TryGhost/Ghost
1
0
Fork 0
mirror of https://github.com/TryGhost/Ghost.git synced 2024-12-15 11:34:24 +03:00
Code Issues Projects Releases Wiki Activity
68f32772d2
Ghost/core/server/middleware/middleware.js

338 lines
12 KiB
JavaScript
Raw Normal View History

Putting back relative redirects issue #1523 - also added some comments to indicate the difference between the two custom middleware files.
2013-11-26 00:31:18 +04:00
// # Custom Middleware
// The following custom middleware functions are all unit testable, and have accompanying unit tests in
// middleware_spec.js
Lock down theme static directory to not serve templates, markdown and text files. closes #942 - insert custom middleware to check for blacklisted files - redirect to express.static if file accepted - if not valid return next() to do nothing - currently black listing .hbs, .txt, .md and .json - debatable which is best, black list or white list, either one will probably need tweaks but erred on side of letting a theme serve unknown types
2013-10-05 14:17:08 +04:00
Replace underscore with lodash.
2014-02-05 12:40:30 +04:00
var _ = require('lodash'),
Move middleware functions into middleware module and create associated tests Note: this only moves middleware functions that have associated tests.
2013-11-05 09:41:36 +04:00
express = require('express'),
Switch from multipart to busboy Fixes #1227 - Removed deprecated `multipart` references. - Setup `busboy` to pass along file streams and do a naive parse of form values. - Updated logic in file storage and db import to handle file streams instead of the temporary files created by `multipart`.
2013-12-04 06:47:39 +04:00
busboy = require('./ghost-busboy'),
Create the config module, initially used to standardise getting paths and absolute URLs. Easy to extend for other configurations we may need.
2013-11-20 17:58:52 +04:00
config = require('../config'),
Move middleware functions into middleware module and create associated tests Note: this only moves middleware functions that have associated tests.
2013-11-05 09:41:36 +04:00
path = require('path'),
remove ghost.settings and ghost.notifications covers 90% of #755 - moved ghost.settings to api.settings - moved ghost.notifications to api.notifications - split up api/index.js to notifications.js, posts.js, settings.js, tags.js and users.js - added instance.globals as temp workaround for blogglobals (Known issue: blog title and blog description are updated after restart only) - added webroot to config() to remove `var root = ...` - changed `e` and `url` helper to async - updated tests
2013-12-06 12:51:35 +04:00
api = require('../api'),
oAuth closes #2759 closes #3027 - added oauth2orize library for server side oAuth handling - added ember-simple-auth library for admin oAuth handling - added tables for client, accesstoken and refreshtoken - implemented RFC6749 4.3 Ressouce Owner Password Credentials Grant - updated api tests with oAuth - removed session, authentication is now token based Known issues: - Restore spam prevention #3128 - Signin after Signup #3125 - Signin validation #3125 **Attention** - oldClient doesn't work with this PR anymore, session authentication was removed
2014-06-30 16:58:10 +04:00
passport = require('passport'),
Restored spam prevention closes #3128 - added spam prevention middleware - restored tests
2014-07-17 16:22:07 +04:00
errors = require('../errors'),
Refactor: Make checkSSL unit-testable and add unit tests for it. - Code was moved to core/server/middleware/middleware.js, which is the home for unit-testable middleware. - Functional code coverage for this code also exists at: test/functional/routes/admin_test.js
2015-01-18 21:44:50 +03:00
url = require('url'),
Change refresh token expiry no issue - acquiring a new access token using a refresh token sets the expiration time of the refresh token to now + 24 hrs. - moved all occurrences of ONE_HOUR, ONE_DAY and ONE_YEAR to `core/server/utils`
2014-07-28 17:19:49 +04:00
utils = require('../utils'),
Cache control headers & query string asset management closes #1470 issue #1405 - added cache control middleware - added defaults for all routes, assets, etc - updated asset helper to add a query string with a timestamp hash to all assets - added unit tests for asset and ghostScriptTags helpers - added cache-control checks to route tests
2013-12-31 03:13:25 +04:00
Add jscs task to grunt file and clean up files to adhere to jscs rules. resolves #1920 - updates all files to conform to style settings.
