Ghost/core/server/services/auth/authenticate.js

const passport = require('passport');
const authUtils = require('./utils');
const models = require('../../models');
const common = require('../../lib/common');
const session = require('./session');

const authenticate = {
    // ### Authenticate Client Middleware
    authenticateClient: function authenticateClient(req, res, next) {
        /**
         * In theory, client authentication is not required for public clients, only for confidential clients.
         * See e.g. https://tools.ietf.org/html/rfc6749#page-38. Ghost has no differentiation for this at the moment.
         * See also See https://tools.ietf.org/html/rfc6749#section-2.1.
         *
         * Ghost requires client authentication for `grant_type: password`, because we have to ensure that
         * we tie a client to a new access token. That means `grant_type: refresh_token` does not require
         * client authentication, because binding a client already happened.
         *
         * To sum up:
         *   - password authentication requires client authentication
         *   - refreshing a token does not require client authentication
         *   - public API requires client authentication
         *      - as soon as you send an access token in the header or via query
         *      - we deny public API access
         *   - API access with a Bearer does not require client authentication
         */
        if (authUtils.getBearerAutorizationToken(req) && !authUtils.hasGrantType(req, 'password')) {
            return next();
        }

        if (req.query && req.query.client_id) {
            req.body.client_id = req.query.client_id;
        }

        if (req.query && req.query.client_secret) {
            req.body.client_secret = req.query.client_secret;
        }

        if (!req.body.client_id || !req.body.client_secret) {
            return next(new common.errors.UnauthorizedError({
                message: common.i18n.t('errors.middleware.auth.accessDenied'),
                context: common.i18n.t('errors.middleware.auth.clientCredentialsNotProvided'),
                help: common.i18n.t('errors.middleware.auth.forInformationRead', {url: 'https://api.ghost.org/docs/client-authentication'})
            }));
        }

        return passport.authenticate(['oauth2-client-password'], {session: false, failWithError: false},
            function authenticate(err, client) {
                if (err) {
                    return next(err); // will generate a 500 error
                }

                // req.body needs to be null for GET requests to build options correctly
                delete req.body.client_id;
                delete req.body.client_secret;

                if (!client) {
                    return next(new common.errors.UnauthorizedError({
                        message: common.i18n.t('errors.middleware.auth.accessDenied'),
                        context: common.i18n.t('errors.middleware.auth.clientCredentialsNotValid'),
                        help: common.i18n.t('errors.middleware.auth.forInformationRead', {url: 'https://api.ghost.org/docs/client-authentication'})
                    }));
                }

                req.client = client;

                common.events.emit('client.authenticated', client);
                return next(null, client);
            }
        )(req, res, next);
    },

    // ### Authenticate User Middleware
    authenticateUser: function authenticateUser(req, res, next) {
        return passport.authenticate('bearer', {session: false, failWithError: false},
            function authenticate(err, user, info) {
                if (err) {
                    return next(err); // will generate a 500 error
                }

                if (user) {
                    req.authInfo = info;
                    req.user = user;

                    common.events.emit('user.authenticated', user);
                    return next(null, user, info);
                } else if (authUtils.getBearerAutorizationToken(req)) {
                    return next(new common.errors.UnauthorizedError({
                        message: common.i18n.t('errors.middleware.auth.accessDenied')
                    }));
                } else if (req.client) {
                    req.user = {id: models.User.externalUser};
                    return next();
                }

                return next(new common.errors.UnauthorizedError({
                    message: common.i18n.t('errors.middleware.auth.accessDenied')
                }));
            }
        )(req, res, next);
    },

    authenticateAdminAPI: [session.safeGetSession, session.getUser]
};

