Commit Graph

8767 Commits

Author SHA1 Message Date
Nazar Gargol
6318b65cab Changed context.api_key_id to an object containing key type information
refs #9865

- Changed id passed for api_key to an object to be able to differenciate between admin and content api requests
- Added integration id to frame context
- Small refactoring of frame context initialization
2019-01-24 17:22:58 +00:00
Nazar Gargol
8ba3a91387 Added acceptance suite for Content API key verification 2019-01-24 17:22:58 +00:00
Naz Gargol
a0712d23e8
Shortened admin key length (#10418)
refs #10156

- Updated ApiKey model to use shorter secrets for admin keys
2019-01-24 13:46:33 +00:00
Nazar Gargol
5fbad09a56 Modified Admin API key output format
refs #9865

- Changed key format to {id}:{secret} so API consumer only has to worry about copying a single value during setup
- Updated key expiration time in getValidAdminToken test helper to match server side expiration check
2019-01-23 17:18:50 +00:00
Nazar Gargol
776e23696d Added audience check in Admin API key authentication
refs #9865

- Extracted tests related to Admin API key authenticatoin into separate
acceptance test suite
2019-01-23 15:01:22 +00:00
Katharina Irrgang
7ec9dda30c
Added cron handling for travis (#10412)
no issue
2019-01-22 18:31:07 +01:00
Katharina Irrgang
75fbd272c9
Separated test env into: acceptance, regression and unit tests (#10411)
refs #9178

`yarn test` only runs acceptance and unit tests.
We will setup a cronjob in Travis and run the regression tests once per day.
You can manually run them with `yarn test:regression`

This separation is just a first step into the right direction.
Travis will no longer run for 10-13minutes.
The goal is to run common API use cases and unit tests in Travis and locally by default.

## After this separation we still need to:

- re-work our test utility
- remove some tests
- define which tests are our common API use cases
- rewrite some tests
- make testing easier (starting/stopping Ghost, fixtures and resetting services or event listeners, it's a pain and takes sometimes ages to fix tests)


---

**Acceptance:**
- common/basic API use cases against the current **stable** API

**Unit:**
- all unit tests (no database access)
- proper mocking

**Regression:**
- packages we don't want to run for each PR or commit
- tests which protect Ghost from breaking components and behaviour
- it is wishful that regression tests are using Ghost's API's (frontend, apps, core)

---

**This PR requires an update to our docs.**
2019-01-22 17:54:50 +01:00
Fabien O'Carroll
3af0110bcc
Refactored members for management api (#10408)
no-issue
2019-01-22 15:29:44 +01:00
Katharina Irrgang
5921d9ce4a
Removed unit tests who use the database (#10407)
refs #9178

## Rule

- do not use the database in unit tests
- re-add correct unit tests if you work on something which is not tested properly (we have to bring them back at some point, but without using the database)
2019-01-22 13:36:30 +01:00
Kevin Ansfield
9fc9aefa9c Version bump to 2.12.0 2019-01-22 11:36:17 +00:00
Kevin Ansfield
77a1cabe95 Updated Ghost-Admin to 2.12.0 2019-01-22 11:36:17 +00:00
Kevin Ansfield
5c120068fd Upgrading Casper to 2.9.1 2019-01-22 11:09:05 +00:00
kirrg001
baa8a6a1d4 Bumped moment to version 2.24.0
no issue
2019-01-22 09:12:43 +01:00
kirrg001
c862110cc4 Respected peer dependency for bookshelf
no issue

- need to use knex 0.14.x for now
- Bookshelf already bumped the peer dependency in master, but was not released yet
2019-01-22 09:12:43 +01:00
Rish
e972483f6c Fixed error handling for members reset password
no-issue

- Both input and form error was shown on submitting reset-password form
- Does not submit form anymore in case of validation errors
2019-01-22 11:46:48 +05:30
Katharina Irrgang
585eada1c3
Removed grunt-docker from dev dependencies (#10405)
no issue

- this npm package is very out-of-date
- it shows 5-6 security warnings
- i don't really know why this grunt command exists
- it was added 5 years ago: f84d3d32e5
2019-01-22 06:56:50 +01:00
Katharina Irrgang
4acc375fb6
Bumped knex & bookshelf dependencies (#10404)
refs #9389, refs #9248

- https://github.com/bookshelf/bookshelf/releases/tag/0.14.0
- Bookshelf has fixed it's previous attr handling, see https://github.com/bookshelf/bookshelf/pull/1848
- SQlite3 double slashes was merged into knex and released 👻tgriesser/knex@c746dea
2019-01-21 21:53:11 +01:00
Hannah Wolfe
d70ec449bc Contrib guide: More info on features
- updating to try to set expectations
2019-01-21 17:58:26 +00:00
Katharina Irrgang
d0687da3a3
Bumped major test dependencies (#10403)
refs #9389

