Ghost/core/server/api/middleware.js

var prettyURLs = require('../middleware/pretty-urls'),
    cors = require('../middleware/api/cors'),
    urlRedirects = require('../middleware/url-redirects'),
    auth = require('../auth');

/**
 * Auth Middleware Packages
 *
 * IMPORTANT
 * - cors middleware MUST happen before pretty urls, because otherwise cors header can get lost on redirect
 * - cors middleware MUST happen after authenticateClient, because authenticateClient reads the trusted domains
 * - url redirects MUST happen after cors, otherwise cors header can get lost on redirect
 */

/**
 * Authentication for public endpoints
 */
module.exports.authenticatePublic = [
    auth.authenticate.authenticateClient,
    auth.authenticate.authenticateUser,
    // This is a labs-enabled middleware
    auth.authorize.requiresAuthorizedUserPublicAPI,
    cors,
    urlRedirects,
    prettyURLs
];

/**
 * Authentication for private endpoints
 */
module.exports.authenticatePrivate = [
    auth.authenticate.authenticateClient,
    auth.authenticate.authenticateUser,
    auth.authorize.requiresAuthorizedUser,
    cors,
    urlRedirects,
    prettyURLs
];

/**
 * Authentication for client endpoints
 */
module.exports.authenticateClient = function authenticateClient(client) {
    return [
        auth.authenticate.authenticateClient,
        auth.authenticate.authenticateUser,
        auth.authorize.requiresAuthorizedClient(client),
        cors,
        urlRedirects,
        prettyURLs
    ];
};
API express app routing & middleware improvements (#8883) no issue - Split routes out from the API app 🎨 - Use the same pattern as the blog app - General cleanup/unification across all of the `app.js` files - Split middleware config out from API routes - Logical groupings make it easier to see WTF is going on 😬 2017-08-17 13:52:58 +03:00			`var prettyURLs = require('../middleware/pretty-urls'),`
			`cors = require('../middleware/api/cors'),`
🐛 Fixed public api access on custom domain no issue - if you blog runs on a custom domain, but your admin panel is configured using a different domain -> Ghost losts the origin header - we had this situation once with pretty urls (your request get's redirected from /posts to /posts/, see https://github.com/TryGhost/Ghost/pull/8094) - we've moved all our redirect logic to Ghost and ran into the same situation - i've added proper test to ensure it won't happen again 2017-09-13 20:24:11 +03:00			`urlRedirects = require('../middleware/url-redirects'),`
API express app routing & middleware improvements (#8883) no issue - Split routes out from the API app 🎨 - Use the same pattern as the blog app - General cleanup/unification across all of the `app.js` files - Split middleware config out from API routes - Logical groupings make it easier to see WTF is going on 😬 2017-08-17 13:52:58 +03:00			`auth = require('../auth');`

			`/**`
			`* Auth Middleware Packages`
			`*`
			`* IMPORTANT`
🐛 Fixed public api access on custom domain no issue - if you blog runs on a custom domain, but your admin panel is configured using a different domain -> Ghost losts the origin header - we had this situation once with pretty urls (your request get's redirected from /posts to /posts/, see https://github.com/TryGhost/Ghost/pull/8094) - we've moved all our redirect logic to Ghost and ran into the same situation - i've added proper test to ensure it won't happen again 2017-09-13 20:24:11 +03:00			`* - cors middleware MUST happen before pretty urls, because otherwise cors header can get lost on redirect`
API express app routing & middleware improvements (#8883) no issue - Split routes out from the API app 🎨 - Use the same pattern as the blog app - General cleanup/unification across all of the `app.js` files - Split middleware config out from API routes - Logical groupings make it easier to see WTF is going on 😬 2017-08-17 13:52:58 +03:00			`* - cors middleware MUST happen after authenticateClient, because authenticateClient reads the trusted domains`
🐛 Fixed public api access on custom domain no issue - if you blog runs on a custom domain, but your admin panel is configured using a different domain -> Ghost losts the origin header - we had this situation once with pretty urls (your request get's redirected from /posts to /posts/, see https://github.com/TryGhost/Ghost/pull/8094) - we've moved all our redirect logic to Ghost and ran into the same situation - i've added proper test to ensure it won't happen again 2017-09-13 20:24:11 +03:00			`* - url redirects MUST happen after cors, otherwise cors header can get lost on redirect`
API express app routing & middleware improvements (#8883) no issue - Split routes out from the API app 🎨 - Use the same pattern as the blog app - General cleanup/unification across all of the `app.js` files - Split middleware config out from API routes - Logical groupings make it easier to see WTF is going on 😬 2017-08-17 13:52:58 +03:00			`*/`

