Ghost/core/server/api/canary/identities.js

const settings = require('../../../shared/settings-cache');
const urlUtils = require('../../../shared/url-utils');
const jwt = require('jsonwebtoken');
const jose = require('node-jose');
const issuer = urlUtils.urlFor('admin', true);

const dangerousPrivateKey = settings.get('ghost_private_key');
const keyStore = jose.JWK.createKeyStore();
const keyStoreReady = keyStore.add(dangerousPrivateKey, 'pem');

const getKeyID = async () => {
    const key = await keyStoreReady;
    return key.kid;
};

const sign = async (claims, options) => {
    const kid = await getKeyID();
    return jwt.sign(claims, dangerousPrivateKey, Object.assign({
        issuer,
        expiresIn: '5m',
        algorithm: 'RS256',
        keyid: kid
    }, options));
};

module.exports = {
    docName: 'identities',
    permissions: true,
    read: {
        permissions: true,
        async query(frame) {
            const token = await sign({sub: frame.user.get('email')});
            return {token};
        }
    }
};