Ghost/core/server/apps/private-blogging/lib/middleware.js

var fs = require('fs'),
    session = require('cookie-session'),
    crypto = require('crypto'),
    path = require('path'),
    config = require('../../../config'),
    utils = require('../../../utils'),
    i18n = require('../../../i18n'),
    settingsCache = require('../../../settings/cache'),
    privateRoute = '/' + config.get('routeKeywords').private + '/',
    privateBlogging;

function verifySessionHash(salt, hash) {
    if (!salt || !hash) {
        return false;
    }

    var hasher = crypto.createHash('sha256');
    hasher.update(settingsCache.get('password') + salt, 'utf8');
    return hasher.digest('hex') === hash;
}

privateBlogging = {
    checkIsPrivate: function checkIsPrivate(req, res, next) {
        var isPrivateBlog = settingsCache.get('is_private');

        if (!isPrivateBlog) {
            res.isPrivateBlog = false;
            return next();
        }

        res.isPrivateBlog = true;

        return session({
            maxAge: utils.ONE_MONTH_MS,
            signed: false
        })(req, res, next);
    },

    filterPrivateRoutes: function filterPrivateRoutes(req, res, next) {
        if (res.isAdmin || !res.isPrivateBlog || req.url.lastIndexOf(privateRoute, 0) === 0) {
            return next();
        }

        if (req.url.lastIndexOf('/robots.txt', 0) === 0) {
            return fs.readFile(path.resolve(__dirname, '../', 'robots.txt'), function readFile(err, buf) {
                if (err) {
                    return next(err);
                }

                res.writeHead(200, {
                    'Content-Type': 'text/plain',
                    'Content-Length': buf.length,
                    'Cache-Control': 'public, max-age=' + config.get('caching:robotstxt:maxAge')
                });

                res.end(buf);
            });
        }

        privateBlogging.authenticatePrivateSession(req, res, next);
    },

    authenticatePrivateSession: function authenticatePrivateSession(req, res, next) {
        var hash = req.session.token || '',
            salt = req.session.salt || '',
            isVerified = verifySessionHash(salt, hash),
            url;

        if (isVerified) {
            return next();
        } else {
            url = utils.url.urlFor({relativeUrl: privateRoute});
            url += req.url === '/' ? '' : '?r=' + encodeURIComponent(req.url);
            return res.redirect(url);
        }
    },

    // This is here so a call to /private/ after a session is verified will redirect to home;
    isPrivateSessionAuth: function isPrivateSessionAuth(req, res, next) {
        if (!res.isPrivateBlog) {
            return res.redirect(utils.url.urlFor('home', true));
        }

        var hash = req.session.token || '',
            salt = req.session.salt || '',
            isVerified = verifySessionHash(salt, hash);

        if (isVerified) {
            // redirect to home if user is already authenticated
            return res.redirect(utils.url.urlFor('home', true));
        } else {
            return next();
        }
    },

    authenticateProtection: function authenticateProtection(req, res, next) {
        // if errors have been generated from the previous call
        if (res.error) {
            return next();
        }

        var bodyPass = req.body.password,
            pass = settingsCache.get('password'),
            hasher = crypto.createHash('sha256'),
            salt = Date.now().toString(),
            forward = req.query && req.query.r ? req.query.r : '/';

        if (pass === bodyPass) {
            hasher.update(bodyPass + salt, 'utf8');
            req.session.token = hasher.digest('hex');
            req.session.salt = salt;

            return res.redirect(utils.url.urlFor({relativeUrl: decodeURIComponent(forward)}));
        } else {
            res.error = {
                message: i18n.t('errors.middleware.privateblogging.wrongPassword')
            };
            return next();
        }
    }
};

