Commit Graph

122 Commits

Author SHA1 Message Date
Jason Williams
12957b1918 Adjust morgan call to avoid deprecation warning
No Issue
- Change the invocation of the morgan logging package to
  conform to the new function signature introduced in
  morgan 1.2.0.
2014-09-19 16:31:22 +00:00
Fabian Becker
9394fad6aa Have /ghost use its own express instance
closes #1961
- Refactor admin to use its own express instance
- Refactor middlewares to work with /ghost mounted admin express instance
2014-09-19 08:57:13 +00:00
Matt Enlow
a5f4fca7b2 Merge pull request #3992 from halfdan/favicon
Let Ghost serve favicon instead of using dependency
2014-09-18 18:40:22 -06:00
Fabian Becker
f2fcb5b62b Let Ghost serve favicon instead of using dependency
no ref
- Remove static-favicon dependency
- Refactor robots.txt middleware to also serve favicon
- Add ETag
2014-09-18 13:51:41 +02:00
Hannah Wolfe
aad595de7d Updating express to 4.9.2 & related packages
ref #3795

- express updated to 4.9.2
- express 4.9.0 introduced res.sendStatus() to replace res.status().end()
- we no longer need express-session, connect or cookie-parser
- body-parser, busboy, compression, express-hbs, morgan, all bumped to
  latest versions as well - there doesn't seem to be any breaking changes
2014-09-18 11:50:28 +01:00
Harry Wolff
469aaa398c Add jscs task to grunt file and clean up files to adhere to jscs rules.
resolves #1920

- updates all files to conform to style settings.
2014-09-17 21:44:29 -04:00
Hannah Wolfe
b7fdf7d872 Merge pull request #3947 from hswolff/goodbye-config-theme
Removes config.theme and restructures how theme variables are cached
2014-09-15 21:30:44 +01:00
Harry Wolff
66845def85 Moves storage module to use prototypes for inheritance and structure.
addresses #2852

- Moves storage modules to use prototypes and to create prototypes
that inherit from the base storage ctor.

- Makes storage/base conform to an all Promise interface.
2014-09-12 21:41:29 -04:00
Matt Enlow
9c0b203dce Merge pull request #3867 from hswolff/middleware-work
Makes the Ghost application more express middleware friendly.
2014-09-08 13:43:48 -06:00
Harry Wolff
2bb1b14ebd Removes config.theme and restructures how theme variables are cached
resolves #1789

- removes config/theme.js
- moves caching of theme variables to api/settings.js which is where the
rest of the settings cache occurs.  this removes the requirement of having
to push changes to cache, now it simply occurs alongside when settings
are changed.
- updates relevant tests.
2014-09-02 23:15:15 -04:00
Fabian Becker
5ab8c661ec Fix regex from #3898
refs #3898
2014-09-01 15:39:53 +02:00
Fabian Becker
a0b7941439 Restrict uncapitalise middleware for API
no ref
- Do not lowercase anything after /api/v0.1/<resource>/ to protect :key/:slug
2014-09-01 12:38:06 +00:00
Harry Wolff
8bc6a6e633 Makes the Ghost application more express middleware friendly.
refs #827

- Moves ./index to use Ghost in a similar manner to how someone uses
Ghost as an npm module.
- Allows Ghost to be cleanly mounted on another express application
on any arbitrary endpoint, all you need to customize is the mount path.
2014-08-29 17:30:16 -04:00
Hannah Wolfe
25ad4b39fd Uncapitalise middleware should not affect tokens
no issue

- Whilst testing on next, I noticed trying to signup didn't prepopulate email addresses any more, and this is why
2014-08-26 22:30:33 +01:00
Sebastian Gierlinger
cab8254539 Merge pull request #3860 from ErisDS/issue-3857
Redirect uppercase routes to lowercase version
2014-08-26 12:19:52 +02:00
Jason Williams
07ad400ee0 Replace the when promise library with bluebird.
Closes #968
2014-08-23 17:15:40 +00:00
Hannah Wolfe
6a52fc8ace Redirect uppercase routes to lowercase version
fixes #3857

- adds uncapitalise middleware which detects uppercase in req.path and
  redirects to the lowercase equivalent
- change the ghost route to a regex, just so it's consistent with other
  routes in the file
2014-08-23 17:59:58 +01:00
Sebastian Gierlinger
f0da28abb3 Fix broken status code
closes #3779
- added custom error classes for OAuth errors (bug was caused by
oauth2orize error classes)
- added basic tests for `/authentication/token` endpoints
2014-08-20 11:28:55 +02:00
Jason Williams
8fb3cddcf6 Update express and body-parser dependencies.
No Issue
- Upgrade to versions of these packages that use qs >= 1.0.0.
2014-08-11 05:20:31 +00:00
Hannah Wolfe
7d37a829c3 Switch middleware order to result in proper error
fixes #3694

