Ghost/core/server/services/auth/authorize.js

const labs = require('../labs');
const errors = require('@tryghost/errors');
const {i18n} = require('../../lib/common');

const authorize = {
    authorizeContentApi(req, res, next) {
        const hasApiKey = req.api_key && req.api_key.id;
        const hasMember = req.member;
        if (hasApiKey) {
            return next();
        }
        if (labs.isSet('members') && hasMember) {
            return next();
        }
        return next(new errors.NoPermissionError({
            message: i18n.t('errors.middleware.auth.authorizationFailed'),
            context: i18n.t('errors.middleware.auth.missingContentMemberOrIntegration')
        }));
    },

    authorizeAdminApi(req, res, next) {
        const hasUser = req.user && req.user.id;
        const hasApiKey = req.api_key && req.api_key.id;

        if (hasUser || hasApiKey) {
            return next();
        } else {
            return next(new errors.NoPermissionError({
                message: i18n.t('errors.middleware.auth.authorizationFailed'),
                context: i18n.t('errors.middleware.auth.missingAdminUserOrIntegration')
            }));
        }
    }
};

module.exports = authorize;
Wired up {GET,POST,DELETE} /session to v2 admin api * Added admin specific auth{enticate,orize} middleware refs #9865 This middleware will be used by the admin api to authenticate and authorize requests * Update v2/admin to use authAdminApi middleware refs #9865 This changes thh auth middleware to use the adminApi authenticate and authorize middlewares underneath, it also renames the middleware to be consistent with the naming of the api. * Removed oauth specific endpoints from /v2/admin refs #9865 These are not to be used in v2/admin * Wired up the session controller to the admin api refs #9865 These endpoints will be used by ghost admin to login, confirm logged in status and logout 2018-10-05 13:45:17 +03:00			`const labs = require('../labs');`
Refactor common pattern in service files - Use array destructuring - Use @tryghost/errors - Part of the big move towards decoupling, this gives visibility on what's being used where - Biting off manageable chunks / fixing bits of code I'm refactoring for other reasons 2020-04-30 22:26:12 +03:00			`const errors = require('@tryghost/errors');`
			`const {i18n} = require('../../lib/common');`
✨ Ghost OAuth (#7451) issue #7452 Remote oauth2 authentication with Ghost.org. This PR supports: - oauth2 login or local login - authentication on blog setup - authentication on invite - normal authentication - does not contain many, many tests, but we'll improve in the next alpha weeks 2016-09-30 14:45:59 +03:00
Wired up {GET,POST,DELETE} /session to v2 admin api * Added admin specific auth{enticate,orize} middleware refs #9865 This middleware will be used by the admin api to authenticate and authorize requests * Update v2/admin to use authAdminApi middleware refs #9865 This changes thh auth middleware to use the adminApi authenticate and authorize middlewares underneath, it also renames the middleware to be consistent with the naming of the api. * Removed oauth specific endpoints from /v2/admin refs #9865 These are not to be used in v2/admin * Wired up the session controller to the admin api refs #9865 These endpoints will be used by ghost admin to login, confirm logged in status and logout 2018-10-05 13:45:17 +03:00			`const authorize = {`
♻ Updated naming for Content API specific middleware no-issue This is because the Content API will eventually be accessed not just from Content API keys. The addition of a Content API specific authorization middleware is because: 1. content api should not authorize based on req.user 2. content api will need separate authorization than admin api 2018-11-07 13:29:40 +03:00			`authorizeContentApi(req, res, next) {`
			`const hasApiKey = req.api_key && req.api_key.id;`
🚧 Authorized Content API requests with req.member closes #10111 The members labs setting is required to be set for req.member to be considered valid authorization 2018-11-07 13:41:49 +03:00			`const hasMember = req.member;`
♻ Updated naming for Content API specific middleware no-issue This is because the Content API will eventually be accessed not just from Content API keys. The addition of a Content API specific authorization middleware is because: 1. content api should not authorize based on req.user 2. content api will need separate authorization than admin api 2018-11-07 13:29:40 +03:00			`if (hasApiKey) {`
			`return next();`
			`}`
🚧 Authorized Content API requests with req.member closes #10111 The members labs setting is required to be set for req.member to be considered valid authorization 2018-11-07 13:41:49 +03:00			`if (labs.isSet('members') && hasMember) {`
			`return next();`
			`}`
Refactor common pattern in service files - Use array destructuring - Use @tryghost/errors - Part of the big move towards decoupling, this gives visibility on what's being used where - Biting off manageable chunks / fixing bits of code I'm refactoring for other reasons 2020-04-30 22:26:12 +03:00			`return next(new errors.NoPermissionError({`
			`message: i18n.t('errors.middleware.auth.authorizationFailed'),`
			`context: i18n.t('errors.middleware.auth.missingContentMemberOrIntegration')`
Added empty lines and reduces line length in auth authorize no issue - improves readability 2019-01-18 19:33:36 +03:00			`}));`
♻ Updated naming for Content API specific middleware no-issue This is because the Content API will eventually be accessed not just from Content API keys. The addition of a Content API specific authorization middleware is because: 1. content api should not authorize based on req.user 2. content api will need separate authorization than admin api 2018-11-07 13:29:40 +03:00			`},`

