Ghost/core/server/services/auth/api-key/admin.js

const jwt = require('jsonwebtoken');
const url = require('url');
const models = require('../../../models');
const common = require('../../../lib/common');
const _ = require('lodash');

let JWT_OPTIONS = {
    algorithms: ['HS256'],
    maxAge: '5m'
};

/**
 * Remove 'Ghost' from raw authorization header and extract the JWT token.
 * Eg. Authorization: Ghost ${JWT}
 * @param {string} header
 */
const _extractTokenFromHeader = function extractTokenFromHeader(header) {
    const [scheme, token] = header.split(' ');

    if (/^Ghost$/i.test(scheme)) {
        return token;
    }
};

/**
 * Extract JWT token from admin API URL query
 * Eg. ${ADMIN_API_URL}/?token=${JWT}
 * @param {string} reqUrl
 */
const _extractTokenFromUrl = function extractTokenFromUrl(reqUrl) {
    const {query} = url.parse(reqUrl, true);
    return query.token;
};

const authenticate = (req, res, next) => {
    // CASE: we don't have an Authorization header so allow fallthrough to other
    // auth middleware or final "ensure authenticated" check
    if (!req.headers || !req.headers.authorization) {
        req.api_key = null;
        return next();
    }
    const token = _extractTokenFromHeader(req.headers.authorization);

    if (!token) {
        return next(new common.errors.UnauthorizedError({
            message: common.i18n.t('errors.middleware.auth.incorrectAuthHeaderFormat'),
            code: 'INVALID_AUTH_HEADER'
        }));
    }

    return authenticateWithToken(req, res, next, {token, JWT_OPTIONS});
};

const authenticateWithUrl = (req, res, next) => {
    const token = _extractTokenFromUrl(req.originalUrl);
    if (!token) {
        return next(new common.errors.UnauthorizedError({
            message: common.i18n.t('errors.middleware.auth.invalidTokenWithMessage', {message: 'No token found in URL'}),
            code: 'INVALID_JWT'
        }));
    }
    // CASE: Scheduler publish URLs can have long maxAge but controllerd by expiry and neverBefore
    return authenticateWithToken(req, res, next, {token, JWT_OPTIONS: _.omit(JWT_OPTIONS, 'maxAge')});
};

/**
 * Admin API key authentication flow:
 * 1. extract the JWT token from the `Authorization: Ghost xxxx` header or from URL(for schedules)
 * 2. decode the JWT to extract the api_key id from the "key id" header claim
 * 3. find a matching api_key record
 * 4. verify the JWT (matching secret, matching URL path, not expired)
 * 5. place the api_key object on `req.api_key`
 *
 * There are some specifcs of the JWT that we expect:
 * - the "Key ID" header parameter should be set to the id of the api_key used to sign the token
 *   https://tools.ietf.org/html/rfc7515#section-4.1.4
 * - the "Audience" claim should match the requested API path
 *   https://tools.ietf.org/html/rfc7519#section-4.1.3
 */
const authenticateWithToken = (req, res, next, {token, JWT_OPTIONS}) => {
    const decoded = jwt.decode(token, {complete: true});

    if (!decoded || !decoded.header) {
        return next(new common.errors.BadRequestError({
            message: common.i18n.t('errors.middleware.auth.invalidToken'),
            code: 'INVALID_JWT'
        }));
    }

    const apiKeyId = decoded.header.kid;

    if (!apiKeyId) {
        return next(new common.errors.BadRequestError({
            message: common.i18n.t('errors.middleware.auth.adminApiKidMissing'),
            code: 'MISSING_ADMIN_API_KID'
        }));
    }

    models.ApiKey.findOne({id: apiKeyId}).then((apiKey) => {
        if (!apiKey) {
            return next(new common.errors.UnauthorizedError({
                message: common.i18n.t('errors.middleware.auth.unknownAdminApiKey'),
                code: 'UNKNOWN_ADMIN_API_KEY'
            }));
        }

        if (apiKey.get('type') !== 'admin') {
            return next(new common.errors.UnauthorizedError({
                message: common.i18n.t('errors.middleware.auth.invalidApiKeyType'),
                code: 'INVALID_API_KEY_TYPE'
            }));
        }

