Ghost/core/server/services/auth/session/index.js

const adapterManager = require('../../adapter-manager');
const createSessionService = require('@tryghost/session-service');
const sessionFromToken = require('@tryghost/mw-session-from-token');
const createSessionMiddleware = require('./middleware');

const expressSession = require('./express-session');

const models = require('../../../models');
const urlUtils = require('../../../../shared/url-utils');
const url = require('url');

function getOriginOfRequest(req) {
    const origin = req.get('origin');
    const referrer = req.get('referrer') || urlUtils.getAdminUrl() || urlUtils.getSiteUrl();

    if (!origin && !referrer || origin === 'null') {
        return null;
    }

    if (origin) {
        return origin;
    }

    const {protocol, host} = url.parse(referrer);
    if (protocol && host) {
        return `${protocol}//${host}`;
    }
    return null;
}

const sessionService = createSessionService({
    getOriginOfRequest,
    getSession: expressSession.getSession,
    findUserById({id}) {
        return models.User.findOne({id});
    }
});

module.exports = createSessionMiddleware({sessionService});

const ssoAdapter = adapterManager.getAdapter('sso');
// Looks funky but this is a "custom" piece of middleware
module.exports.createSessionFromToken = sessionFromToken({
    callNextWithError: false,
    createSession: sessionService.createSessionForUser,
    findUserByLookup: ssoAdapter.getUserForIdentity.bind(ssoAdapter),
    getLookupFromToken: ssoAdapter.getIdentityFromCredentials.bind(ssoAdapter),
    getTokenFromRequest: ssoAdapter.getRequestCredentials.bind(ssoAdapter)
});
Added support for token session to /ghost (#11709) no-issue * Added default for getting origin of request This function is used to attach the origin of the request to the session, and later check that requests using the session are coming from the same origin. This protects us against CSRF attacks as requests in the browser MUST originate from the same origin on which the user logged in. Previously, when we could not determine the origin we would return null, as a "safety" net. This updates the function to use a secure and sensible default - which is the origin of the Ghost-Admin application, and if that's not set - the origin of the Ghost application. This will make dealing with magic links simpler as you can not always guaruntee the existence of these headers when visiting via a hyperlink * Removed init fns and getters from session service This simplifies the code here, making it easier to read and maintain * Moved express-session initialisation to own file This is complex enough that it deserves its own module * Added createSessionFromToken to session service * Wired up the createSessionFromToken middleware 2020-04-06 12:49:14 +03:00			`const adapterManager = require('../../adapter-manager');`
			`const createSessionService = require('@tryghost/session-service');`
			`const sessionFromToken = require('@tryghost/mw-session-from-token');`
			`const createSessionMiddleware = require('./middleware');`

			`const expressSession = require('./express-session');`

Refactored session service (#11701) * Refactored SessionStore to use @tryghost/errors no-issue * Updated tests to test exposed API no-issue This will make refactoring easier, as we only have the "public" contract to maintain * Refactored session functionality to SessionService no-issue This splits the session logic away from the HTTP responding logic, which will allows us to decouple session creation/modification from the API. Eventually this can be used to create sessions based on magiclink style tokens. * Instantiated and exported the new SessionService no-issue * Refactored session middleware to take session service no-issue This removes duplication of code and makes the middleware more explicit that it's just a wrapper around the session service. * Updated to use external @tryghost/session-service no-issue 2020-04-02 17:27:31 +03:00			`const models = require('../../../models');`
Moved core/server/lib/url-utils to core/shared/url-utils (#11856) * moved url-utils from server to shared * updated imports of url-utils 2020-05-28 13:57:02 +03:00			`const urlUtils = require('../../../../shared/url-utils');`
Refactored session service (#11701) * Refactored SessionStore to use @tryghost/errors no-issue * Updated tests to test exposed API no-issue This will make refactoring easier, as we only have the "public" contract to maintain * Refactored session functionality to SessionService no-issue This splits the session logic away from the HTTP responding logic, which will allows us to decouple session creation/modification from the API. Eventually this can be used to create sessions based on magiclink style tokens. * Instantiated and exported the new SessionService no-issue * Refactored session middleware to take session service no-issue This removes duplication of code and makes the middleware more explicit that it's just a wrapper around the session service. * Updated to use external @tryghost/session-service no-issue 2020-04-02 17:27:31 +03:00			`const url = require('url');`

