Ghost/core/server/services/auth/api-key/admin.js
naz 8ddf83f3c5
Fixed "no-shadow" linting error in server modules (#12287)
refs 143921948d

- Continuation of changes started in referenced commit
2020-10-20 12:02:56 +13:00

156 lines
5.4 KiB
JavaScript

const jwt = require('jsonwebtoken');
const url = require('url');
const models = require('../../../models');
const errors = require('@tryghost/errors');
const {i18n} = require('../../../lib/common');
const _ = require('lodash');
let JWT_OPTIONS_DEFAULTS = {
algorithms: ['HS256'],
maxAge: '5m'
};
/**
* Remove 'Ghost' from raw authorization header and extract the JWT token.
* Eg. Authorization: Ghost ${JWT}
* @param {string} header
*/
const _extractTokenFromHeader = function extractTokenFromHeader(header) {
const [scheme, token] = header.split(' ');
if (/^Ghost$/i.test(scheme)) {
return token;
}
};
/**
* Extract JWT token from admin API URL query
* Eg. ${ADMIN_API_URL}/?token=${JWT}
* @param {string} reqUrl
*/
const _extractTokenFromUrl = function extractTokenFromUrl(reqUrl) {
const {query} = url.parse(reqUrl, true);
return query.token;
};
const authenticate = (req, res, next) => {
// CASE: we don't have an Authorization header so allow fallthrough to other
// auth middleware or final "ensure authenticated" check
if (!req.headers || !req.headers.authorization) {
req.api_key = null;
return next();
}
const token = _extractTokenFromHeader(req.headers.authorization);
if (!token) {
return next(new errors.UnauthorizedError({
message: i18n.t('errors.middleware.auth.incorrectAuthHeaderFormat'),
code: 'INVALID_AUTH_HEADER'
}));
}
return authenticateWithToken(req, res, next, {token, JWT_OPTIONS: JWT_OPTIONS_DEFAULTS});
};
const authenticateWithUrl = (req, res, next) => {
const token = _extractTokenFromUrl(req.originalUrl);
if (!token) {
return next(new errors.UnauthorizedError({
message: i18n.t('errors.middleware.auth.invalidTokenWithMessage', {message: 'No token found in URL'}),
code: 'INVALID_JWT'
}));
}
// CASE: Scheduler publish URLs can have long maxAge but controllerd by expiry and neverBefore
return authenticateWithToken(req, res, next, {token, JWT_OPTIONS: _.omit(JWT_OPTIONS_DEFAULTS, 'maxAge')});
};
/**
* Admin API key authentication flow:
* 1. extract the JWT token from the `Authorization: Ghost xxxx` header or from URL(for schedules)
* 2. decode the JWT to extract the api_key id from the "key id" header claim
* 3. find a matching api_key record
* 4. verify the JWT (matching secret, matching URL path, not expired)
* 5. place the api_key object on `req.api_key`
*
* There are some specifcs of the JWT that we expect:
* - the "Key ID" header parameter should be set to the id of the api_key used to sign the token
* https://tools.ietf.org/html/rfc7515#section-4.1.4
* - the "Audience" claim should match the requested API path
* https://tools.ietf.org/html/rfc7519#section-4.1.3
*/
const authenticateWithToken = (req, res, next, {token, JWT_OPTIONS}) => {
const decoded = jwt.decode(token, {complete: true});
if (!decoded || !decoded.header) {
return next(new errors.BadRequestError({
message: i18n.t('errors.middleware.auth.invalidToken'),
code: 'INVALID_JWT'
}));
}
const apiKeyId = decoded.header.kid;
if (!apiKeyId) {
return next(new errors.BadRequestError({
message: i18n.t('errors.middleware.auth.adminApiKidMissing'),
code: 'MISSING_ADMIN_API_KID'
}));
}
models.ApiKey.findOne({id: apiKeyId}).then((apiKey) => {
if (!apiKey) {
return next(new errors.UnauthorizedError({
message: i18n.t('errors.middleware.auth.unknownAdminApiKey'),
code: 'UNKNOWN_ADMIN_API_KEY'
}));
}
if (apiKey.get('type') !== 'admin') {
return next(new errors.UnauthorizedError({
message: i18n.t('errors.middleware.auth.invalidApiKeyType'),
code: 'INVALID_API_KEY_TYPE'
}));
}
// Decoding from hex and transforming into bytes is here to
// keep comparison of the bytes that are stored in the secret.
// Useful context:
// https://github.com/auth0/node-jsonwebtoken/issues/208#issuecomment-231861138
const secret = Buffer.from(apiKey.get('secret'), 'hex');
const {pathname} = url.parse(req.originalUrl);
const [hasMatch, version = 'v2', api = 'admin'] = pathname.match(/ghost\/api\/([^/]+)\/([^/]+)\/(.+)*/); // eslint-disable-line no-unused-vars
// ensure the token was meant for this api version
const options = Object.assign({
audience: new RegExp(`\/?${version}\/${api}\/?$`) // eslint-disable-line no-useless-escape
}, JWT_OPTIONS);
try {
jwt.verify(token, secret, options);
} catch (err) {
if (err.name === 'TokenExpiredError' || err.name === 'JsonWebTokenError') {
return next(new errors.UnauthorizedError({
message: i18n.t('errors.middleware.auth.invalidTokenWithMessage', {message: err.message}),
code: 'INVALID_JWT',
err
}));
}
// unknown error
return next(new errors.InternalServerError({err}));
}
// authenticated OK, store the api key on the request for later checks and logging
req.api_key = apiKey;
next();
}).catch((err) => {
next(new errors.InternalServerError({err}));
});
};
module.exports = {
authenticate,
authenticateWithUrl
};