Ghost/core/server/web/api/routes.js
Katharina Irrgang 6e94cedfa2 Ensure cors check happens for /authentication/token route (#9317)
no issue

- otherwise external browser clients run into cors problems
2017-12-15 09:35:48 +00:00

211 lines
8.9 KiB
JavaScript

var express = require('express'),
// This essentially provides the controllers for the routes
api = require('../../api'),
// Middleware
mw = require('./middleware'),
// API specific
auth = require('../../services/auth'),
cors = require('../middleware/api/cors'),
brute = require('../middleware/brute'),
// Handling uploads & imports
tmpdir = require('os').tmpdir,
upload = require('multer')({dest: tmpdir()}),
validation = require('../middleware/validation'),
// Temporary
// @TODO find a more appy way to do this!
labs = require('../middleware/labs');
// @TODO refactor/clean this up - how do we want the routing to work long term?
module.exports = function apiRoutes() {
var apiRouter = express.Router();
// alias delete with del
apiRouter.del = apiRouter.delete;
// ## CORS pre-flight check
apiRouter.options('*', cors);
// ## Configuration
apiRouter.get('/configuration', api.http(api.configuration.read));
apiRouter.get('/configuration/:key', mw.authenticatePrivate, api.http(api.configuration.read));
// ## Posts
apiRouter.get('/posts', mw.authenticatePublic, api.http(api.posts.browse));
apiRouter.post('/posts', mw.authenticatePrivate, api.http(api.posts.add));
apiRouter.get('/posts/:id', mw.authenticatePublic, api.http(api.posts.read));
apiRouter.get('/posts/slug/:slug', mw.authenticatePublic, api.http(api.posts.read));
apiRouter.put('/posts/:id', mw.authenticatePrivate, api.http(api.posts.edit));
apiRouter.del('/posts/:id', mw.authenticatePrivate, api.http(api.posts.destroy));
// ## Schedules
apiRouter.put('/schedules/posts/:id', [
auth.authenticate.authenticateClient,
auth.authenticate.authenticateUser
], api.http(api.schedules.publishPost));
// ## Settings
apiRouter.get('/settings', mw.authenticatePrivate, api.http(api.settings.browse));
apiRouter.get('/settings/:key', mw.authenticatePrivate, api.http(api.settings.read));
apiRouter.put('/settings', mw.authenticatePrivate, api.http(api.settings.edit));
// ## Users
apiRouter.get('/users', mw.authenticatePublic, api.http(api.users.browse));
apiRouter.get('/users/:id', mw.authenticatePublic, api.http(api.users.read));
apiRouter.get('/users/slug/:slug', mw.authenticatePublic, api.http(api.users.read));
// NOTE: We don't expose any email addresses via the public api.
apiRouter.get('/users/email/:email', mw.authenticatePrivate, api.http(api.users.read));
apiRouter.put('/users/password', mw.authenticatePrivate, api.http(api.users.changePassword));
apiRouter.put('/users/owner', mw.authenticatePrivate, api.http(api.users.transferOwnership));
apiRouter.put('/users/:id', mw.authenticatePrivate, api.http(api.users.edit));
apiRouter.del('/users/:id', mw.authenticatePrivate, api.http(api.users.destroy));
// ## Tags
apiRouter.get('/tags', mw.authenticatePublic, api.http(api.tags.browse));
apiRouter.get('/tags/:id', mw.authenticatePublic, api.http(api.tags.read));
apiRouter.get('/tags/slug/:slug', mw.authenticatePublic, api.http(api.tags.read));
apiRouter.post('/tags', mw.authenticatePrivate, api.http(api.tags.add));
apiRouter.put('/tags/:id', mw.authenticatePrivate, api.http(api.tags.edit));
apiRouter.del('/tags/:id', mw.authenticatePrivate, api.http(api.tags.destroy));
// ## Subscribers
apiRouter.get('/subscribers', labs.subscribers, mw.authenticatePrivate, api.http(api.subscribers.browse));
apiRouter.get('/subscribers/csv', labs.subscribers, mw.authenticatePrivate, api.http(api.subscribers.exportCSV));
apiRouter.post('/subscribers/csv',
labs.subscribers,
mw.authenticatePrivate,
upload.single('subscribersfile'),
validation.upload({type: 'subscribers'}),
api.http(api.subscribers.importCSV)
);
apiRouter.get('/subscribers/:id', labs.subscribers, mw.authenticatePrivate, api.http(api.subscribers.read));
apiRouter.get('/subscribers/email/:email', labs.subscribers, mw.authenticatePrivate, api.http(api.subscribers.read));
apiRouter.post('/subscribers', labs.subscribers, mw.authenticatePublic, api.http(api.subscribers.add));
apiRouter.put('/subscribers/:id', labs.subscribers, mw.authenticatePrivate, api.http(api.subscribers.edit));
