Ghost/core/server/api/canary/webhooks.js

const models = require('../../models');
const {i18n} = require('../../lib/common');
const errors = require('@tryghost/errors');

module.exports = {
    docName: 'webhooks',

    add: {
        statusCode: 201,
        headers: {
            // NOTE: remove if there is ever a 'read' method
            location: false
        },
        options: [],
        data: [],
        permissions: true,
        async query(frame) {
            const isIntegrationRequest = frame.options.context && frame.options.context.integration && frame.options.context.integration.id;

            // NOTE: this check can be removed once `webhooks.integration_id` gets foreigh ke constraint (Ghost 4.0)
            if (!isIntegrationRequest && frame.data.webhooks[0].integration_id) {
                const integration = await models.Integration.findOne({id: frame.data.webhooks[0].integration_id}, {context: {internal: true}});

                if (!integration) {
                    throw new errors.ValidationError({
                        message: i18n.t('notices.data.validation.index.schemaValidationFailed', {
                            key: 'integration_id'
                        }),
                        context: i18n.t('errors.api.webhooks.nonExistingIntegrationIdProvided.context'),
                        help: i18n.t('errors.api.webhooks.nonExistingIntegrationIdProvided.help')
                    });
                }
            }

            const webhook = await models.Webhook.getByEventAndTarget(
                frame.data.webhooks[0].event,
                frame.data.webhooks[0].target_url,
                frame.options
            );

            if (webhook) {
                throw new errors.ValidationError({message: i18n.t('errors.api.webhooks.webhookAlreadyExists')});
            }

            return models.Webhook.add(frame.data.webhooks[0], frame.options);
        }
    },

    edit: {
        permissions: {
            before: (frame) => {
                if (frame.options.context && frame.options.context.integration && frame.options.context.integration.id) {
                    return models.Webhook.findOne({id: frame.options.id})
                        .then((webhook) => {
                            if (!webhook) {
                                throw new errors.NotFoundError({
                                    message: i18n.t('errors.api.resource.resourceNotFound', {
                                        resource: 'Webhook'
                                    })
                                });
                            }

                            if (webhook.get('integration_id') !== frame.options.context.integration.id) {
                                throw new errors.NoPermissionError({
                                    message: i18n.t('errors.api.webhooks.noPermissionToEdit.message', {
                                        method: 'edit'
                                    }),
                                    context: i18n.t('errors.api.webhooks.noPermissionToEdit.context', {
                                        method: 'edit'
                                    })
                                });
                            }
                        });
                }
            }
        },
        data: [
            'name',
            'event',
            'target_url',
            'secret',
            'api_version'
        ],
        options: [
            'id'
        ],
        validation: {
            options: {
                id: {
                    required: true
                }
            }
        },
        query({data, options}) {
            return models.Webhook.edit(data.webhooks[0], Object.assign(options, {require: true}))
                .catch(models.Webhook.NotFoundError, () => {
                    throw new errors.NotFoundError({
                        message: i18n.t('errors.api.resource.resourceNotFound', {
                            resource: 'Webhook'
                        })
                    });
                });
        }
    },

    destroy: {
        statusCode: 204,
        headers: {},
        options: [
            'id'
        ],
        validation: {
            options: {
                id: {
                    required: true
                }
            }
        },
        permissions: {
            before: (frame) => {
                if (frame.options.context && frame.options.context.integration && frame.options.context.integration.id) {
                    return models.Webhook.findOne({id: frame.options.id})
                        .then((webhook) => {
                            if (!webhook) {
                                throw new errors.NotFoundError({
                                    message: i18n.t('errors.api.resource.resourceNotFound', {
                                        resource: 'Webhook'
                                    })
                                });
                            }