2014-09-10 08:06:24 +04:00
middleware,
Naming cleanup closes #4069 - Rename everything from camelCase to lowercase + dashes - Remove usage of `server`, `app` and `instance`
2014-09-19 20:17:58 +04:00
blogApp,
oAuth closes #2759 closes #3027 - added oauth2orize library for server side oAuth handling - added ember-simple-auth library for admin oAuth handling - added tables for client, accesstoken and refreshtoken - implemented RFC6749 4.3 Ressouce Owner Password Credentials Grant - updated api tests with oAuth - removed session, authentication is now token based Known issues: - Restore spam prevention #3128 - Signin after Signup #3125 - Signin validation #3125 **Attention** - oldClient doesn't work with this PR anymore, session authentication was removed
2014-06-30 16:58:10 +04:00
oauthServer,
Improve spam prevention closes #3544 - limit forgotten password requests to five requests per IP per hour for different email addresses - limit forgotten password requests to five requests per email address - limit signin requests to ten failed requests per IP per hour - removed special treatment for tests
2014-08-05 14:58:58 +04:00
loginSecurity = [],
forgottenSecurity = [];
Lock down theme static directory to not serve templates, markdown and text files. closes #942 - insert custom middleware to check for blacklisted files - redirect to express.static if file accepted - if not valid return next() to do nothing - currently black listing .hbs, .txt, .md and .json - debatable which is best, black list or white list, either one will probably need tweaks but erred on side of letting a theme serve unknown types
2013-10-05 14:17:08 +04:00
function isBlackListedFileType(file) {
Remove .txt from blacklist. fixes #1263
2013-10-25 02:55:51 +04:00
var blackListedFileTypes = ['.hbs', '.md', '.json'],
Lock down theme static directory to not serve templates, markdown and text files. closes #942 - insert custom middleware to check for blacklisted files - redirect to express.static if file accepted - if not valid return next() to do nothing - currently black listing .hbs, .txt, .md and .json - debatable which is best, black list or white list, either one will probably need tweaks but erred on side of letting a theme serve unknown types
2013-10-05 14:17:08 +04:00
ext = path.extname(file);
return _.contains(blackListedFileTypes, ext);
}
Naming cleanup closes #4069 - Rename everything from camelCase to lowercase + dashes - Remove usage of `server`, `app` and `instance`
2014-09-19 20:17:58 +04:00
function cacheBlogApp(app) {
blogApp = app;
Remove ghost.js fixes #1575 - Moves most code that was in ghost.js into ./core/server/index.js - Creates ./core/server/config/theme.js to hold all theme configurations (which previously lived on ghost.blogGlobals()) - Removed ghost.server, passing it in as an argument where needed and allowing middleware to hold onto a reference for lazy use.
2013-12-06 18:13:15 +04:00
}
oAuth closes #2759 closes #3027 - added oauth2orize library for server side oAuth handling - added ember-simple-auth library for admin oAuth handling - added tables for client, accesstoken and refreshtoken - implemented RFC6749 4.3 Ressouce Owner Password Credentials Grant - updated api tests with oAuth - removed session, authentication is now token based Known issues: - Restore spam prevention #3128 - Signin after Signup #3125 - Signin validation #3125 **Attention** - oldClient doesn't work with this PR anymore, session authentication was removed
2014-06-30 16:58:10 +04:00
function cacheOauthServer(server) {
oauthServer = server;
}
Refactor: Make checkSSL unit-testable and add unit tests for it. - Code was moved to core/server/middleware/middleware.js, which is the home for unit-testable middleware. - Functional code coverage for this code also exists at: test/functional/routes/admin_test.js
2015-01-18 21:44:50 +03:00
function isSSLrequired(isAdmin, configUrl, forceAdminSSL) {
var forceSSL = url.parse(configUrl).protocol === 'https:' ? true : false;
if (forceSSL || (isAdmin && forceAdminSSL)) {
return true;
}
return false;
}
// The guts of checkSSL. Indicate forbidden or redirect according to configuration.
// Required args: forceAdminSSL, url and urlSSL should be passed from config. reqURL from req.url
function sslForbiddenOrRedirect(opt) {
var forceAdminSSL = opt.forceAdminSSL,
reqUrl = opt.reqUrl, // expected to be relative-to-root
baseUrl = url.parse(opt.configUrlSSL || opt.configUrl),
response = {
// Check if forceAdminSSL: { redirect: false } is set, which means
// we should just deny non-SSL access rather than redirect
isForbidden: (forceAdminSSL && forceAdminSSL.redirect !== undefined && !forceAdminSSL.redirect),
// Append the request path to the base configuration path, trimming out a double "//"
redirectPathname: function () {
var pathname = baseUrl.path;
if (reqUrl[0] === '/' && pathname[pathname.length - 1] === '/') {
pathname += reqUrl.slice(1);
} else {
pathname += reqUrl;
}
return pathname;
},
redirectUrl: function (query) {
return url.format({
protocol: 'https:',
hostname: baseUrl.hostname,
port: baseUrl.port,
pathname: this.redirectPathname(),
query: query
});
}
};
return response;
}
Add jscs task to grunt file and clean up files to adhere to jscs rules. resolves #1920 - updates all files to conform to style settings.
