
fn(req, res, next);
} else {
next();
}
};
},
Create the config module, initially used to standardise getting paths and absolute URLs. Easy to extend for other configurations we may need.
2013-11-20 17:58:52 +04:00
staticTheme: function () {
Lock down theme static directory to not serve templates, markdown and text files. closes #942 - insert custom middleware to check for blacklisted files - redirect to express.static if file accepted - if not valid return next() to do nothing - currently black listing .hbs, .txt, .md and .json - debatable which is best, black list or white list, either one will probably need tweaks but erred on side of letting a theme serve unknown types
2013-10-05 14:17:08 +04:00
return function blackListStatic(req, res, next) {
if (isBlackListedFileType(req.url)) {
return next();
}
Create the config module, initially used to standardise getting paths and absolute URLs. Easy to extend for other configurations we may need.
2013-11-20 17:58:52 +04:00
return middleware.forwardToExpressStatic(req, res, next);
Lock down theme static directory to not serve templates, markdown and text files. closes #942 - insert custom middleware to check for blacklisted files - redirect to express.static if file accepted - if not valid return next() to do nothing - currently black listing .hbs, .txt, .md and .json - debatable which is best, black list or white list, either one will probably need tweaks but erred on side of letting a theme serve unknown types
2013-10-05 14:17:08 +04:00
};
},
// to allow unit testing
Create the config module, initially used to standardise getting paths and absolute URLs. Easy to extend for other configurations we may need.
2013-11-20 17:58:52 +04:00
forwardToExpressStatic: function (req, res, next) {
Refactor API arguments closes #2610, refs #2697 - cleanup API index.js, and add docs - all API methods take consistent arguments: object & options - browse, read, destroy take options, edit and add take object and options - the context is passed as part of options, meaning no more .call everywhere - destroy expects an object, rather than an id all the way down to the model layer - route params such as :id, :slug, and :key are passed as an option & used to perform reads, updates and deletes where possible - settings / themes may need work here still - HTTP posts api can find a post by slug - Add API utils for checkData
2014-05-08 16:41:19 +04:00
api.settings.read({context: {internal: true}, key: 'activeTheme'}).then(function (response) {
Settings API Primary Document refactor Closes #2606 - Refactor settings api responses to { settings: [ ] } format - Update all code using api.settings to handle new response format - Update test stubs to return new format - Update client site settings model to parse new format into one object of key/value pairs - Refactor to include all setting values - Remove unused settingsCollection method - Update settingsCache to store all attributes - Update settingsResult to send all attributes - Remove unnecessary when() wraps - Reject if editing a setting that doesn't exist - Reject earlier if setting key is empty - Update tests with new error messages - Use setting.add instead of edit that was incorrectly adding - Update importer to properly import activePlugins and installedPlugins - Update expected setting result fields - Fix a weird situation where hasOwnProperty didn't exist :shrug:
2014-04-28 03:28:50 +04:00
var activeTheme = response.settings[0];
Make cache max-age on theme assets one year. closes #2790 - Added one year in ms var. - refs: #2447
2014-05-22 07:56:25 +04:00
express['static'](path.join(config().paths.themePath, activeTheme.value), {maxAge: ONE_YEAR_MS})(req, res, next);
remove ghost.settings and ghost.notifications covers 90% of #755 - moved ghost.settings to api.settings - moved ghost.notifications to api.notifications - split up api/index.js to notifications.js, posts.js, settings.js, tags.js and users.js - added instance.globals as temp workaround for blogglobals (Known issue: blog title and blog description are updated after restart only) - added webroot to config() to remove `var root = ...` - changed `e` and `url` helper to async - updated tests
2013-12-06 12:51:35 +04:00
});
Remove cookie from Frontend closes #1437 closes #1472 - changed cookie to path:'/ghost' - added conditional CSRF middleware - added redirects for signup, signin, signout to /ghost/sign*/
2013-11-26 13:38:54 +04:00
},
conditionalCSRF: function (req, res, next) {
// CSRF is needed for admin only
if (res.isAdmin) {
Upgrade to Express 4.0 no related issue - Updates package.json packages, adding express middleware packages that have been broken into their own modules - Updates controllers/frontend.js to use the new Layer object that Express 4.0 has. Requires some monkey-patching as the Layer object isn't explicitly surfaced, however it should be safe to do. - Moved the setup of routes into middleware/index.js because they need to be added as a middleware function before the 404 and 500 handlers. This is no longer possible with the old app.use(app.router) as that has been removed. - Cleaned up middleware/index.js to make it compatible with Express 4.0. - Simplified the way themes are activated and enabled when they are activated. The new handling is simpler, yet should still cover all the use cases that previously existed. - The entire flow of activating a theme through middleware should be a little more centralized, letting it be easier to read and maintain. - Moved every routes/*.js file to use an individual express.Router() instance.
2014-04-12 07:46:15 +04:00
csrf()(req, res, next);
Remove cookie from Frontend closes #1437 closes #1472 - changed cookie to path:'/ghost' - added conditional CSRF middleware - added redirects for signup, signin, signout to /ghost/sign*/
2013-11-26 13:38:54 +04:00
return;
}
next();
Switch from multipart to busboy Fixes #1227 - Removed deprecated `multipart` references. - Setup `busboy` to pass along file streams and do a naive parse of form values. - Updated logic in file storage and db import to handle file streams instead of the temporary files created by `multipart`.
2013-12-04 06:47:39 +04:00
},
busboy: busboy
Lock down theme static directory to not serve templates, markdown and text files. closes #942 - insert custom middleware to check for blacklisted files - redirect to express.static if file accepted - if not valid return next() to do nothing - currently black listing .hbs, .txt, .md and .json - debatable which is best, black list or white list, either one will probably need tweaks but erred on side of letting a theme serve unknown types
2013-10-05 14:17:08 +04:00
};
module.exports = middleware;
Make cache max-age on theme assets one year. closes #2790 - Added one year in ms var. - refs: #2447
2014-05-22 07:56:25 +04:00
module.exports.cacheServer = cacheServer;
Reference in New Issue Copy Permalink