                            if (webhook.get('integration_id') !== frame.options.context.integration.id) {
                                throw new errors.NoPermissionError({
                                    message: i18n.t('errors.api.webhooks.noPermissionToEdit.message', {
                                        method: 'destroy'
                                    }),
                                    context: i18n.t('errors.api.webhooks.noPermissionToEdit.context', {
                                        method: 'destroy'
                                    })
                                });
                            }
                        });
                }
            }
        },
        query(frame) {
            frame.options.require = true;

            return models.Webhook.destroy(frame.options)
                .then(() => null)
                .catch(models.Webhook.NotFoundError, () => {
                    return Promise.reject(new errors.NotFoundError({
                        message: i18n.t('errors.api.resource.resourceNotFound', {
                            resource: 'Webhook'
                        })
                    }));
                });
        }
    }
};
💡 Added canary api endpoint no issue Adds new canary api endpoint, currently replicating v2 endpoint but paving way for future updates to new version 2019-08-09 17:11:24 +03:00			`const models = require('../../models');`
Refactored `common` lib import to use destructuring (#11835) * refactored `core/frontend/apps` to destructure common imports * refactored `core/frontend/services/{apps, redirects, routing}` to destructure common imports * refactored `core/frontend/services/settings` to destructure common imports * refactored remaining `core/frontend/services` to destructure common imports * refactored `core/server/adapters` to destructure common imports * refactored `core/server/data/{db, exporter, schema, validation}` to destructure common imports * refactored `core/server/data/importer` to destructure common imports * refactored `core/server/models/{base, plugins, relations}` to destructure common imports * refactored remaining `core/server/models` to destructure common imports * refactored `core/server/api/canary/utils/serializers/output` to destructure common imports * refactored remaining `core/server/api/canary/utils` to destructure common imports * refactored remaining `core/server/api/canary` to destructure common imports * refactored `core/server/api/shared` to destructure common imports * refactored `core/server/api/v2/utils` to destructure common imports * refactored remaining `core/server/api/v2` to destructure common imports * refactored `core/frontend/meta` to destructure common imports * fixed some tests referencing `common.errors` instead of `@tryghost/errors` - Not all of them need to be updated; only updating the ones that are causing failures * fixed errors import being shadowed by local scope 2020-05-22 21:22:20 +03:00			`const {i18n} = require('../../lib/common');`
			`const errors = require('@tryghost/errors');`
💡 Added canary api endpoint no issue Adds new canary api endpoint, currently replicating v2 endpoint but paving way for future updates to new version 2019-08-09 17:11:24 +03:00
			`module.exports = {`
			`docName: 'webhooks',`

			`add: {`
			`statusCode: 201,`
✨ Added Location header to API's POST request responses (#12186) refs #2635 - Adds 'Location' header to endpoints which create new resources and have corresponding `GET` endpoint as speced in JSON API - https://jsonapi.org/format/#crud-creating-responses-201. Specifically: /posts/ /pages/ /integrations/ /tags/ /members/ /labels/ /notifications/ /invites/ - Adding the header should allow for better resource discoverability and improved logging readability - Added `url` property to the frame constructor. Data in `url` should give enough information to later build up the `Location` header URL for created resource. - Added Location header to headers handler. The Location value is built up from a combination of request URL and the id that is present in the response for the resource. The header is automatically added to requests coming to `add` controller methods which return `id` property in the frame result - Excluded Webhooks API as there is no "GET" endpoint available to fetch the resource 2020-09-14 13:33:37 +03:00			`headers: {`
			`// NOTE: remove if there is ever a 'read' method`
			`location: false`
			`},`
💡 Added canary api endpoint no issue Adds new canary api endpoint, currently replicating v2 endpoint but paving way for future updates to new version 2019-08-09 17:11:24 +03:00			`options: [],`
			`data: [],`
			`permissions: true,`
Added check for parent integration_id when creating a webhook refs https://github.com/TryGhost/Ghost/issues/12033 refs https://github.com/TryGhost/Ghost/issues/10567 - Creating a webhook without valid parent integration leads to orphaned webhook records, which shoult not ever happen - This scenario is only possible for non-integration authentication, because in case of integration being authenticated it's id is automatically assigned to creatd webhook 2020-09-24 04:55:25 +03:00			`async query(frame) {`
			`const isIntegrationRequest = frame.options.context && frame.options.context.integration && frame.options.context.integration.id;`