module.exports = authenticate;
Wired up {GET,POST,DELETE} /session to v2 admin api * Added admin specific auth{enticate,orize} middleware refs #9865 This middleware will be used by the admin api to authenticate and authorize requests * Update v2/admin to use authAdminApi middleware refs #9865 This changes thh auth middleware to use the adminApi authenticate and authorize middlewares underneath, it also renames the middleware to be consistent with the naming of the api. * Removed oauth specific endpoints from /v2/admin refs #9865 These are not to be used in v2/admin * Wired up the session controller to the admin api refs #9865 These endpoints will be used by ghost admin to login, confirm logged in status and logout 2018-10-05 13:45:17 +03:00			`const passport = require('passport');`
			`const authUtils = require('./utils');`
			`const models = require('../../models');`
			`const common = require('../../lib/common');`
			`const session = require('./session');`
Public API refs #4180 closes #4181 - added client and user authentication - added authenticatePublic/authenticatePrivate as workaround for missing permissions - added domain validation - added CORS header for valid clients - merged authenticate.js and client-auth.js into auth.js - removed middleware/api-error-handlers.js - removed authentication middleware - added and updated tests 2015-10-22 16:28:47 +03:00
Wired up {GET,POST,DELETE} /session to v2 admin api * Added admin specific auth{enticate,orize} middleware refs #9865 This middleware will be used by the admin api to authenticate and authorize requests * Update v2/admin to use authAdminApi middleware refs #9865 This changes thh auth middleware to use the adminApi authenticate and authorize middlewares underneath, it also renames the middleware to be consistent with the naming of the api. * Removed oauth specific endpoints from /v2/admin refs #9865 These are not to be used in v2/admin * Wired up the session controller to the admin api refs #9865 These endpoints will be used by ghost admin to login, confirm logged in status and logout 2018-10-05 13:45:17 +03:00			`const authenticate = {`
Public API refs #4180 closes #4181 - added client and user authentication - added authenticatePublic/authenticatePrivate as workaround for missing permissions - added domain validation - added CORS header for valid clients - merged authenticate.js and client-auth.js into auth.js - removed middleware/api-error-handlers.js - removed authentication middleware - added and updated tests 2015-10-22 16:28:47 +03:00			`// ### Authenticate Client Middleware`
			`authenticateClient: function authenticateClient(req, res, next) {`
🐛 Fixed error for password authentication with Bearer Token (#9227) refs #8613, refs #9228 - if you send a request to /authentication/token with `grant_type:password` and a Bearer token, Ghost was not able to handle this combination - because it skipped the client authentication, see https://github.com/TryGhost/Ghost/blob/1.17.0/core/server/auth/authenticate.js#L13 - and OAuth detects the `grant_type: password` and jumps in the target implementation - the target implementation for password authentication again tried to fetch the client and failed, because it relied on the previous client authentication - see https://github.com/TryGhost/Ghost/blob/1.17.0/core/server/auth/oauth.js#L40 (client.slug is undefined if client authentication is skipped) - ^ so this is the bug - we can skip client authentication for requests to the API to fetch data for example e.g. GET /posts (including Bearer) - so when is a client authentication required? - RFC (https://tools.ietf.org/html/rfc6749#page-38) differentiates between confidential and public clients, Ghost has no implementation for this at the moment - so in theory, public clients don't have to be authenticated, only if the credentials are included - to not invent a breaking change, i decided to only make the client authentication required for password authentication - we could change this in Ghost 2.0 I have removed the extra client request to the database for the password authentication, this is not needed. We already do client password authentication [here](https://github.com/TryGhost/Ghost/blob/1.17.0/core/server/auth/auth-strategies.js#L19); If a Bearer token is present and you have not send a `grant_type` (which signalises OAuth to do authentication), you can skip the client authentication. 2017-11-09 17:11:29 +03:00			`/**`
			`* In theory, client authentication is not required for public clients, only for confidential clients.`
			`* See e.g. https://tools.ietf.org/html/rfc6749#page-38. Ghost has no differentiation for this at the moment.`
			`* See also See https://tools.ietf.org/html/rfc6749#section-2.1.`
			`*`
			* Ghost requires client authentication for `grant_type: password`, because we have to ensure that
			* we tie a client to a new access token. That means `grant_type: refresh_token` does not require
			`* client authentication, because binding a client already happened.`
			`*`
			`* To sum up:`
			`* - password authentication requires client authentication`
			`* - refreshing a token does not require client authentication`
			`* - public API requires client authentication`
			`* - as soon as you send an access token in the header or via query`
			`* - we deny public API access`
			`* - API access with a Bearer does not require client authentication`
			`*/`
			`if (authUtils.getBearerAutorizationToken(req) && !authUtils.hasGrantType(req, 'password')) {`
Public API refs #4180 closes #4181 - added client and user authentication - added authenticatePublic/authenticatePrivate as workaround for missing permissions - added domain validation - added CORS header for valid clients - merged authenticate.js and client-auth.js into auth.js - removed middleware/api-error-handlers.js - removed authentication middleware - added and updated tests 2015-10-22 16:28:47 +03:00			`return next();`
			`}`

