Commit Graph

195 Commits

Author SHA1 Message Date
Fabien O'Carroll
97983baed6 🐛 Fixed CORS for errors from Admin API
refs #10932

Previously we were only applying the cors middleware to the options
preflight request, which meant that if the request errored, the cors
headers would not be applied, resulting in the client being unable to
read response data. This applies the cors middleware to _all_ requests
to the Admin API.
2019-07-22 12:57:41 +08:00
Fabien O'Carroll
2cb41dd8cd 🐛 Fixed CORS for errors from Content API
closes #10932

Previously we were only applying the cors middleware to the options
preflight request, which meant that if the request errored, the cors
headers would not be applied, resulting in the client being unable to
read response data. This applies the cors middleware to _all_ requests
to the Content API.
2019-07-22 12:57:41 +08:00
Fabien O'Carroll
078060abdc
Refactored members service logging and errors (#10919)
* Installed @tryghost/members-ssr@0.2.1

refs https://github.com/TryGhost/Members/issues/38

This updates allows for dynamic access of the membersApi, which will be
used in future when replacing the membersApi instance with a newly
configured one.

* Set the membersApiInstance logger to use common.logging

refs https://github.com/TryGhost/Members/issues/38

Passes the Ghost logger to the members api, so that we can keep an eye
on errors produced by the api.

* Refactored memberService use to always use getter

refs https://github.com/TryGhost/Members/issues/38

This will allow us to switch out the membersApi and the consumers of it
to have the updated reference by going through a getter.

* Installed @tryghost/members-api@0.3.0

refs https://github.com/TryGhost/Members/issues/38

Adds support for setting the logger

* Uninstalled stripe@7.0.0

refs https://github.com/TryGhost/Members/issues/38

The stripe module is now a dep of members-api, as it should be

* Updated members service to reconfigure settings

refs https://github.com/TryGhost/Members/issues/38

Previously we were unable to stop an invalidly configured members api
instance, now that we create a new instance, we can wait for the ready
or error event and only switch it out then.
2019-07-18 15:37:11 +08:00
Fabien O'Carroll
177411045a
Moved members static pages to members api URL (#10887)
* Installed @tryghost/members-api@0.2.0

refs #10886

This will allow us to mount one router rather than having a static and
api router.

* Added members v2 api directory

refs #10886

This brings the members api more inline with how the rest of the apis
work within Ghost.

* Mounted the members api app to the api route

closes #10886

This successfully mounts the api and the static pages to the
/api/v2/members/ URL.

* Installed @tryghost/members-auth-pages@1.0.0

refs #10886

This updates the auth pages to work correctly with the new mount point.

* Changed membersUrl in members.js to use members api

refs #10886

This keeps the membersUrl lined up with the path for the static
members pages.

* Removed old members static mount point

refs #10886

These are no longer used, nor desired.

* Remove superfluous code from members service

refs #10886

This remove the gateway getter which is no longer used, and the fallback
for members not enabled - which is handled within the members app.

* Updated ssoOrigin to use admin url

refs #10886

This ensures that sites running on a separate admin domain have the
correct ssoOrigin, which is used to ensure only the designated auth
pages are used to hit the authentication endpoints.

Since the auth pages are now hosted under the `/ghost` url, they will be
on the admin origin and not the site origin
2019-07-09 19:02:44 +08:00
Hannah Wolfe
6f507b8608 Updated theme activation API to experimental
- allow both uploading and activating themes as experiemental API features
- previously only uploading was allowed, I believe purely due to an oversight
2019-07-01 10:14:03 +01:00
Naz Gargol
abda6e6338
Migrated to use url-utils from Ghost-SDK (#10787)
closes #10773

- The refactoring is a substitute for `urlService.utils` used previously throughout the codebase and now extracted into the separate module in Ghost-SDK
- Added url-utils stubbing utility for test suites
- Some tests had to be refactored to avoid double mocks (when url's are being reset inside of rested 'describe' groups)
2019-06-18 15:13:55 +02:00
Rishabh Garg
c03ca79c66
Added Admin API for deleting members (#10673)
no issue