module.exports = privateBlogging;
Refactored private blogging app: use settings cache (#9086) no issue - preparation for #9001 - no need to require the settings API, we can simply fetch the data from the settings cache - the settings API uses the settings cache anyway 2017-10-03 14:40:53 +03:00			`var fs = require('fs'),`
			`session = require('cookie-session'),`
			`crypto = require('crypto'),`
			`path = require('path'),`
			`config = require('../../../config'),`
			`utils = require('../../../utils'),`
			`i18n = require('../../../i18n'),`
			`settingsCache = require('../../../settings/cache'),`
🎨 change how we get and set config refs #6982 - a replace for all config usages - always use config.get or config.set - this a pure replacement, no logic has changed [ci skip] 2016-09-13 18:41:14 +03:00			`privateRoute = '/' + config.get('routeKeywords').private + '/',`
deps: grunt-jscs@2.1.0 no issue - update grunt-jscs dependency - fix deprecated `validateJSDoc` configuration - fix numerous linting errors, including: - use of future-reserved `public` and `private` variable names - use of `[]` instead of dot-notation (especially `express['static']` and `cacheRules['x']`) - extra spaces in `const { run } = Ember` style constructs One issue that did become apparent is that there are conflicting rules that prevent the use of object function shorthand such that both of these: ``` { myFunc() {} } { myFunc () {} } ``` are called out due to either the missing or the extra space before the `(` 2015-10-12 19:54:15 +03:00			`privateBlogging;`
Middleware Refactor - Refactor SSL middleware into separate module. - Refactor redirectToSetup to separate module + tests - Refactor serveStaticFile + tests - Refactor authentication middleware + tests - Refactor private blogging middleware refs #5286 2015-07-15 19:01:23 +03:00
			`function verifySessionHash(salt, hash) {`
			`if (!salt \|\| !hash) {`
Refactored private blogging app: use settings cache (#9086) no issue - preparation for #9001 - no need to require the settings API, we can simply fetch the data from the settings cache - the settings API uses the settings cache anyway 2017-10-03 14:40:53 +03:00			`return false;`
Middleware Refactor - Refactor SSL middleware into separate module. - Refactor redirectToSetup to separate module + tests - Refactor serveStaticFile + tests - Refactor authentication middleware + tests - Refactor private blogging middleware refs #5286 2015-07-15 19:01:23 +03:00			`}`

Refactored private blogging app: use settings cache (#9086) no issue - preparation for #9001 - no need to require the settings API, we can simply fetch the data from the settings cache - the settings API uses the settings cache anyway 2017-10-03 14:40:53 +03:00			`var hasher = crypto.createHash('sha256');`
			`hasher.update(settingsCache.get('password') + salt, 'utf8');`
			`return hasher.digest('hex') === hash;`
Middleware Refactor - Refactor SSL middleware into separate module. - Refactor redirectToSetup to separate module + tests - Refactor serveStaticFile + tests - Refactor authentication middleware + tests - Refactor private blogging middleware refs #5286 2015-07-15 19:01:23 +03:00			`}`

deps: grunt-jscs@2.1.0 no issue - update grunt-jscs dependency - fix deprecated `validateJSDoc` configuration - fix numerous linting errors, including: - use of future-reserved `public` and `private` variable names - use of `[]` instead of dot-notation (especially `express['static']` and `cacheRules['x']`) - extra spaces in `const { run } = Ember` style constructs One issue that did become apparent is that there are conflicting rules that prevent the use of object function shorthand such that both of these: ``` { myFunc() {} } { myFunc () {} } ``` are called out due to either the missing or the extra space before the `(` 2015-10-12 19:54:15 +03:00			`privateBlogging = {`
Middleware Refactor - Refactor SSL middleware into separate module. - Refactor redirectToSetup to separate module + tests - Refactor serveStaticFile + tests - Refactor authentication middleware + tests - Refactor private blogging middleware refs #5286 2015-07-15 19:01:23 +03:00			`checkIsPrivate: function checkIsPrivate(req, res, next) {`
Refactored private blogging app: use settings cache (#9086) no issue - preparation for #9001 - no need to require the settings API, we can simply fetch the data from the settings cache - the settings API uses the settings cache anyway 2017-10-03 14:40:53 +03:00			`var isPrivateBlog = settingsCache.get('is_private');`
Middleware Refactor - Refactor SSL middleware into separate module. - Refactor redirectToSetup to separate module + tests - Refactor serveStaticFile + tests - Refactor authentication middleware + tests - Refactor private blogging middleware refs #5286 2015-07-15 19:01:23 +03:00
Refactored private blogging app: use settings cache (#9086) no issue - preparation for #9001 - no need to require the settings API, we can simply fetch the data from the settings cache - the settings API uses the settings cache anyway 2017-10-03 14:40:53 +03:00			`if (!isPrivateBlog) {`
			`res.isPrivateBlog = false;`
			`return next();`
			`}`
Middleware Refactor - Refactor SSL middleware into separate module. - Refactor redirectToSetup to separate module + tests - Refactor serveStaticFile + tests - Refactor authentication middleware + tests - Refactor private blogging middleware refs #5286 2015-07-15 19:01:23 +03:00
Refactored private blogging app: use settings cache (#9086) no issue - preparation for #9001 - no need to require the settings API, we can simply fetch the data from the settings cache - the settings API uses the settings cache anyway 2017-10-03 14:40:53 +03:00			`res.isPrivateBlog = true;`
Middleware Refactor - Refactor SSL middleware into separate module. - Refactor redirectToSetup to separate module + tests - Refactor serveStaticFile + tests - Refactor authentication middleware + tests - Refactor private blogging middleware refs #5286 2015-07-15 19:01:23 +03:00
Refactored private blogging app: use settings cache (#9086) no issue - preparation for #9001 - no need to require the settings API, we can simply fetch the data from the settings cache - the settings API uses the settings cache anyway 2017-10-03 14:40:53 +03:00			`return session({`
			`maxAge: utils.ONE_MONTH_MS,`
			`signed: false`
			`})(req, res, next);`
Middleware Refactor - Refactor SSL middleware into separate module. - Refactor redirectToSetup to separate module + tests - Refactor serveStaticFile + tests - Refactor authentication middleware + tests - Refactor private blogging middleware refs #5286 2015-07-15 19:01:23 +03:00			`},`

