2018-10-05 13:45:17 +03:00
|
|
|
const passport = require('passport');
|
|
|
|
const authUtils = require('./utils');
|
|
|
|
const models = require('../../models');
|
|
|
|
const common = require('../../lib/common');
|
|
|
|
const session = require('./session');
|
2018-10-15 12:23:34 +03:00
|
|
|
const apiKeyAuth = require('./api-key');
|
2018-11-08 12:57:42 +03:00
|
|
|
const members = require('./members');
|
2015-10-22 16:28:47 +03:00
|
|
|
|
2018-10-05 13:45:17 +03:00
|
|
|
const authenticate = {
|
2015-10-22 16:28:47 +03:00
|
|
|
// ### Authenticate Client Middleware
|
|
|
|
authenticateClient: function authenticateClient(req, res, next) {
|
🐛 Fixed error for password authentication with Bearer Token (#9227)
refs #8613, refs #9228
- if you send a request to /authentication/token with `grant_type:password` and a Bearer token, Ghost was not able to handle this combination
- because it skipped the client authentication, see https://github.com/TryGhost/Ghost/blob/1.17.0/core/server/auth/authenticate.js#L13
- and OAuth detects the `grant_type: password` and jumps in the target implementation
- the target implementation for password authentication **again** tried to fetch the client and failed, because it relied on the previous client authentication
- see https://github.com/TryGhost/Ghost/blob/1.17.0/core/server/auth/oauth.js#L40 (client.slug is undefined if client authentication is skipped)
- ^ so this is the bug
- we **can** skip client authentication for requests to the API to fetch data for example e.g. GET /posts (including Bearer)
- so when is a client authentication required?
- RFC (https://tools.ietf.org/html/rfc6749#page-38) differentiates between confidential and public clients, Ghost has no implementation for this at the moment
- so in theory, public clients don't have to be authenticated, only if the credentials are included
- to not invent a breaking change, i decided to only make the client authentication required for password authentication
- we could change this in Ghost 2.0
I have removed the extra client request to the database for the password authentication, this is not needed. We already do client password authentication [here](https://github.com/TryGhost/Ghost/blob/1.17.0/core/server/auth/auth-strategies.js#L19);
If a Bearer token is present and you have not send a `grant_type` (which signalises OAuth to do authentication), you can skip the client authentication.
2017-11-09 17:11:29 +03:00
|
|
|
/**
|
|
|
|
* In theory, client authentication is not required for public clients, only for confidential clients.
|
|
|
|
* See e.g. https://tools.ietf.org/html/rfc6749#page-38. Ghost has no differentiation for this at the moment.
|
|
|
|
* See also See https://tools.ietf.org/html/rfc6749#section-2.1.
|
|
|
|
*
|
|
|
|
* Ghost requires client authentication for `grant_type: password`, because we have to ensure that
|
|
|
|
* we tie a client to a new access token. That means `grant_type: refresh_token` does not require
|
|
|
|
* client authentication, because binding a client already happened.
|
|
|
|
*
|
|
|
|
* To sum up:
|
|
|
|
* - password authentication requires client authentication
|
|
|
|
* - refreshing a token does not require client authentication
|
|
|
|
* - public API requires client authentication
|
|
|
|
* - as soon as you send an access token in the header or via query
|
|
|
|
* - we deny public API access
|
|
|
|
* - API access with a Bearer does not require client authentication
|
|
|
|
*/
|
|
|
|
if (authUtils.getBearerAutorizationToken(req) && !authUtils.hasGrantType(req, 'password')) {
|
2015-10-22 16:28:47 +03:00
|
|
|
return next();
|
|
|
|
}
|
|
|
|
|
|
|
|
if (req.query && req.query.client_id) {
|
|
|
|
req.body.client_id = req.query.client_id;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (req.query && req.query.client_secret) {
