TryGhost/Ghost
1
0
Fork 0
mirror of https://github.com/TryGhost/Ghost.git synced 2024-12-22 02:11:44 +03:00
Code Issues Projects Releases Wiki Activity
c70c49258e
Ghost/core/server/services/auth/api-key/content.js

45 lines
1.4 KiB
JavaScript
Raw Normal View History

Added API Key auth middleware to v2 content API (#10005) * Added API Key auth middleware to v2 content API refs #9865 - add `auth.authenticate.authenticateContentApiKey` middleware - accepts `?key=` query param, sets `req.api_key` if it's a known Content API key - add `requiresAuthorizedUserOrApiKey` authorization middleware - passes if either `req.user` or `req.api_key` exists - update `authenticatePublic` middleware stack for v2 content routes * Fixed functional content api tests no-issue This fixes the functional content api tests so they use the content api auth. * Fixed context check and removed skip * Updated cors middleware for content api * Removed client_id from frame.context no-issue The v2 api doesn't have a notion of clients as we do not use oauth for it * Fixed tests for posts input serializer
2018-10-15 12:23:34 +03:00
const models = require('../../../models');
const common = require('../../../lib/common');
const authenticateContentApiKey = function authenticateContentApiKey(req, res, next) {
// allow fallthrough to other auth methods or final ensureAuthenticated check
if (!req.query || !req.query.key) {
return next();
}
🐛Fixed generic 500 for bad key param in content API (#10977) refs #10948 - Throws 400 when using multiple key query-values instead of a 500 error
2019-08-12 14:56:09 +03:00
if (req.query.key.constructor === Array) {
return next(new common.errors.BadRequestError({
message: common.i18n.t('errors.middleware.auth.invalidRequest'),
code: 'INVALID_REQUEST'
}));
}
Added API Key auth middleware to v2 content API (#10005) * Added API Key auth middleware to v2 content API refs #9865 - add `auth.authenticate.authenticateContentApiKey` middleware - accepts `?key=` query param, sets `req.api_key` if it's a known Content API key - add `requiresAuthorizedUserOrApiKey` authorization middleware - passes if either `req.user` or `req.api_key` exists - update `authenticatePublic` middleware stack for v2 content routes * Fixed functional content api tests no-issue This fixes the functional content api tests so they use the content api auth. * Fixed context check and removed skip * Updated cors middleware for content api * Removed client_id from frame.context no-issue The v2 api doesn't have a notion of clients as we do not use oauth for it * Fixed tests for posts input serializer
2018-10-15 12:23:34 +03:00
let key = req.query.key;
models.ApiKey.findOne({secret: key}).then((apiKey) => {
if (!apiKey) {
return next(new common.errors.UnauthorizedError({
message: common.i18n.t('errors.middleware.auth.unknownContentApiKey'),
code: 'UNKNOWN_CONTENT_API_KEY'
}));
}
if (apiKey.get('type') !== 'content') {
return next(new common.errors.UnauthorizedError({
message: common.i18n.t('errors.middleware.auth.invalidApiKeyType'),
code: 'INVALID_API_KEY_TYPE'
}));
}
// authenticated OK, store the api key on the request for later checks and logging
req.api_key = apiKey;
next();
}).catch((err) => {
next(new common.errors.InternalServerError({err}));
});
};
module.exports = {
authenticateContentApiKey
};
Reference in New Issue Copy Permalink