Switched to use new implementation of authorizeAdminApi refs #9865 - see code comments 2019-01-18 19:41:52 +03:00			`authorizeAdminApi(req, res, next) {`
Added API Key auth middleware to v2 content API (#10005) * Added API Key auth middleware to v2 content API refs #9865 - add `auth.authenticate.authenticateContentApiKey` middleware - accepts `?key=` query param, sets `req.api_key` if it's a known Content API key - add `requiresAuthorizedUserOrApiKey` authorization middleware - passes if either `req.user` or `req.api_key` exists - update `authenticatePublic` middleware stack for v2 content routes * Fixed functional content api tests no-issue This fixes the functional content api tests so they use the content api auth. * Fixed context check and removed skip * Updated cors middleware for content api * Removed client_id from frame.context no-issue The v2 api doesn't have a notion of clients as we do not use oauth for it * Fixed tests for posts input serializer 2018-10-15 12:23:34 +03:00			`const hasUser = req.user && req.user.id;`
			`const hasApiKey = req.api_key && req.api_key.id;`
Added empty lines and reduces line length in auth authorize no issue - improves readability 2019-01-18 19:33:36 +03:00
Added API Key auth middleware to v2 content API (#10005) * Added API Key auth middleware to v2 content API refs #9865 - add `auth.authenticate.authenticateContentApiKey` middleware - accepts `?key=` query param, sets `req.api_key` if it's a known Content API key - add `requiresAuthorizedUserOrApiKey` authorization middleware - passes if either `req.user` or `req.api_key` exists - update `authenticatePublic` middleware stack for v2 content routes * Fixed functional content api tests no-issue This fixes the functional content api tests so they use the content api auth. * Fixed context check and removed skip * Updated cors middleware for content api * Removed client_id from frame.context no-issue The v2 api doesn't have a notion of clients as we do not use oauth for it * Fixed tests for posts input serializer 2018-10-15 12:23:34 +03:00			`if (hasUser \|\| hasApiKey) {`
			`return next();`
			`} else {`
Refactor common pattern in service files - Use array destructuring - Use @tryghost/errors - Part of the big move towards decoupling, this gives visibility on what's being used where - Biting off manageable chunks / fixing bits of code I'm refactoring for other reasons 2020-04-30 22:26:12 +03:00			`return next(new errors.NoPermissionError({`
			`message: i18n.t('errors.middleware.auth.authorizationFailed'),`
			`context: i18n.t('errors.middleware.auth.missingAdminUserOrIntegration')`
Added empty lines and reduces line length in auth authorize no issue - improves readability 2019-01-18 19:33:36 +03:00			`}));`
Added API Key auth middleware to v2 content API (#10005) * Added API Key auth middleware to v2 content API refs #9865 - add `auth.authenticate.authenticateContentApiKey` middleware - accepts `?key=` query param, sets `req.api_key` if it's a known Content API key - add `requiresAuthorizedUserOrApiKey` authorization middleware - passes if either `req.user` or `req.api_key` exists - update `authenticatePublic` middleware stack for v2 content routes * Fixed functional content api tests no-issue This fixes the functional content api tests so they use the content api auth. * Fixed context check and removed skip * Updated cors middleware for content api * Removed client_id from frame.context no-issue The v2 api doesn't have a notion of clients as we do not use oauth for it * Fixed tests for posts input serializer 2018-10-15 12:23:34 +03:00			`}`
			`}`
✨ Ghost OAuth (#7451) issue #7452 Remote oauth2 authentication with Ghost.org. This PR supports: - oauth2 login or local login - authentication on blog setup - authentication on invite - normal authentication - does not contain many, many tests, but we'll improve in the next alpha weeks 2016-09-30 14:45:59 +03:00			`};`

			`module.exports = authorize;`