        // Decoding from hex and transforming into bytes is here to
        // keep comparison of the bytes that are stored in the secret.
        // Useful context:
        // https://github.com/auth0/node-jsonwebtoken/issues/208#issuecomment-231861138
        const secret = Buffer.from(apiKey.get('secret'), 'hex');

        const {pathname} = url.parse(req.originalUrl);
        const [hasMatch, version = 'v2', api = 'admin'] = pathname.match(/ghost\/api\/([^/]+)\/([^/]+)\/(.+)*/); // eslint-disable-line no-unused-vars

        // ensure the token was meant for this api version
        const options = Object.assign({
            audience: new RegExp(`\/?${version}\/${api}\/?$`) // eslint-disable-line no-useless-escape
        }, JWT_OPTIONS);

        try {
            jwt.verify(token, secret, options);
        } catch (err) {
            if (err.name === 'TokenExpiredError' || err.name === 'JsonWebTokenError') {
                return next(new common.errors.UnauthorizedError({
                    message: common.i18n.t('errors.middleware.auth.invalidTokenWithMessage', {message: err.message}),
                    code: 'INVALID_JWT',
                    err
                }));
            }

            // unknown error
            return next(new common.errors.InternalServerError({err}));
        }

        // authenticated OK, store the api key on the request for later checks and logging
        req.api_key = apiKey;
        next();
    }).catch((err) => {
        next(new common.errors.InternalServerError({err}));
    });
};

module.exports = {
    authenticate,
    authenticateWithUrl
};
Added API Key auth middleware to v2 Admin API (#10006) refs #9865 - Added `auth.authenticate.authenticateAdminApiKey` middleware - accepts signed JWT in an `Authorization: Ghost [token]` header - sets `req.api_key` if the token is valid - Updated `authenticatePrivate` middleware stack for v2 admin routes 2019-01-18 15:45:06 +03:00			`const jwt = require('jsonwebtoken');`
Updated token verification to use dynamic audience check no issue Admin key token verification was using hardcoded audience check with v2 admin endpoint, this updates it to check against api version and api type of the request url 2019-08-09 17:13:41 +03:00			`const url = require('url');`
Added API Key auth middleware to v2 Admin API (#10006) refs #9865 - Added `auth.authenticate.authenticateAdminApiKey` middleware - accepts signed JWT in an `Authorization: Ghost [token]` header - sets `req.api_key` if the token is valid - Updated `authenticatePrivate` middleware stack for v2 admin routes 2019-01-18 15:45:06 +03:00			`const models = require('../../../models');`
			`const common = require('../../../lib/common');`
🏗 Migrated scheduler to work with v2 API (#11142) * Updated scheduler to use v2 API by default * Updated scheduling for post/page resource types * Extended base method to take options param with token and jwt options * Updated token expiration to 6 hours after publish/blog start time to allow retries 2019-09-23 19:12:53 +03:00			`const _ = require('lodash');`
Added API Key auth middleware to v2 Admin API (#10006) refs #9865 - Added `auth.authenticate.authenticateAdminApiKey` middleware - accepts signed JWT in an `Authorization: Ghost [token]` header - sets `req.api_key` if the token is valid - Updated `authenticatePrivate` middleware stack for v2 admin routes 2019-01-18 15:45:06 +03:00
🏗 Migrated scheduler to work with v2 API (#11142) * Updated scheduler to use v2 API by default * Updated scheduling for post/page resource types * Extended base method to take options param with token and jwt options * Updated token expiration to 6 hours after publish/blog start time to allow retries 2019-09-23 19:12:53 +03:00			`let JWT_OPTIONS = {`
			`algorithms: ['HS256'],`
			`maxAge: '5m'`
Added API Key auth middleware to v2 Admin API (#10006) refs #9865 - Added `auth.authenticate.authenticateAdminApiKey` middleware - accepts signed JWT in an `Authorization: Ghost [token]` header - sets `req.api_key` if the token is valid - Updated `authenticatePrivate` middleware stack for v2 admin routes 2019-01-18 15:45:06 +03:00			`};`

			`/**`
			`* Remove 'Ghost' from raw authorization header and extract the JWT token.`
			`* Eg. Authorization: Ghost ${JWT}`
			`* @param {string} header`
			`*/`
			`const _extractTokenFromHeader = function extractTokenFromHeader(header) {`
			`const [scheme, token] = header.split(' ');`