2014-09-10 08:06:24 +04:00
middleware = {
Lock down theme static directory to not serve templates, markdown and text files. closes #942 - insert custom middleware to check for blacklisted files - redirect to express.static if file accepted - if not valid return next() to do nothing - currently black listing .hbs, .txt, .md and .json - debatable which is best, black list or white list, either one will probably need tweaks but erred on side of letting a theme serve unknown types
2013-10-05 14:17:08 +04:00
Make session expiry less arsey closes #2171 - added authentication middleware - removed authentication from routes - moved authentication before CSRF validation - moved caching rules before authentication - changed/added test
2014-02-14 14:00:11 +04:00
// ### Authenticate Middleware
/ghost/reset/* should not redirect to signin fixes #2257
2014-02-25 14:20:32 +04:00
// authentication has to be done for /ghost/* routes with
Make session expiry less arsey closes #2171 - added authentication middleware - removed authentication from routes - moved authentication before CSRF validation - moved caching rules before authentication - changed/added test
2014-02-14 14:00:11 +04:00
// exceptions for signin, signout, signup, forgotten, reset only
// api and frontend use different authentication mechanisms atm
authenticate: function (req, res, next) {
Replace the old admin with the ember admin closes #3056 - Remove clientold - Remove clientold tests - Cleanup old admin helpers - Remove old routes from admin and controllers from admin controller - Comment out / remove old and broken tests - Cleanup Gruntfile.js, bower.js, package.json etc Still TODO: - cleanup / add removed tests - do we still need countable?
2014-07-01 03:26:08 +04:00
var path,
/ghost/reset/* should not redirect to signin fixes #2257
2014-02-25 14:20:32 +04:00
subPath;
// SubPath is the url path starting after any default subdirectories
// it is stripped of anything after the two levels `/ghost/.*?/` as the reset link has an argument
Makes the Ghost application more express middleware friendly. refs #827 - Moves ./index to use Ghost in a similar manner to how someone uses Ghost as an npm module. - Allows Ghost to be cleanly mounted on another express application on any arbitrary endpoint, all you need to customize is the mount path.
2014-08-24 00:42:44 +04:00
path = req.path;
/ghost/reset/* should not redirect to signin fixes #2257
2014-02-25 14:20:32 +04:00
/*jslint regexp:true, unparam:true*/
User API changes closes #2822 - added destroy user method - added remove user permission - added API end point for get reset token - added API end point for reset password - added API end point for change password
2014-06-20 13:15:01 +04:00
subPath = path.replace(/^(\/.*?\/.*?\/)(.*)?/, function (match, a) {
/ghost/reset/* should not redirect to signin fixes #2257
2014-02-25 14:20:32 +04:00
return a;
});
Have /ghost use its own express instance closes #1961 - Refactor admin to use its own express instance - Refactor middlewares to work with /ghost mounted admin express instance
2014-09-17 01:02:31 +04:00
if (subPath.indexOf('/ghost/api/') === 0
&& path.indexOf('/ghost/api/v0.1/authentication/') !== 0) {
return passport.authenticate('bearer', {session: false, failWithError: true},
function (err, user, info) {
if (err) {
return next(err); // will generate a 500 error
oAuth closes #2759 closes #3027 - added oauth2orize library for server side oAuth handling - added ember-simple-auth library for admin oAuth handling - added tables for client, accesstoken and refreshtoken - implemented RFC6749 4.3 Ressouce Owner Password Credentials Grant - updated api tests with oAuth - removed session, authentication is now token based Known issues: - Restore spam prevention #3128 - Signin after Signup #3125 - Signin validation #3125 **Attention** - oldClient doesn't work with this PR anymore, session authentication was removed
2014-06-30 16:58:10 +04:00
}
Have /ghost use its own express instance closes #1961 - Refactor admin to use its own express instance - Refactor middlewares to work with /ghost mounted admin express instance
2014-09-17 01:02:31 +04:00
// Generate a JSON response reflecting authentication status
if (!user) {
var msg = {
type: 'error',
message: 'Please Sign In',
status: 'passive'
};
res.status(401);
return res.send(msg);
}
// TODO: figure out, why user & authInfo is lost
req.authInfo = info;
req.user = user;
return next(null, user, info);
}
)(req, res, next);
Make session expiry less arsey closes #2171 - added authentication middleware - removed authentication from routes - moved authentication before CSRF validation - moved caching rules before authentication - changed/added test
2014-02-14 14:00:11 +04:00
}
next();
},
Cache control headers & query string asset management closes #1470 issue #1405 - added cache control middleware - added defaults for all routes, assets, etc - updated asset helper to add a query string with a timestamp hash to all assets - added unit tests for asset and ghostScriptTags helpers - added cache-control checks to route tests
2013-12-31 03:13:25 +04:00
// ### CacheControl Middleware
// provide sensible cache control headers
cacheControl: function (options) {
Move middleware functions into middleware module and create associated tests Note: this only moves middleware functions that have associated tests.
