mirror of https://github.com/TryGhost/Ghost.git synced 2024-11-28 14:03:48 +03:00

History

Fabien O'Carroll 3db102a776 Added API Key auth middleware to v2 content API (#10005 ) * Added API Key auth middleware to v2 content API refs #9865 - add `auth.authenticate.authenticateContentApiKey` middleware - accepts `?key=` query param, sets `req.api_key` if it's a known Content API key - add `requiresAuthorizedUserOrApiKey` authorization middleware - passes if either `req.user` or `req.api_key` exists - update `authenticatePublic` middleware stack for v2 content routes * Fixed functional content api tests no-issue This fixes the functional content api tests so they use the content api auth. * Fixed context check and removed skip * Updated cors middleware for content api * Removed client_id from frame.context no-issue The v2 api doesn't have a notion of clients as we do not use oauth for it * Fixed tests for posts input serializer		2018-10-15 16:23:34 +07:00
..
shared	Added API Key auth middleware to v2 content API (#10005 )	2018-10-15 16:23:34 +07:00
v0.1	Moved `toJSON` call to api v0.1 controller for ownership transfer	2018-10-12 18:12:16 +02:00
v2	Added API Key auth middleware to v2 content API (#10005 )	2018-10-15 16:23:34 +07:00
index.js	Moved api controllers into api/v0.1 (#9918 )	2018-09-27 16:06:57 +02:00
README.md	Added tiny framework to support multiple API versions (#9933 )	2018-10-05 00:50:45 +02:00

README.md

API Versioning

Ghost supports multiple API versions. Each version lives in a separate folder e.g. api/v0.1, api/v2. Next to the API folders there is a shared folder, which the API versions use.

NOTE: v0.1 is deprecated and we won't touch this folder at all. The v0.1 folder contains the API layer which we have used since Ghost was born.

Stages

Each request goes through the following stages:

validation
input serialisation
permissions
query
output serialisation

The framework we are building pipes a request through these stages depending on the API controller implementation.

Frame

Is a class, which holds all the information for API processing. We pass this instance per reference. The target function can modify the original instance. No need to return the class instance.

Structure

{
  original: Object,
  options: Object,
  data: Object,
  user: Object,
  file: Object,
  files: Array
}

Example

{
  original: {
    include: 'tags'
  },
  options: {
    withRelated: ['tags']
  },
  data: {
    posts: []
  }
}

API Controller

A controller is no longer just a function, it's a set of configurations.

Structure

edit: function || object

edit: {
  headers: object,
  options: Array,
  data: Array,
  validation: object | function,
  permissions: boolean | object | function,
  query: function
}

Examples

edit: {
  headers: {
    cacheInvalidate: true
  },
  options: ['include']
  validation: {
    options: {
      include: {
        required: true,
        values: ['tags']
      }
    }
  },
  permissions: true,
  query(frame) {
    return models.Post.edit(frame.data, frame.options);
  }
}

read: {
  data: ['slug']
  validation: {
    data: {
      slug: {
        values: ['eins']
      }
    }
  },
  permissions: true,
  query(frame) {
    return models.Post.findOne(frame.data, frame.options);
  }
}

edit: {
  validation() {
    // custom validation, skip framework
  },
  permissions: {
    unsafeAttrs: ['author']
  },
  query(frame) {
    return models.Post.edit(frame.data, frame.options);
  }
}