			`if (/^Ghost$/i.test(scheme)) {`
			`return token;`
			`}`
			`};`

			`/**`
🏗 Migrated scheduler to work with v2 API (#11142) * Updated scheduler to use v2 API by default * Updated scheduling for post/page resource types * Extended base method to take options param with token and jwt options * Updated token expiration to 6 hours after publish/blog start time to allow retries 2019-09-23 19:12:53 +03:00			`* Extract JWT token from admin API URL query`
			`* Eg. ${ADMIN_API_URL}/?token=${JWT}`
			`* @param {string} reqUrl`
Added API Key auth middleware to v2 Admin API (#10006) refs #9865 - Added `auth.authenticate.authenticateAdminApiKey` middleware - accepts signed JWT in an `Authorization: Ghost [token]` header - sets `req.api_key` if the token is valid - Updated `authenticatePrivate` middleware stack for v2 admin routes 2019-01-18 15:45:06 +03:00			`*/`
🏗 Migrated scheduler to work with v2 API (#11142) * Updated scheduler to use v2 API by default * Updated scheduling for post/page resource types * Extended base method to take options param with token and jwt options * Updated token expiration to 6 hours after publish/blog start time to allow retries 2019-09-23 19:12:53 +03:00			`const _extractTokenFromUrl = function extractTokenFromUrl(reqUrl) {`
			`const {query} = url.parse(reqUrl, true);`
			`return query.token;`
			`};`

Renamed authenticateAdminApiKey to authenticate for admin api key auth refs #9865 - the outer authentication layer wants a consistent interface of each authentication package - admin.authenticate - session.authenticate - furthermore, there is no need to put the full feature into the exposed function name 2019-01-18 19:30:07 +03:00			`const authenticate = (req, res, next) => {`
Added easy way to enable admin api key authentication refs #9865 - small refactoring to make both session and admin api key handling similar - admin api key authentication is still disabled, but easy to enable - added proof test how to authenticate using admin api keys 2019-01-18 19:03:03 +03:00			`// CASE: we don't have an Authorization header so allow fallthrough to other`
Added API Key auth middleware to v2 Admin API (#10006) refs #9865 - Added `auth.authenticate.authenticateAdminApiKey` middleware - accepts signed JWT in an `Authorization: Ghost [token]` header - sets `req.api_key` if the token is valid - Updated `authenticatePrivate` middleware stack for v2 admin routes 2019-01-18 15:45:06 +03:00			`// auth middleware or final "ensure authenticated" check`
			`if (!req.headers \|\| !req.headers.authorization) {`
Added easy way to enable admin api key authentication refs #9865 - small refactoring to make both session and admin api key handling similar - admin api key authentication is still disabled, but easy to enable - added proof test how to authenticate using admin api keys 2019-01-18 19:03:03 +03:00			`req.api_key = null;`
Added API Key auth middleware to v2 Admin API (#10006) refs #9865 - Added `auth.authenticate.authenticateAdminApiKey` middleware - accepts signed JWT in an `Authorization: Ghost [token]` header - sets `req.api_key` if the token is valid - Updated `authenticatePrivate` middleware stack for v2 admin routes 2019-01-18 15:45:06 +03:00			`return next();`
			`}`
			`const token = _extractTokenFromHeader(req.headers.authorization);`

			`if (!token) {`
			`return next(new common.errors.UnauthorizedError({`
			`message: common.i18n.t('errors.middleware.auth.incorrectAuthHeaderFormat'),`
			`code: 'INVALID_AUTH_HEADER'`
			`}));`
			`}`

🏗 Migrated scheduler to work with v2 API (#11142) * Updated scheduler to use v2 API by default * Updated scheduling for post/page resource types * Extended base method to take options param with token and jwt options * Updated token expiration to 6 hours after publish/blog start time to allow retries 2019-09-23 19:12:53 +03:00			`return authenticateWithToken(req, res, next, {token, JWT_OPTIONS});`
			`};`

			`const authenticateWithUrl = (req, res, next) => {`
			`const token = _extractTokenFromUrl(req.originalUrl);`
			`if (!token) {`
			`return next(new common.errors.UnauthorizedError({`
			`message: common.i18n.t('errors.middleware.auth.invalidTokenWithMessage', {message: 'No token found in URL'}),`
			`code: 'INVALID_JWT'`
			`}));`
			`}`
			`// CASE: Scheduler publish URLs can have long maxAge but controllerd by expiry and neverBefore`
			`return authenticateWithToken(req, res, next, {token, JWT_OPTIONS: _.omit(JWT_OPTIONS, 'maxAge')});`
			`};`