- Added new API to delete members
- Added methods to handle e2e member deletion
- Deleting member via Admin leads to
  - Removal of member from payment processor and cancelling all active subscriptions immediately
  - Removal of member information from DB
2019-04-13 10:38:56 +05:30
Rish
20a898a986 Refactored members auth flow with dynamic settings
no issue

- Updated members auth flow UI
- Updated members settings and routing to be dynamic
2019-02-26 15:43:36 +07:00
kirrg001
38e93c19b5 Reverted & Solved apiType differently
no issue

- was unable to revert 9dd7aff9c6, because it contains members changes
- functional calls did not work correctly, because the content and admin ctrl differentiation happend in the web layer
- `isContentAPI` returned true for `api.v2.settings.edit(data, {context: {internal:true{})`
- content & admin API are using different controllers
- we can just tell which ctrl is content API and which is not
- the direction fits for the content & admin API split
2019-02-26 08:33:10 +01:00
kirrg001
46d7a5666e Renamed authors ctrl to authors-public
no issue

- consistency
2019-02-26 08:33:10 +01:00
Hannah Wolfe
bd904cd8e1
Tags endpoint is experimental
- hasn't been tested yet, soooooooon
2019-02-26 12:52:58 +07:00
kirrg001
a1023f0b11 Renamed theme upload file field name
no issue

- consistent with /images/upload/ endpoint
2019-02-25 13:26:03 +01:00
kirrg001
bd7da54ce3 Changed config endpoint for Admin API v2
no issue

- re-designed config endpoint
- timezones.json should live in Ghost-SDK long-term
2019-02-25 13:24:19 +01:00
kirrg001
f9974a91a9 Added public /site endpoint to Admin API v2
no issue
2019-02-25 13:24:19 +01:00
Nazar Gargol
f558b58c89 Combined /images* endpoints into /images/upload
- refs #10438

- /images/upload now accepts all the image uploads and distinguishes their purpuse using new `purpose` form data field
2019-02-25 19:15:16 +07:00
Nazar Gargol
50ea7f0eff Added user friendly error messages to Admin API
refs #10438

- Adds new fields to errors returned from API:  help, code, and id
- Makes `message` more descriptive towards non technical users
2019-02-25 10:40:35 +07:00
Nazar Gargol
9d4b0c09a8 Renamed uploads to images
refs #10438

- As the support of /uploads endpoint has been dropped in Admin API, all related files have to correspond to new naming
2019-02-24 11:18:45 +07:00
kirrg001
487a32832a Reverted access to "actions" for integrations
refs #9865

- see dbd3832967
- we are not aware of any use cases so far
- reverting
2019-02-23 09:37:18 +01:00
Nazar Gargol
187636193b Removed /uploads* endpoints
refs #10438
2019-02-22 18:17:44 +07:00
Katharina Irrgang
0a70226128 Separated pages & posts in Admin API v2 (#10494)
refs #10438, refs #10106

* Renamed existing pages ctrl
* Splitted posts & pages for Admin API v2
* Added pages JSON input schema for Admin API v2
* Removed single author for Content & Admin API v2
  - single author is not documented
  - single author usage is deprecated in v0.1
  - single author usage is removed in API v2
* Splitted posts & postsPublic controller for v2
* Removed requirement to send `status=all` from Admin API v2
* Removed `status` option from pages Content API v2
* Removed `status` options from Users Admin API v2
2019-02-22 10:17:14 +07:00
Fabien O'Carroll
6bdeeaba10
Added apiType property to frame for {Content,Admin} API (#10487)
no-issue

This sets the `apiType` property of the `frame` to 'content' and 'admin'
for the Content & Admin API respectively.
2019-02-13 16:59:10 +01:00
kirrg001
f8a286869a Allowed POST & DELETE webhooks endpoints for integrations
refs #9865