			`function getOriginOfRequest(req) {`
			`const origin = req.get('origin');`
Added support for token session to /ghost (#11709) no-issue * Added default for getting origin of request This function is used to attach the origin of the request to the session, and later check that requests using the session are coming from the same origin. This protects us against CSRF attacks as requests in the browser MUST originate from the same origin on which the user logged in. Previously, when we could not determine the origin we would return null, as a "safety" net. This updates the function to use a secure and sensible default - which is the origin of the Ghost-Admin application, and if that's not set - the origin of the Ghost application. This will make dealing with magic links simpler as you can not always guaruntee the existence of these headers when visiting via a hyperlink * Removed init fns and getters from session service This simplifies the code here, making it easier to read and maintain * Moved express-session initialisation to own file This is complex enough that it deserves its own module * Added createSessionFromToken to session service * Wired up the createSessionFromToken middleware 2020-04-06 12:49:14 +03:00			`const referrer = req.get('referrer') \|\| urlUtils.getAdminUrl() \|\| urlUtils.getSiteUrl();`
Refactored session service (#11701) * Refactored SessionStore to use @tryghost/errors no-issue * Updated tests to test exposed API no-issue This will make refactoring easier, as we only have the "public" contract to maintain * Refactored session functionality to SessionService no-issue This splits the session logic away from the HTTP responding logic, which will allows us to decouple session creation/modification from the API. Eventually this can be used to create sessions based on magiclink style tokens. * Instantiated and exported the new SessionService no-issue * Refactored session middleware to take session service no-issue This removes duplication of code and makes the middleware more explicit that it's just a wrapper around the session service. * Updated to use external @tryghost/session-service no-issue 2020-04-02 17:27:31 +03:00
Updated all Origin header checks to handle 'null' (#12246) closes #12244 As per RFC 6454 the Origin header MUST be set to the string 'null' when in a "privacy-sensitive" context. We were not handling this string and this was causing errors. This commit updates all checks of the 'Origin' header to treat the value 'null' as if the header was not present. ref: https://tools.ietf.org/html/rfc6454#section-7.3 2020-10-01 11:37:22 +03:00			`if (!origin && !referrer \|\| origin === 'null') {`
Refactored session service (#11701) * Refactored SessionStore to use @tryghost/errors no-issue * Updated tests to test exposed API no-issue This will make refactoring easier, as we only have the "public" contract to maintain * Refactored session functionality to SessionService no-issue This splits the session logic away from the HTTP responding logic, which will allows us to decouple session creation/modification from the API. Eventually this can be used to create sessions based on magiclink style tokens. * Instantiated and exported the new SessionService no-issue * Refactored session middleware to take session service no-issue This removes duplication of code and makes the middleware more explicit that it's just a wrapper around the session service. * Updated to use external @tryghost/session-service no-issue 2020-04-02 17:27:31 +03:00			`return null;`
			`}`

			`if (origin) {`
			`return origin;`
			`}`

			`const {protocol, host} = url.parse(referrer);`
			`if (protocol && host) {`
			return `${protocol}//${host}`;
			`}`
			`return null;`
			`}`

Added support for token session to /ghost (#11709) no-issue * Added default for getting origin of request This function is used to attach the origin of the request to the session, and later check that requests using the session are coming from the same origin. This protects us against CSRF attacks as requests in the browser MUST originate from the same origin on which the user logged in. Previously, when we could not determine the origin we would return null, as a "safety" net. This updates the function to use a secure and sensible default - which is the origin of the Ghost-Admin application, and if that's not set - the origin of the Ghost application. This will make dealing with magic links simpler as you can not always guaruntee the existence of these headers when visiting via a hyperlink * Removed init fns and getters from session service This simplifies the code here, making it easier to read and maintain * Moved express-session initialisation to own file This is complex enough that it deserves its own module * Added createSessionFromToken to session service * Wired up the createSessionFromToken middleware 2020-04-06 12:49:14 +03:00			`const sessionService = createSessionService({`
			`getOriginOfRequest,`
			`getSession: expressSession.getSession,`
			`findUserById({id}) {`
			`return models.User.findOne({id});`
			`}`
			`});`

			`module.exports = createSessionMiddleware({sessionService});`

			`const ssoAdapter = adapterManager.getAdapter('sso');`
			`// Looks funky but this is a "custom" piece of middleware`
			`module.exports.createSessionFromToken = sessionFromToken({`
			`callNextWithError: false,`
			`createSession: sessionService.createSessionForUser,`
Bound SSOAdapter methods to their instance no-issue This allows custom SSO adapters to store instance config and refer to in their methods 2020-11-05 16:07:56 +03:00			`findUserByLookup: ssoAdapter.getUserForIdentity.bind(ssoAdapter),`
			`getLookupFromToken: ssoAdapter.getIdentityFromCredentials.bind(ssoAdapter),`
			`getTokenFromRequest: ssoAdapter.getRequestCredentials.bind(ssoAdapter)`
Added support for token session to /ghost (#11709) no-issue * Added default for getting origin of request This function is used to attach the origin of the request to the session, and later check that requests using the session are coming from the same origin. This protects us against CSRF attacks as requests in the browser MUST originate from the same origin on which the user logged in. Previously, when we could not determine the origin we would return null, as a "safety" net. This updates the function to use a secure and sensible default - which is the origin of the Ghost-Admin application, and if that's not set - the origin of the Ghost application. This will make dealing with magic links simpler as you can not always guaruntee the existence of these headers when visiting via a hyperlink * Removed init fns and getters from session service This simplifies the code here, making it easier to read and maintain * Moved express-session initialisation to own file This is complex enough that it deserves its own module * Added createSessionFromToken to session service * Wired up the createSessionFromToken middleware 2020-04-06 12:49:14 +03:00			`});`