			`if (req.query && req.query.client_id) {`
			`req.body.client_id = req.query.client_id;`
			`}`

			`if (req.query && req.query.client_secret) {`
			`req.body.client_secret = req.query.client_secret;`
			`}`

			`if (!req.body.client_id \|\| !req.body.client_secret) {`
Import lib/common only refs #9178 - avoid importing 4 modules (logging, errors, events and i18n) - simply require common in each file 2017-12-12 00:47:46 +03:00			`return next(new common.errors.UnauthorizedError({`
			`message: common.i18n.t('errors.middleware.auth.accessDenied'),`
			`context: common.i18n.t('errors.middleware.auth.clientCredentialsNotProvided'),`
Updated docs links refs #9742 - rebase against master updated some docs links again - go over code base again and double check that all docs links are correct - 2.0 will become the latest version on our readme pages 2018-07-24 12:35:33 +03:00			`help: common.i18n.t('errors.middleware.auth.forInformationRead', {url: 'https://api.ghost.org/docs/client-authentication'})`
✨ Error creation (#7477) refs #7116, refs #2001 - Changes the way Ghost errors are implemented to benefit from proper inheritance - Moves all error definitions into a single file - Changes the error constructor to take an options object, rather than needing the arguments to be passed in the correct order. - Provides a wrapper so that any errors that haven't already been converted to GhostErrors get converted before they are displayed. Summary of changes: * 🐛 set NODE_ENV in config handler * ✨ add GhostError implementation (core/server/errors.js) - register all errors in one file - inheritance from GhostError - option pattern * 🔥 remove all error files * ✨ wrap all errors into GhostError in case of HTTP * 🎨 adaptions - option pattern for errors - use GhostError when needed * 🎨 revert debug deletion and add TODO for error id's 2016-10-06 15:27:35 +03:00			`}));`
Public API refs #4180 closes #4181 - added client and user authentication - added authenticatePublic/authenticatePrivate as workaround for missing permissions - added domain validation - added CORS header for valid clients - merged authenticate.js and client-auth.js into auth.js - removed middleware/api-error-handlers.js - removed authentication middleware - added and updated tests 2015-10-22 16:28:47 +03:00			`}`

			`return passport.authenticate(['oauth2-client-password'], {session: false, failWithError: false},`
			`function authenticate(err, client) {`
			`if (err) {`
			`return next(err); // will generate a 500 error`
			`}`

Ensure public api can uses limit parameter No Issue - removes client id and secret after authentication - adds tests to check default limit, all and integer 2015-10-28 21:39:10 +03:00			`// req.body needs to be null for GET requests to build options correctly`
			`delete req.body.client_id;`
			`delete req.body.client_secret;`

add small permission improvements no issue - do not check client type in auth middleware - offer filtering for findAll function in base - add isInternalContext to base model 2016-04-14 18:54:49 +03:00			`if (!client) {`
Import lib/common only refs #9178 - avoid importing 4 modules (logging, errors, events and i18n) - simply require common in each file 2017-12-12 00:47:46 +03:00			`return next(new common.errors.UnauthorizedError({`
			`message: common.i18n.t('errors.middleware.auth.accessDenied'),`
			`context: common.i18n.t('errors.middleware.auth.clientCredentialsNotValid'),`
Updated docs links refs #9742 - rebase against master updated some docs links again - go over code base again and double check that all docs links are correct - 2.0 will become the latest version on our readme pages 2018-07-24 12:35:33 +03:00			`help: common.i18n.t('errors.middleware.auth.forInformationRead', {url: 'https://api.ghost.org/docs/client-authentication'})`
✨ Error creation (#7477) refs #7116, refs #2001 - Changes the way Ghost errors are implemented to benefit from proper inheritance - Moves all error definitions into a single file - Changes the error constructor to take an options object, rather than needing the arguments to be passed in the correct order. - Provides a wrapper so that any errors that haven't already been converted to GhostErrors get converted before they are displayed. Summary of changes: * 🐛 set NODE_ENV in config handler * ✨ add GhostError implementation (core/server/errors.js) - register all errors in one file - inheritance from GhostError - option pattern * 🔥 remove all error files * ✨ wrap all errors into GhostError in case of HTTP * 🎨 adaptions - option pattern for errors - use GhostError when needed * 🎨 revert debug deletion and add TODO for error id's 2016-10-06 15:27:35 +03:00			`}));`
Improvements to client auth error logging no issue - If client credentials are missing, or not valid, output a clear message in the server console - Still defaults to sending the 'access denied to url' error to the frontend 2015-12-14 18:35:19 +03:00			`}`