			`/**`
			`* Authentication for public endpoints`
			`*/`
			`module.exports.authenticatePublic = [`
			`auth.authenticate.authenticateClient,`
			`auth.authenticate.authenticateUser,`
			`// This is a labs-enabled middleware`
			`auth.authorize.requiresAuthorizedUserPublicAPI,`
			`cors,`
🐛 Fixed public api access on custom domain no issue - if you blog runs on a custom domain, but your admin panel is configured using a different domain -> Ghost losts the origin header - we had this situation once with pretty urls (your request get's redirected from /posts to /posts/, see https://github.com/TryGhost/Ghost/pull/8094) - we've moved all our redirect logic to Ghost and ran into the same situation - i've added proper test to ensure it won't happen again 2017-09-13 20:24:11 +03:00			`urlRedirects,`
API express app routing & middleware improvements (#8883) no issue - Split routes out from the API app 🎨 - Use the same pattern as the blog app - General cleanup/unification across all of the `app.js` files - Split middleware config out from API routes - Logical groupings make it easier to see WTF is going on 😬 2017-08-17 13:52:58 +03:00			`prettyURLs`
			`];`

			`/**`
			`* Authentication for private endpoints`
			`*/`
			`module.exports.authenticatePrivate = [`
			`auth.authenticate.authenticateClient,`
			`auth.authenticate.authenticateUser,`
			`auth.authorize.requiresAuthorizedUser,`
			`cors,`
🐛 Fixed public api access on custom domain no issue - if you blog runs on a custom domain, but your admin panel is configured using a different domain -> Ghost losts the origin header - we had this situation once with pretty urls (your request get's redirected from /posts to /posts/, see https://github.com/TryGhost/Ghost/pull/8094) - we've moved all our redirect logic to Ghost and ran into the same situation - i've added proper test to ensure it won't happen again 2017-09-13 20:24:11 +03:00			`urlRedirects,`
API express app routing & middleware improvements (#8883) no issue - Split routes out from the API app 🎨 - Use the same pattern as the blog app - General cleanup/unification across all of the `app.js` files - Split middleware config out from API routes - Logical groupings make it easier to see WTF is going on 😬 2017-08-17 13:52:58 +03:00			`prettyURLs`
			`];`
Add ghost-backup client to trigger export (#8911) no issue - adds a ghost-backup client - adds a client authenticated endpoint to export blog for ghost-backup client only - allows some additional overrides during import - allows for an import by file to override locking a user and double hashing the password 2017-08-22 13:15:40 +03:00
			`/**`
			`* Authentication for client endpoints`
			`*/`
			`module.exports.authenticateClient = function authenticateClient(client) {`
			`return [`
			`auth.authenticate.authenticateClient,`
			`auth.authenticate.authenticateUser,`
			`auth.authorize.requiresAuthorizedClient(client),`
			`cors,`
🐛 Fixed public api access on custom domain no issue - if you blog runs on a custom domain, but your admin panel is configured using a different domain -> Ghost losts the origin header - we had this situation once with pretty urls (your request get's redirected from /posts to /posts/, see https://github.com/TryGhost/Ghost/pull/8094) - we've moved all our redirect logic to Ghost and ran into the same situation - i've added proper test to ensure it won't happen again 2017-09-13 20:24:11 +03:00			`urlRedirects,`
Add ghost-backup client to trigger export (#8911) no issue - adds a ghost-backup client - adds a client authenticated endpoint to export blog for ghost-backup client only - allows some additional overrides during import - allows for an import by file to override locking a user and double hashing the password 2017-08-22 13:15:40 +03:00			`prettyURLs`
			`];`
			`};`