Ghost/core/server/services/auth/api-key/content.js

const models = require('../../../models');
const errors = require('@tryghost/errors');
const limitService = require('../../../services/limits');
const {i18n} = require('../../../lib/common');

const authenticateContentApiKey = async function authenticateContentApiKey(req, res, next) {
    // allow fallthrough to other auth methods or final ensureAuthenticated check
    if (!req.query || !req.query.key) {
        return next();
    }

    if (req.query.key.constructor === Array) {
        return next(new errors.BadRequestError({
            message: i18n.t('errors.middleware.auth.invalidRequest'),
            code: 'INVALID_REQUEST'
        }));
    }

    let key = req.query.key;

    try {
        const apiKey = await models.ApiKey.findOne({secret: key}, {withRelated: ['integration']});

        if (!apiKey) {
            return next(new errors.UnauthorizedError({
                message: i18n.t('errors.middleware.auth.unknownContentApiKey'),
                code: 'UNKNOWN_CONTENT_API_KEY'
            }));
        }

        if (apiKey.get('type') !== 'content') {
            return next(new errors.UnauthorizedError({
                message: i18n.t('errors.middleware.auth.invalidApiKeyType'),
                code: 'INVALID_API_KEY_TYPE'
            }));
        }

        // CASE: blocking all non-internal: "custom" and "builtin" integration requests when the limit is reached
        if (limitService.isLimited('customIntegrations')
            && (apiKey.relations.integration && !['internal'].includes(apiKey.relations.integration.get('type')))) {
            // NOTE: using "checkWouldGoOverLimit" instead of "checkIsOverLimit" here because flag limits don't have
            //       a concept of measuring if the limit has been surpassed
            await limitService.errorIfWouldGoOverLimit('customIntegrations');
        }

        // authenticated OK, store the api key on the request for later checks and logging
        req.api_key = apiKey;

        next();
    } catch (err) {
        if (err instanceof errors.HostLimitError) {
            next(err);
        } else {
            next(new errors.InternalServerError({err}));
        }
    }
};

module.exports = {
    authenticateContentApiKey
};
Added API Key auth middleware to v2 content API (#10005) * Added API Key auth middleware to v2 content API refs #9865 - add `auth.authenticate.authenticateContentApiKey` middleware - accepts `?key=` query param, sets `req.api_key` if it's a known Content API key - add `requiresAuthorizedUserOrApiKey` authorization middleware - passes if either `req.user` or `req.api_key` exists - update `authenticatePublic` middleware stack for v2 content routes * Fixed functional content api tests no-issue This fixes the functional content api tests so they use the content api auth. * Fixed context check and removed skip * Updated cors middleware for content api * Removed client_id from frame.context no-issue The v2 api doesn't have a notion of clients as we do not use oauth for it * Fixed tests for posts input serializer 2018-10-15 12:23:34 +03:00			`const models = require('../../../models');`
Refactor common pattern in service files - Use array destructuring - Use @tryghost/errors - Part of the big move towards decoupling, this gives visibility on what's being used where - Biting off manageable chunks / fixing bits of code I'm refactoring for other reasons 2020-04-30 22:26:12 +03:00			`const errors = require('@tryghost/errors');`
Blocked requests from integrations when integration limit is in place https://github.com/TryGhost/Team/issues/599 - When custom integration limit is enabled all requests from existing integrations should not be accepted. With the exception of internal integrations like backup and scheduler 2021-04-09 15:45:26 +03:00			`const limitService = require('../../../services/limits');`
Refactor common pattern in service files - Use array destructuring - Use @tryghost/errors - Part of the big move towards decoupling, this gives visibility on what's being used where - Biting off manageable chunks / fixing bits of code I'm refactoring for other reasons 2020-04-30 22:26:12 +03:00			`const {i18n} = require('../../../lib/common');`
Added API Key auth middleware to v2 content API (#10005) * Added API Key auth middleware to v2 content API refs #9865 - add `auth.authenticate.authenticateContentApiKey` middleware - accepts `?key=` query param, sets `req.api_key` if it's a known Content API key - add `requiresAuthorizedUserOrApiKey` authorization middleware - passes if either `req.user` or `req.api_key` exists - update `authenticatePublic` middleware stack for v2 content routes * Fixed functional content api tests no-issue This fixes the functional content api tests so they use the content api auth. * Fixed context check and removed skip * Updated cors middleware for content api * Removed client_id from frame.context no-issue The v2 api doesn't have a notion of clients as we do not use oauth for it * Fixed tests for posts input serializer 2018-10-15 12:23:34 +03:00
Refactored api key auth to use async/await syntax https://github.com/TryGhost/Team/issues/599 - Before introducing limit checks into this codebase rewrote the code to use async/await for more clarity and less nesting 2021-04-07 07:52:26 +03:00			`const authenticateContentApiKey = async function authenticateContentApiKey(req, res, next) {`
Added API Key auth middleware to v2 content API (#10005) * Added API Key auth middleware to v2 content API refs #9865 - add `auth.authenticate.authenticateContentApiKey` middleware - accepts `?key=` query param, sets `req.api_key` if it's a known Content API key - add `requiresAuthorizedUserOrApiKey` authorization middleware - passes if either `req.user` or `req.api_key` exists - update `authenticatePublic` middleware stack for v2 content routes * Fixed functional content api tests no-issue This fixes the functional content api tests so they use the content api auth. * Fixed context check and removed skip * Updated cors middleware for content api * Removed client_id from frame.context no-issue The v2 api doesn't have a notion of clients as we do not use oauth for it * Fixed tests for posts input serializer 2018-10-15 12:23:34 +03:00			`// allow fallthrough to other auth methods or final ensureAuthenticated check`
			`if (!req.query \|\| !req.query.key) {`
			`return next();`
			`}`

