Ghost/core/server/services/auth/authorize.js

const errors = require('@tryghost/errors');
const tpl = require('@tryghost/tpl');

const messages = {
    authorizationFailed: 'Authorization failed',
    missingContentMemberOrIntegration: 'Unable to determine the authenticated member or integration. Check the supplied Content API Key and ensure cookies are being passed through if member auth is failing.',
    missingAdminUserOrIntegration: 'Unable to determine the authenticated user or integration. Check that cookies are being passed through if using session authentication.'
};

const authorize = {
    authorizeContentApi(req, res, next) {
        const hasApiKey = req.api_key && req.api_key.id;
        const hasMember = req.member;
        if (hasApiKey) {
            return next();
        }
        if (hasMember) {
            return next();
        }
        return next(new errors.NoPermissionError({
            message: tpl(messages.authorizationFailed),
            context: tpl(messages.missingContentMemberOrIntegration)
        }));
    },

    authorizeAdminApi(req, res, next) {
        const hasUser = req.user && req.user.id;
        const hasApiKey = req.api_key && req.api_key.id;

        if (hasUser || hasApiKey) {
            return next();
        } else {
            return next(new errors.NoPermissionError({
                message: tpl(messages.authorizationFailed),
                context: tpl(messages.missingAdminUserOrIntegration)
            }));
        }
    }
};

module.exports = authorize;
Refactor common pattern in service files - Use array destructuring - Use @tryghost/errors - Part of the big move towards decoupling, this gives visibility on what's being used where - Biting off manageable chunks / fixing bits of code I'm refactoring for other reasons 2020-04-30 22:26:12 +03:00			`const errors = require('@tryghost/errors');`
Replaced i18n.t w/ tpl helper in authorize.js (#13442) refs: #13380 - The i18n package is deprecated. It is being replaced with the tpl package. Co-authored-by: Aleksander Chromik <aleksander.chromik@footballco.com> 2021-10-05 12:34:07 +03:00			`const tpl = require('@tryghost/tpl');`

			`const messages = {`
			`authorizationFailed: 'Authorization failed',`
			`missingContentMemberOrIntegration: 'Unable to determine the authenticated member or integration. Check the supplied Content API Key and ensure cookies are being passed through if member auth is failing.',`
			`missingAdminUserOrIntegration: 'Unable to determine the authenticated user or integration. Check that cookies are being passed through if using session authentication.'`
			`};`
✨ Ghost OAuth (#7451) issue #7452 Remote oauth2 authentication with Ghost.org. This PR supports: - oauth2 login or local login - authentication on blog setup - authentication on invite - normal authentication - does not contain many, many tests, but we'll improve in the next alpha weeks 2016-09-30 14:45:59 +03:00
Wired up {GET,POST,DELETE} /session to v2 admin api * Added admin specific auth{enticate,orize} middleware refs #9865 This middleware will be used by the admin api to authenticate and authorize requests * Update v2/admin to use authAdminApi middleware refs #9865 This changes thh auth middleware to use the adminApi authenticate and authorize middlewares underneath, it also renames the middleware to be consistent with the naming of the api. * Removed oauth specific endpoints from /v2/admin refs #9865 These are not to be used in v2/admin * Wired up the session controller to the admin api refs #9865 These endpoints will be used by ghost admin to login, confirm logged in status and logout 2018-10-05 13:45:17 +03:00			`const authorize = {`
♻ Updated naming for Content API specific middleware no-issue This is because the Content API will eventually be accessed not just from Content API keys. The addition of a Content API specific authorization middleware is because: 1. content api should not authorize based on req.user 2. content api will need separate authorization than admin api 2018-11-07 13:29:40 +03:00			`authorizeContentApi(req, res, next) {`
			`const hasApiKey = req.api_key && req.api_key.id;`
🚧 Authorized Content API requests with req.member closes #10111 The members labs setting is required to be set for req.member to be considered valid authorization 2018-11-07 13:41:49 +03:00			`const hasMember = req.member;`
♻ Updated naming for Content API specific middleware no-issue This is because the Content API will eventually be accessed not just from Content API keys. The addition of a Content API specific authorization middleware is because: 1. content api should not authorize based on req.user 2. content api will need separate authorization than admin api 2018-11-07 13:29:40 +03:00			`if (hasApiKey) {`
			`return next();`
			`}`
Enabled Members for all sites (#12582) no-issue This removes all references to the members labs setting, any code that was run conditionally behind this flag now runs unconditionally. * Removed usage of Members labs flag * Removed tests for Members disabled * Added dynamic keypair generation for when setting is missing 2021-01-28 21:07:45 +03:00			`if (hasMember) {`
🚧 Authorized Content API requests with req.member closes #10111 The members labs setting is required to be set for req.member to be considered valid authorization 2018-11-07 13:41:49 +03:00			`return next();`
			`}`
Refactor common pattern in service files - Use array destructuring - Use @tryghost/errors - Part of the big move towards decoupling, this gives visibility on what's being used where - Biting off manageable chunks / fixing bits of code I'm refactoring for other reasons 2020-04-30 22:26:12 +03:00			`return next(new errors.NoPermissionError({`
Replaced i18n.t w/ tpl helper in authorize.js (#13442) refs: #13380 - The i18n package is deprecated. It is being replaced with the tpl package. Co-authored-by: Aleksander Chromik <aleksander.chromik@footballco.com> 2021-10-05 12:34:07 +03:00			`message: tpl(messages.authorizationFailed),`
			`context: tpl(messages.missingContentMemberOrIntegration)`
Added empty lines and reduces line length in auth authorize no issue - improves readability 2019-01-18 19:33:36 +03:00			`}));`
♻ Updated naming for Content API specific middleware no-issue This is because the Content API will eventually be accessed not just from Content API keys. The addition of a Content API specific authorization middleware is because: 1. content api should not authorize based on req.user 2. content api will need separate authorization than admin api 2018-11-07 13:29:40 +03:00			`},`