			// NOTE: this check can be removed once `webhooks.integration_id` gets foreigh ke constraint (Ghost 4.0)
			`if (!isIntegrationRequest && frame.data.webhooks[0].integration_id) {`
			`const integration = await models.Integration.findOne({id: frame.data.webhooks[0].integration_id}, {context: {internal: true}});`

			`if (!integration) {`
			`throw new errors.ValidationError({`
			`message: i18n.t('notices.data.validation.index.schemaValidationFailed', {`
			`key: 'integration_id'`
			`}),`
			`context: i18n.t('errors.api.webhooks.nonExistingIntegrationIdProvided.context'),`
			`help: i18n.t('errors.api.webhooks.nonExistingIntegrationIdProvided.help')`
			`});`
			`}`
			`}`

			`const webhook = await models.Webhook.getByEventAndTarget(`
💡 Added canary api endpoint no issue Adds new canary api endpoint, currently replicating v2 endpoint but paving way for future updates to new version 2019-08-09 17:11:24 +03:00			`frame.data.webhooks[0].event,`
			`frame.data.webhooks[0].target_url,`
			`frame.options`
Added check for parent integration_id when creating a webhook refs https://github.com/TryGhost/Ghost/issues/12033 refs https://github.com/TryGhost/Ghost/issues/10567 - Creating a webhook without valid parent integration leads to orphaned webhook records, which shoult not ever happen - This scenario is only possible for non-integration authentication, because in case of integration being authenticated it's id is automatically assigned to creatd webhook 2020-09-24 04:55:25 +03:00			`);`

			`if (webhook) {`
			`throw new errors.ValidationError({message: i18n.t('errors.api.webhooks.webhookAlreadyExists')});`
			`}`
💡 Added canary api endpoint no issue Adds new canary api endpoint, currently replicating v2 endpoint but paving way for future updates to new version 2019-08-09 17:11:24 +03:00
Added check for parent integration_id when creating a webhook refs https://github.com/TryGhost/Ghost/issues/12033 refs https://github.com/TryGhost/Ghost/issues/10567 - Creating a webhook without valid parent integration leads to orphaned webhook records, which shoult not ever happen - This scenario is only possible for non-integration authentication, because in case of integration being authenticated it's id is automatically assigned to creatd webhook 2020-09-24 04:55:25 +03:00			`return models.Webhook.add(frame.data.webhooks[0], frame.options);`
💡 Added canary api endpoint no issue Adds new canary api endpoint, currently replicating v2 endpoint but paving way for future updates to new version 2019-08-09 17:11:24 +03:00			`}`
			`},`