- was not sure about allowing to edit webhooks
2019-02-07 23:14:27 +01:00
kirrg001
dbd3832967 Allowed browse actions for integrations
refs #9865
2019-02-06 21:36:09 +01:00
kirrg001
2fd4cbb93b Added v2 actions endpoint
refs #10431

- added v2 endpoint with browse permissions
- context.integration was never accessible in the model layer
  - why? https://github.com/TryGhost/Ghost/issues/10099
2019-02-06 21:36:09 +01:00
Kevin Ansfield
c9d6ffa5ab Allowed GET /configuration/about/ for Admin API v2 with API Key auth
refs https://github.com/TryGhost/Ghost/issues/9865
- needed for Zapier
2019-02-06 14:00:29 +00:00
kirrg001
a45f76c574 Allowed subscribers for admin api v2 with api key authentication
refs #9865

- needed for Zapier
2019-01-31 22:09:14 +01:00
kirrg001
23f705d556 Added /images/ endpoints to Admin API v2
refs #10438

- make /images/ available
- we want to document this endpoint notiation, because it is more specific and fits better, because you can only upload images
- either we drop /uploads/ by the end of the project cycle or we keep both for now
- the Admin API v2 is currently undocumented and allows breaking changes in theory
2019-01-31 13:22:49 +01:00
kirrg001
0a4645ab09 Fixed key_authentication_spec.js
no issue

- pretty-urls only redirects GET requests currently
2019-01-31 12:24:09 +01:00
kirrg001
eafbaaeba5 Added v2 theme controller
refs #10060
2019-01-30 19:45:02 +01:00
kirrg001
7d05cbba1d Added notImplemented middleware for integrations
refs #9865
2019-01-30 14:15:12 +01:00
Rishabh Garg
8fd4b3f09f
Added new admin API for members (#10435)
no issue

- Added read and browse admin API for members
2019-01-30 17:06:09 +05:30
notanengineercom
631716053a 🐛 Fixed files staying in temp directory after upload is done
closes #10174

- Introduced upload middleware that cleans up temporary files stored by mutler after the request is finished
- Removed redundant fs.remove calls as this work is now handled in newly introduced middleware
2019-01-30 09:24:29 +00:00
Fabien O'Carroll
1c56221d80 Added API Key auth middleware to v2 Admin API (#10006)
refs #9865

- Added `auth.authenticate.authenticateAdminApiKey` middleware
  - accepts signed JWT in an `Authorization: Ghost [token]` header
  - sets `req.api_key` if the token is valid
- Updated `authenticatePrivate` middleware stack for v2 admin routes
2019-01-18 12:45:06 +00:00
Fabien O'Carroll
9837df0b6f
Added brute protection to content api (#10362)
* Revert "Removed brute force middleware form content api (#10353)"

This reverts commit 63c8c310fb.

* Updated content api spam prevention to use memory store

* Used TooManyRequestsError instead of InternalServer
2019-01-14 14:11:48 +01:00
Fabien O'Carroll
63c8c310fb
Removed brute force middleware form content api (#10353)
* Removed brute force middleware form content api

no-issue

This is just temporary

* Skipped brute test for content api
2019-01-09 11:38:03 +01:00
Kevin Ansfield
3a923c597f Remove API readme file
no issue
- it has no useful information and the content is out of date
- API docs live at https://docs.ghost.org/api/
2019-01-08 10:05:05 +00:00
Fabien O'Carroll
5cecf0cd61
Added brute protection to content api (#10343)
* Added spam config for content api key

no-issue

* Created contentApiKey spam prevention method

* Added contentApiKey brute middleware

no-issue

This middleware attaches a listener for when the request has completed,
if the request ends with a successful response code, we reset any spam
prevention data for that ip.