			`filterPrivateRoutes: function filterPrivateRoutes(req, res, next) {`
move private-blogging functionality into an internal app closes #5914, #6589 - moves all private-blogging related code & tests into /server/apps/private-blogging/ - rework Grunt to run private-blogging tests - modify server apps code to have a place for internal apps 2016-04-11 16:58:41 +03:00			`if (res.isAdmin \|\| !res.isPrivateBlog \|\| req.url.lastIndexOf(privateRoute, 0) === 0) {`
Middleware Refactor - Refactor SSL middleware into separate module. - Refactor redirectToSetup to separate module + tests - Refactor serveStaticFile + tests - Refactor authentication middleware + tests - Refactor private blogging middleware refs #5286 2015-07-15 19:01:23 +03:00			`return next();`
			`}`

🐛 Fixed private blogging leaking post information (#8999) * 🐛 Fixed private blogging leaking post information closes #8990 - a condition in the private blogging app redirected rss && sitemap to 404, which can possibly leak content - remove this condition and ensure we always redirect to /private * lint 😋 2017-09-11 16:09:19 +03:00			`if (req.url.lastIndexOf('/robots.txt', 0) === 0) {`
Refactored private blogging app: use settings cache (#9086) no issue - preparation for #9001 - no need to require the settings API, we can simply fetch the data from the settings cache - the settings API uses the settings cache anyway 2017-10-03 14:40:53 +03:00			`return fs.readFile(path.resolve(__dirname, '../', 'robots.txt'), function readFile(err, buf) {`
Middleware Refactor - Refactor SSL middleware into separate module. - Refactor redirectToSetup to separate module + tests - Refactor serveStaticFile + tests - Refactor authentication middleware + tests - Refactor private blogging middleware refs #5286 2015-07-15 19:01:23 +03:00			`if (err) {`
			`return next(err);`
			`}`
🎨 add cache control configurations into the default config refs #7488 - cache control can be overridden if needed 2017-05-29 23:10:32 +03:00
Middleware Refactor - Refactor SSL middleware into separate module. - Refactor redirectToSetup to separate module + tests - Refactor serveStaticFile + tests - Refactor authentication middleware + tests - Refactor private blogging middleware refs #5286 2015-07-15 19:01:23 +03:00			`res.writeHead(200, {`
			`'Content-Type': 'text/plain',`
			`'Content-Length': buf.length,`
🎨 add cache control configurations into the default config refs #7488 - cache control can be overridden if needed 2017-05-29 23:10:32 +03:00			`'Cache-Control': 'public, max-age=' + config.get('caching:robotstxt:maxAge')`
Middleware Refactor - Refactor SSL middleware into separate module. - Refactor redirectToSetup to separate module + tests - Refactor serveStaticFile + tests - Refactor authentication middleware + tests - Refactor private blogging middleware refs #5286 2015-07-15 19:01:23 +03:00			`});`
🎨 add cache control configurations into the default config refs #7488 - cache control can be overridden if needed 2017-05-29 23:10:32 +03:00
Middleware Refactor - Refactor SSL middleware into separate module. - Refactor redirectToSetup to separate module + tests - Refactor serveStaticFile + tests - Refactor authentication middleware + tests - Refactor private blogging middleware refs #5286 2015-07-15 19:01:23 +03:00			`res.end(buf);`
			`});`
			`}`
Refactored private blogging app: use settings cache (#9086) no issue - preparation for #9001 - no need to require the settings API, we can simply fetch the data from the settings cache - the settings API uses the settings cache anyway 2017-10-03 14:40:53 +03:00
			`privateBlogging.authenticatePrivateSession(req, res, next);`
Middleware Refactor - Refactor SSL middleware into separate module. - Refactor redirectToSetup to separate module + tests - Refactor serveStaticFile + tests - Refactor authentication middleware + tests - Refactor private blogging middleware refs #5286 2015-07-15 19:01:23 +03:00			`},`