			`edit: {`
Fixed integration_id handling in Webhooks Admin API no issue - Changes introduced to both API v3 and v2 - Makes sure to use the same integration_id as authenticated integration for the webhook's data. - Makde it is impossible to create orphaned webhooks using token authentication - Allowed only parent integration to edit it's children webhooks. Throwing permission error otherwise 2020-07-08 07:54:31 +03:00			`permissions: {`
			`before: (frame) => {`
Fixed integration_id assignment for webhook when creating through API key auth refs 173e3292fadb4760a82a8944c41b5e40bcb21925 - The bug was initially introduced in referenced commit. When request is done with `api_key` context, there should always be an `integration` object associated with it - https://github.com/TryGhost/Ghost/blob/71c17539d816479e532685c06701d1ec2bd8cde5/core/server/services/permissions/parse-context.js#L36 . An `id` from `context.integration` not `context.api_key` has to be assigned to newly created webhook! - The webhooks API is about to be declared stable in upcoming release, so no migration will be done 2020-08-04 07:43:24 +03:00			`if (frame.options.context && frame.options.context.integration && frame.options.context.integration.id) {`
Fixed integration_id handling in Webhooks Admin API no issue - Changes introduced to both API v3 and v2 - Makes sure to use the same integration_id as authenticated integration for the webhook's data. - Makde it is impossible to create orphaned webhooks using token authentication - Allowed only parent integration to edit it's children webhooks. Throwing permission error otherwise 2020-07-08 07:54:31 +03:00			`return models.Webhook.findOne({id: frame.options.id})`
			`.then((webhook) => {`
🐛 Fixed 500 error in webhooks API when modifying non-existing webhooks closes #12064 - Handled permission check bug by returning 404, same way it is returned in other permissions related places when handling non-existing resource. Example - https://github.com/TryGhost/Ghost/blob/60907a7ae430647a6b639e57419c78ad7daf56f5/core/server/models/relations/authors.js#L355-L358 2020-08-03 14:08:47 +03:00			`if (!webhook) {`
			`throw new errors.NotFoundError({`
			`message: i18n.t('errors.api.resource.resourceNotFound', {`
			`resource: 'Webhook'`
			`})`
			`});`
			`}`

Fixed integration_id assignment for webhook when creating through API key auth refs 173e3292fadb4760a82a8944c41b5e40bcb21925 - The bug was initially introduced in referenced commit. When request is done with `api_key` context, there should always be an `integration` object associated with it - https://github.com/TryGhost/Ghost/blob/71c17539d816479e532685c06701d1ec2bd8cde5/core/server/services/permissions/parse-context.js#L36 . An `id` from `context.integration` not `context.api_key` has to be assigned to newly created webhook! - The webhooks API is about to be declared stable in upcoming release, so no migration will be done 2020-08-04 07:43:24 +03:00			`if (webhook.get('integration_id') !== frame.options.context.integration.id) {`
Fixed integration_id handling in Webhooks Admin API no issue - Changes introduced to both API v3 and v2 - Makes sure to use the same integration_id as authenticated integration for the webhook's data. - Makde it is impossible to create orphaned webhooks using token authentication - Allowed only parent integration to edit it's children webhooks. Throwing permission error otherwise 2020-07-08 07:54:31 +03:00			`throw new errors.NoPermissionError({`
			`message: i18n.t('errors.api.webhooks.noPermissionToEdit.message', {`
			`method: 'edit'`
			`}),`
			`context: i18n.t('errors.api.webhooks.noPermissionToEdit.context', {`
			`method: 'edit'`
			`})`
			`});`
			`}`
			`});`
			`}`
			`}`
			`},`
💡 Added canary api endpoint no issue Adds new canary api endpoint, currently replicating v2 endpoint but paving way for future updates to new version 2019-08-09 17:11:24 +03:00			`data: [`
			`'name',`
			`'event',`
			`'target_url',`
			`'secret',`
			`'api_version'`
			`],`
			`options: [`
			`'id'`
			`],`
			`validation: {`
			`options: {`
			`id: {`
			`required: true`
			`}`
			`}`
			`},`
			`query({data, options}) {`
			`return models.Webhook.edit(data.webhooks[0], Object.assign(options, {require: true}))`
			`.catch(models.Webhook.NotFoundError, () => {`
Refactored `common` lib import to use destructuring (#11835) * refactored `core/frontend/apps` to destructure common imports * refactored `core/frontend/services/{apps, redirects, routing}` to destructure common imports * refactored `core/frontend/services/settings` to destructure common imports * refactored remaining `core/frontend/services` to destructure common imports * refactored `core/server/adapters` to destructure common imports * refactored `core/server/data/{db, exporter, schema, validation}` to destructure common imports * refactored `core/server/data/importer` to destructure common imports * refactored `core/server/models/{base, plugins, relations}` to destructure common imports * refactored remaining `core/server/models` to destructure common imports * refactored `core/server/api/canary/utils/serializers/output` to destructure common imports * refactored remaining `core/server/api/canary/utils` to destructure common imports * refactored remaining `core/server/api/canary` to destructure common imports * refactored `core/server/api/shared` to destructure common imports * refactored `core/server/api/v2/utils` to destructure common imports * refactored remaining `core/server/api/v2` to destructure common imports * refactored `core/frontend/meta` to destructure common imports * fixed some tests referencing `common.errors` instead of `@tryghost/errors` - Not all of them need to be updated; only updating the ones that are causing failures * fixed errors import being shadowed by local scope 2020-05-22 21:22:20 +03:00			`throw new errors.NotFoundError({`
			`message: i18n.t('errors.api.resource.resourceNotFound', {`
💡 Added canary api endpoint no issue Adds new canary api endpoint, currently replicating v2 endpoint but paving way for future updates to new version 2019-08-09 17:11:24 +03:00			`resource: 'Webhook'`
			`})`
			`});`
			`});`
			`}`
			`},`

