Ghost/core/server/services/auth/session
Fabien O'Carroll a701ee7023
Added support for token session to /ghost (#11709)
no-issue

* Added default for getting origin of request

This function is used to attach the origin of the request to the
session, and later check that requests using the session are coming from
the same origin. This protects us against CSRF attacks as requests in
the browser MUST originate from the same origin on which the user
logged in.

Previously, when we could not determine the origin we would return
null, as a "safety" net.

This updates the function to use a secure and sensible default - which
is the origin of the Ghost-Admin application, and if that's not set -
the origin of the Ghost application.

This will make dealing with magic links simpler as you can not always
guaruntee the existence of these headers when visiting via a hyperlink

* Removed init fns and getters from session service

This simplifies the code here, making it easier to read and maintain

* Moved express-session initialisation to own file

This is complex enough that it deserves its own module

* Added createSessionFromToken to session service

* Wired up the createSessionFromToken middleware
2020-04-06 11:49:14 +02:00
..
express-session.js Added support for token session to /ghost (#11709) 2020-04-06 11:49:14 +02:00
index.js Added support for token session to /ghost (#11709) 2020-04-06 11:49:14 +02:00
middleware.js Refactored session service (#11701) 2020-04-02 16:27:31 +02:00
store.js Refactored session service (#11701) 2020-04-02 16:27:31 +02:00