Ghost/test/regression/api/canary/admin/identities_spec.js

const should = require('should');
const supertest = require('supertest');
const jwt = require('jsonwebtoken');
const jwksClient = require('jwks-rsa');
const testUtils = require('../../../../utils');
const localUtils = require('./utils');
const config = require('../../../../../core/shared/config');

const ghost = testUtils.startGhost;

let request;

const verifyJWKS = (endpoint, token) => {
    return new Promise((resolve, reject) => {
        const client = jwksClient({
            jwksUri: endpoint
        });

        function getKey(header, callback){
            client.getSigningKey(header.kid, (err, key) => {
                let signingKey = key.publicKey || key.rsaPublicKey;
                callback(null, signingKey);
            });
        }

        jwt.verify(token, getKey, {}, (err, decoded) => {
            if (err) {
                reject(err);
            }

            resolve(decoded);
        });
    });
};

describe('Identities API', function () {
    describe('As Owner', function () {
        before(function () {
            return ghost()
                .then(function () {
                    request = supertest.agent(config.get('url'));
                })
                .then(function () {
                    return localUtils.doAuth(request);
                });
        });

        it('Can create JWT token and verify it afterwards with public jwks', function () {
            let identity;

            return request
                .get(localUtils.API.getApiQuery(`identities/`))
                .set('Origin', config.get('url'))
                .expect('Content-Type', /json/)
                .expect('Cache-Control', testUtils.cacheRules.private)
                .expect(200)
                .then((res) => {
                    should.not.exist(res.headers['x-cache-invalidate']);
                    const jsonResponse = res.body;
                    should.exist(jsonResponse);
                    should.exist(jsonResponse.identities);

                    identity = jsonResponse.identities[0];
                })
                .then(() => {
                    return verifyJWKS(`${request.app}/ghost/.well-known/jwks.json`, identity.token);
                })
                .then((decoded) => {
                    decoded.sub.should.equal('jbloggs@example.com');
                });
        });
    });

    describe('As non-Owner', function () {
        before(function () {
            return ghost()
                .then(function (_ghostServer) {
                    request = supertest.agent(config.get('url'));
                })
                .then(function () {
                    return testUtils.createUser({
                        user: testUtils.DataGenerator.forKnex.createUser({email: 'admin+1@ghost.org'}),
                        role: testUtils.DataGenerator.Content.roles[0].name
                    });
                })
                .then(function (admin) {
                    request.user = admin;

                    return localUtils.doAuth(request);
                });
        });

        it('Cannot read', function () {
            return request
                .get(localUtils.API.getApiQuery(`identities/`))
                .set('Origin', config.get('url'))
                .expect('Content-Type', /json/)
                .expect('Cache-Control', testUtils.cacheRules.private)
                .expect(403);
        });
    });
});
Implemented externally verifiable identity tokens no-issue This adds two new endpoints, one at /ghost/.well-known/jwks.json for exposing a public key, and one on the canary api /identities, which allows the Owner user to fetch a JWT. This token can then be used by external services to verify the domain * Added ghost_{public,private}_key settings This key can be used for generating tokens for communicating with external services on behalf of Ghost * Added .well-known directory to /ghost/.well-known We add a jwks.json file to the .well-known directory which exposes a public JWK which can be used to verify the signatures of JWT's created by Ghost This is added to the /ghost/ path so that it can live on the admin domain, rather than the frontend. This is because most of its uses/functions will be in relation to the admin domain. * Improved settings model tests This removes hardcoded positions in favour of testing that a particular event wasn't emitted which is less brittle and more precise about what's being tested * Fixed parent app unit tests for well-known This updates the parent app unit tests to check that the well-known route is mounted. We all change proxyquire to use `noCallThru` which ensures that the ubderlying modules are not required. This stops the initialisation logic in ./well-known erroring in tests https://github.com/thlorenz/proxyquire/issues/215 * Moved jwt signature to a separate 'token' propery This structure corresponds to other resources and allows to exptend with additional properties in future if needed 2020-01-20 14:45:58 +03:00			`const should = require('should');`
			`const supertest = require('supertest');`
			`const jwt = require('jsonwebtoken');`
			`const jwksClient = require('jwks-rsa');`
			`const testUtils = require('../../../../utils');`
			`const localUtils = require('./utils');`
Moved config from server to shared (#11850) * moved `server/config` to `shared/config` * updated config import paths in server to use shared * updated config import paths in frontend to use shared * updated config import paths in test to use shared * updated config import paths in root to use shared * trigger regression tests * of course the rebase broke tests 2020-05-27 20:47:53 +03:00			`const config = require('../../../../../core/shared/config');`
Implemented externally verifiable identity tokens no-issue This adds two new endpoints, one at /ghost/.well-known/jwks.json for exposing a public key, and one on the canary api /identities, which allows the Owner user to fetch a JWT. This token can then be used by external services to verify the domain * Added ghost_{public,private}_key settings This key can be used for generating tokens for communicating with external services on behalf of Ghost * Added .well-known directory to /ghost/.well-known We add a jwks.json file to the .well-known directory which exposes a public JWK which can be used to verify the signatures of JWT's created by Ghost This is added to the /ghost/ path so that it can live on the admin domain, rather than the frontend. This is because most of its uses/functions will be in relation to the admin domain. * Improved settings model tests This removes hardcoded positions in favour of testing that a particular event wasn't emitted which is less brittle and more precise about what's being tested * Fixed parent app unit tests for well-known This updates the parent app unit tests to check that the well-known route is mounted. We all change proxyquire to use `noCallThru` which ensures that the ubderlying modules are not required. This stops the initialisation logic in ./well-known erroring in tests https://github.com/thlorenz/proxyquire/issues/215 * Moved jwt signature to a separate 'token' propery This structure corresponds to other resources and allows to exptend with additional properties in future if needed 2020-01-20 14:45:58 +03:00
			`const ghost = testUtils.startGhost;`

