TryGhost/Ghost
1
0
Fork 0
mirror of https://github.com/TryGhost/Ghost.git synced 2024-12-14 18:52:05 +03:00
Code Issues Projects Releases Wiki Activity
c62d7ba43e
Ghost/core/server/middleware/middleware.js

249 lines
9.1 KiB
JavaScript
Raw Normal View History

Putting back relative redirects issue #1523 - also added some comments to indicate the difference between the two custom middleware files.
2013-11-26 00:31:18 +04:00
// # Custom Middleware
// The following custom middleware functions are all unit testable, and have accompanying unit tests in
// middleware_spec.js
Lock down theme static directory to not serve templates, markdown and text files. closes #942 - insert custom middleware to check for blacklisted files - redirect to express.static if file accepted - if not valid return next() to do nothing - currently black listing .hbs, .txt, .md and .json - debatable which is best, black list or white list, either one will probably need tweaks but erred on side of letting a theme serve unknown types
2013-10-05 14:17:08 +04:00
Replace underscore with lodash.
2014-02-05 12:40:30 +04:00
var _ = require('lodash'),
Move middleware functions into middleware module and create associated tests Note: this only moves middleware functions that have associated tests.
2013-11-05 09:41:36 +04:00
express = require('express'),
Switch from multipart to busboy Fixes #1227 - Removed deprecated `multipart` references. - Setup `busboy` to pass along file streams and do a naive parse of form values. - Updated logic in file storage and db import to handle file streams instead of the temporary files created by `multipart`.
2013-12-04 06:47:39 +04:00
busboy = require('./ghost-busboy'),
Create the config module, initially used to standardise getting paths and absolute URLs. Easy to extend for other configurations we may need.
2013-11-20 17:58:52 +04:00
config = require('../config'),
Move middleware functions into middleware module and create associated tests Note: this only moves middleware functions that have associated tests.
2013-11-05 09:41:36 +04:00
path = require('path'),
remove ghost.settings and ghost.notifications covers 90% of #755 - moved ghost.settings to api.settings - moved ghost.notifications to api.notifications - split up api/index.js to notifications.js, posts.js, settings.js, tags.js and users.js - added instance.globals as temp workaround for blogglobals (Known issue: blog title and blog description are updated after restart only) - added webroot to config() to remove `var root = ...` - changed `e` and `url` helper to async - updated tests
2013-12-06 12:51:35 +04:00
api = require('../api'),
oAuth closes #2759 closes #3027 - added oauth2orize library for server side oAuth handling - added ember-simple-auth library for admin oAuth handling - added tables for client, accesstoken and refreshtoken - implemented RFC6749 4.3 Ressouce Owner Password Credentials Grant - updated api tests with oAuth - removed session, authentication is now token based Known issues: - Restore spam prevention #3128 - Signin after Signup #3125 - Signin validation #3125 **Attention** - oldClient doesn't work with this PR anymore, session authentication was removed
2014-06-30 16:58:10 +04:00
passport = require('passport'),
Restored spam prevention closes #3128 - added spam prevention middleware - restored tests
2014-07-17 16:22:07 +04:00
errors = require('../errors'),
Change refresh token expiry no issue - acquiring a new access token using a refresh token sets the expiration time of the refresh token to now + 24 hrs. - moved all occurrences of ONE_HOUR, ONE_DAY and ONE_YEAR to `core/server/utils`
2014-07-28 17:19:49 +04:00
utils = require('../utils'),
Cache control headers & query string asset management closes #1470 issue #1405 - added cache control middleware - added defaults for all routes, assets, etc - updated asset helper to add a query string with a timestamp hash to all assets - added unit tests for asset and ghostScriptTags helpers - added cache-control checks to route tests
2013-12-31 03:13:25 +04:00
expressServer,
oAuth closes #2759 closes #3027 - added oauth2orize library for server side oAuth handling - added ember-simple-auth library for admin oAuth handling - added tables for client, accesstoken and refreshtoken - implemented RFC6749 4.3 Ressouce Owner Password Credentials Grant - updated api tests with oAuth - removed session, authentication is now token based Known issues: - Restore spam prevention #3128 - Signin after Signup #3125 - Signin validation #3125 **Attention** - oldClient doesn't work with this PR anymore, session authentication was removed