apiRouter.del('/subscribers/:id', labs.subscribers, mw.authenticatePrivate, api.http(api.subscribers.destroy));
apiRouter.del('/subscribers/email/:email', labs.subscribers, mw.authenticatePrivate, api.http(api.subscribers.destroy));
// ## Roles
apiRouter.get('/roles/', mw.authenticatePrivate, api.http(api.roles.browse));
// ## Clients
apiRouter.get('/clients/slug/:slug', api.http(api.clients.read));
// ## Slugs
apiRouter.get('/slugs/:type/:name', mw.authenticatePrivate, api.http(api.slugs.generate));
// ## Themes
apiRouter.get('/themes/', mw.authenticatePrivate, api.http(api.themes.browse));
apiRouter.get('/themes/:name/download',
mw.authenticatePrivate,
api.http(api.themes.download)
);
apiRouter.post('/themes/upload',
mw.authenticatePrivate,
upload.single('theme'),
validation.upload({type: 'themes'}),
api.http(api.themes.upload)
);
apiRouter.put('/themes/:name/activate',
mw.authenticatePrivate,
api.http(api.themes.activate)
);
apiRouter.del('/themes/:name',
mw.authenticatePrivate,
api.http(api.themes.destroy)
);
// ## Notifications
apiRouter.get('/notifications', mw.authenticatePrivate, api.http(api.notifications.browse));
apiRouter.post('/notifications', mw.authenticatePrivate, api.http(api.notifications.add));
apiRouter.del('/notifications/:id', mw.authenticatePrivate, api.http(api.notifications.destroy));
// ## DB
apiRouter.get('/db', mw.authenticatePrivate, api.http(api.db.exportContent));
apiRouter.post('/db',
mw.authenticatePrivate,
upload.single('importfile'),
validation.upload({type: 'db'}),
api.http(api.db.importContent)
);
apiRouter.del('/db', mw.authenticatePrivate, api.http(api.db.deleteAllContent));
// ## Mail
apiRouter.post('/mail', mw.authenticatePrivate, api.http(api.mail.send));
apiRouter.post('/mail/test', mw.authenticatePrivate, api.http(api.mail.sendTest));
// ## Slack
apiRouter.post('/slack/test', mw.authenticatePrivate, api.http(api.slack.sendTest));
// ## Authentication
apiRouter.post('/authentication/passwordreset',
brute.globalReset,
brute.userReset,
api.http(api.authentication.generateResetToken)
);
apiRouter.put('/authentication/passwordreset', brute.globalBlock, api.http(api.authentication.resetPassword));
apiRouter.post('/authentication/invitation', api.http(api.authentication.acceptInvitation));
apiRouter.get('/authentication/invitation', api.http(api.authentication.isInvitation));
apiRouter.post('/authentication/setup', api.http(api.authentication.setup));
apiRouter.put('/authentication/setup', mw.authenticatePrivate, api.http(api.authentication.updateSetup));
apiRouter.get('/authentication/setup', api.http(api.authentication.isSetup));
apiRouter.post('/authentication/token',
mw.authenticateClient(),
brute.globalBlock,
brute.userLogin,
auth.oauth.generateAccessToken
);
apiRouter.post('/authentication/revoke', mw.authenticatePrivate, api.http(api.authentication.revoke));
// ## Uploads
// @TODO: rename endpoint to /images/upload (or similar)
apiRouter.post('/uploads',
mw.authenticatePrivate,
upload.single('uploadimage'),
validation.upload({type: 'images'}),
api.http(api.uploads.add)
);
apiRouter.post('/db/backup', mw.authenticateClient('Ghost Backup'), api.http(api.db.backupContent));
apiRouter.post('/uploads/icon',
mw.authenticatePrivate,
upload.single('uploadimage'),
validation.upload({type: 'icons'}),
validation.blogIcon(),
api.http(api.uploads.add)
);
// ## Invites
apiRouter.get('/invites', mw.authenticatePrivate, api.http(api.invites.browse));
apiRouter.get('/invites/:id', mw.authenticatePrivate, api.http(api.invites.read));
apiRouter.post('/invites', mw.authenticatePrivate, api.http(api.invites.add));
apiRouter.del('/invites/:id', mw.authenticatePrivate, api.http(api.invites.destroy));
// ## Redirects (JSON based)
apiRouter.get('/redirects/json', mw.authenticatePrivate, api.http(api.redirects.download));
apiRouter.post('/redirects/json',
mw.authenticatePrivate,
upload.single('redirects'),
validation.upload({type: 'redirects'}),
api.http(api.redirects.upload)
);
// ## Webhooks (RESTHooks)
apiRouter.post('/webhooks', mw.authenticatePrivate, api.http(api.webhooks.add));
apiRouter.del('/webhooks/:id', mw.authenticatePrivate, api.http(api.webhooks.destroy));
return apiRouter;
};