Switched to use new implementation of authorizeAdminApi refs #9865 - see code comments 2019-01-18 19:41:52 +03:00			`authorizeAdminApi(req, res, next) {`
Added API Key auth middleware to v2 content API (#10005) * Added API Key auth middleware to v2 content API refs #9865 - add `auth.authenticate.authenticateContentApiKey` middleware - accepts `?key=` query param, sets `req.api_key` if it's a known Content API key - add `requiresAuthorizedUserOrApiKey` authorization middleware - passes if either `req.user` or `req.api_key` exists - update `authenticatePublic` middleware stack for v2 content routes * Fixed functional content api tests no-issue This fixes the functional content api tests so they use the content api auth. * Fixed context check and removed skip * Updated cors middleware for content api * Removed client_id from frame.context no-issue The v2 api doesn't have a notion of clients as we do not use oauth for it * Fixed tests for posts input serializer 2018-10-15 12:23:34 +03:00			`const hasUser = req.user && req.user.id;`
			`const hasApiKey = req.api_key && req.api_key.id;`
Added empty lines and reduces line length in auth authorize no issue - improves readability 2019-01-18 19:33:36 +03:00
Added API Key auth middleware to v2 content API (#10005) * Added API Key auth middleware to v2 content API refs #9865 - add `auth.authenticate.authenticateContentApiKey` middleware - accepts `?key=` query param, sets `req.api_key` if it's a known Content API key - add `requiresAuthorizedUserOrApiKey` authorization middleware - passes if either `req.user` or `req.api_key` exists - update `authenticatePublic` middleware stack for v2 content routes * Fixed functional content api tests no-issue This fixes the functional content api tests so they use the content api auth. * Fixed context check and removed skip * Updated cors middleware for content api * Removed client_id from frame.context no-issue The v2 api doesn't have a notion of clients as we do not use oauth for it * Fixed tests for posts input serializer 2018-10-15 12:23:34 +03:00			`if (hasUser \|\| hasApiKey) {`
			`return next();`
			`} else {`
Refactor common pattern in service files - Use array destructuring - Use @tryghost/errors - Part of the big move towards decoupling, this gives visibility on what's being used where - Biting off manageable chunks / fixing bits of code I'm refactoring for other reasons 2020-04-30 22:26:12 +03:00			`return next(new errors.NoPermissionError({`
Replaced i18n.t w/ tpl helper in authorize.js (#13442) refs: #13380 - The i18n package is deprecated. It is being replaced with the tpl package. Co-authored-by: Aleksander Chromik <aleksander.chromik@footballco.com> 2021-10-05 12:34:07 +03:00			`message: tpl(messages.authorizationFailed),`
			`context: tpl(messages.missingAdminUserOrIntegration)`
Added empty lines and reduces line length in auth authorize no issue - improves readability 2019-01-18 19:33:36 +03:00			`}));`
Added API Key auth middleware to v2 content API (#10005) * Added API Key auth middleware to v2 content API refs #9865 - add `auth.authenticate.authenticateContentApiKey` middleware - accepts `?key=` query param, sets `req.api_key` if it's a known Content API key - add `requiresAuthorizedUserOrApiKey` authorization middleware - passes if either `req.user` or `req.api_key` exists - update `authenticatePublic` middleware stack for v2 content routes * Fixed functional content api tests no-issue This fixes the functional content api tests so they use the content api auth. * Fixed context check and removed skip * Updated cors middleware for content api * Removed client_id from frame.context no-issue The v2 api doesn't have a notion of clients as we do not use oauth for it * Fixed tests for posts input serializer 2018-10-15 12:23:34 +03:00			`}`
			`}`
✨ Ghost OAuth (#7451) issue #7452 Remote oauth2 authentication with Ghost.org. This PR supports: - oauth2 login or local login - authentication on blog setup - authentication on invite - normal authentication - does not contain many, many tests, but we'll improve in the next alpha weeks 2016-09-30 14:45:59 +03:00			`};`

			`module.exports = authorize;`