2013-11-05 09:41:36 +04:00
/*jslint unparam:true*/
Cache control headers & query string asset management closes #1470 issue #1405 - added cache control middleware - added defaults for all routes, assets, etc - updated asset helper to add a query string with a timestamp hash to all assets - added unit tests for asset and ghostScriptTags helpers - added cache-control checks to route tests
2013-12-31 03:13:25 +04:00
var profiles = {
Add jscs task to grunt file and clean up files to adhere to jscs rules. resolves #1920 - updates all files to conform to style settings.
2014-09-10 08:06:24 +04:00
public: 'public, max-age=0',
private: 'no-cache, private, no-store, must-revalidate, max-stale=0, post-check=0, pre-check=0'
Cache control headers & query string asset management closes #1470 issue #1405 - added cache control middleware - added defaults for all routes, assets, etc - updated asset helper to add a query string with a timestamp hash to all assets - added unit tests for asset and ghostScriptTags helpers - added cache-control checks to route tests
2013-12-31 03:13:25 +04:00
},
output;
if (_.isString(options) && profiles.hasOwnProperty(options)) {
output = profiles[options];
}
Move middleware functions into middleware module and create associated tests Note: this only moves middleware functions that have associated tests.
2013-11-05 09:41:36 +04:00
Cache control headers & query string asset management closes #1470 issue #1405 - added cache control middleware - added defaults for all routes, assets, etc - updated asset helper to add a query string with a timestamp hash to all assets - added unit tests for asset and ghostScriptTags helpers - added cache-control checks to route tests
2013-12-31 03:13:25 +04:00
return function cacheControlHeaders(req, res, next) {
if (output) {
res.set({'Cache-Control': output});
}
next();
};
Move middleware functions into middleware module and create associated tests Note: this only moves middleware functions that have associated tests.
2013-11-05 09:41:36 +04:00
},
// ### whenEnabled Middleware
// Selectively use middleware
// From https://github.com/senchalabs/connect/issues/676#issuecomment-9569658
whenEnabled: function (setting, fn) {
return function settingEnabled(req, res, next) {
Remove ghost.js fixes #1575 - Moves most code that was in ghost.js into ./core/server/index.js - Creates ./core/server/config/theme.js to hold all theme configurations (which previously lived on ghost.blogGlobals()) - Removed ghost.server, passing it in as an argument where needed and allowing middleware to hold onto a reference for lazy use.
2013-12-06 18:13:15 +04:00
// Set from server/middleware/index.js for now
Naming cleanup closes #4069 - Rename everything from camelCase to lowercase + dashes - Remove usage of `server`, `app` and `instance`
2014-09-19 20:17:58 +04:00
if (blogApp.enabled(setting)) {
Move middleware functions into middleware module and create associated tests Note: this only moves middleware functions that have associated tests.
2013-11-05 09:41:36 +04:00
fn(req, res, next);
} else {
next();
}
};
},
Create the config module, initially used to standardise getting paths and absolute URLs. Easy to extend for other configurations we may need.
2013-11-20 17:58:52 +04:00
staticTheme: function () {
Lock down theme static directory to not serve templates, markdown and text files. closes #942 - insert custom middleware to check for blacklisted files - redirect to express.static if file accepted - if not valid return next() to do nothing - currently black listing .hbs, .txt, .md and .json - debatable which is best, black list or white list, either one will probably need tweaks but erred on side of letting a theme serve unknown types
2013-10-05 14:17:08 +04:00
return function blackListStatic(req, res, next) {
if (isBlackListedFileType(req.url)) {
return next();
}
Create the config module, initially used to standardise getting paths and absolute URLs. Easy to extend for other configurations we may need.
2013-11-20 17:58:52 +04:00
return middleware.forwardToExpressStatic(req, res, next);
Lock down theme static directory to not serve templates, markdown and text files. closes #942 - insert custom middleware to check for blacklisted files - redirect to express.static if file accepted - if not valid return next() to do nothing - currently black listing .hbs, .txt, .md and .json - debatable which is best, black list or white list, either one will probably need tweaks but erred on side of letting a theme serve unknown types
2013-10-05 14:17:08 +04:00
};
},
// to allow unit testing
Create the config module, initially used to standardise getting paths and absolute URLs. Easy to extend for other configurations we may need.