2014-06-30 16:58:10 +04:00
oauthServer,
Improve spam prevention closes #3544 - limit forgotten password requests to five requests per IP per hour for different email addresses - limit forgotten password requests to five requests per email address - limit signin requests to ten failed requests per IP per hour - removed special treatment for tests
2014-08-05 14:58:58 +04:00
loginSecurity = [],
forgottenSecurity = [];
Lock down theme static directory to not serve templates, markdown and text files. closes #942 - insert custom middleware to check for blacklisted files - redirect to express.static if file accepted - if not valid return next() to do nothing - currently black listing .hbs, .txt, .md and .json - debatable which is best, black list or white list, either one will probably need tweaks but erred on side of letting a theme serve unknown types
2013-10-05 14:17:08 +04:00
function isBlackListedFileType(file) {
Remove .txt from blacklist. fixes #1263
2013-10-25 02:55:51 +04:00
var blackListedFileTypes = ['.hbs', '.md', '.json'],
Lock down theme static directory to not serve templates, markdown and text files. closes #942 - insert custom middleware to check for blacklisted files - redirect to express.static if file accepted - if not valid return next() to do nothing - currently black listing .hbs, .txt, .md and .json - debatable which is best, black list or white list, either one will probably need tweaks but erred on side of letting a theme serve unknown types
2013-10-05 14:17:08 +04:00
ext = path.extname(file);
return _.contains(blackListedFileTypes, ext);
}
Remove ghost.js fixes #1575 - Moves most code that was in ghost.js into ./core/server/index.js - Creates ./core/server/config/theme.js to hold all theme configurations (which previously lived on ghost.blogGlobals()) - Removed ghost.server, passing it in as an argument where needed and allowing middleware to hold onto a reference for lazy use.
2013-12-06 18:13:15 +04:00
function cacheServer(server) {
expressServer = server;
}
oAuth closes #2759 closes #3027 - added oauth2orize library for server side oAuth handling - added ember-simple-auth library for admin oAuth handling - added tables for client, accesstoken and refreshtoken - implemented RFC6749 4.3 Ressouce Owner Password Credentials Grant - updated api tests with oAuth - removed session, authentication is now token based Known issues: - Restore spam prevention #3128 - Signin after Signup #3125 - Signin validation #3125 **Attention** - oldClient doesn't work with this PR anymore, session authentication was removed
2014-06-30 16:58:10 +04:00
function cacheOauthServer(server) {
oauthServer = server;
}
Lock down theme static directory to not serve templates, markdown and text files. closes #942 - insert custom middleware to check for blacklisted files - redirect to express.static if file accepted - if not valid return next() to do nothing - currently black listing .hbs, .txt, .md and .json - debatable which is best, black list or white list, either one will probably need tweaks but erred on side of letting a theme serve unknown types
2013-10-05 14:17:08 +04:00
var middleware = {
Make session expiry less arsey closes #2171 - added authentication middleware - removed authentication from routes - moved authentication before CSRF validation - moved caching rules before authentication - changed/added test
2014-02-14 14:00:11 +04:00
// ### Authenticate Middleware
/ghost/reset/* should not redirect to signin fixes #2257
2014-02-25 14:20:32 +04:00
// authentication has to be done for /ghost/* routes with
Make session expiry less arsey closes #2171 - added authentication middleware - removed authentication from routes - moved authentication before CSRF validation - moved caching rules before authentication - changed/added test
2014-02-14 14:00:11 +04:00
// exceptions for signin, signout, signup, forgotten, reset only
// api and frontend use different authentication mechanisms atm
authenticate: function (req, res, next) {
Replace the old admin with the ember admin closes #3056 - Remove clientold - Remove clientold tests - Cleanup old admin helpers - Remove old routes from admin and controllers from admin controller - Comment out / remove old and broken tests - Cleanup Gruntfile.js, bower.js, package.json etc Still TODO: - cleanup / add removed tests - do we still need countable?