🐛Fixed generic 500 for bad key param in content API (#10977) refs #10948 - Throws 400 when using multiple key query-values instead of a 500 error 2019-08-12 14:56:09 +03:00			`if (req.query.key.constructor === Array) {`
Refactor common pattern in service files - Use array destructuring - Use @tryghost/errors - Part of the big move towards decoupling, this gives visibility on what's being used where - Biting off manageable chunks / fixing bits of code I'm refactoring for other reasons 2020-04-30 22:26:12 +03:00			`return next(new errors.BadRequestError({`
			`message: i18n.t('errors.middleware.auth.invalidRequest'),`
🐛Fixed generic 500 for bad key param in content API (#10977) refs #10948 - Throws 400 when using multiple key query-values instead of a 500 error 2019-08-12 14:56:09 +03:00			`code: 'INVALID_REQUEST'`
			`}));`
			`}`

Added API Key auth middleware to v2 content API (#10005) * Added API Key auth middleware to v2 content API refs #9865 - add `auth.authenticate.authenticateContentApiKey` middleware - accepts `?key=` query param, sets `req.api_key` if it's a known Content API key - add `requiresAuthorizedUserOrApiKey` authorization middleware - passes if either `req.user` or `req.api_key` exists - update `authenticatePublic` middleware stack for v2 content routes * Fixed functional content api tests no-issue This fixes the functional content api tests so they use the content api auth. * Fixed context check and removed skip * Updated cors middleware for content api * Removed client_id from frame.context no-issue The v2 api doesn't have a notion of clients as we do not use oauth for it * Fixed tests for posts input serializer 2018-10-15 12:23:34 +03:00			`let key = req.query.key;`

