Ghost/core/server/middleware/index.js
Hannah Wolfe c5eda57f1e Minor internal apps improvements
refs #6589

- add internalAppsPath as a proper config path
- middleware/routes will be setup for any internal apps which have the function
- this should be refactored into some sort of proper hooks system as part of apps
- internal apps get permission to do anything the proxy allows
2016-04-14 19:05:48 +01:00

178 lines
6.0 KiB
JavaScript

var bodyParser = require('body-parser'),
config = require('../config'),
errors = require('../errors'),
logger = require('morgan'),
path = require('path'),
routes = require('../routes'),
serveStatic = require('express').static,
slashes = require('connect-slashes'),
storage = require('../storage'),
passport = require('passport'),
utils = require('../utils'),
sitemapHandler = require('../data/xml/sitemap/handler'),
multer = require('multer'),
tmpdir = require('os').tmpdir,
authStrategies = require('./auth-strategies'),
auth = require('./auth'),
cacheControl = require('./cache-control'),
checkSSL = require('./check-ssl'),
decideIsAdmin = require('./decide-is-admin'),
oauth = require('./oauth'),
redirectToSetup = require('./redirect-to-setup'),
serveSharedFile = require('./serve-shared-file'),
spamPrevention = require('./spam-prevention'),
staticTheme = require('./static-theme'),
themeHandler = require('./theme-handler'),
uncapitalise = require('./uncapitalise'),
cors = require('./cors'),
ClientPasswordStrategy = require('passport-oauth2-client-password').Strategy,
BearerStrategy = require('passport-http-bearer').Strategy,
middleware,
setupMiddleware;
middleware = {
upload: multer({dest: tmpdir()}),
cacheControl: cacheControl,
spamPrevention: spamPrevention,
oauth: oauth,
api: {
authenticateClient: auth.authenticateClient,
authenticateUser: auth.authenticateUser,
requiresAuthorizedUser: auth.requiresAuthorizedUser,
requiresAuthorizedUserPublicAPI: auth.requiresAuthorizedUserPublicAPI,
errorHandler: errors.handleAPIError,
cors: cors
}
};
setupMiddleware = function setupMiddleware(blogApp, adminApp) {
var logging = config.logging,
corePath = config.paths.corePath;
passport.use(new ClientPasswordStrategy(authStrategies.clientPasswordStrategy));
passport.use(new BearerStrategy(authStrategies.bearerStrategy));
// Initialize OAuth middleware
oauth.init();
// Make sure 'req.secure' is valid for proxied requests
// (X-Forwarded-Proto header will be checked, if present)
blogApp.enable('trust proxy');
// Logging configuration
if (logging !== false) {
if (blogApp.get('env') !== 'development') {
blogApp.use(logger('combined', logging));
} else {
blogApp.use(logger('dev', logging));
}
}
// Favicon
blogApp.use(serveSharedFile('favicon.ico', 'image/x-icon', utils.ONE_DAY_S));
// Ghost-Url
blogApp.use(serveSharedFile('shared/ghost-url.js', 'application/javascript', utils.ONE_HOUR_S));
blogApp.use(serveSharedFile('shared/ghost-url.min.js', 'application/javascript', utils.ONE_HOUR_S));
// Static assets
blogApp.use('/shared', serveStatic(
path.join(corePath, '/shared'),
{maxAge: utils.ONE_HOUR_MS, fallthrough: false}
));
blogApp.use('/content/images', storage.getStorage().serve());
blogApp.use('/public', serveStatic(
path.join(corePath, '/built/public'),
{maxAge: utils.ONE_YEAR_MS, fallthrough: false}
));
// First determine whether we're serving admin or theme content
blogApp.use(decideIsAdmin);
blogApp.use(themeHandler.updateActiveTheme);
blogApp.use(themeHandler.configHbsForContext);
// Admin only config
blogApp.use('/ghost', serveStatic(
config.paths.clientAssets,
{maxAge: utils.ONE_YEAR_MS}
));
// Force SSL
// NOTE: Importantly this is _after_ the check above for admin-theme static resources,
// which do not need HTTPS. In fact, if HTTPS is forced on them, then 404 page might
// not display properly when HTTPS is not available!
blogApp.use(checkSSL);
adminApp.set('views', config.paths.adminViews);
// Theme only config
blogApp.use(staticTheme());
// setup middleware for internal apps
// @TODO: refactor this to be a proper app middleware hook for internal & external apps
config.internalApps.forEach(function (appName) {
var app = require(path.join(config.paths.internalAppPath, appName));
if (app.hasOwnProperty('setupMiddleware')) {
app.setupMiddleware(blogApp);
}
});
// Serve sitemap.xsl file
blogApp.use(serveSharedFile('sitemap.xsl', 'text/xsl', utils.ONE_DAY_S));
// Serve robots.txt if not found in theme
blogApp.use(serveSharedFile('robots.txt', 'text/plain', utils.ONE_HOUR_S));
// site map
sitemapHandler(blogApp);
// Add in all trailing slashes
blogApp.use(slashes(true, {
headers: {
'Cache-Control': 'public, max-age=' + utils.ONE_YEAR_S
}
}));
blogApp.use(uncapitalise);
// Body parsing
blogApp.use(bodyParser.json({limit: '1mb'}));
blogApp.use(bodyParser.urlencoded({extended: true, limit: '1mb'}));
blogApp.use(passport.initialize());
// ### Caching
// Blog frontend is cacheable
blogApp.use(cacheControl('public'));
// Admin shouldn't be cached
adminApp.use(cacheControl('private'));
// API shouldn't be cached
blogApp.use(routes.apiBaseUri, cacheControl('private'));
// local data
blogApp.use(themeHandler.ghostLocals);
// ### Routing
// Set up API routes
blogApp.use(routes.apiBaseUri, routes.api(middleware));
// Mount admin express app to /ghost and set up routes
adminApp.use(redirectToSetup);
adminApp.use(routes.admin());
blogApp.use('/ghost', adminApp);
// Set up Frontend routes (including private blogging routes)
blogApp.use(routes.frontend());
// ### Error handling
// 404 Handler
blogApp.use(errors.error404);
// 500 Handler
blogApp.use(errors.error500);
};
module.exports = setupMiddleware;
// Export middleware functions directly
module.exports.middleware = middleware;