Relax origin checking in auth middleware Refs #6642 - Do not send CORS headers on an invalid "origin" header, but otherwise allow the response to proceed normally. This enforces CORS for the browser but does not blow up non-CORS requests. 2016-03-26 21:26:57 +03:00			`req.client = client;`
Add middleware for handling CORS Refs #6644 - deps: cors@2.7.1; Add express cors package. - Adds new middleware for proper CORS support. - Handles CORS pre-flight checks. - Separates request authentication/authorization from CORS. 2016-03-27 01:28:00 +03:00
Import lib/common only refs #9178 - avoid importing 4 modules (logging, errors, events and i18n) - simply require common in each file 2017-12-12 00:47:46 +03:00			`common.events.emit('client.authenticated', client);`
Relax origin checking in auth middleware Refs #6642 - Do not send CORS headers on an invalid "origin" header, but otherwise allow the response to proceed normally. This enforces CORS for the browser but does not blow up non-CORS requests. 2016-03-26 21:26:57 +03:00			`return next(null, client);`
Public API refs #4180 closes #4181 - added client and user authentication - added authenticatePublic/authenticatePrivate as workaround for missing permissions - added domain validation - added CORS header for valid clients - merged authenticate.js and client-auth.js into auth.js - removed middleware/api-error-handlers.js - removed authentication middleware - added and updated tests 2015-10-22 16:28:47 +03:00			`}`
			`)(req, res, next);`
			`},`

			`// ### Authenticate User Middleware`
			`authenticateUser: function authenticateUser(req, res, next) {`
			`return passport.authenticate('bearer', {session: false, failWithError: false},`
			`function authenticate(err, user, info) {`
			`if (err) {`
			`return next(err); // will generate a 500 error`
			`}`

			`if (user) {`
			`req.authInfo = info;`
			`req.user = user;`
Add user and client authentication events no issue - slowly rolling out events across the app 2016-04-04 05:40:23 +03:00
Import lib/common only refs #9178 - avoid importing 4 modules (logging, errors, events and i18n) - simply require common in each file 2017-12-12 00:47:46 +03:00			`common.events.emit('user.authenticated', user);`
Public API refs #4180 closes #4181 - added client and user authentication - added authenticatePublic/authenticatePrivate as workaround for missing permissions - added domain validation - added CORS header for valid clients - merged authenticate.js and client-auth.js into auth.js - removed middleware/api-error-handlers.js - removed authentication middleware - added and updated tests 2015-10-22 16:28:47 +03:00			`return next(null, user, info);`
🐛 🎨 old accesstokens are not cleaned up (#8065) closes #8035 - create auth/utils - use authUtils.createTokens for all cases - decrease the expiry of the old access token before creating a new one 2017-03-01 13:12:03 +03:00			`} else if (authUtils.getBearerAutorizationToken(req)) {`
Import lib/common only refs #9178 - avoid importing 4 modules (logging, errors, events and i18n) - simply require common in each file 2017-12-12 00:47:46 +03:00			`return next(new common.errors.UnauthorizedError({`
			`message: common.i18n.t('errors.middleware.auth.accessDenied')`
✨ Error creation (#7477) refs #7116, refs #2001 - Changes the way Ghost errors are implemented to benefit from proper inheritance - Moves all error definitions into a single file - Changes the error constructor to take an options object, rather than needing the arguments to be passed in the correct order. - Provides a wrapper so that any errors that haven't already been converted to GhostErrors get converted before they are displayed. Summary of changes: * 🐛 set NODE_ENV in config handler * ✨ add GhostError implementation (core/server/errors.js) - register all errors in one file - inheritance from GhostError - option pattern * 🔥 remove all error files * ✨ wrap all errors into GhostError in case of HTTP * 🎨 adaptions - option pattern for errors - use GhostError when needed * 🎨 revert debug deletion and add TODO for error id's 2016-10-06 15:27:35 +03:00			`}));`
Public API refs #4180 closes #4181 - added client and user authentication - added authenticatePublic/authenticatePrivate as workaround for missing permissions - added domain validation - added CORS header for valid clients - merged authenticate.js and client-auth.js into auth.js - removed middleware/api-error-handlers.js - removed authentication middleware - added and updated tests 2015-10-22 16:28:47 +03:00			`} else if (req.client) {`
🎨 tidy up static id (owner, internal, external) usages (#7675) refs #7494, refs #7495 This PR is an extracted clean up feature of #7495. We are using everywhere static id checks (userId === 0 or userId === 1). This PR moves the static values into the Base model. This makes it 1. way more readable and 2. we can change the id's in a central place. I changed the most important occurrences - no tests are touched (yet!). The background is: when changing from auto increment id (number) to ObjectId's (string) we still need to support id 1 and 0, because Ghost relies on these two static id's. I would like to support using both: 0/1 as string and 0/1 as number. 1 === owner/internal 0 === external Another important change: User Model does not longer define the contextUser method, because i couldn't find a reason? I looked in Git history, see https://github.com/TryGhost/Ghost/commit/6e482751601b8d23b3a06aec890b79c92eaf4af2 2016-11-09 18:01:07 +03:00			`req.user = {id: models.User.externalUser};`
Public API refs #4180 closes #4181 - added client and user authentication - added authenticatePublic/authenticatePrivate as workaround for missing permissions - added domain validation - added CORS header for valid clients - merged authenticate.js and client-auth.js into auth.js - removed middleware/api-error-handlers.js - removed authentication middleware - added and updated tests 2015-10-22 16:28:47 +03:00			`return next();`
			`}`