Refactored api key auth to use async/await syntax https://github.com/TryGhost/Team/issues/599 - Before introducing limit checks into this codebase rewrote the code to use async/await for more clarity and less nesting 2021-04-07 07:52:26 +03:00			`try {`
Blocked requests from integrations when integration limit is in place https://github.com/TryGhost/Team/issues/599 - When custom integration limit is enabled all requests from existing integrations should not be accepted. With the exception of internal integrations like backup and scheduler 2021-04-09 15:45:26 +03:00			`const apiKey = await models.ApiKey.findOne({secret: key}, {withRelated: ['integration']});`
Refactored api key auth to use async/await syntax https://github.com/TryGhost/Team/issues/599 - Before introducing limit checks into this codebase rewrote the code to use async/await for more clarity and less nesting 2021-04-07 07:52:26 +03:00
Added API Key auth middleware to v2 content API (#10005) * Added API Key auth middleware to v2 content API refs #9865 - add `auth.authenticate.authenticateContentApiKey` middleware - accepts `?key=` query param, sets `req.api_key` if it's a known Content API key - add `requiresAuthorizedUserOrApiKey` authorization middleware - passes if either `req.user` or `req.api_key` exists - update `authenticatePublic` middleware stack for v2 content routes * Fixed functional content api tests no-issue This fixes the functional content api tests so they use the content api auth. * Fixed context check and removed skip * Updated cors middleware for content api * Removed client_id from frame.context no-issue The v2 api doesn't have a notion of clients as we do not use oauth for it * Fixed tests for posts input serializer 2018-10-15 12:23:34 +03:00			`if (!apiKey) {`
Refactor common pattern in service files - Use array destructuring - Use @tryghost/errors - Part of the big move towards decoupling, this gives visibility on what's being used where - Biting off manageable chunks / fixing bits of code I'm refactoring for other reasons 2020-04-30 22:26:12 +03:00			`return next(new errors.UnauthorizedError({`
			`message: i18n.t('errors.middleware.auth.unknownContentApiKey'),`
Added API Key auth middleware to v2 content API (#10005) * Added API Key auth middleware to v2 content API refs #9865 - add `auth.authenticate.authenticateContentApiKey` middleware - accepts `?key=` query param, sets `req.api_key` if it's a known Content API key - add `requiresAuthorizedUserOrApiKey` authorization middleware - passes if either `req.user` or `req.api_key` exists - update `authenticatePublic` middleware stack for v2 content routes * Fixed functional content api tests no-issue This fixes the functional content api tests so they use the content api auth. * Fixed context check and removed skip * Updated cors middleware for content api * Removed client_id from frame.context no-issue The v2 api doesn't have a notion of clients as we do not use oauth for it * Fixed tests for posts input serializer 2018-10-15 12:23:34 +03:00			`code: 'UNKNOWN_CONTENT_API_KEY'`
			`}));`
			`}`

			`if (apiKey.get('type') !== 'content') {`
Refactor common pattern in service files - Use array destructuring - Use @tryghost/errors - Part of the big move towards decoupling, this gives visibility on what's being used where - Biting off manageable chunks / fixing bits of code I'm refactoring for other reasons 2020-04-30 22:26:12 +03:00			`return next(new errors.UnauthorizedError({`
			`message: i18n.t('errors.middleware.auth.invalidApiKeyType'),`
Added API Key auth middleware to v2 content API (#10005) * Added API Key auth middleware to v2 content API refs #9865 - add `auth.authenticate.authenticateContentApiKey` middleware - accepts `?key=` query param, sets `req.api_key` if it's a known Content API key - add `requiresAuthorizedUserOrApiKey` authorization middleware - passes if either `req.user` or `req.api_key` exists - update `authenticatePublic` middleware stack for v2 content routes * Fixed functional content api tests no-issue This fixes the functional content api tests so they use the content api auth. * Fixed context check and removed skip * Updated cors middleware for content api * Removed client_id from frame.context no-issue The v2 api doesn't have a notion of clients as we do not use oauth for it * Fixed tests for posts input serializer 2018-10-15 12:23:34 +03:00			`code: 'INVALID_API_KEY_TYPE'`
			`}));`
			`}`