2014-07-01 03:26:08 +04:00
var path,
/ghost/reset/* should not redirect to signin fixes #2257
2014-02-25 14:20:32 +04:00
subPath;
// SubPath is the url path starting after any default subdirectories
// it is stripped of anything after the two levels `/ghost/.*?/` as the reset link has an argument
This aims to speed up both the ghost application and tests by migration from usage of config() to just an object of config. no relevant issue - Change 'loadConfig' task to 'ensureConfig' to more accurately reflect what it is actually doing. Its sole purpose is to make sure a `config.js` file exists, and as such the name now reflects that purpose. - Update config/index.js to export the ghostConfig object directly so that it can be accessed from other modules - Update all references of config(). to config. This was a blind global find all and replace, treat it as such. - Fixes to tests to support new config access method - Allow each test to still work when invoked invidually
2014-07-17 18:33:21 +04:00
path = req.path.substring(config.paths.subdir.length);
/ghost/reset/* should not redirect to signin fixes #2257
2014-02-25 14:20:32 +04:00
/*jslint regexp:true, unparam:true*/
User API changes closes #2822 - added destroy user method - added remove user permission - added API end point for get reset token - added API end point for reset password - added API end point for change password
2014-06-20 13:15:01 +04:00
subPath = path.replace(/^(\/.*?\/.*?\/)(.*)?/, function (match, a) {
/ghost/reset/* should not redirect to signin fixes #2257
2014-02-25 14:20:32 +04:00
return a;
});
Respect subdirectory in authenticate middleware
2014-02-20 02:53:40 +04:00
if (res.isAdmin) {
oAuth closes #2759 closes #3027 - added oauth2orize library for server side oAuth handling - added ember-simple-auth library for admin oAuth handling - added tables for client, accesstoken and refreshtoken - implemented RFC6749 4.3 Ressouce Owner Password Credentials Grant - updated api tests with oAuth - removed session, authentication is now token based Known issues: - Restore spam prevention #3128 - Signin after Signup #3125 - Signin validation #3125 **Attention** - oldClient doesn't work with this PR anymore, session authentication was removed
2014-06-30 16:58:10 +04:00
if (subPath.indexOf('/ghost/api/') === 0
Allow user to accept invitation closes #3081 - added route `/ghost/api/v0.1/authentication/invitation` - added accept invitation - added signup with token - removed check() from users api - fixed promise in resetPassword()
2014-07-03 19:06:07 +04:00
&& path.indexOf('/ghost/api/v0.1/authentication/') !== 0) {
oAuth closes #2759 closes #3027 - added oauth2orize library for server side oAuth handling - added ember-simple-auth library for admin oAuth handling - added tables for client, accesstoken and refreshtoken - implemented RFC6749 4.3 Ressouce Owner Password Credentials Grant - updated api tests with oAuth - removed session, authentication is now token based Known issues: - Restore spam prevention #3128 - Signin after Signup #3125 - Signin validation #3125 **Attention** - oldClient doesn't work with this PR anymore, session authentication was removed
2014-06-30 16:58:10 +04:00
return passport.authenticate('bearer', { session: false, failWithError: true },
function (err, user, info) {
if (err) {
return next(err); // will generate a 500 error
}
// Generate a JSON response reflecting authentication status
if (! user) {
var msg = {
type: 'error',
message: 'Please Sign In',
status: 'passive'
};
res.status(401);
return res.send(msg);
}
// TODO: figure out, why user & authInfo is lost
req.authInfo = info;
req.user = user;
return next(null, user, info);
}
)(req, res, next);
Respect subdirectory in authenticate middleware
2014-02-20 02:53:40 +04:00
}
Make session expiry less arsey closes #2171 - added authentication middleware - removed authentication from routes - moved authentication before CSRF validation - moved caching rules before authentication - changed/added test
2014-02-14 14:00:11 +04:00
}
next();
},
Cache control headers & query string asset management closes #1470 issue #1405 - added cache control middleware - added defaults for all routes, assets, etc - updated asset helper to add a query string with a timestamp hash to all assets - added unit tests for asset and ghostScriptTags helpers - added cache-control checks to route tests
2013-12-31 03:13:25 +04:00
// ### CacheControl Middleware
// provide sensible cache control headers
cacheControl: function (options) {
Move middleware functions into middleware module and create associated tests Note: this only moves middleware functions that have associated tests.