* Added contentApiKey brute middleware to the content api

* Multipled maxWait by 24, to 24 hours
2019-01-07 20:03:46 +07:00
Naz Gargol
4177548a84
Migrated redirects controller to API v2 (#10053)
refs #9866

- Migrated redirect routes to use new redirect controller
2019-01-07 11:32:53 +00:00
Hannah Wolfe
5d977f23d4 Added Settings endpoint to V2 Content API
refs #10318

- This settings endpoint returns the commonly used, public information from our settings.
- The values are whitelisted each with a custom name for returning from the endpoint
2019-01-04 12:17:32 +00:00
Naz Gargol
d3f3b3dc20
Added plugin based author and public tag models in API v2 (#10284)
refs #10124

- Author model returns only users that have published non-page posts
- Added a public controller for tags (should be extracted to separate Content API controller https://github.com/TryGhost/Ghost/issues/10106)
- Made resource configuration dynamic based on current theme engine
- This needs a follow-up PR with fixes to the problems described in the PR
2019-01-03 20:30:35 +01:00
Naz Gargol
aa8e75914d
Migrated db controller to API v2 (#10051)
refs #9866

- Migrated db import/export routes to use new db controller
2018-12-17 14:45:09 +01:00
Fabien O'Carroll
48923ac327
Wired members service up to api and app (#10262)
* Updated auth service members middleware

refs #10213

* Wired up members api router to the ghost api endpoints

refs #10213

* Created members app for the static pages

refs #10213

* Wired up the members app

refs #10213
2018-12-11 15:18:07 +07:00
Fabien O'Carroll
dcfaecfe92
🐛 Added CORS support to the v2 Content API (#10257)
no-issue

When trying to use /api/v2/content from a different domain, the requests
were failing with CORS errors. This doesn't use the shared cors middleware,
because it should be open to all hosts, and not locked down via our
whitelist or trusted domains.
2018-12-11 11:44:12 +07:00
Rishabh Garg
bf295a96a8
Added configuration controller to v2 API (#10056)
refs #10060
2018-12-04 09:27:36 +05:30
Rish
033ddf1b43 🐛 Fixed site changed webhook not triggered for scheduled posts
closes #10226

- Middleware emits site-changed event used to trigger webhook, was configured to v2 admin api only.
- Change allows all versions of api to emit event in case of cache invalidation
2018-12-04 09:39:41 +07:00
Fabien O'Carroll
ed77192457 Renamed API -> Api for v2 auth logic (#10142)
closes #10120
2018-12-03 18:08:57 +01:00
anaplian
c539d39875 🐛 Fixed missing 404 for unknown API routes (#10070)
closes #10020

* Append trailing slash to version path
2018-11-26 16:35:38 +07:00
Fabien O'Carroll
8046f4d437
🐛 Fix last seen for users (#10141)
* Added updateLastSeen method to user model

refs #10138

* Refactor codebase to use user.updateLastSeen

refs #10138

This is to ensure all updates go via the same method, meaning any
specific logic can be handled in one place, it also helps with grepping
the codebase to find where this occurs

* Created updateUserLastSeen middleware for v2 admin

refs #10138

This is intended to be used with the v2 admin api and _possibly_ the
content api, to give us an accruate report on thelast time a user access
a ghost instance.

* Wired updateUserLastSeen up to v2 Admin API

closes #10138

* Fixed broken test for v2 admin api

no-issue

This test was broken because it was incorrectly testing for a method to
be called exactly once - this was irrelevant to the functionality being
tested for.

* Updated user check method to set status to active

no-issue

* Debounced the updateUserLastSeen middlware an hour

no-issue

* Resolved some PR comments
2018-11-13 18:27:10 +07:00
Fabien O'Carroll
2e922808e8 ♻ Updated naming for Content API specific middleware
no-issue

This is because the Content API will eventually be accessed not just
from Content API keys. The addition of a Content API specific
authorization middleware is because:
1. content api should not authorize based on req.user
2. content api will need separate authorization than admin api
2018-11-08 13:34:29 +07:00
Katharina Irrgang
ff6bf5f318 Renamed /users to /authors for Content API V2 (#10096)
refs #10061

