Ghost/core/server/web/well-known.js

const express = require('express');
const settings = require('../services/settings/cache');
const jose = require('node-jose');

const dangerousPrivateKey = settings.get('ghost_private_key');
const keyStore = jose.JWK.createKeyStore();
const keyStoreReady = keyStore.add(dangerousPrivateKey, 'pem');

const getSafePublicJWKS = async () => {
    await keyStoreReady;
    return keyStore.toJSON();
};

module.exports = function setupWellKnownApp() {
    const wellKnownApp = express();

    wellKnownApp.get('/jwks.json', async (req, res) => {
        const jwks = await getSafePublicJWKS();
        res.json(jwks);
    });

    return wellKnownApp;
};
Implemented externally verifiable identity tokens no-issue This adds two new endpoints, one at /ghost/.well-known/jwks.json for exposing a public key, and one on the canary api /identities, which allows the Owner user to fetch a JWT. This token can then be used by external services to verify the domain * Added ghost_{public,private}_key settings This key can be used for generating tokens for communicating with external services on behalf of Ghost * Added .well-known directory to /ghost/.well-known We add a jwks.json file to the .well-known directory which exposes a public JWK which can be used to verify the signatures of JWT's created by Ghost This is added to the /ghost/ path so that it can live on the admin domain, rather than the frontend. This is because most of its uses/functions will be in relation to the admin domain. * Improved settings model tests This removes hardcoded positions in favour of testing that a particular event wasn't emitted which is less brittle and more precise about what's being tested * Fixed parent app unit tests for well-known This updates the parent app unit tests to check that the well-known route is mounted. We all change proxyquire to use `noCallThru` which ensures that the ubderlying modules are not required. This stops the initialisation logic in ./well-known erroring in tests https://github.com/thlorenz/proxyquire/issues/215 * Moved jwt signature to a separate 'token' propery This structure corresponds to other resources and allows to exptend with additional properties in future if needed 2020-01-20 14:45:58 +03:00			`const express = require('express');`
			`const settings = require('../services/settings/cache');`
			`const jose = require('node-jose');`

			`const dangerousPrivateKey = settings.get('ghost_private_key');`
			`const keyStore = jose.JWK.createKeyStore();`
			`const keyStoreReady = keyStore.add(dangerousPrivateKey, 'pem');`

			`const getSafePublicJWKS = async () => {`
			`await keyStoreReady;`
			`return keyStore.toJSON();`
			`};`

			`module.exports = function setupWellKnownApp() {`
			`const wellKnownApp = express();`

			`wellKnownApp.get('/jwks.json', async (req, res) => {`
			`const jwks = await getSafePublicJWKS();`
			`res.json(jwks);`
			`});`

			`return wellKnownApp;`
			`};`