2013-11-05 09:41:36 +04:00
/*jslint unparam:true*/
Cache control headers & query string asset management closes #1470 issue #1405 - added cache control middleware - added defaults for all routes, assets, etc - updated asset helper to add a query string with a timestamp hash to all assets - added unit tests for asset and ghostScriptTags helpers - added cache-control checks to route tests
2013-12-31 03:13:25 +04:00
var profiles = {
'public': 'public, max-age=0',
'private': 'no-cache, private, no-store, must-revalidate, max-stale=0, post-check=0, pre-check=0'
},
output;
if (_.isString(options) && profiles.hasOwnProperty(options)) {
output = profiles[options];
}
Move middleware functions into middleware module and create associated tests Note: this only moves middleware functions that have associated tests.
2013-11-05 09:41:36 +04:00
Cache control headers & query string asset management closes #1470 issue #1405 - added cache control middleware - added defaults for all routes, assets, etc - updated asset helper to add a query string with a timestamp hash to all assets - added unit tests for asset and ghostScriptTags helpers - added cache-control checks to route tests
2013-12-31 03:13:25 +04:00
return function cacheControlHeaders(req, res, next) {
if (output) {
res.set({'Cache-Control': output});
}
next();
};
Move middleware functions into middleware module and create associated tests Note: this only moves middleware functions that have associated tests.
2013-11-05 09:41:36 +04:00
},
// ### whenEnabled Middleware
// Selectively use middleware
// From https://github.com/senchalabs/connect/issues/676#issuecomment-9569658
whenEnabled: function (setting, fn) {
return function settingEnabled(req, res, next) {
Remove ghost.js fixes #1575 - Moves most code that was in ghost.js into ./core/server/index.js - Creates ./core/server/config/theme.js to hold all theme configurations (which previously lived on ghost.blogGlobals()) - Removed ghost.server, passing it in as an argument where needed and allowing middleware to hold onto a reference for lazy use.
2013-12-06 18:13:15 +04:00
// Set from server/middleware/index.js for now
if (expressServer.enabled(setting)) {
Move middleware functions into middleware module and create associated tests Note: this only moves middleware functions that have associated tests.
2013-11-05 09:41:36 +04:00
fn(req, res, next);
} else {
next();
}
};
},
Create the config module, initially used to standardise getting paths and absolute URLs. Easy to extend for other configurations we may need.
2013-11-20 17:58:52 +04:00
staticTheme: function () {
Lock down theme static directory to not serve templates, markdown and text files. closes #942 - insert custom middleware to check for blacklisted files - redirect to express.static if file accepted - if not valid return next() to do nothing - currently black listing .hbs, .txt, .md and .json - debatable which is best, black list or white list, either one will probably need tweaks but erred on side of letting a theme serve unknown types
2013-10-05 14:17:08 +04:00
return function blackListStatic(req, res, next) {
if (isBlackListedFileType(req.url)) {
return next();
}
Create the config module, initially used to standardise getting paths and absolute URLs. Easy to extend for other configurations we may need.