- Made /authors endpoint available in Content API V2
2018-11-07 15:29:37 +01:00
Rishabh Garg
3b8621e19c Added slack controller to v2 API (#10086)
refs #10060

- Added slack controller to v2 admin API
- Added new API test for slack API controller
2018-11-06 23:20:43 +01:00
kirrg001
65f6f64f91 Removed configuration endpoint from Content API V2
no issue

- we are not aware of a use case for this endpoint currently
2018-11-05 18:49:46 +01:00
Rishabh Garg
94b3735c6e Added oembed controller to v2 api (#10057)
refs #9866

- Added oembed controller to v2 API
2018-11-02 09:32:26 +01:00
Kevin Ansfield
71f0c08a34
Added edit webhook route to v2 Admin API (#10033)
no issue
- webhooks UI requires the ability to edit webhooks
- added `edit` permission for `webhook`
- added `edit` method to v2 webhook controller
- added `PUT /webhooks/:id` route to v2 Admin API routes
2018-10-19 18:35:55 +01:00
Rishabh Garg
8ad951d7f3
Added new site.changed event and webhook trigger service (#10019)
refs #9942

* Added new middleware to trigger events

* Refactored webhooks service
- added new trigger service, moved listen service to its own file
- started listening to new site.changed event
- cleaned up trigger service to work with new webhook fields
- cleaned up tests
- removed redundant trigger method in v0.1 controller
2018-10-19 00:01:30 +05:30
kirrg001
cbf2817e39 Added missing read pages endpoint
refs #9866

- the endpoints were missing
- the site app needs pages.read for v2
2018-10-18 19:41:07 +02:00
Fabien O'Carroll
17feb14e4a Added HTTP BREAD for integrations resource (#9985)
refs #9865

* Added generic messaging for resource not found
* Ensured integration model uses transaction for writes
* Created POST /integrations endpoint
* Created GET /integrations/:id endpoint
* Created GET /integrations endpoint
* Created PUT /integrations/:id endpoint
* Created DELETE /integrations/:id endpoint
2018-10-18 14:03:56 +01:00
Fabien O'Carroll
ae71f2deca Added spam prevention for v2 sessions (#10030)
no-issue

- Added spam prevention to POST /session
  - This blocks repeated requests the the /session endpoint preventing brute
force password attacks
- Updated session controller to reset brute middleware
  - This updates the session controller to reset the brute force protection
on a successful login. This is required so that a user is not locked out
forever :o!!
2018-10-18 09:58:29 +01:00
Fabien O'Carroll
561c4b208d
Removed OPTIONS cors middleware from content api (#10013)
no-issue

The content API only supports GET requests so has no need for cors
middleware on OPTIONS. This also removes the router.del helper as it's
not used
2018-10-15 18:47:31 +07:00
Fabien O'Carroll
943e1c872c
Removed POST /subscribers from v2 content api (#10010)
no-issue

The content api is for serving read-only content only. This route does
not belong here.
2018-10-15 16:28:23 +07:00
Fabien O'Carroll
3db102a776
Added API Key auth middleware to v2 content API (#10005)
* Added API Key auth middleware to v2 content API

refs #9865

- add `auth.authenticate.authenticateContentApiKey` middleware
  - accepts `?key=` query param, sets `req.api_key` if it's a known Content API key
- add `requiresAuthorizedUserOrApiKey` authorization middleware
  - passes if either `req.user` or `req.api_key` exists
- update `authenticatePublic` middleware stack for v2 content routes

* Fixed functional content api tests

no-issue

This fixes the functional content api tests so they use the content api
auth.