- Split the res.isAdmin check out into it's own thing because we need to detect whether we are in the admin, before everything else
2014-08-08 17:17:07 +01:00
Hannah Wolfe
c95c9b45cb Merge pull request #3621 from sebgie/fix-refresh-token
Fix token refresh
2014-08-06 10:34:20 +01:00
Sebastian Gierlinger
b2e9d21018 Fix token refresh
no issue
- spam prevention causes token refresh to return an error
2014-08-06 11:11:44 +02:00
Hannah Wolfe
e315148cc5 Cleaner spam prevention error messages
closes #3589

- Full error messages appear in stderr
- Clean error messages for user
2014-08-06 10:00:21 +01:00
Sebastian Gierlinger
c62d7ba43e Improve spam prevention
closes #3544
- limit forgotten password requests to five requests per IP per hour
for different email addresses
- limit forgotten password requests to five requests per email address
- limit signin requests to ten failed requests per IP per hour
- removed special treatment for tests
2014-08-05 12:58:58 +02:00
Sebastian Gierlinger
3792598a31 Update spam prevention
closes #3468
- added rate limit to deny more than 5 attempt every hour
- updated spam prevention to be configurable
- added config values spamTimeout, ratePeriod, rateAttempts
- added ratePeriod:1 to config.example.js to prevent functional tests
from hitting the rate limit
- commented spam test, I’ll fix it tomorrow
2014-08-01 00:58:32 +02:00
Sebastian Gierlinger
e1c0c5ce98 Change refresh token expiry
no issue
- acquiring a new access token using a refresh token sets the
expiration time of the refresh token to now + 24 hrs.
- moved all occurrences of ONE_HOUR, ONE_DAY and ONE_YEAR to
`core/server/utils`
2014-07-28 15:19:49 +02:00
Sebastian Gierlinger
17589a1afe Merge pull request #2306 from mscdex/update-busboy 2014-07-23 15:52:41 +02:00
Harry Wolff
be37070fb6 This aims to speed up both the ghost application and tests by
migration from usage of config() to just an object of config.

no relevant issue

- Change 'loadConfig' task to 'ensureConfig' to more accurately reflect
what it is actually doing.  Its sole purpose is to make sure a `config.js`
 file exists, and as such the name now reflects that purpose.

- Update config/index.js to export the ghostConfig object directly
so that it can be accessed from other modules

- Update all references of config(). to config.
This was a blind global find all and replace, treat it as such.

- Fixes to tests to support new config access method

- Allow each test to still work when invoked invidually
2014-07-22 22:37:44 -04:00
Hannah Wolfe
487844122d Merge pull request #3312 from ErisDS/issue-2739-2
Wire permmissions for notifications, mail and tags
2014-07-17 18:04:38 +01:00
Hannah Wolfe
cfaa6f058a Wire permmissions for notifications, mail and tags
closes #2739

- wraps the api endpoints for mail, notifications, and tags in a canThis
  check
- add internal context to internal calls
- updates tests
2014-07-17 16:44:09 +01:00
Sebastian Gierlinger
ab456638c1 Fix tests failing because of spam protection
closes #3128 (now really)
- added express variable disableLoginLimiter
- added disableLoginLimiter to all tests that use Ghost as module and
do authentication
- fixed isSetup not working for status other than active
- removed ‚Ensure a User is Registered‘ test as this is covered by the
new setup test
2014-07-17 14:22:32 +02:00
Sebastian Gierlinger
42f461cb6d Restored spam prevention
closes #3128
- added spam prevention middleware
- restored tests
2014-07-17 14:22:07 +02:00
Hannah Wolfe
5c1a7a7349 Revert "Restore spam prevention" 2014-07-17 12:11:23 +01:00
Sebastian Gierlinger
e4e027d17b Restored spam prevention
closes #3128
- added spam prevention middleware
- restored tests
2014-07-16 10:00:49 +02:00
Hannah Wolfe
3ff9146d9e Server side cleanup
- remove sessions
- remove all references to csrf
- create a shared base model for the 2 types of token
2014-07-14 21:50:12 +01:00
Sebastian Gierlinger
8c2258dc4c Move setup to API
closes #3136
- moved setup to authentication API
- added `POST /ghost/api/v0.1/authentication/setup` to execute the
setup process
- added `GET /ghost/api/v0.1/authentication/setup` to check if blog is
already set up (needed for #3145)
- removed unused methods from api/users.js
2014-07-11 14:17:09 +02:00
Hannah Wolfe
a593cbfb53 Move post slug endpoint & add endpoints for users
closes #3187

- move slug endpoint to post/slug/:slug
- create similar  slug and email endpoint for users
- add/update tests
2014-07-09 16:55:34 +01:00
Sebastian Gierlinger
84cfd529ed Allow user to accept invitation
closes #3081
- added route `/ghost/api/v0.1/authentication/invitation`
- added accept invitation
- added signup with token
- removed check() from users api
- fixed promise in resetPassword()
2014-07-03 17:06:07 +02:00
Sebastian Gierlinger
79a80b67ac Invite user API
closes #3080
- added users.invite() to add user from email with random password
- added `GET /ghost/api/v0.1/users/` to invite users and resend
invitations
- removed one user limit
- added global utils for uid generation
- changed some „“ to ‚‘
2014-07-02 16:22:18 +02:00
Hannah Wolfe
f70f99b5cf Replace the old admin with the ember admin
closes #3056