2013-11-20 17:58:52 +04:00
return middleware.forwardToExpressStatic(req, res, next);
Lock down theme static directory to not serve templates, markdown and text files. closes #942 - insert custom middleware to check for blacklisted files - redirect to express.static if file accepted - if not valid return next() to do nothing - currently black listing .hbs, .txt, .md and .json - debatable which is best, black list or white list, either one will probably need tweaks but erred on side of letting a theme serve unknown types
2013-10-05 14:17:08 +04:00
};
},
// to allow unit testing
Create the config module, initially used to standardise getting paths and absolute URLs. Easy to extend for other configurations we may need.
2013-11-20 17:58:52 +04:00
forwardToExpressStatic: function (req, res, next) {
Refactor API arguments closes #2610, refs #2697 - cleanup API index.js, and add docs - all API methods take consistent arguments: object & options - browse, read, destroy take options, edit and add take object and options - the context is passed as part of options, meaning no more .call everywhere - destroy expects an object, rather than an id all the way down to the model layer - route params such as :id, :slug, and :key are passed as an option & used to perform reads, updates and deletes where possible - settings / themes may need work here still - HTTP posts api can find a post by slug - Add API utils for checkData
2014-05-08 16:41:19 +04:00
api.settings.read({context: {internal: true}, key: 'activeTheme'}).then(function (response) {
Settings API Primary Document refactor Closes #2606 - Refactor settings api responses to { settings: [ ] } format - Update all code using api.settings to handle new response format - Update test stubs to return new format - Update client site settings model to parse new format into one object of key/value pairs - Refactor to include all setting values - Remove unused settingsCollection method - Update settingsCache to store all attributes - Update settingsResult to send all attributes - Remove unnecessary when() wraps - Reject if editing a setting that doesn't exist - Reject earlier if setting key is empty - Update tests with new error messages - Use setting.add instead of edit that was incorrectly adding - Update importer to properly import activePlugins and installedPlugins - Update expected setting result fields - Fix a weird situation where hasOwnProperty didn't exist :shrug:
2014-04-28 03:28:50 +04:00
var activeTheme = response.settings[0];
Make cache max-age on theme assets one year. closes #2790 - Added one year in ms var. - refs: #2447
2014-05-22 07:56:25 +04:00
Change refresh token expiry no issue - acquiring a new access token using a refresh token sets the expiration time of the refresh token to now + 24 hrs. - moved all occurrences of ONE_HOUR, ONE_DAY and ONE_YEAR to `core/server/utils`
2014-07-28 17:19:49 +04:00
express['static'](path.join(config.paths.themePath, activeTheme.value), {maxAge: utils.ONE_YEAR_MS})(req, res, next);
remove ghost.settings and ghost.notifications covers 90% of #755 - moved ghost.settings to api.settings - moved ghost.notifications to api.notifications - split up api/index.js to notifications.js, posts.js, settings.js, tags.js and users.js - added instance.globals as temp workaround for blogglobals (Known issue: blog title and blog description are updated after restart only) - added webroot to config() to remove `var root = ...` - changed `e` and `url` helper to async - updated tests
2013-12-06 12:51:35 +04:00
});
Remove cookie from Frontend closes #1437 closes #1472 - changed cookie to path:'/ghost' - added conditional CSRF middleware - added redirects for signup, signin, signout to /ghost/sign*/
2013-11-26 13:38:54 +04:00
},
Restored spam prevention closes #3128 - added spam prevention middleware - restored tests
2014-07-17 16:22:07 +04:00
// ### Spam prevention Middleware
Improve spam prevention closes #3544 - limit forgotten password requests to five requests per IP per hour for different email addresses - limit forgotten password requests to five requests per email address - limit signin requests to ten failed requests per IP per hour - removed special treatment for tests
