Commit Graph

25 Commits

Author SHA1 Message Date
Kevin Ansfield
68af12cfad Added 2fa happy path to Admin
closes https://linear.app/tryghost/issue/ENG-1617/
closes https://linear.app/tryghost/issue/ENG-1619/

- updated cookie authenticator's `authenticate` method to accept an `{identification, pasword, token}` object
  - if `token` is provided, hit our `PUT /session/verify/` endpoint passing through the token instead of hitting the `POST /session/` endpoint
- added `signin/verify` route
  - displays a 2fa code input field, including required attributes for macOS auto-fill from email/messages to work
  - uses `session.authenticate({token})` when submitted
- updated signin routine to detect token-required state
  - detects a `403` response with a `2FA_TOKEN_REQUIRED` code property when authenticating
  - if detected transitions to the `signin/verify` route
2024-10-21 11:01:40 +01:00
Kevin Ansfield
c646e78fff Made session.user a synchronous property rather than a promise
no issue

Having `session.user` return a promise made dealing with it in components difficult because you always had to remember it returned a promise rather than a model and had to handle the async behaviour. It also meant that you couldn't use any current user properties directly inside getters which made refactors to Glimmer/Octane idioms harder to reason about.

`session.user` was a cached computed property so it really made no sense for it to be a promise - it was loaded on first access and then always returned instantly but with a fulfilled promise rather than the  underlying model.

Refactoring to a synchronous property that is loaded as part of the authentication flows (we load the current user to check that we're logged in - we may as well make use of that!) means one less thing to be aware of/remember and provides a nicer migration process to Glimmer components. As part of the refactor, the auth flows and pre-load of required data across other services was also simplified to make it easier to find and follow.

- refactored app setup and `session.user`
  - added `session.populateUser()` that fetches a user model from the current user endpoint and sets it on `session.user`
  - removed knowledge of app setup from the `cookie` authenticator and moved it into = `session.postAuthPreparation()`, this means we have the same post-authentication setup no matter which authenticator is used so we have more consistent behaviour in tests which don't use the `cookie` authenticator
  - switched `session` service to native class syntax to get the expected `super()` behaviour
  - updated `handleAuthentication()` so it populate's `session.user` and performs post-auth setup before transitioning (handles sign-in after app load)
  - updated `application` route to remove duplicated knowledge of app preload behaviour that now lives in `session.postAuthPreparation()` (handles already-authed app load)
  - removed out-of-date attempt at pre-loading data from setup controller as that's now handled automatically via `session.handleAuthentication`
- updated app code to not treat `session.user` as a promise
  - predominant usage was router `beforeModel` hooks that transitioned users without valid permissions, this sets us up for an easier removal of the `current-user-settings` mixin in the future
2021-07-08 14:54:31 +01:00
Kevin Ansfield
e66bb4feac Removed tour feature
refs 10b48b1d6d
refs 1531712d92

- the tour feature is no longer used so all associated code can be removed
- removes `liquid-tether` dependency as it was only used by the tour throbbers/popovers
2021-03-02 14:29:26 +00:00
Kevin Ansfield
5225a3d30a Added "What's new" indicator and modal to highlight recent updates (#1292)
no issue

- adds `whats-new` service that fetches the changelog from ghost.org and exposes the latest changelog entries
- trigger a background fetch of the changelog from ghost.org when first loading the admin when logged in, or after signing in
- adds a "What's new" menu item next to the user popup menu
- adds an indicator to the user menu button and what's new menu item if there are unseen changelog entries
- closing the changelog modal will update the "last seen date", clearing both indicators
2019-08-23 10:01:27 +01:00
Kevin Ansfield
457a8e2955 🎨 Added auto-login to private site when viewing site preview in admin (#1286)
closes https://github.com/TryGhost/Ghost/issues/10995