			`destroy: {`
			`statusCode: 204,`
			`headers: {},`
			`options: [`
			`'id'`
			`],`
			`validation: {`
			`options: {`
			`id: {`
			`required: true`
			`}`
			`}`
			`},`
Fixed integration_id handling in Webhooks Admin API no issue - Changes introduced to both API v3 and v2 - Makes sure to use the same integration_id as authenticated integration for the webhook's data. - Makde it is impossible to create orphaned webhooks using token authentication - Allowed only parent integration to edit it's children webhooks. Throwing permission error otherwise 2020-07-08 07:54:31 +03:00			`permissions: {`
			`before: (frame) => {`
Fixed integration_id assignment for webhook when creating through API key auth refs 173e3292fadb4760a82a8944c41b5e40bcb21925 - The bug was initially introduced in referenced commit. When request is done with `api_key` context, there should always be an `integration` object associated with it - https://github.com/TryGhost/Ghost/blob/71c17539d816479e532685c06701d1ec2bd8cde5/core/server/services/permissions/parse-context.js#L36 . An `id` from `context.integration` not `context.api_key` has to be assigned to newly created webhook! - The webhooks API is about to be declared stable in upcoming release, so no migration will be done 2020-08-04 07:43:24 +03:00			`if (frame.options.context && frame.options.context.integration && frame.options.context.integration.id) {`
Fixed integration_id handling in Webhooks Admin API no issue - Changes introduced to both API v3 and v2 - Makes sure to use the same integration_id as authenticated integration for the webhook's data. - Makde it is impossible to create orphaned webhooks using token authentication - Allowed only parent integration to edit it's children webhooks. Throwing permission error otherwise 2020-07-08 07:54:31 +03:00			`return models.Webhook.findOne({id: frame.options.id})`
			`.then((webhook) => {`
🐛 Fixed 500 error in webhooks API when modifying non-existing webhooks closes #12064 - Handled permission check bug by returning 404, same way it is returned in other permissions related places when handling non-existing resource. Example - https://github.com/TryGhost/Ghost/blob/60907a7ae430647a6b639e57419c78ad7daf56f5/core/server/models/relations/authors.js#L355-L358 2020-08-03 14:08:47 +03:00			`if (!webhook) {`
			`throw new errors.NotFoundError({`
			`message: i18n.t('errors.api.resource.resourceNotFound', {`
			`resource: 'Webhook'`
			`})`
			`});`
			`}`