2014-08-05 14:58:58 +04:00
// limit signin requests to ten failed requests per IP per hour
spamSigninPrevention: function (req, res, next) {
Restored spam prevention closes #3128 - added spam prevention middleware - restored tests
2014-07-17 16:22:07 +04:00
var currentTime = process.hrtime()[0],
remoteAddress = req.connection.remoteAddress,
Update spam prevention closes #3468 - added rate limit to deny more than 5 attempt every hour - updated spam prevention to be configurable - added config values spamTimeout, ratePeriod, rateAttempts - added ratePeriod:1 to config.example.js to prevent functional tests from hitting the rate limit - commented spam test, I’ll fix it tomorrow
2014-08-01 02:58:32 +04:00
deniedRateLimit = '',
ipCount = '',
Improve spam prevention closes #3544 - limit forgotten password requests to five requests per IP per hour for different email addresses - limit forgotten password requests to five requests per email address - limit signin requests to ten failed requests per IP per hour - removed special treatment for tests
2014-08-05 14:58:58 +04:00
rateSigninPeriod = config.rateSigninPeriod || 3600,
rateSigninAttempts = config.rateSigninAttempts || 10;
Restored spam prevention closes #3128 - added spam prevention middleware - restored tests
2014-07-17 16:22:07 +04:00
Improve spam prevention closes #3544 - limit forgotten password requests to five requests per IP per hour for different email addresses - limit forgotten password requests to five requests per email address - limit signin requests to ten failed requests per IP per hour - removed special treatment for tests
2014-08-05 14:58:58 +04:00
if (req.body.username) {
loginSecurity.push({ip: remoteAddress, time: currentTime, email: req.body.username});
} else {
return next(new errors.BadRequestError('No username.'));
}
// filter entries that are older than rateSigninPeriod
Restored spam prevention closes #3128 - added spam prevention middleware - restored tests
2014-07-17 16:22:07 +04:00
loginSecurity = _.filter(loginSecurity, function (logTime) {
Improve spam prevention closes #3544 - limit forgotten password requests to five requests per IP per hour for different email addresses - limit forgotten password requests to five requests per email address - limit signin requests to ten failed requests per IP per hour - removed special treatment for tests
2014-08-05 14:58:58 +04:00
return (logTime.time + rateSigninPeriod > currentTime);
Restored spam prevention closes #3128 - added spam prevention middleware - restored tests
2014-07-17 16:22:07 +04:00
});
Improve spam prevention closes #3544 - limit forgotten password requests to five requests per IP per hour for different email addresses - limit forgotten password requests to five requests per email address - limit signin requests to ten failed requests per IP per hour - removed special treatment for tests
2014-08-05 14:58:58 +04:00
// check number of tries per IP address
Update spam prevention closes #3468 - added rate limit to deny more than 5 attempt every hour - updated spam prevention to be configurable - added config values spamTimeout, ratePeriod, rateAttempts - added ratePeriod:1 to config.example.js to prevent functional tests from hitting the rate limit - commented spam test, I’ll fix it tomorrow
2014-08-01 02:58:32 +04:00
ipCount = _.chain(loginSecurity).countBy('ip').value();
Improve spam prevention closes #3544 - limit forgotten password requests to five requests per IP per hour for different email addresses - limit forgotten password requests to five requests per email address - limit signin requests to ten failed requests per IP per hour - removed special treatment for tests
2014-08-05 14:58:58 +04:00
deniedRateLimit = (ipCount[remoteAddress] > rateSigninAttempts);
Restored spam prevention closes #3128 - added spam prevention middleware - restored tests
2014-07-17 16:22:07 +04:00
Improve spam prevention closes #3544 - limit forgotten password requests to five requests per IP per hour for different email addresses - limit forgotten password requests to five requests per email address - limit signin requests to ten failed requests per IP per hour - removed special treatment for tests
2014-08-05 14:58:58 +04:00