|
|
|
|
req.body.client_secret = req.query.client_secret;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!req.body.client_id || !req.body.client_secret) {
|
2017-12-12 00:47:46 +03:00
|
|
|
return next(new common.errors.UnauthorizedError({
|
|
|
|
message: common.i18n.t('errors.middleware.auth.accessDenied'),
|
|
|
|
context: common.i18n.t('errors.middleware.auth.clientCredentialsNotProvided'),
|
2018-07-24 12:35:33 +03:00
|
|
|
help: common.i18n.t('errors.middleware.auth.forInformationRead', {url: 'https://api.ghost.org/docs/client-authentication'})
|
2016-10-06 15:27:35 +03:00
|
|
|
}));
|
2015-10-22 16:28:47 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
return passport.authenticate(['oauth2-client-password'], {session: false, failWithError: false},
|
|
|
|
function authenticate(err, client) {
|
|
|
|
if (err) {
|
|
|
|
return next(err); // will generate a 500 error
|
|
|
|
}
|
|
|
|
|
2015-10-28 21:39:10 +03:00
|
|
|
// req.body needs to be null for GET requests to build options correctly
|
|
|
|
delete req.body.client_id;
|
|
|
|
delete req.body.client_secret;
|
|
|
|
|
2016-04-14 18:54:49 +03:00
|
|
|
if (!client) {
|
2017-12-12 00:47:46 +03:00
|
|
|
return next(new common.errors.UnauthorizedError({
|
|
|
|
message: common.i18n.t('errors.middleware.auth.accessDenied'),
|
|
|
|
context: common.i18n.t('errors.middleware.auth.clientCredentialsNotValid'),
|
2018-07-24 12:35:33 +03:00
|
|
|
help: common.i18n.t('errors.middleware.auth.forInformationRead', {url: 'https://api.ghost.org/docs/client-authentication'})
|
2016-10-06 15:27:35 +03:00
|
|
|
}));
|
2015-12-14 18:35:19 +03:00
|
|
|
}
|
|
|
|
|
2016-03-26 21:26:57 +03:00
|
|
|
req.client = client;
|
2016-03-27 01:28:00 +03:00
|
|
|
|
2017-12-12 00:47:46 +03:00
|
|
|
common.events.emit('client.authenticated', client);
|
2016-03-26 21:26:57 +03:00
|
|
|
return next(null, client);
|
2015-10-22 16:28:47 +03:00
|
|
|
}
|
|
|
|
)(req, res, next);
|
|
|
|
},
|
|
|
|
|
|
|
|
// ### Authenticate User Middleware
|
|
|
|
authenticateUser: function authenticateUser(req, res, next) {
|
|
|
|
return passport.authenticate('bearer', {session: false, failWithError: false},
|
|
|
|
function authenticate(err, user, info) {
|
|
|
|
if (err) {
|
|
|
|
return next(err); // will generate a 500 error
|
|
|
|
}
|
|
|
|
|
|
|
|
if (user) {
|
|
|
|
req.authInfo = info;
|
|
|
|
req.user = user;
|
2016-04-04 05:40:23 +03:00
|
|
|
|
2017-12-12 00:47:46 +03:00
|
|
|
common.events.emit('user.authenticated', user);
|
2015-10-22 16:28:47 +03:00
|
|
|
return next(null, user, info);
|
2017-03-01 13:12:03 +03:00
|
|
|
} else if (authUtils.getBearerAutorizationToken(req)) {
|
2017-12-12 00:47:46 +03:00
|
|
|
return next(new common.errors.UnauthorizedError({
|
|
|
|
message: common.i18n.t('errors.middleware.auth.accessDenied')
|
2016-10-06 15:27:35 +03:00
|
|
|
}));
|
2015-10-22 16:28:47 +03:00
|
|
|
} else if (req.client) {
|
2016-11-09 18:01:07 +03:00
|
|
|
req.user = {id: models.User.externalUser};
|
2015-10-22 16:28:47 +03:00
|
|
|
return next();
|
|
|
|
}
|
|
|
|
|
2017-12-12 00:47:46 +03:00
|
|
|
return next(new common.errors.UnauthorizedError({
|
|
|
|
message: common.i18n.t('errors.middleware.auth.accessDenied')
|
2016-10-06 15:27:35 +03:00
|
|
|
}));
|
2015-10-22 16:28:47 +03:00
|
|
|
}
|
|
|
|
)(req, res, next);
|
2018-10-05 13:45:17 +03:00
|
|
|
},
|
|
|
|
|
2019-01-30 22:17:25 +03:00
|
|
|
authenticateAdminApi: [apiKeyAuth.admin.authenticate, session.authenticate],
|
2019-01-18 19:03:03 +03:00
|
|
|
|
2018-11-08 12:57:42 +03:00
|
|
|
authenticateContentApi: [apiKeyAuth.content.authenticateContentApiKey, members.authenticateMembersToken]
|
2015-10-22 16:28:47 +03:00
|
|
|
};
|
|
|
|
|
2016-09-30 14:45:59 +03:00
|
|
|
module.exports = authenticate;
|