2013-11-20 17:58:52 +04:00
forwardToExpressStatic: function (req, res, next) {
Refactor API arguments closes #2610, refs #2697 - cleanup API index.js, and add docs - all API methods take consistent arguments: object & options - browse, read, destroy take options, edit and add take object and options - the context is passed as part of options, meaning no more .call everywhere - destroy expects an object, rather than an id all the way down to the model layer - route params such as :id, :slug, and :key are passed as an option & used to perform reads, updates and deletes where possible - settings / themes may need work here still - HTTP posts api can find a post by slug - Add API utils for checkData
2014-05-08 16:41:19 +04:00
api.settings.read({context: {internal: true}, key: 'activeTheme'}).then(function (response) {
Settings API Primary Document refactor Closes #2606 - Refactor settings api responses to { settings: [ ] } format - Update all code using api.settings to handle new response format - Update test stubs to return new format - Update client site settings model to parse new format into one object of key/value pairs - Refactor to include all setting values - Remove unused settingsCollection method - Update settingsCache to store all attributes - Update settingsResult to send all attributes - Remove unnecessary when() wraps - Reject if editing a setting that doesn't exist - Reject earlier if setting key is empty - Update tests with new error messages - Use setting.add instead of edit that was incorrectly adding - Update importer to properly import activePlugins and installedPlugins - Update expected setting result fields - Fix a weird situation where hasOwnProperty didn't exist :shrug:
2014-04-28 03:28:50 +04:00
var activeTheme = response.settings[0];
Make cache max-age on theme assets one year. closes #2790 - Added one year in ms var. - refs: #2447
2014-05-22 07:56:25 +04:00
Change refresh token expiry no issue - acquiring a new access token using a refresh token sets the expiration time of the refresh token to now + 24 hrs. - moved all occurrences of ONE_HOUR, ONE_DAY and ONE_YEAR to `core/server/utils`
2014-07-28 17:19:49 +04:00
express['static'](path.join(config.paths.themePath, activeTheme.value), {maxAge: utils.ONE_YEAR_MS})(req, res, next);
remove ghost.settings and ghost.notifications covers 90% of #755 - moved ghost.settings to api.settings - moved ghost.notifications to api.notifications - split up api/index.js to notifications.js, posts.js, settings.js, tags.js and users.js - added instance.globals as temp workaround for blogglobals (Known issue: blog title and blog description are updated after restart only) - added webroot to config() to remove `var root = ...` - changed `e` and `url` helper to async - updated tests
2013-12-06 12:51:35 +04:00
});
Remove cookie from Frontend closes #1437 closes #1472 - changed cookie to path:'/ghost' - added conditional CSRF middleware - added redirects for signup, signin, signout to /ghost/sign*/
2013-11-26 13:38:54 +04:00
},
Restored spam prevention closes #3128 - added spam prevention middleware - restored tests
2014-07-17 16:22:07 +04:00
// ### Spam prevention Middleware
Improve spam prevention closes #3544 - limit forgotten password requests to five requests per IP per hour for different email addresses - limit forgotten password requests to five requests per email address - limit signin requests to ten failed requests per IP per hour - removed special treatment for tests
2014-08-05 14:58:58 +04:00
// limit signin requests to ten failed requests per IP per hour
spamSigninPrevention: function (req, res, next) {
Restored spam prevention closes #3128 - added spam prevention middleware - restored tests
2014-07-17 16:22:07 +04:00
var currentTime = process.hrtime()[0],
remoteAddress = req.connection.remoteAddress,
Update spam prevention closes #3468 - added rate limit to deny more than 5 attempt every hour - updated spam prevention to be configurable - added config values spamTimeout, ratePeriod, rateAttempts - added ratePeriod:1 to config.example.js to prevent functional tests from hitting the rate limit - commented spam test, I’ll fix it tomorrow
2014-08-01 02:58:32 +04:00
deniedRateLimit = '',
ipCount = '',
Cleaner spam prevention error messages closes #3589 - Full error messages appear in stderr - Clean error messages for user
2014-08-06 13:00:21 +04:00
message = 'Too many attempts.',
Improve spam prevention closes #3544 - limit forgotten password requests to five requests per IP per hour for different email addresses - limit forgotten password requests to five requests per email address - limit signin requests to ten failed requests per IP per hour - removed special treatment for tests
2014-08-05 14:58:58 +04:00
rateSigninPeriod = config.rateSigninPeriod || 3600,
rateSigninAttempts = config.rateSigninAttempts || 10;
Restored spam prevention closes #3128 - added spam prevention middleware - restored tests
2014-07-17 16:22:07 +04:00
Fix token refresh no issue - spam prevention causes token refresh to return an error
2014-08-06 13:11:44 +04:00
if (req.body.username && req.body.grant_type === 'password') {
Improve spam prevention closes #3544 - limit forgotten password requests to five requests per IP per hour for different email addresses - limit forgotten password requests to five requests per email address - limit signin requests to ten failed requests per IP per hour - removed special treatment for tests
2014-08-05 14:58:58 +04:00
loginSecurity.push({ip: remoteAddress, time: currentTime, email: req.body.username});
Fix token refresh no issue - spam prevention causes token refresh to return an error