if (deniedRateLimit) {
return next(new errors.UnauthorizedError('Only ' + rateSigninAttempts + ' tries per IP address every ' + rateSigninPeriod + ' seconds.'));
}
next();
},
// ### Spam prevention Middleware
// limit forgotten password requests to five requests per IP per hour for different email addresses
// limit forgotten password requests to five requests per email address
spamForgottenPrevention: function (req, res, next) {
var currentTime = process.hrtime()[0],
remoteAddress = req.connection.remoteAddress,
rateForgottenPeriod = config.rateForgottenPeriod || 3600,
rateForgottenAttempts = config.rateForgottenAttempts || 5,
email = req.body.passwordreset[0].email,
ipCount = '',
deniedRateLimit = '',
deniedEmailRateLimit = '',
index = _.findIndex(forgottenSecurity, function (logTime) {
return (logTime.ip === remoteAddress && logTime.email === email);
});
if (email) {
if (index !== -1) {
forgottenSecurity[index].count = forgottenSecurity[index].count + 1;
Update spam prevention closes #3468 - added rate limit to deny more than 5 attempt every hour - updated spam prevention to be configurable - added config values spamTimeout, ratePeriod, rateAttempts - added ratePeriod:1 to config.example.js to prevent functional tests from hitting the rate limit - commented spam test, I’ll fix it tomorrow
2014-08-01 02:58:32 +04:00
} else {
Improve spam prevention closes #3544 - limit forgotten password requests to five requests per IP per hour for different email addresses - limit forgotten password requests to five requests per email address - limit signin requests to ten failed requests per IP per hour - removed special treatment for tests
2014-08-05 14:58:58 +04:00
forgottenSecurity.push({ip: remoteAddress, time: currentTime, email: email, count: 0});
Update spam prevention closes #3468 - added rate limit to deny more than 5 attempt every hour - updated spam prevention to be configurable - added config values spamTimeout, ratePeriod, rateAttempts - added ratePeriod:1 to config.example.js to prevent functional tests from hitting the rate limit - commented spam test, I’ll fix it tomorrow
2014-08-01 02:58:32 +04:00
}
Improve spam prevention closes #3544 - limit forgotten password requests to five requests per IP per hour for different email addresses - limit forgotten password requests to five requests per email address - limit signin requests to ten failed requests per IP per hour - removed special treatment for tests
2014-08-05 14:58:58 +04:00
} else {
return next(new errors.BadRequestError('No email.'));
}
// filter entries that are older than rateForgottenPeriod
forgottenSecurity = _.filter(forgottenSecurity, function (logTime) {
return (logTime.time + rateForgottenPeriod > currentTime);
});
// check number of tries with different email addresses per IP
ipCount = _.chain(forgottenSecurity).countBy('ip').value();
deniedRateLimit = (ipCount[remoteAddress] > rateForgottenAttempts);
if (index !== -1) {
deniedEmailRateLimit = (forgottenSecurity[index].count > rateForgottenAttempts);
}
if (deniedEmailRateLimit) {
return next(new errors.UnauthorizedError('Only ' + rateForgottenAttempts + ' forgotten password attempts per email every ' + rateForgottenPeriod + ' seconds.'));
}
if (deniedRateLimit) {
return next(new errors.UnauthorizedError('Only ' + rateForgottenAttempts + ' tries per IP address every ' + rateForgottenPeriod + ' seconds.'));
Restored spam prevention closes #3128 - added spam prevention middleware - restored tests
2014-07-17 16:22:07 +04:00
}
Improve spam prevention closes #3544 - limit forgotten password requests to five requests per IP per hour for different email addresses - limit forgotten password requests to five requests per email address - limit signin requests to ten failed requests per IP per hour - removed special treatment for tests
2014-08-05 14:58:58 +04:00
next();
},
resetSpamCounter: function (email) {
loginSecurity = _.filter(loginSecurity, function (logTime) {
return (logTime.email !== email);
});
Restored spam prevention closes #3128 - added spam prevention middleware - restored tests
2014-07-17 16:22:07 +04:00
},
