Ghost/core/server/services/members/api.js
Fabien O'Carroll a02a43e6fa
Improved Members security and performance (#10511)
no-issue

* Corrected function names for rpc methods

* Updated gateway to store tokens locally

* Fixed lint

* Added hardcoded 30 minute expiry for member tokens

* Added default contentApiAccess config;

* Updated validateAudience method

This is required for security, we need to restrict which domains can access
tokens meant for the content api
2019-02-23 04:47:42 +01:00

136 lines
3.4 KiB
JavaScript

const url = require('url');
const settingsCache = require('../settings/cache');
const config = require('../../config');
const MembersApi = require('../../lib/members');
const models = require('../../models');
const mail = require('../mail');
function createMember({name, email, password}) {
return models.Member.add({
name,
email,
password
}).then((member) => {
return member.toJSON();
});
}
function updateMember(member, newData) {
return models.Member.findOne(member, {
require: true
}).then(({id}) => {
return models.Member.edit(newData, {id});
}).then((member) => {
return member.toJSON();
});
}
function getMember(data, options) {
options = options || {};
return models.Member.findOne(data, options).then((model) => {
if (!model) {
return null;
}
return model.toJSON(options);
});
}
function listMembers(options) {
return models.Member.findPage(options).then((models) => {
return {
members: models.data.map(model => model.toJSON(options)),
meta: models.meta
};
});
}
function validateMember({email, password}) {
return models.Member.findOne({email}, {
require: true
}).then((member) => {
return member.comparePassword(password).then((res) => {
if (!res) {
throw new Error('Password is incorrect');
}
return member;
});
}).then((member) => {
return member.toJSON();
});
}
const publicKey = settingsCache.get('members_public_key');
const privateKey = settingsCache.get('members_private_key');
const sessionSecret = settingsCache.get('members_session_secret');
const passwordResetUrl = config.get('url');
const {protocol, host} = url.parse(config.get('url'));
const siteOrigin = `${protocol}//${host}`;
const issuer = siteOrigin;
const ssoOrigin = siteOrigin;
let mailer;
const membersConfig = config.get('members');
function validateAudience({audience, origin}) {
if (audience === origin) {
return Promise.resolve();
}
if (audience === siteOrigin) {
if (membersConfig.contentApiAccess.includes(origin)) {
return Promise.resolve();
}
}
return Promise.reject();
}
function sendEmail(member, {token}) {
if (!(mailer instanceof mail.GhostMailer)) {
mailer = new mail.GhostMailer();
}
const message = {
to: member.email,
subject: 'Reset password',
html: `
Hi ${member.name},
To reset your password, click the following link and follow the instructions:
${passwordResetUrl}#reset-password?token=${token}
If you didn't request a password change, just ignore this email.
`
};
/* eslint-disable */
// @TODO remove this
console.log(message.html);
/* eslint-enable */
return mailer.send(message).catch((err) => {
return Promise.reject(err);
});
}
const api = MembersApi({
authConfig: {
issuer,
publicKey,
privateKey,
sessionSecret,
ssoOrigin
},
paymentConfig: {
processors: membersConfig.paymentProcessors
},
validateAudience,
createMember,
getMember,
listMembers,
validateMember,
updateMember,
sendEmail
});
module.exports = api;
module.exports.publicKey = publicKey;
module.exports.paymentConfigured = !!membersConfig.paymentProcessors.length;