* Fixed context check and removed skip

* Updated cors middleware for content api

* Removed client_id from frame.context

no-issue

The v2 api doesn't have a notion of clients as we do not use oauth for it

* Fixed tests for posts input serializer
2018-10-15 16:23:34 +07:00
Nazar Gargol
76f4a4bb03
Enforced non-page posts only to be returned by /posts endpoint from Content API (#10002)
refs #9866

- Added logic ensuring page filter is always set to false in posts endpoint for Content API
- Added functional tests to pages and posts
- Added absolute_url logic in pages controller
2018-10-13 00:48:49 +02:00
Katharina Irrgang
981ad28283
Changed tags content api to v2 (#10004)
refs #9866
2018-10-13 00:11:48 +02:00
Katharina Irrgang
c907237540
Changed users content api to v2 (#10003)
refs #9866
2018-10-13 00:11:16 +02:00
Katharina Irrgang
4aaff31890
Added users ctrl to v2 (#10001)
refs #9866
2018-10-12 23:27:30 +02:00
Katharina Irrgang
1ee4d53bfe
Added tags ctrl to v2 (#10000)
refs #9866
2018-10-12 23:10:43 +02:00
Nazar Gargol
310526b6c5 Added upload controller to v1 (#9997)
refs #9866
2018-10-12 22:41:39 +02:00
Nazar Gargol
cfea6375ab Added subscribers controller to v2
refs #9866
2018-10-12 22:27:37 +02:00
kirrg001
adc5b18fb7 Added invites ctrl to v2
refs #9866
2018-10-12 21:13:20 +02:00
kirrg001
1472035137 Added mail ctrl to v2
refs #9866
2018-10-12 21:13:20 +02:00
kirrg001
9f2d68a027 Added notifications ctrl to v2
refs #9866
2018-10-12 21:13:20 +02:00
kirrg001
b899a6fec8 Added settings ctrl to v2
refs #9866
2018-10-12 21:13:20 +02:00
kirrg001
a153400164 Added posts controller to v2
refs #9866
2018-10-12 19:21:43 +02:00
Rish
0a834d4223 Added webhooks controller to API v2
refs #9866

- Added new webhooks controller to v2 API
- Added webhooks tests to v2 API
2018-10-12 18:42:23 +05:30
Rishabh Garg
5683204371
Added v2 controller for slugs (#9978)
- Added slugs controller to v2 API
- Added slugs tests to v2 API
- Updated generic validation error message in shared validator to return validation error with sub-message
2018-10-12 17:55:20 +05:30
Fabien O'Carroll
2da74a614b
Removed clients endpoint from v2 content api (#9998)
refs #9865

The client resource is a v0.1 specific thing, we have no use for it on
the v2 content api
2018-10-12 18:18:00 +07:00
Nazar Gargol
eb0bc3068c Migrated roles controller to API v2
refs #9866

- Added new controller to v2 API
- Added roles tests to v2 API
2018-10-10 16:48:22 +02:00
Fabien O'Carroll
9be9531ef8
Wired up {GET,POST,DELETE} /session to v2 admin api
* Added admin specific auth{enticate,orize} middleware

refs #9865

This middleware will be used by the admin api to authenticate and
authorize requests

* Update v2/admin to use authAdminApi middleware

refs #9865

This changes thh auth middleware to use the adminApi authenticate and
authorize middlewares underneath, it also renames the middleware to be
consistent with the naming of the api.

* Removed oauth specific endpoints from /v2/admin

refs #9865

These are not to be used in v2/admin

* Wired up the session controller to the admin api

refs #9865

These endpoints will be used by ghost admin to login, confirm logged in status and logout
2018-10-05 17:45:17 +07:00
Katharina Irrgang
959912eca3
Added tiny framework to support multiple API versions (#9933)
refs #9326, refs #9866

**ATTENTION: This is the first iteration. Bugs are expected.**

Main Goals: 

- add support for multiple API versions.
- do not touch v0.1 implementation
- do not break v0.1

## Problems with the existing v0.1 implementation

1. It tried to be generic and helpful, but it was a mixture of generic and explicit logic living in basically two files: utils.js and index.js.

2. Supporting multiple api versions means, you want to have as less as possible code per API version. With v0.1 it is impossible to reduce the API controller implementation. 