oAuth closes #2759 closes #3027 - added oauth2orize library for server side oAuth handling - added ember-simple-auth library for admin oAuth handling - added tables for client, accesstoken and refreshtoken - implemented RFC6749 4.3 Ressouce Owner Password Credentials Grant - updated api tests with oAuth - removed session, authentication is now token based Known issues: - Restore spam prevention #3128 - Signin after Signup #3125 - Signin validation #3125 **Attention** - oldClient doesn't work with this PR anymore, session authentication was removed
2014-06-30 16:58:10 +04:00
// work around to handle missing client_secret
// oauth2orize needs it, but untrusted clients don't have it
addClientSecret: function (req, res, next) {
if (!req.body.client_secret) {
req.body.client_secret = 'not_available';
}
next();
},
Restored spam prevention closes #3128 - added spam prevention middleware - restored tests
2014-07-17 16:22:07 +04:00
// ### Authenticate Client Middleware
// authenticate client that is asking for an access token
oAuth closes #2759 closes #3027 - added oauth2orize library for server side oAuth handling - added ember-simple-auth library for admin oAuth handling - added tables for client, accesstoken and refreshtoken - implemented RFC6749 4.3 Ressouce Owner Password Credentials Grant - updated api tests with oAuth - removed session, authentication is now token based Known issues: - Restore spam prevention #3128 - Signin after Signup #3125 - Signin validation #3125 **Attention** - oldClient doesn't work with this PR anymore, session authentication was removed
2014-06-30 16:58:10 +04:00
authenticateClient: function (req, res, next) {
return passport.authenticate(['oauth2-client-password'], { session: false })(req, res, next);
},
Restored spam prevention closes #3128 - added spam prevention middleware - restored tests
2014-07-17 16:22:07 +04:00
// ### Generate access token Middleware
// register the oauth2orize middleware for password and refresh token grants
oAuth closes #2759 closes #3027 - added oauth2orize library for server side oAuth handling - added ember-simple-auth library for admin oAuth handling - added tables for client, accesstoken and refreshtoken - implemented RFC6749 4.3 Ressouce Owner Password Credentials Grant - updated api tests with oAuth - removed session, authentication is now token based Known issues: - Restore spam prevention #3128 - Signin after Signup #3125 - Signin validation #3125 **Attention** - oldClient doesn't work with this PR anymore, session authentication was removed
2014-06-30 16:58:10 +04:00
generateAccessToken: function (req, res, next) {
return oauthServer.token()(req, res, next);
},
Switch from multipart to busboy Fixes #1227 - Removed deprecated `multipart` references. - Setup `busboy` to pass along file streams and do a naive parse of form values. - Updated logic in file storage and db import to handle file streams instead of the temporary files created by `multipart`.
2013-12-04 06:47:39 +04:00
busboy: busboy
Lock down theme static directory to not serve templates, markdown and text files. closes #942 - insert custom middleware to check for blacklisted files - redirect to express.static if file accepted - if not valid return next() to do nothing - currently black listing .hbs, .txt, .md and .json - debatable which is best, black list or white list, either one will probably need tweaks but erred on side of letting a theme serve unknown types
2013-10-05 14:17:08 +04:00
};
module.exports = middleware;
Make cache max-age on theme assets one year. closes #2790 - Added one year in ms var. - refs: #2447
2014-05-22 07:56:25 +04:00
module.exports.cacheServer = cacheServer;
oAuth closes #2759 closes #3027 - added oauth2orize library for server side oAuth handling - added ember-simple-auth library for admin oAuth handling - added tables for client, accesstoken and refreshtoken - implemented RFC6749 4.3 Ressouce Owner Password Credentials Grant - updated api tests with oAuth - removed session, authentication is now token based Known issues: - Restore spam prevention #3128 - Signin after Signup #3125 - Signin validation #3125 **Attention** - oldClient doesn't work with this PR anymore, session authentication was removed
2014-06-30 16:58:10 +04:00
module.exports.cacheOauthServer = cacheOauthServer;
Reference in New Issue Copy Permalink