- when first loading the site preview, if private mode is enabled submit the login form in the background to get the cookie before loading the iframe
- refactors post-authentication preloading to ensure it occurs before post-authentication route hooks are called
- adds `showSuccess` attribute to `<GhTaskButton>` so that when set to `false` it can stay in the running state after "success" to avoid state change flashes whilst waiting for a transition
2019-08-12 09:11:10 +01:00
Fabien O'Carroll
3e5a62309f Use Admin API v2 with session auth (#1046)
refs #9865
- removed all `oauth2` and token-based ESA auth
- added new `cookie` authenticator which handles session creation
- updated the session store to extend from the `ephemeral` in-memory store and to restore by fetching the currently logged in user and using the success/failure state to indicate authentication state
  - ESA automatically calls this `.restore()` method on app boot
  - the `session` service caches the current-user query so there's no unnecessary requests being made for the "logged in" state
- removed the now-unnecessary token refresh and logout routines from the `application` route
- removed the now-unnecessary token refresh routines from the `ajax` service
- removed `access_token` query param from iframe file downloaders
- changed Ember Data adapters and `ghost-paths` to use the `/ghost/api/v2/admin/` namespace
2018-10-05 19:46:33 +01:00
Kevin Ansfield
ae759d39ea Fixed multiple 401s caused by token revocation requests
no issue
- disabled Ember Simple Auth's default token revocation
    - we trigger session invalidation on a 401 which means our token isn't valid so the revoke requests will also fail
- renamed application route's `invalidateSession` to `logout` in order to distinguish it from any ESA methods
    - added the token revocation requests to this action, we can be fairly sure at this point that the current tokens will be valid so the requests will succeed
- added check to `ajax.handleResponse` so that we don't invalidate the session for requests to external services
- removed pointless assertion from the ajax integration test
2018-04-16 17:55:21 +01:00
Kevin Ansfield
a85f5fae35 Switch to eslint-plugin-ghost extending plugin:ghost/ember
no issue
- fix lint errors in lib/gh-koenig
- fix ghost:base eslint errors
- update ember plugin refs, remove ember-suave plugin refs
- remove old jshint refs
- add `lint:js` script
- switch to `eslint-plugin-ghost` extending `plugin:ghost/ember`
2018-01-12 12:17:56 +00:00
Kevin Ansfield
9adbcd1fd0 Match service/controller import to ember-modules-codemod style for consistency
no issue

Automated tools, code generators, and editor integrations are increasingly standardising on the import style used in `ember-modules-codemod`. Our import style differed a little with regards to service/controller injection imports which meant we were starting to see inconsistent naming.
2017-10-30 09:38:01 +00:00
Kevin Ansfield
03c45a445e Removed defunct Ghost OAuth code (#848)
refs https://github.com/TryGhost/Ghost/issues/8958

- Ghost OAuth isn't coming back, time for the code to disappear and simply all the things
- fixes the `Usage of router is deprecated` notices that flood the console/test logs when testing
2017-09-04 21:17:04 +02:00
Kevin Ansfield
983110d931 Switched from ember-cli-shims to new module imports (#779)
no issue

- add eslint-plugin-ember, configure no-old-shims rule
- run `eslint --fix` on `app`, `lib`, `mirage`, and `tests` to move imports to the new module imports
- further cleanup of Ember globals usage
- remove event-dispatcher initializer now that `canDispatchToEventManager` is deprecated
2017-08-22 14:53:26 +07:00
Kevin Ansfield
cb59388c5b 💄🐷 sort-imports eslint rule (#712)
no issue

- adds `eslint-plugin-sort-imports-es6-autofix` dependency
  - implements ESLint's base `sort-imports` rule but has a distinction in that `import {foo} from 'bar';` is considered `multiple` rather than `single`
  - fixes ESLint's autofix behaviour so `eslint --fix` will actually fix the sort order
- updates all unordered import rules by using `eslint --fix`