----

This commit adds three things:

1. The tiny framework with well-defined API stages.
2. An example implementation of serving static pages via /pages for the content v2 API.
3. Unit tests to prove that the API framework works in general.

## API Stages

- validation
- input serialization
- permissions
- query
- output serialization

Each request should go through these stages. It is possible to disable stages, but it's not recommended.

The code for each stage will either live in a shared folder or in the API version itself. It depends how API specific the validation or serialization is. Depends on the use case.

We should add a specific API validator or serializer if the use case is API format specific.
We should put everything else to shared.

The goal is to add as much as possible into the shared API layer to reduce the logic per API version.

---

Serializers and validators can be added:

- for each request
- for specific controllers
- for specific actions

---

There is room for improvements/extensions:

1. Remove http header configuration from the API controller, because the API controller should not know about http - decouple.

2. Put permissions helpers into shared. I've just extracted and capsulated the permissions helpers into a single file for now. It had no priority. The focus was on the framework itself.

etc.

---

You can find more information about it in the API README.md (api/README.md)

- e.g. find more information about the structure
- e.g. example controllers

The docs are not perfect. We will improve the docs in the next two weeks.

---

Upcoming tasks:

- prepare test env to test multiple API versions
- copy over the controllers from v0.1 to v2
- adapt the v2 express app to use the v2 controllers
2018-10-05 00:50:45 +02:00
kirrg001
434a0435fd Optimised web/ debug logs
no issue

- optimised only for web/ folder, because it has used very general namespaces
- the debug namespace must be specific, otherwise i run `DEBUG=ghost:api:*` and i get web debug logs and api folder debug logs
- we can come up with a new namespace system, but for now it must be explicit enough
2018-10-04 17:43:08 +02:00
kirrg001
079b41e608 Added body parser to web/api/v2 express app
refs #9866

- req.body is undefined if we don't use the body parser
- the content API only offers "fetch" endpoints, but if a component/module in Ghost relies on req.body being present, it can crash
- e.g. the authentication service checks for the existence of client_id + client_secret in req.query or req.body
- we could theoretically change it from `if (!req.body.client_id` to `if (req.body && !req.body.client_id)`, but that makes the code very hard to read + maintain
- we will use the body parser for the content API now
- req.body will be {}
2018-10-03 00:47:03 +02:00
Rishabh Garg
39485d17c0 Added new endpoint to upload square profile images with dimension validation (#9862)
refs #8576

- adds new API endpoint `/uploads/profile-image` for uploading profile images
- new validation which fails with error message if uploaded image is not square
- Renamed getImageSizeFromFilePath to getImageSizeFromStoragePath, because it's more explicit
- Add new getImageSizeFromPath method, which is used in the new dimensions middleware
- Ensure we use the sharp middleware to auto-resize the uploaded profile pictures
- Ensure the new route get's added to v2

While this makes sure all future profile images uploaded are square, this doesn’t affect any existing non-square profile image. Needs more thought on how to handle existing non-square profile images for the purpose of making theming easier in future.
2018-09-24 21:42:58 +02:00
Katharina Irrgang
213474835b Refactored how we require shared middlewares from web/ (#9893)
refs #9866

- use package notation
- get rid of x requires for middlewares
- improved readability
- do not refactor web/api/v0.1
2018-09-21 16:17:11 +05:30
Rishabh Garg
fcd275f6c0 Refactored web/middleware and web/utils to web/shared (#9892)
refs #9866

- Moved web/middleware to web/shared/middlewares
- Moved util file to web/shared/utils
2018-09-20 20:04:34 +02:00
Nazar Gargol
006c83fbe4 ES6 migration: server/web/ (#9886)
refs #9589
2018-09-20 15:03:33 +02:00
Nazar Gargol
7e17c56feb Removed res.isAdmin usages from v2 express app (#9884)
refs #9866

- Removed `res.isAdmin` flag in v2 express app
- Did not touch v0.1 express app
- Separated url redirect middleware for admin and content API
2018-09-20 13:58:45 +02:00
Nazar Gargol
57271127f4 Added v2 api endpoints (#9874)
refs #9866