- eslint@5.12.1, eslint-plugin-ghost@0.1.0, grunt-contrib-clean@2.0.0, grunt-contrib-uglify@4.0.0, grunt-eslint@21.0.0, grunt-mocha-cli@4.0.0, grunt-shell@3.0.1, mocha@5.2
.0, nock@10.0.6, rewire@4.0.1

All of them dropped Node v4. I was not able to find any other big breaking changes, which affect us right now.
2019-01-21 18:28:44 +01:00
Katharina Irrgang
fb044e6d88
Bumped sinon from 4.4.6 to 7.3.2 (#10400)
refs #9389

- https://github.com/sinonjs/sinon/blob/master/CHANGELOG.md

Breaking changes for Ghost:

- no need to create a sandbox anymore, each file get's it's own sandbox
- just require sinon and use this sandbox
- you can still create separate sandboxes with .createSandbox
- reset single stubs: use .resetHistory instead of .reset

This is a global replace for any sandbox creation.

---

From https://sinonjs.org/releases/v7.2.3/sandbox/

> Default sandbox
> Since sinon@5.0.0, the sinon object is a default sandbox. Unless you have a very advanced setup or need a special configuration, you probably want to just use that one.
2019-01-21 17:53:44 +01:00
Hannah Wolfe
d24229fc16 Github support bot: dynamic author name 2019-01-21 16:44:13 +00:00
Hannah Wolfe
c64676766c Trying out github support bot
- Support bot will respond to any issues we label with "support"
2019-01-21 16:40:48 +00:00
kirrg001
c20ff9afb8 Bumped superagent from 3.8.3 to 4.1.0
refs #9389

- https://github.com/visionmedia/superagent/blob/master/History.md#400-2018-11-17
- breaking changes don't really affect us
  - .end(…) returns undefined instead of the request. If you need the request object after calling .end() (and you probably don't), save it in a variable and call request.end(…). Consider not using .end() at all, and migrating to promises by calling .then() instead.
  - this could be changed, but it's not required
2019-01-21 15:19:07 +01:00
kirrg001
742aef77f2 Bumped html-to-text from 3.3.0 to 4.0.0
refs #9389

- https://github.com/werk85/node-html-to-text/blob/master/CHANGELOG.md#version-400
- breaking change does not affect us
2019-01-21 15:02:52 +01:00
kirrg001
1705e8575f Bumped csv-parser from 1.12.1 to 2.1.0
refs #9389

- breaking change does not affect use
- https://github.com/mafintosh/csv-parser/releases/tag/v2.0.0
2019-01-21 14:40:30 +01:00
kirrg001
eedf0dae02 Bumped chalk from version 1.1.3 to 2.4.2
refs #9389

- i was not able to find a breaking change, which affects us
- https://github.com/chalk/chalk/releases/tag/v2.0.0
2019-01-21 14:31:26 +01:00
Nazar Gargol
c3e22b6ab9 🐛 Fixed forced page filter not being respected in Content API
closes https://github.com/TryGhost/Ghost/issues/10395, https://github.com/TryGhost/Ghost/issues/10390

- The grouping was introduced due to a flasy conjunction of last filter in 'or' group with enforced page filter, due to this the rest of filters in the 'or' group were bypassed
- Additional grouping added here increases the possiblity of https://github.com/NexesJS/NQL-Lang/issues/7 bug happening
2019-01-21 13:26:45 +00:00
kirrg001
8174a5cce7 Bumped archiver from version 1.3.0 to 3.0.0
refs #9389

- i wasn't able to find a breaking change which affect us
- https://github.com/archiverjs/node-archiver/blob/master/CHANGELOG.md
- we use it for downloading themes. this feature still works
2019-01-21 14:16:00 +01:00
kirrg001
7681199135 Bumped analytics-node from version 2.4.1 to 3.3.0
refs #9389

- breaking changes do not affect us
- https://github.com/segmentio/analytics-node/releases/tag/v3.0.0
2019-01-21 13:36:46 +01:00
kirrg001
f17d134759 Bumped dependencies
no issue
2019-01-21 13:33:20 +01:00
Katharina Irrgang
3df763009e
Added quick fix to handle integration upserts for x_by columns (#10295)
refs #10286