With the increased number of `import` statements since Ember+ecosystem started moving towards es6 modules I've found it frustrating at times trying to search through randomly ordered import statements. Recently I've been sorting imports manually when I've added new code or touched old code so I thought I'd add an ESLint rule to codify it.
2017-05-29 20:50:03 +02:00
Kevin Ansfield
a6e3f704e5 🐛 fix oauth2-ghost authenticator error handling
no issue
- updates `oauth2-ghost` authenticator to reflect the fact that `makeRequest` now returns a ember-ajax and matches the `oauth2` authenticator behaviour
- handle `UnauthorizedError` errors in application route's error handler to avoid tests breaking from unhandled exceptions
2017-03-13 13:00:48 +01:00
Kevin Ansfield
e74e2e039e Update code to match eslint rules
no issue
- switch `jscs` and `jshint` inline config to `eslint` config
- fix eslint errors, predominantly in tests where the config now the main app config more closely
2016-11-14 13:26:00 +00:00
Kevin Ansfield
91dfd0cbf7 switch from jshint/jscs to eslint
no issue
- drop `jshint`, `jscs`, and `ember-suave` dependencies
- remove `grunt` related linting dependencies and tasks
- remove linting build from Travis so that linting can be performed as part of the normal test suite (refs TryGhost/Ghost#7427)
- add `ember-cli-eslint` and `eslint-plugin-ember-suave` dependencies
- configure `eslint` to match our previous coding style
- update config to run eslint tests as part of the normal test run
- add `npm run lint` command to only run linter tests
2016-11-14 13:25:36 +00:00
Kevin Ansfield
527fa181c7 remove custom token endpoint when using Ghost OAuth (#335)
issue TryGhost/Ghost#7562
- removes the custom endpoint so that we always use `/authentication/token`
- adds missing `grant_type` attribute to our auth data so that the server can switch appropriately
2016-10-17 12:50:00 +02:00
Kevin Ansfield
ef0c7a2bf3 deps: ember@2.8.2 2016-10-07 17:32:30 +01:00
Kevin Ansfield
a258e3d881 Ghost.org OAuth support (#278)
issue TryGhost/Ghost#7452, requires TryGhost/Ghost#7451
- use a `ghostOAuth` config flag to switch between the old-style per-install auth and centralized OAuth auth based on config provided by the server
- add OAuth flows for:
  - setup
  - sign-in
  - sign-up
  - re-authenticate
- add custom `oauth-ghost` authenticator to support our custom data structure
- add test helpers to stub successful/failed oauth authentication
- hide change password form if using OAuth (temporary - a way to change password via oauth provider will be added later)
2016-09-30 13:43:40 +02:00
Vijay Kandy
b7dcda8f61 authentication fix for intermittent internet connection (#131)
closes TryGhost/Ghost#6868

- token is refreshed when internet connectivity is established provided the session is still active
- Added navigator.online handler which listens for browser's online status.
- _refreshAccessTokens() is explicitly called when browser becomes online
2016-07-20 22:52:15 -06:00
Austin Burdine
f53c7dfc88 convert ember imports to ember-cli-shim imports where possible (#95) 2016-06-30 11:21:47 +01:00
Austin Burdine
3154dfe988 cleanup usage of Ember.inject 2016-01-19 07:03:27 -06:00
Kevin Ansfield
2f4f6db133 Use es6 across client and add ember-suave to enforce rules
no issue
- add ember-suave dependency
- upgrade grunt-jscs dependency
- add a new .jscsrc for the client's tests directory that extends from client's base .jscsrc
- separate client tests in Gruntfile jscs task so they pick up the test's .jscsrc
- standardize es6 usage across client
2015-11-30 10:41:01 +00:00
Austin Burdine
511d5d9b4c deps: ember-simple-auth@1.0.0
closes #5951
- update to esa 1.0
2015-10-18 13:17:02 -05:00
Sebastian Gierlinger
71215847c8 Add dynamic client_id/client_secret
no issue
- added ghost-admin client_id to admin
- added ghost-admin client_secret to admin
- added client.read() api endpoint
- added random generation of client_secret to migration
- removed addClientSecret method
- updated tests
2015-09-02 16:39:34 +01:00
Kevin Ansfield
6989843b19 Fix auth token refresh failing on app-boot with expired access_token
issue #5751
- moves `makeRequest` override of simple-auth's OAuth authenticator into our own custom authenticator (previously our override was not taking effect until after ember-simple-auth's initial authentication routines, hence why it was working for post-login token refreshes but failing on app-boot)
2015-08-28 16:00:34 +01:00