			`let request;`

			`const verifyJWKS = (endpoint, token) => {`
			`return new Promise((resolve, reject) => {`
			`const client = jwksClient({`
			`jwksUri: endpoint`
			`});`

			`function getKey(header, callback){`
			`client.getSigningKey(header.kid, (err, key) => {`
			`let signingKey = key.publicKey \|\| key.rsaPublicKey;`
			`callback(null, signingKey);`
			`});`
			`}`

			`jwt.verify(token, getKey, {}, (err, decoded) => {`
			`if (err) {`
			`reject(err);`
			`}`

			`resolve(decoded);`
			`});`
			`});`
			`};`

			`describe('Identities API', function () {`
			`describe('As Owner', function () {`
			`before(function () {`
			`return ghost()`
			`.then(function () {`
			`request = supertest.agent(config.get('url'));`
			`})`
			`.then(function () {`
			`return localUtils.doAuth(request);`
			`});`
			`});`

			`it('Can create JWT token and verify it afterwards with public jwks', function () {`
			`let identity;`

			`return request`
			.get(localUtils.API.getApiQuery(`identities/`))
			`.set('Origin', config.get('url'))`
			`.expect('Content-Type', /json/)`
			`.expect('Cache-Control', testUtils.cacheRules.private)`
			`.expect(200)`
			`.then((res) => {`
			`should.not.exist(res.headers['x-cache-invalidate']);`
			`const jsonResponse = res.body;`
			`should.exist(jsonResponse);`
			`should.exist(jsonResponse.identities);`

			`identity = jsonResponse.identities[0];`
			`})`
			`.then(() => {`
			return verifyJWKS(`${request.app}/ghost/.well-known/jwks.json`, identity.token);
			`})`
			`.then((decoded) => {`
			`decoded.sub.should.equal('jbloggs@example.com');`
			`});`
			`});`
			`});`

			`describe('As non-Owner', function () {`
			`before(function () {`
			`return ghost()`
			`.then(function (_ghostServer) {`
			`request = supertest.agent(config.get('url'));`
			`})`
			`.then(function () {`
			`return testUtils.createUser({`
			`user: testUtils.DataGenerator.forKnex.createUser({email: 'admin+1@ghost.org'}),`
			`role: testUtils.DataGenerator.Content.roles[0].name`
			`});`
			`})`
			`.then(function (admin) {`
			`request.user = admin;`

			`return localUtils.doAuth(request);`
			`});`
			`});`

			`it('Cannot read', function () {`
			`return request`
			.get(localUtils.API.getApiQuery(`identities/`))
			`.set('Origin', config.get('url'))`
			`.expect('Content-Type', /json/)`
			`.expect('Cache-Control', testUtils.cacheRules.private)`
			`.expect(403);`
			`});`
			`});`
			`});`