Import lib/common only refs #9178 - avoid importing 4 modules (logging, errors, events and i18n) - simply require common in each file 2017-12-12 00:47:46 +03:00			`return next(new common.errors.UnauthorizedError({`
			`message: common.i18n.t('errors.middleware.auth.accessDenied')`
✨ Error creation (#7477) refs #7116, refs #2001 - Changes the way Ghost errors are implemented to benefit from proper inheritance - Moves all error definitions into a single file - Changes the error constructor to take an options object, rather than needing the arguments to be passed in the correct order. - Provides a wrapper so that any errors that haven't already been converted to GhostErrors get converted before they are displayed. Summary of changes: * 🐛 set NODE_ENV in config handler * ✨ add GhostError implementation (core/server/errors.js) - register all errors in one file - inheritance from GhostError - option pattern * 🔥 remove all error files * ✨ wrap all errors into GhostError in case of HTTP * 🎨 adaptions - option pattern for errors - use GhostError when needed * 🎨 revert debug deletion and add TODO for error id's 2016-10-06 15:27:35 +03:00			`}));`
Public API refs #4180 closes #4181 - added client and user authentication - added authenticatePublic/authenticatePrivate as workaround for missing permissions - added domain validation - added CORS header for valid clients - merged authenticate.js and client-auth.js into auth.js - removed middleware/api-error-handlers.js - removed authentication middleware - added and updated tests 2015-10-22 16:28:47 +03:00			`}`
			`)(req, res, next);`
Wired up {GET,POST,DELETE} /session to v2 admin api * Added admin specific auth{enticate,orize} middleware refs #9865 This middleware will be used by the admin api to authenticate and authorize requests * Update v2/admin to use authAdminApi middleware refs #9865 This changes thh auth middleware to use the adminApi authenticate and authorize middlewares underneath, it also renames the middleware to be consistent with the naming of the api. * Removed oauth specific endpoints from /v2/admin refs #9865 These are not to be used in v2/admin * Wired up the session controller to the admin api refs #9865 These endpoints will be used by ghost admin to login, confirm logged in status and logout 2018-10-05 13:45:17 +03:00			`},`

			`authenticateAdminAPI: [session.safeGetSession, session.getUser]`
Public API refs #4180 closes #4181 - added client and user authentication - added authenticatePublic/authenticatePrivate as workaround for missing permissions - added domain validation - added CORS header for valid clients - merged authenticate.js and client-auth.js into auth.js - removed middleware/api-error-handlers.js - removed authentication middleware - added and updated tests 2015-10-22 16:28:47 +03:00			`};`

✨ Ghost OAuth (#7451) issue #7452 Remote oauth2 authentication with Ghost.org. This PR supports: - oauth2 login or local login - authentication on blog setup - authentication on invite - normal authentication - does not contain many, many tests, but we'll improve in the next alpha weeks 2016-09-30 14:45:59 +03:00			`module.exports = authenticate;`