🐛 Fixed public api access on custom domain

no issue - if you blog runs on a custom domain, but your admin panel is configured using a different domain -> Ghost losts the origin header - we had this situation once with pretty urls (your request get's redirected from /posts to /posts/, see https://github.com/TryGhost/Ghost/pull/8094) - we've moved all our redirect logic to Ghost and ran into the same situation - i've added proper test to ensure it won't happen again
2024-11-28 22:43:30 +03:00 · 2017-09-13 19:24:11 +02:00 · 2017-09-13 19:24:11 +02:00 · 79959d9581
commit 79959d9581
parent 85f8498bd6
3 changed files with 32 additions and 6 deletions
--- a/core/server/api/app.js
+++ b/core/server/api/app.js
@ -13,7 +13,6 @@ var debug = require('ghost-ignition').debug('api'),
    // Shared
    bodyParser = require('body-parser'), // global, shared
    cacheControl = require('../middleware/cache-control'), // global, shared
    urlRedirects = require('../middleware/url-redirects'),
    maintenance = require('../middleware/maintenance'), // global, shared
    errorHandler = require('../middleware/error-handler'); // global, shared
@ -37,10 +36,6 @@ module.exports = function setupApiApp() {
    // send 503 json response in case of maintenance
    apiApp.use(maintenance);
    // Force SSL if required
    // must happen AFTER asset loading and BEFORE routing
    apiApp.use(urlRedirects);
    // Check version matches for API requests, depends on res.locals.safeVersion being set
    // Therefore must come after themeHandler.ghostLocals, for now
    apiApp.use(versionMatch);
--- a/core/server/api/middleware.js
+++ b/core/server/api/middleware.js
@ -1,13 +1,15 @@
 var prettyURLs = require('../middleware/pretty-urls'),
    cors = require('../middleware/api/cors'),
    urlRedirects = require('../middleware/url-redirects'),
    auth = require('../auth');
 /**
 * Auth Middleware Packages
 *
 * IMPORTANT
- * - cors middleware MUST happen before pretty urls, because otherwise cors header can get lost
+ * - cors middleware MUST happen before pretty urls, because otherwise cors header can get lost on redirect
 * - cors middleware MUST happen after authenticateClient, because authenticateClient reads the trusted domains
 * - url redirects MUST happen after cors, otherwise cors header can get lost on redirect
 */
 /**
@ -19,6 +21,7 @@ module.exports.authenticatePublic = [
    // This is a labs-enabled middleware
    auth.authorize.requiresAuthorizedUserPublicAPI,
    cors,
    urlRedirects,
    prettyURLs
 ];
@ -30,6 +33,7 @@ module.exports.authenticatePrivate = [
    auth.authenticate.authenticateUser,
    auth.authorize.requiresAuthorizedUser,
    cors,
    urlRedirects,
    prettyURLs
 ];
@ -42,6 +46,7 @@ module.exports.authenticateClient = function authenticateClient(client) {
        auth.authenticate.authenticateUser,
        auth.authorize.requiresAuthorizedClient(client),
        cors,
        urlRedirects,
        prettyURLs
    ];
 };
--- a/core/test/functional/routes/api/public_api_spec.js
+++ b/core/test/functional/routes/api/public_api_spec.js
@ -1,6 +1,7 @@
 var should = require('should'),
    supertest = require('supertest'),
    testUtils = require('../../../utils'),
    configUtils = require('../../../utils/configUtils'),
    _ = require('lodash'),
    config = require('../../../../../core/server/config'),
    ghost = testUtils.startGhost,
@ -29,6 +30,10 @@ describe('Public API', function () {
            });
    });
    afterEach(function () {
        configUtils.restore();
    });
    it('browse posts', function (done) {
        request.get(testUtils.API.getApiQuery('posts/?client_id=ghost-admin&client_secret=not_available'))
            .set('Origin', testUtils.API.getURL())
@ -83,6 +88,27 @@ describe('Public API', function () {
            });
    });
    it('ensure origin header on redirect is not getting lost', function (done) {
        // NOTE: force a redirect to the admin url
        configUtils.set('admin:url', 'http://localhost:9999');
        request.get(testUtils.API.getApiQuery('posts?client_id=ghost-test&client_secret=not_available'))
            .set('Origin', 'https://example.com')
            .expect('Cache-Control', testUtils.cacheRules.private)
            .expect(301)
            .end(function (err, res) {
                if (err) {
                    return done(err);
                }
                res.headers.vary.should.eql('Origin, Accept, Accept-Encoding');
                res.headers.location.should.eql('http://localhost:9999/ghost/api/v0.1/posts/?client_id=ghost-test&client_secret=not_available');
                should.exist(res.headers['access-control-allow-origin']);
                should.not.exist(res.headers['x-cache-invalidate']);
                done();
            });
    });
    it('browse posts, ignores staticPages', function (done) {
        request.get(testUtils.API.getApiQuery('posts/?client_id=ghost-admin&client_secret=not_available&staticPages=true'))
            .set('Origin', testUtils.API.getURL())