			`/**`
			`* Admin API key authentication flow:`
			* 1. extract the JWT token from the `Authorization: Ghost xxxx` header or from URL(for schedules)
			`* 2. decode the JWT to extract the api_key id from the "key id" header claim`
			`* 3. find a matching api_key record`
			`* 4. verify the JWT (matching secret, matching URL path, not expired)`
			* 5. place the api_key object on `req.api_key`
			`*`
			`* There are some specifcs of the JWT that we expect:`
			`* - the "Key ID" header parameter should be set to the id of the api_key used to sign the token`
			`* https://tools.ietf.org/html/rfc7515#section-4.1.4`
			`* - the "Audience" claim should match the requested API path`
			`* https://tools.ietf.org/html/rfc7519#section-4.1.3`
			`*/`
			`const authenticateWithToken = (req, res, next, {token, JWT_OPTIONS}) => {`
Added API Key auth middleware to v2 Admin API (#10006) refs #9865 - Added `auth.authenticate.authenticateAdminApiKey` middleware - accepts signed JWT in an `Authorization: Ghost [token]` header - sets `req.api_key` if the token is valid - Updated `authenticatePrivate` middleware stack for v2 admin routes 2019-01-18 15:45:06 +03:00			`const decoded = jwt.decode(token, {complete: true});`

			`if (!decoded \|\| !decoded.header) {`
			`return next(new common.errors.BadRequestError({`
			`message: common.i18n.t('errors.middleware.auth.invalidToken'),`
			`code: 'INVALID_JWT'`
			`}));`
			`}`

Updated Admin API key auth to require `kid` in header (#10538) * Required kid be a header claim as according to spec https://tools.ietf.org/html/rfc7515#section-4.1.4 (JWT is an extension of JWS) * Updated error message for missing kid * Fixed admin-api key unit tests * Fixed regression and acceptance tests 2019-02-26 07:03:47 +03:00			`const apiKeyId = decoded.header.kid;`
Added API Key auth middleware to v2 Admin API (#10006) refs #9865 - Added `auth.authenticate.authenticateAdminApiKey` middleware - accepts signed JWT in an `Authorization: Ghost [token]` header - sets `req.api_key` if the token is valid - Updated `authenticatePrivate` middleware stack for v2 admin routes 2019-01-18 15:45:06 +03:00
Protected against empty admin api key refs #9865 2019-01-18 19:32:41 +03:00			`if (!apiKeyId) {`
			`return next(new common.errors.BadRequestError({`
Updated Admin API key auth to require `kid` in header (#10538) * Required kid be a header claim as according to spec https://tools.ietf.org/html/rfc7515#section-4.1.4 (JWT is an extension of JWS) * Updated error message for missing kid * Fixed admin-api key unit tests * Fixed regression and acceptance tests 2019-02-26 07:03:47 +03:00			`message: common.i18n.t('errors.middleware.auth.adminApiKidMissing'),`
			`code: 'MISSING_ADMIN_API_KID'`
Protected against empty admin api key refs #9865 2019-01-18 19:32:41 +03:00			`}));`
			`}`

Added API Key auth middleware to v2 Admin API (#10006) refs #9865 - Added `auth.authenticate.authenticateAdminApiKey` middleware - accepts signed JWT in an `Authorization: Ghost [token]` header - sets `req.api_key` if the token is valid - Updated `authenticatePrivate` middleware stack for v2 admin routes 2019-01-18 15:45:06 +03:00			`models.ApiKey.findOne({id: apiKeyId}).then((apiKey) => {`
			`if (!apiKey) {`
			`return next(new common.errors.UnauthorizedError({`
			`message: common.i18n.t('errors.middleware.auth.unknownAdminApiKey'),`
			`code: 'UNKNOWN_ADMIN_API_KEY'`
			`}));`
			`}`

			`if (apiKey.get('type') !== 'admin') {`
			`return next(new common.errors.UnauthorizedError({`
			`message: common.i18n.t('errors.middleware.auth.invalidApiKeyType'),`
			`code: 'INVALID_API_KEY_TYPE'`
			`}));`
			`}`