Blocked requests from integrations when integration limit is in place https://github.com/TryGhost/Team/issues/599 - When custom integration limit is enabled all requests from existing integrations should not be accepted. With the exception of internal integrations like backup and scheduler 2021-04-09 15:45:26 +03:00			`// CASE: blocking all non-internal: "custom" and "builtin" integration requests when the limit is reached`
			`if (limitService.isLimited('customIntegrations')`
			`&& (apiKey.relations.integration && !['internal'].includes(apiKey.relations.integration.get('type')))) {`
			`// NOTE: using "checkWouldGoOverLimit" instead of "checkIsOverLimit" here because flag limits don't have`
			`// a concept of measuring if the limit has been surpassed`
			`await limitService.errorIfWouldGoOverLimit('customIntegrations');`
			`}`

Added API Key auth middleware to v2 content API (#10005) * Added API Key auth middleware to v2 content API refs #9865 - add `auth.authenticate.authenticateContentApiKey` middleware - accepts `?key=` query param, sets `req.api_key` if it's a known Content API key - add `requiresAuthorizedUserOrApiKey` authorization middleware - passes if either `req.user` or `req.api_key` exists - update `authenticatePublic` middleware stack for v2 content routes * Fixed functional content api tests no-issue This fixes the functional content api tests so they use the content api auth. * Fixed context check and removed skip * Updated cors middleware for content api * Removed client_id from frame.context no-issue The v2 api doesn't have a notion of clients as we do not use oauth for it * Fixed tests for posts input serializer 2018-10-15 12:23:34 +03:00			`// authenticated OK, store the api key on the request for later checks and logging`
			`req.api_key = apiKey;`
Refactored api key auth to use async/await syntax https://github.com/TryGhost/Team/issues/599 - Before introducing limit checks into this codebase rewrote the code to use async/await for more clarity and less nesting 2021-04-07 07:52:26 +03:00
Added API Key auth middleware to v2 content API (#10005) * Added API Key auth middleware to v2 content API refs #9865 - add `auth.authenticate.authenticateContentApiKey` middleware - accepts `?key=` query param, sets `req.api_key` if it's a known Content API key - add `requiresAuthorizedUserOrApiKey` authorization middleware - passes if either `req.user` or `req.api_key` exists - update `authenticatePublic` middleware stack for v2 content routes * Fixed functional content api tests no-issue This fixes the functional content api tests so they use the content api auth. * Fixed context check and removed skip * Updated cors middleware for content api * Removed client_id from frame.context no-issue The v2 api doesn't have a notion of clients as we do not use oauth for it * Fixed tests for posts input serializer 2018-10-15 12:23:34 +03:00			`next();`
Refactored api key auth to use async/await syntax https://github.com/TryGhost/Team/issues/599 - Before introducing limit checks into this codebase rewrote the code to use async/await for more clarity and less nesting 2021-04-07 07:52:26 +03:00			`} catch (err) {`
Blocked requests from integrations when integration limit is in place https://github.com/TryGhost/Team/issues/599 - When custom integration limit is enabled all requests from existing integrations should not be accepted. With the exception of internal integrations like backup and scheduler 2021-04-09 15:45:26 +03:00			`if (err instanceof errors.HostLimitError) {`
			`next(err);`
			`} else {`
			`next(new errors.InternalServerError({err}));`
			`}`
Refactored api key auth to use async/await syntax https://github.com/TryGhost/Team/issues/599 - Before introducing limit checks into this codebase rewrote the code to use async/await for more clarity and less nesting 2021-04-07 07:52:26 +03:00			`}`
Added API Key auth middleware to v2 content API (#10005) * Added API Key auth middleware to v2 content API refs #9865 - add `auth.authenticate.authenticateContentApiKey` middleware - accepts `?key=` query param, sets `req.api_key` if it's a known Content API key - add `requiresAuthorizedUserOrApiKey` authorization middleware - passes if either `req.user` or `req.api_key` exists - update `authenticatePublic` middleware stack for v2 content routes * Fixed functional content api tests no-issue This fixes the functional content api tests so they use the content api auth. * Fixed context check and removed skip * Updated cors middleware for content api * Removed client_id from frame.context no-issue The v2 api doesn't have a notion of clients as we do not use oauth for it * Fixed tests for posts input serializer 2018-10-15 12:23:34 +03:00			`};`

			`module.exports = {`
			`authenticateContentApiKey`
			`};`