- this is just a hotfix for v0.1
- we keep the x_by fields for now and deprecate them
- as soon as an integration updates/inserts a resource, we just store the owner ID
- we currently work on a new concept for v2
- v2 no longer exposes or uses x_by, see https://github.com/TryGhost/Ghost/pull/10294
- we need to iterate on this change, because we currently use the naming `context.api_key_id` in the auth/API layer
2019-01-21 12:41:45 +01:00
Dexter Leng
da71b61bcf 🐛Deleted associated roles_users rows when user is destroyed (#10243)
closes #8843
2019-01-21 12:36:13 +01:00
Katharina Irrgang
a927aecc3f
🐛 Fixed prev_next helper when using Content API v2 (#10397)
closes #10389
2019-01-21 11:48:18 +01:00
Fabien O'Carroll
6f87f2af93 Fixed img_url to work with protocol relative urls
closes #10391

- We use "relative protocol" urls for gravatar images, which were
  incorrectly getting treated as relative path urls.

- Refactored getBlogUrl calls into const
2019-01-21 11:41:23 +01:00
kirrg001
26d0f48561 Renamed getValidAdminKey to getValidAdminToken for admin api v2 test area
no issue
2019-01-18 19:11:51 +01:00
kirrg001
1126997244 Added easy way to enable admin api key authentication
refs #9865

- small refactoring to make both session and admin api key handling similar
- admin api key authentication is still disabled, but easy to enable
- added proof test how to authenticate using admin api keys
2019-01-18 18:57:58 +01:00
kirrg001
4f7783939d Fixed lint
no issue
2019-01-18 18:03:15 +01:00
kirrg001
e90148e7c3 Switched to use new implementation of authorizeAdminApi
refs #9865

- see code comments
2019-01-18 17:54:08 +01:00
kirrg001
de7ba3cd85 Corrected content api test key
no issue

- we reduced the key length
2019-01-18 17:54:08 +01:00
kirrg001
fbe2829b93 Added test helper for admin api v2: getValidAdminKey
no issue
2019-01-18 17:54:08 +01:00
kirrg001
f82bb07534 Added empty lines and reduces line length in auth authorize
no issue

- improves readability
2019-01-18 17:54:08 +01:00
kirrg001
3f758c6a0a Protected against empty admin api key
refs #9865
2019-01-18 17:54:04 +01:00
kirrg001
1b5b95e198 Renamed authenticateAdminApiKey to authenticate for admin api key auth
refs #9865

- the outer authentication layer wants a consistent interface of each authentication package
  - admin.authenticate
  - session.authenticate

- furthermore, there is no need to put the full feature into the exposed function name
2019-01-18 17:30:07 +01:00
kirrg001
462865981e Updated admin api key authentication to expect api key id in payload
refs #9865

- see https://github.com/TryGhost/Ghost/blob/2.11.1/core/server/lib/members/index.js#L52
- consistency
2019-01-18 17:22:19 +01:00
Fabien O'Carroll
1c56221d80 Added API Key auth middleware to v2 Admin API (#10006)
refs #9865

- Added `auth.authenticate.authenticateAdminApiKey` middleware
  - accepts signed JWT in an `Authorization: Ghost [token]` header
  - sets `req.api_key` if the token is valid
- Updated `authenticatePrivate` middleware stack for v2 admin routes
2019-01-18 12:45:06 +00:00
Fabien O'Carroll
809a167a55 Updated permissible methods for hasApiKeyPermissions (#9970)
refs #9865

This updates all current permissible methods to use the new function
signature which includes the hasApiKeyPermissions parameter. It also
makes sure that the hasApiKeyPermissions argument is taken into account
whenever checking before returning a resolved promise.

To be continued. This is just a tiny part of the big picture. None of these changes are fully committed to stay as they are.
2019-01-18 13:39:53 +01:00
kirrg001
873d63dc5d Fixed unit test: services/permissions/parse-context_spec.js
no issue
2019-01-18 13:16:28 +01:00
kirrg001
2c7c72cd9f Fixed travis
no issue

- caused by fc73cd71bb
- breaks the content API access
2019-01-18 13:05:39 +01:00
Fabien O'Carroll
fc73cd71bb Updated permissions service to handle api keys (#9967)
refs #9865

- Enabled the permissions module to lookup permissions based on an api_key id.
- Updated the "can this" part of the permissions service to load permissions for any api key in the context, and correctly use that to determine whether an action is permissible. It also updates the permissible interface that models can implement to pass in the hasApiKeyPermissions param.
2019-01-18 11:17:11 +00:00
Fabien O'Carroll
42a1313bff
Removed members internal app (#10379)
no-issue

* Mounted members static router directly to parentApp

* Removed members internal app
2019-01-17 12:03:40 +01:00