Added a note on secret transformation before token verification refs #9865 - Added some clarificatoin around why secret used for token verification has to be transformed binary decoded from hex 2019-02-01 17:04:25 +03:00			`// Decoding from hex and transforming into bytes is here to`
			`// keep comparison of the bytes that are stored in the secret.`
			`// Useful context:`
			`// https://github.com/auth0/node-jsonwebtoken/issues/208#issuecomment-231861138`
Added API Key auth middleware to v2 Admin API (#10006) refs #9865 - Added `auth.authenticate.authenticateAdminApiKey` middleware - accepts signed JWT in an `Authorization: Ghost [token]` header - sets `req.api_key` if the token is valid - Updated `authenticatePrivate` middleware stack for v2 admin routes 2019-01-18 15:45:06 +03:00			`const secret = Buffer.from(apiKey.get('secret'), 'hex');`
Updated admin api key authentication to expect api key id in payload refs #9865 - see https://github.com/TryGhost/Ghost/blob/2.11.1/core/server/lib/members/index.js#L52 - consistency 2019-01-18 19:22:19 +03:00
Updated token verification to use dynamic audience check no issue Admin key token verification was using hardcoded audience check with v2 admin endpoint, this updates it to check against api version and api type of the request url 2019-08-09 17:13:41 +03:00			`const {pathname} = url.parse(req.originalUrl);`
			`const [hasMatch, version = 'v2', api = 'admin'] = pathname.match(/ghost\/api\/([^/]+)\/([^/]+)\/(.+)*/); // eslint-disable-line no-unused-vars`

			`// ensure the token was meant for this api version`
Added API Key auth middleware to v2 Admin API (#10006) refs #9865 - Added `auth.authenticate.authenticateAdminApiKey` middleware - accepts signed JWT in an `Authorization: Ghost [token]` header - sets `req.api_key` if the token is valid - Updated `authenticatePrivate` middleware stack for v2 admin routes 2019-01-18 15:45:06 +03:00			`const options = Object.assign({`
Updated token verification to use dynamic audience check no issue Admin key token verification was using hardcoded audience check with v2 admin endpoint, this updates it to check against api version and api type of the request url 2019-08-09 17:13:41 +03:00			audience: new RegExp(`\/?${version}\/${api}\/?$`) // eslint-disable-line no-useless-escape
Added API Key auth middleware to v2 Admin API (#10006) refs #9865 - Added `auth.authenticate.authenticateAdminApiKey` middleware - accepts signed JWT in an `Authorization: Ghost [token]` header - sets `req.api_key` if the token is valid - Updated `authenticatePrivate` middleware stack for v2 admin routes 2019-01-18 15:45:06 +03:00			`}, JWT_OPTIONS);`

			`try {`
			`jwt.verify(token, secret, options);`
			`} catch (err) {`
			`if (err.name === 'TokenExpiredError' \|\| err.name === 'JsonWebTokenError') {`
			`return next(new common.errors.UnauthorizedError({`
			`message: common.i18n.t('errors.middleware.auth.invalidTokenWithMessage', {message: err.message}),`
			`code: 'INVALID_JWT',`
			`err`
			`}));`
			`}`

			`// unknown error`
			`return next(new common.errors.InternalServerError({err}));`
			`}`

			`// authenticated OK, store the api key on the request for later checks and logging`
			`req.api_key = apiKey;`
			`next();`
			`}).catch((err) => {`
			`next(new common.errors.InternalServerError({err}));`
			`});`
			`};`

			`module.exports = {`
🏗 Migrated scheduler to work with v2 API (#11142) * Updated scheduler to use v2 API by default * Updated scheduling for post/page resource types * Extended base method to take options param with token and jwt options * Updated token expiration to 6 hours after publish/blog start time to allow retries 2019-09-23 19:12:53 +03:00			`authenticate,`
			`authenticateWithUrl`
Added API Key auth middleware to v2 Admin API (#10006) refs #9865 - Added `auth.authenticate.authenticateAdminApiKey` middleware - accepts signed JWT in an `Authorization: Ghost [token]` header - sets `req.api_key` if the token is valid - Updated `authenticatePrivate` middleware stack for v2 admin routes 2019-01-18 15:45:06 +03:00			`};`