- Remove clientold
- Remove clientold tests
- Cleanup old admin helpers
- Remove old routes from admin and controllers from admin controller
- Comment out / remove old and broken tests
- Cleanup Gruntfile.js, bower.js, package.json etc

Still TODO:

- cleanup / add removed tests
- do we still need countable?
2014-07-01 08:33:17 +01:00
Sebastian Gierlinger
c8e8da4780 oAuth
closes #2759
closes #3027

- added oauth2orize library for server side oAuth handling
- added ember-simple-auth library for admin oAuth handling
- added tables for client, accesstoken and refreshtoken
- implemented RFC6749 4.3 Ressouce Owner Password Credentials Grant
- updated api tests with oAuth
- removed session, authentication is now token based

Known issues:
- Restore spam prevention #3128
- Signin after Signup #3125
- Signin validation #3125

**Attention**
- oldClient doesn't work with this PR anymore, session authentication
was
removed
2014-06-30 14:58:10 +02:00
Fabian Becker
72156c7f89 New setup screen for blog installation.
fixes #3072
- Change router to handle /ember/setup/
- Adjust doSignup to also handle setup
- Adjust tests and add new where necessary
- Add setup controller, setup validation, setup route
- Adjust casper emberSetup to handle new setup
2014-06-26 15:31:44 +02:00
Sebastian Gierlinger
1db0431e4d User API changes
closes #2822
- added destroy user method
- added remove user permission
- added API end point for get reset token
- added API end point for reset password
- added API end point for change password
2014-06-20 11:15:01 +02:00
Fabian Becker
2bff35bcc2 Complete moveover to new Notification API format
fixes #2775
- Fix all occurences of notifications.add to use proper API format
2014-06-16 08:07:29 +00:00
Harry Wolff
5d028b72fb Upgrade to Express 4.0
no related issue

- Updates package.json packages, adding express middleware packages
 that have been broken into their own modules

- Updates controllers/frontend.js to use the new Layer object that Express 4.0
 has.  Requires some monkey-patching as the Layer object isn't explicitly
 surfaced, however it should be safe to do.

- Moved the setup of routes into middleware/index.js because they need to
 be added as a middleware function before the 404 and 500 handlers. This is
 no longer possible with the old app.use(app.router) as that has been removed.

- Cleaned up middleware/index.js to make it compatible with Express 4.0.

- Simplified the way themes are activated and enabled when they are activated.
 The new handling is simpler, yet should still cover all the use cases that
 previously existed.

- The entire flow of activating a theme through middleware should be a little
 more centralized, letting it be easier to read and maintain.

- Moved every routes/*.js file to use an individual express.Router() instance.
2014-06-08 17:41:25 -04:00
Hannah Wolfe
9e8e1fa37d Ember redirect to signup
closes #2779

- adds temporary code to redirect the ember admin to signup if a user doesn't exist.
- done serverside as this makes most sense?
2014-06-03 19:21:45 +01:00
Jacob Gable
5abeadf80d Ember Data with Posts
Ref #2699

- Introduce ember data dependency
- Add loadInitializers and refactor most initializers into one combined
- Add Post ember data model
- Refactor generateSlug to use title of post and ghostPaths
- Refactor post controller to not reference model.property everywhere
- Use RESTAdapter for posts, users and tags
- Setup author and tag relations in Post model
- Fix broken API calls by adding CSRF header
- Add initiaizer for csrf value
- Use actual User model for current user initializer
- Add action for setting featured post, test with actual api call
- Fix the sending of UUID's up to the server
- Refactor current-user to use ember-data store
- If a user is preloaded in the application, use pushPayload to put it
in the store
- Do a lookup on the store to get an actual User model for injection
- Fix posts/post controllerName in route/new.js
- Alter signup process to push user into ember data store
2014-05-29 07:42:51 -05:00
Jacob Gable
006aedfb84 Implement signup in Ember
Closes #2410

- Add signup action that posts to signup endpoint
- Fix nav bar showing on signup page
- Fix image link when a user hasn't set their image yet
- Redirect to the ember/signin page if requesting an ember page
2014-05-23 12:17:28 -05:00
Steve
5f7182b7a2 Make cache max-age on theme assets one year.
closes #2790
- Added one year in ms var.
- refs: #2447
2014-05-22 07:55:38 -07:00
Hannah Wolfe
c02ebb0dcf Refactor API arguments
closes #2610, refs #2697

- cleanup API index.js, and add docs
- all API methods take consistent arguments: object & options
- browse, read, destroy take options, edit and add take object and options
- the context is passed as part of options, meaning no more .call
  everywhere
- destroy expects an object, rather than an id all the way down to the model layer
- route params such as :id, :slug, and :key are passed as an option & used
  to perform reads, updates and deletes where possible - settings / themes
  may need work here still
- HTTP posts api can find a post by slug
- Add API utils for checkData
2014-05-15 10:41:05 +01:00