2014-08-06 13:11:44 +04:00
} else if (req.body.grant_type === 'refresh_token') {
return next();
Improve spam prevention closes #3544 - limit forgotten password requests to five requests per IP per hour for different email addresses - limit forgotten password requests to five requests per email address - limit signin requests to ten failed requests per IP per hour - removed special treatment for tests
2014-08-05 14:58:58 +04:00
} else {
return next(new errors.BadRequestError('No username.'));
}
// filter entries that are older than rateSigninPeriod
Restored spam prevention closes #3128 - added spam prevention middleware - restored tests
2014-07-17 16:22:07 +04:00
loginSecurity = _.filter(loginSecurity, function (logTime) {
Improve spam prevention closes #3544 - limit forgotten password requests to five requests per IP per hour for different email addresses - limit forgotten password requests to five requests per email address - limit signin requests to ten failed requests per IP per hour - removed special treatment for tests
2014-08-05 14:58:58 +04:00
return (logTime.time + rateSigninPeriod > currentTime);
Restored spam prevention closes #3128 - added spam prevention middleware - restored tests
2014-07-17 16:22:07 +04:00
});
Improve spam prevention closes #3544 - limit forgotten password requests to five requests per IP per hour for different email addresses - limit forgotten password requests to five requests per email address - limit signin requests to ten failed requests per IP per hour - removed special treatment for tests
2014-08-05 14:58:58 +04:00
// check number of tries per IP address
Update spam prevention closes #3468 - added rate limit to deny more than 5 attempt every hour - updated spam prevention to be configurable - added config values spamTimeout, ratePeriod, rateAttempts - added ratePeriod:1 to config.example.js to prevent functional tests from hitting the rate limit - commented spam test, I’ll fix it tomorrow
2014-08-01 02:58:32 +04:00
ipCount = _.chain(loginSecurity).countBy('ip').value();
Improve spam prevention closes #3544 - limit forgotten password requests to five requests per IP per hour for different email addresses - limit forgotten password requests to five requests per email address - limit signin requests to ten failed requests per IP per hour - removed special treatment for tests
2014-08-05 14:58:58 +04:00
deniedRateLimit = (ipCount[remoteAddress] > rateSigninAttempts);
Restored spam prevention closes #3128 - added spam prevention middleware - restored tests
2014-07-17 16:22:07 +04:00
Improve spam prevention closes #3544 - limit forgotten password requests to five requests per IP per hour for different email addresses - limit forgotten password requests to five requests per email address - limit signin requests to ten failed requests per IP per hour - removed special treatment for tests
2014-08-05 14:58:58 +04:00
if (deniedRateLimit) {
Cleaner spam prevention error messages closes #3589 - Full error messages appear in stderr - Clean error messages for user
2014-08-06 13:00:21 +04:00
errors.logError(
'Only ' + rateSigninAttempts + ' tries per IP address every ' + rateSigninPeriod + ' seconds.',
'Too many login attempts.'
);
message += rateSigninPeriod === 3600 ? ' Please wait 1 hour.' : ' Please try again later';
return next(new errors.UnauthorizedError(message));
Improve spam prevention closes #3544 - limit forgotten password requests to five requests per IP per hour for different email addresses - limit forgotten password requests to five requests per email address - limit signin requests to ten failed requests per IP per hour - removed special treatment for tests
2014-08-05 14:58:58 +04:00
}
next();
},
// ### Spam prevention Middleware
// limit forgotten password requests to five requests per IP per hour for different email addresses
// limit forgotten password requests to five requests per email address
spamForgottenPrevention: function (req, res, next) {
var currentTime = process.hrtime()[0],
remoteAddress = req.connection.remoteAddress,
rateForgottenPeriod = config.rateForgottenPeriod || 3600,
rateForgottenAttempts = config.rateForgottenAttempts || 5,
email = req.body.passwordreset[0].email,
ipCount = '',
deniedRateLimit = '',
deniedEmailRateLimit = '',
Cleaner spam prevention error messages closes #3589 - Full error messages appear in stderr - Clean error messages for user
2014-08-06 13:00:21 +04:00
message = 'Too many attempts.',
Improve spam prevention closes #3544 - limit forgotten password requests to five requests per IP per hour for different email addresses - limit forgotten password requests to five requests per email address - limit signin requests to ten failed requests per IP per hour - removed special treatment for tests
2014-08-05 14:58:58 +04:00
index = _.findIndex(forgottenSecurity, function (logTime) {
return (logTime.ip === remoteAddress && logTime.email === email);
});
if (email) {
if (index !== -1) {
forgottenSecurity[index].count = forgottenSecurity[index].count + 1;
Update spam prevention closes #3468 - added rate limit to deny more than 5 attempt every hour - updated spam prevention to be configurable - added config values spamTimeout, ratePeriod, rateAttempts - added ratePeriod:1 to config.example.js to prevent functional tests from hitting the rate limit - commented spam test, I’ll fix it tomorrow
2014-08-01 02:58:32 +04:00
} else {
Improve spam prevention closes #3544 - limit forgotten password requests to five requests per IP per hour for different email addresses - limit forgotten password requests to five requests per email address - limit signin requests to ten failed requests per IP per hour - removed special treatment for tests
