mirror of
https://github.com/TryGhost/Ghost.git
synced 2024-12-11 09:53:32 +03:00
3db102a776
* Added API Key auth middleware to v2 content API refs #9865 - add `auth.authenticate.authenticateContentApiKey` middleware - accepts `?key=` query param, sets `req.api_key` if it's a known Content API key - add `requiresAuthorizedUserOrApiKey` authorization middleware - passes if either `req.user` or `req.api_key` exists - update `authenticatePublic` middleware stack for v2 content routes * Fixed functional content api tests no-issue This fixes the functional content api tests so they use the content api auth. * Fixed context check and removed skip * Updated cors middleware for content api * Removed client_id from frame.context no-issue The v2 api doesn't have a notion of clients as we do not use oauth for it * Fixed tests for posts input serializer
54 lines
2.0 KiB
JavaScript
54 lines
2.0 KiB
JavaScript
const labs = require('../labs');
|
|
const session = require('./session');
|
|
const common = require('../../lib/common');
|
|
|
|
const authorize = {
|
|
// Workaround for missing permissions
|
|
// TODO: rework when https://github.com/TryGhost/Ghost/issues/3911 is done
|
|
requiresAuthorizedUser: function requiresAuthorizedUser(req, res, next) {
|
|
if (req.user && req.user.id) {
|
|
return next();
|
|
} else {
|
|
return next(new common.errors.NoPermissionError({message: common.i18n.t('errors.middleware.auth.pleaseSignIn')}));
|
|
}
|
|
},
|
|
|
|
// ### Require user depending on public API being activated.
|
|
requiresAuthorizedUserPublicAPI: function requiresAuthorizedUserPublicAPI(req, res, next) {
|
|
if (labs.isSet('publicAPI') === true) {
|
|
return next();
|
|
} else {
|
|
if (req.user && req.user.id) {
|
|
return next();
|
|
} else {
|
|
return next(new common.errors.NoPermissionError({message: common.i18n.t('errors.middleware.auth.pleaseSignIn')}));
|
|
}
|
|
}
|
|
},
|
|
|
|
// Requires the authenticated client to match specific client
|
|
requiresAuthorizedClient: function requiresAuthorizedClient(client) {
|
|
return function doAuthorizedClient(req, res, next) {
|
|
if (client && (!req.client || !req.client.name || req.client.name !== client)) {
|
|
return next(new common.errors.NoPermissionError({message: common.i18n.t('errors.permissions.noPermissionToAction')}));
|
|
}
|
|
|
|
return next();
|
|
};
|
|
},
|
|
|
|
authorizeAdminAPI: [session.ensureUser],
|
|
// used by API v2 endpoints
|
|
requiresAuthorizedUserOrApiKey(req, res, next) {
|
|
const hasUser = req.user && req.user.id;
|
|
const hasApiKey = req.api_key && req.api_key.id;
|
|
if (hasUser || hasApiKey) {
|
|
return next();
|
|
} else {
|
|
return next(new common.errors.NoPermissionError({message: common.i18n.t('errors.middleware.auth.pleaseSignInOrAuthenticate')}));
|
|
}
|
|
}
|
|
};
|
|
|
|
module.exports = authorize;
|