- Registered Content API under /ghost/api/v2/content/
- Registered Admin API under /ghost/api/v2/admin/
- Moved API v0.1 implementation to web/api/v0.1
- Created web/api/v2 for the new api endpoints
- Started with reducing the implementation for the new Content API (the Content api does not serve admin api endpoints, that's why it was reducible)
- Covered parent-app module with basic test checking correct applications/routes are being mounted
- Added a readme file, which contains a warning using v2, because it's under active development!
- This PR does only make the new endpoints available, we have not:
  - optimised the web folder (e.g. res.isAdmin)
  - started with different API controllers
  - reason: we want to do more preparation tasks before we copy the api controllers
2018-09-18 15:59:06 +02:00
Fabien O'Carroll
c9b8ddde4b 🎨Added absolute_url flag to public api (#9833)
closes #9832

The API _should_ be returning absolute URLs for everything, 3rd party applications require absolute urls to read and display ghost data correctly. Currently they have to concat the blog url and the resource url, which is very uncomfortable.

Changing the public api like this would be considered a breaking change however so we've opted to put it behind a query parameter named `absolute_urls`.
2018-08-31 11:02:39 +01:00
Nazar Gargol
0faf89b5ab Added ability to resize and compress images on upload (#9837)
refs #4453

* On by default

* Added config to disable resizing

* Added basic image optimization processing

* Added dep: sharp (optional dep)

* Added resize middleware

* Take care of rotation based on EXIF information

* Removed all meta data from optimised image

* Added handling if sharp could not get installed

* Do not read ext twice - optimisation

* Do not call sharp if config is disabled

* Do not remove the original image which was uploaded (store 2 images)

* Support of `req.files` for internal logic

* Disabled cache to enable file removal on Windows
2018-08-30 17:30:36 +01:00
kirrg001
c40454f23c Added ability to upload/reload routes.yaml
refs #9744

- added two new endpoints to upload/download routes.yaml
- reload site express app on successful/valid upload
- reload url service on sucessfuly upload
- force clear cache of pages
- ensure we keep a backup of the routes.yaml file
- this feature was mostly tested manually
- @TODO: i have to write unit tests - will do later
- @TODO: do a memory test to ensure we haven't introduced any memory leaks with this feature
2018-08-16 12:13:24 +02:00
Lars Nolden
8295f5f967 ES6 migration: server/web (#9729)
refs #9589
2018-07-12 15:35:35 +02:00
Kevin Ansfield
ca20f3a6b0 Added /oembed API endpoint
refs https://github.com/TryGhost/Ghost/issues/9623
- add `oembed-parser` module for checking provider availability for a url and fetching data from the provider
  - require it in the `overrides.js` file before the general Promise override so that the `promise-wrt` sub-dependency doesn't attempt to extend the Bluebird promise implementation
- add `/oembed` authenticated endpoint
  - takes `?url=` query parameter to match against known providers
  - adds safeguard against oembed-parser's providers list not recognising http+https and www+non-www
  - responds with `ValidationError` if no provider is found
  - responds with oembed response from matched provider's oembed endpoint if match is found
2018-06-12 16:18:01 +01:00
Katharina Irrgang
6e94cedfa2 Ensure cors check happens for /authentication/token route (#9317)
no issue

- otherwise external browser clients run into cors problems
2017-12-15 09:35:48 +00:00
Katharina Irrgang
192ebb1739
Moved labs, auth, permissions, settings, mail, themes to services (#9339)
refs #9178

- move tests as well
2017-12-14 03:01:23 +01:00
Katharina Irrgang
7bcccc71dc
Moved apps into web folder (#9308)
refs #9178

- move express apps to one place (called `web`)
- requires https://github.com/TryGhost/Ghost-Admin/pull/923
- any further improvements are not part of this PR
- this PR just moves the files and ensures the paths are up-to-date
2017-12-06 17:37:54 +01:00