2014-08-05 14:58:58 +04:00
forgottenSecurity.push({ip: remoteAddress, time: currentTime, email: email, count: 0});
Update spam prevention closes #3468 - added rate limit to deny more than 5 attempt every hour - updated spam prevention to be configurable - added config values spamTimeout, ratePeriod, rateAttempts - added ratePeriod:1 to config.example.js to prevent functional tests from hitting the rate limit - commented spam test, I’ll fix it tomorrow
2014-08-01 02:58:32 +04:00
}
Improve spam prevention closes #3544 - limit forgotten password requests to five requests per IP per hour for different email addresses - limit forgotten password requests to five requests per email address - limit signin requests to ten failed requests per IP per hour - removed special treatment for tests
2014-08-05 14:58:58 +04:00
} else {
return next(new errors.BadRequestError('No email.'));
}
// filter entries that are older than rateForgottenPeriod
forgottenSecurity = _.filter(forgottenSecurity, function (logTime) {
return (logTime.time + rateForgottenPeriod > currentTime);
});
// check number of tries with different email addresses per IP
ipCount = _.chain(forgottenSecurity).countBy('ip').value();
deniedRateLimit = (ipCount[remoteAddress] > rateForgottenAttempts);
if (index !== -1) {
deniedEmailRateLimit = (forgottenSecurity[index].count > rateForgottenAttempts);
}
Cleaner spam prevention error messages closes #3589 - Full error messages appear in stderr - Clean error messages for user
2014-08-06 13:00:21 +04:00
Improve spam prevention closes #3544 - limit forgotten password requests to five requests per IP per hour for different email addresses - limit forgotten password requests to five requests per email address - limit signin requests to ten failed requests per IP per hour - removed special treatment for tests
2014-08-05 14:58:58 +04:00
if (deniedEmailRateLimit) {
Cleaner spam prevention error messages closes #3589 - Full error messages appear in stderr - Clean error messages for user
2014-08-06 13:00:21 +04:00
errors.logError(
'Only ' + rateForgottenAttempts + ' forgotten password attempts per email every ' +
rateForgottenPeriod + ' seconds.',
'Forgotten password reset attempt failed'
);
Improve spam prevention closes #3544 - limit forgotten password requests to five requests per IP per hour for different email addresses - limit forgotten password requests to five requests per email address - limit signin requests to ten failed requests per IP per hour - removed special treatment for tests
2014-08-05 14:58:58 +04:00
}
if (deniedRateLimit) {
Cleaner spam prevention error messages closes #3589 - Full error messages appear in stderr - Clean error messages for user
2014-08-06 13:00:21 +04:00
errors.logError(
'Only ' + rateForgottenAttempts + ' tries per IP address every ' + rateForgottenPeriod + ' seconds.',
'Forgotten password reset attempt failed'
);
}
if (deniedEmailRateLimit || deniedRateLimit) {
message += rateForgottenPeriod === 3600 ? ' Please wait 1 hour.' : ' Please try again later';
return next(new errors.UnauthorizedError(message));
Restored spam prevention closes #3128 - added spam prevention middleware - restored tests
2014-07-17 16:22:07 +04:00
}
Improve spam prevention closes #3544 - limit forgotten password requests to five requests per IP per hour for different email addresses - limit forgotten password requests to five requests per email address - limit signin requests to ten failed requests per IP per hour - removed special treatment for tests
2014-08-05 14:58:58 +04:00
next();
},
resetSpamCounter: function (email) {
loginSecurity = _.filter(loginSecurity, function (logTime) {
return (logTime.email !== email);
});
Restored spam prevention closes #3128 - added spam prevention middleware - restored tests
2014-07-17 16:22:07 +04:00
},
oAuth closes #2759 closes #3027 - added oauth2orize library for server side oAuth handling - added ember-simple-auth library for admin oAuth handling - added tables for client, accesstoken and refreshtoken - implemented RFC6749 4.3 Ressouce Owner Password Credentials Grant - updated api tests with oAuth - removed session, authentication is now token based Known issues: - Restore spam prevention #3128 - Signin after Signup #3125 - Signin validation #3125 **Attention** - oldClient doesn't work with this PR anymore, session authentication was removed
2014-06-30 16:58:10 +04:00
// work around to handle missing client_secret
// oauth2orize needs it, but untrusted clients don't have it
addClientSecret: function (req, res, next) {
if (!req.body.client_secret) {
req.body.client_secret = 'not_available';
}
next();
},
Restored spam prevention closes #3128 - added spam prevention middleware - restored tests
2014-07-17 16:22:07 +04:00
// ### Authenticate Client Middleware
// authenticate client that is asking for an access token
oAuth closes #2759 closes #3027 - added oauth2orize library for server side oAuth handling - added ember-simple-auth library for admin oAuth handling - added tables for client, accesstoken and refreshtoken - implemented RFC6749 4.3 Ressouce Owner Password Credentials Grant - updated api tests with oAuth - removed session, authentication is now token based Known issues: - Restore spam prevention #3128 - Signin after Signup #3125 - Signin validation #3125 **Attention** - oldClient doesn't work with this PR anymore, session authentication was removed
2014-06-30 16:58:10 +04:00
authenticateClient: function (req, res, next) {
Add jscs task to grunt file and clean up files to adhere to jscs rules. resolves #1920 - updates all files to conform to style settings.
