Fixed issuer when site and api are diff domains (#10806)

no-issue

The issuer value is used through the members code base as the identifier
for the members api. The existing code did not take into account that
the domain/url for the site could be different than for the admin (and
the apis).
This commit is contained in:
Fabien O'Carroll 2019-06-26 16:02:08 +07:00 committed by GitHub
parent 9d69951c81
commit dd727a44df
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 8 additions and 14 deletions

View File

@ -18,11 +18,11 @@ module.exports = {
const {protocol, host} = url.parse(config.get('url'));
const siteOrigin = `${protocol}//${host}`;
UNO_MEMBERINO = jwt({
UNO_MEMBERINO = membersService.getPublicConfig().then(({issuer}) => jwt({
credentialsRequired: false,
requestProperty: 'member',
audience: siteOrigin,
issuer: siteOrigin,
issuer,
algorithm: 'RS512',
secret(req, payload, done) {
membersService.getPublicConfig().then(({publicKey}) => {
@ -42,8 +42,10 @@ module.exports = {
return credentials;
}
});
}));
}
return UNO_MEMBERINO;
return function (req, res, next) {
UNO_MEMBERINO.then(fn => fn(req, res, next)).catch(next);
};
}
};

View File

@ -116,16 +116,8 @@ const siteOrigin = doBlock(() => {
return `${protocol}//${host}`;
});
const getApiUrl = ({version, type}) => {
const {href} = new url.URL(
urlUtils.getApiPath({version, type}),
siteUrl
);
return href;
};
const contentApiUrl = getApiUrl({version: 'v2', type: 'content'});
const membersApiUrl = getApiUrl({version: 'v2', type: 'members'});
const contentApiUrl = urlUtils.urlFor('api', {version: 'v2', type: 'content'}, true);
const membersApiUrl = urlUtils.urlFor('api', {version: 'v2', type: 'members'}, true);
const accessControl = {
[siteOrigin]: {