			`authenticatePrivateSession: function authenticatePrivateSession(req, res, next) {`
			`var hash = req.session.token \|\| '',`
			`salt = req.session.salt \|\| '',`
Refactored private blogging app: use settings cache (#9086) no issue - preparation for #9001 - no need to require the settings API, we can simply fetch the data from the settings cache - the settings API uses the settings cache anyway 2017-10-03 14:40:53 +03:00			`isVerified = verifySessionHash(salt, hash),`
Middleware Refactor - Refactor SSL middleware into separate module. - Refactor redirectToSetup to separate module + tests - Refactor serveStaticFile + tests - Refactor authentication middleware + tests - Refactor private blogging middleware refs #5286 2015-07-15 19:01:23 +03:00			`url;`

Refactored private blogging app: use settings cache (#9086) no issue - preparation for #9001 - no need to require the settings API, we can simply fetch the data from the settings cache - the settings API uses the settings cache anyway 2017-10-03 14:40:53 +03:00			`if (isVerified) {`
			`return next();`
			`} else {`
			`url = utils.url.urlFor({relativeUrl: privateRoute});`
			`url += req.url === '/' ? '' : '?r=' + encodeURIComponent(req.url);`
			`return res.redirect(url);`
			`}`
Middleware Refactor - Refactor SSL middleware into separate module. - Refactor redirectToSetup to separate module + tests - Refactor serveStaticFile + tests - Refactor authentication middleware + tests - Refactor private blogging middleware refs #5286 2015-07-15 19:01:23 +03:00			`},`

			`// This is here so a call to /private/ after a session is verified will redirect to home;`
			`isPrivateSessionAuth: function isPrivateSessionAuth(req, res, next) {`
			`if (!res.isPrivateBlog) {`
:art: source out url utils from ConfigManager (#7347) refs #6982 2016-09-09 13:23:47 +03:00			`return res.redirect(utils.url.urlFor('home', true));`
Middleware Refactor - Refactor SSL middleware into separate module. - Refactor redirectToSetup to separate module + tests - Refactor serveStaticFile + tests - Refactor authentication middleware + tests - Refactor private blogging middleware refs #5286 2015-07-15 19:01:23 +03:00			`}`

			`var hash = req.session.token \|\| '',`
Refactored private blogging app: use settings cache (#9086) no issue - preparation for #9001 - no need to require the settings API, we can simply fetch the data from the settings cache - the settings API uses the settings cache anyway 2017-10-03 14:40:53 +03:00			`salt = req.session.salt \|\| '',`
			`isVerified = verifySessionHash(salt, hash);`

			`if (isVerified) {`
			`// redirect to home if user is already authenticated`
			`return res.redirect(utils.url.urlFor('home', true));`
			`} else {`
			`return next();`
			`}`
Middleware Refactor - Refactor SSL middleware into separate module. - Refactor redirectToSetup to separate module + tests - Refactor serveStaticFile + tests - Refactor authentication middleware + tests - Refactor private blogging middleware refs #5286 2015-07-15 19:01:23 +03:00			`},`

			`authenticateProtection: function authenticateProtection(req, res, next) {`
			`// if errors have been generated from the previous call`
			`if (res.error) {`
			`return next();`
			`}`

Refactored private blogging app: use settings cache (#9086) no issue - preparation for #9001 - no need to require the settings API, we can simply fetch the data from the settings cache - the settings API uses the settings cache anyway 2017-10-03 14:40:53 +03:00			`var bodyPass = req.body.password,`
			`pass = settingsCache.get('password'),`
			`hasher = crypto.createHash('sha256'),`
			`salt = Date.now().toString(),`
			`forward = req.query && req.query.r ? req.query.r : '/';`

			`if (pass === bodyPass) {`
			`hasher.update(bodyPass + salt, 'utf8');`
			`req.session.token = hasher.digest('hex');`
			`req.session.salt = salt;`

			`return res.redirect(utils.url.urlFor({relativeUrl: decodeURIComponent(forward)}));`
			`} else {`
			`res.error = {`
			`message: i18n.t('errors.middleware.privateblogging.wrongPassword')`
			`};`
			`return next();`
			`}`
Middleware Refactor - Refactor SSL middleware into separate module. - Refactor redirectToSetup to separate module + tests - Refactor serveStaticFile + tests - Refactor authentication middleware + tests - Refactor private blogging middleware refs #5286 2015-07-15 19:01:23 +03:00			`}`
			`};`

deps: grunt-jscs@2.1.0 no issue - update grunt-jscs dependency - fix deprecated `validateJSDoc` configuration - fix numerous linting errors, including: - use of future-reserved `public` and `private` variable names - use of `[]` instead of dot-notation (especially `express['static']` and `cacheRules['x']`) - extra spaces in `const { run } = Ember` style constructs One issue that did become apparent is that there are conflicting rules that prevent the use of object function shorthand such that both of these: ``` { myFunc() {} } { myFunc () {} } ``` are called out due to either the missing or the extra space before the `(` 2015-10-12 19:54:15 +03:00			`module.exports = privateBlogging;`