2014-09-10 08:06:24 +04:00
return passport.authenticate(['oauth2-client-password'], {session: false})(req, res, next);
oAuth closes #2759 closes #3027 - added oauth2orize library for server side oAuth handling - added ember-simple-auth library for admin oAuth handling - added tables for client, accesstoken and refreshtoken - implemented RFC6749 4.3 Ressouce Owner Password Credentials Grant - updated api tests with oAuth - removed session, authentication is now token based Known issues: - Restore spam prevention #3128 - Signin after Signup #3125 - Signin validation #3125 **Attention** - oldClient doesn't work with this PR anymore, session authentication was removed
2014-06-30 16:58:10 +04:00
},
Restored spam prevention closes #3128 - added spam prevention middleware - restored tests
2014-07-17 16:22:07 +04:00
// ### Generate access token Middleware
// register the oauth2orize middleware for password and refresh token grants
oAuth closes #2759 closes #3027 - added oauth2orize library for server side oAuth handling - added ember-simple-auth library for admin oAuth handling - added tables for client, accesstoken and refreshtoken - implemented RFC6749 4.3 Ressouce Owner Password Credentials Grant - updated api tests with oAuth - removed session, authentication is now token based Known issues: - Restore spam prevention #3128 - Signin after Signup #3125 - Signin validation #3125 **Attention** - oldClient doesn't work with this PR anymore, session authentication was removed
2014-06-30 16:58:10 +04:00
generateAccessToken: function (req, res, next) {
return oauthServer.token()(req, res, next);
},
Refactor: Make checkSSL unit-testable and add unit tests for it. - Code was moved to core/server/middleware/middleware.js, which is the home for unit-testable middleware. - Functional code coverage for this code also exists at: test/functional/routes/admin_test.js
2015-01-18 21:44:50 +03:00
// Check to see if we should use SSL
// and redirect if needed
checkSSL: function (req, res, next) {
if (isSSLrequired(res.isAdmin, config.url, config.forceAdminSSL)) {
if (!req.secure) {
var response = sslForbiddenOrRedirect({
forceAdminSSL: config.forceAdminSSL,
configUrlSSL: config.urlSSL,
configUrl: config.url,
reqUrl: req.url
});
if (response.isForbidden) {
return res.sendStatus(403);
} else {
return res.redirect(301, response.redirectUrl(req.query));
}
}
}
next();
},
Switch from multipart to busboy Fixes #1227 - Removed deprecated `multipart` references. - Setup `busboy` to pass along file streams and do a naive parse of form values. - Updated logic in file storage and db import to handle file streams instead of the temporary files created by `multipart`.
2013-12-04 06:47:39 +04:00
busboy: busboy
Lock down theme static directory to not serve templates, markdown and text files. closes #942 - insert custom middleware to check for blacklisted files - redirect to express.static if file accepted - if not valid return next() to do nothing - currently black listing .hbs, .txt, .md and .json - debatable which is best, black list or white list, either one will probably need tweaks but erred on side of letting a theme serve unknown types
2013-10-05 14:17:08 +04:00
};
module.exports = middleware;
Naming cleanup closes #4069 - Rename everything from camelCase to lowercase + dashes - Remove usage of `server`, `app` and `instance`
2014-09-19 20:17:58 +04:00
module.exports.cacheBlogApp = cacheBlogApp;
oAuth closes #2759 closes #3027 - added oauth2orize library for server side oAuth handling - added ember-simple-auth library for admin oAuth handling - added tables for client, accesstoken and refreshtoken - implemented RFC6749 4.3 Ressouce Owner Password Credentials Grant - updated api tests with oAuth - removed session, authentication is now token based Known issues: - Restore spam prevention #3128 - Signin after Signup #3125 - Signin validation #3125 **Attention** - oldClient doesn't work with this PR anymore, session authentication was removed
2014-06-30 16:58:10 +04:00
module.exports.cacheOauthServer = cacheOauthServer;
Refactor: Make checkSSL unit-testable and add unit tests for it. - Code was moved to core/server/middleware/middleware.js, which is the home for unit-testable middleware. - Functional code coverage for this code also exists at: test/functional/routes/admin_test.js
2015-01-18 21:44:50 +03:00
// SSL helper functions are exported primarily for unity testing.
module.exports.isSSLrequired = isSSLrequired;
module.exports.sslForbiddenOrRedirect = sslForbiddenOrRedirect;
Reference in New Issue Copy Permalink