Fixed integration_id assignment for webhook when creating through API key auth refs 173e3292fadb4760a82a8944c41b5e40bcb21925 - The bug was initially introduced in referenced commit. When request is done with `api_key` context, there should always be an `integration` object associated with it - https://github.com/TryGhost/Ghost/blob/71c17539d816479e532685c06701d1ec2bd8cde5/core/server/services/permissions/parse-context.js#L36 . An `id` from `context.integration` not `context.api_key` has to be assigned to newly created webhook! - The webhooks API is about to be declared stable in upcoming release, so no migration will be done 2020-08-04 07:43:24 +03:00			`if (webhook.get('integration_id') !== frame.options.context.integration.id) {`
Fixed integration_id handling in Webhooks Admin API no issue - Changes introduced to both API v3 and v2 - Makes sure to use the same integration_id as authenticated integration for the webhook's data. - Makde it is impossible to create orphaned webhooks using token authentication - Allowed only parent integration to edit it's children webhooks. Throwing permission error otherwise 2020-07-08 07:54:31 +03:00			`throw new errors.NoPermissionError({`
			`message: i18n.t('errors.api.webhooks.noPermissionToEdit.message', {`
Fixed typos in webhook error message no issue 2020-07-20 11:05:56 +03:00			`method: 'destroy'`
Fixed integration_id handling in Webhooks Admin API no issue - Changes introduced to both API v3 and v2 - Makes sure to use the same integration_id as authenticated integration for the webhook's data. - Makde it is impossible to create orphaned webhooks using token authentication - Allowed only parent integration to edit it's children webhooks. Throwing permission error otherwise 2020-07-08 07:54:31 +03:00			`}),`
			`context: i18n.t('errors.api.webhooks.noPermissionToEdit.context', {`
			`method: 'destroy'`
			`})`
			`});`
			`}`
			`});`
			`}`
			`}`
			`},`
💡 Added canary api endpoint no issue Adds new canary api endpoint, currently replicating v2 endpoint but paving way for future updates to new version 2019-08-09 17:11:24 +03:00			`query(frame) {`
			`frame.options.require = true;`
Fixed 500 error when deleting items that don't exist fixes #11723 - when deleting an invite/label/tag/webhook that doesn't exist, Ghost would throw a 500 error - this commit catches the NotFoundError - also rejects from model if nothing was found - spotted in Sentry 2020-04-13 13:21:47 +03:00
			`return models.Webhook.destroy(frame.options)`
			`.then(() => null)`
			`.catch(models.Webhook.NotFoundError, () => {`
Refactored `common` lib import to use destructuring (#11835) * refactored `core/frontend/apps` to destructure common imports * refactored `core/frontend/services/{apps, redirects, routing}` to destructure common imports * refactored `core/frontend/services/settings` to destructure common imports * refactored remaining `core/frontend/services` to destructure common imports * refactored `core/server/adapters` to destructure common imports * refactored `core/server/data/{db, exporter, schema, validation}` to destructure common imports * refactored `core/server/data/importer` to destructure common imports * refactored `core/server/models/{base, plugins, relations}` to destructure common imports * refactored remaining `core/server/models` to destructure common imports * refactored `core/server/api/canary/utils/serializers/output` to destructure common imports * refactored remaining `core/server/api/canary/utils` to destructure common imports * refactored remaining `core/server/api/canary` to destructure common imports * refactored `core/server/api/shared` to destructure common imports * refactored `core/server/api/v2/utils` to destructure common imports * refactored remaining `core/server/api/v2` to destructure common imports * refactored `core/frontend/meta` to destructure common imports * fixed some tests referencing `common.errors` instead of `@tryghost/errors` - Not all of them need to be updated; only updating the ones that are causing failures * fixed errors import being shadowed by local scope 2020-05-22 21:22:20 +03:00			`return Promise.reject(new errors.NotFoundError({`
			`message: i18n.t('errors.api.resource.resourceNotFound', {`
Fixed 500 error when deleting items that don't exist fixes #11723 - when deleting an invite/label/tag/webhook that doesn't exist, Ghost would throw a 500 error - this commit catches the NotFoundError - also rejects from model if nothing was found - spotted in Sentry 2020-04-13 13:21:47 +03:00			`resource: 'Webhook'`
			`})`
			`}));`
			`});`
💡 Added canary api endpoint no issue Adds new canary api endpoint, currently replicating v2 endpoint but paving way for future updates to new version 2019-08-09 17:11:24 +03:00			`}`
			`}`
			`};`