mirror of
https://github.com/TryGhost/Ghost.git
synced 2024-12-21 09:52:06 +03:00
c5eda57f1e
refs #6589 - add internalAppsPath as a proper config path - middleware/routes will be setup for any internal apps which have the function - this should be refactored into some sort of proper hooks system as part of apps - internal apps get permission to do anything the proxy allows
178 lines
6.0 KiB
JavaScript
178 lines
6.0 KiB
JavaScript
var bodyParser = require('body-parser'),
|
|
config = require('../config'),
|
|
errors = require('../errors'),
|
|
logger = require('morgan'),
|
|
path = require('path'),
|
|
routes = require('../routes'),
|
|
serveStatic = require('express').static,
|
|
slashes = require('connect-slashes'),
|
|
storage = require('../storage'),
|
|
passport = require('passport'),
|
|
utils = require('../utils'),
|
|
sitemapHandler = require('../data/xml/sitemap/handler'),
|
|
multer = require('multer'),
|
|
tmpdir = require('os').tmpdir,
|
|
authStrategies = require('./auth-strategies'),
|
|
auth = require('./auth'),
|
|
cacheControl = require('./cache-control'),
|
|
checkSSL = require('./check-ssl'),
|
|
decideIsAdmin = require('./decide-is-admin'),
|
|
oauth = require('./oauth'),
|
|
redirectToSetup = require('./redirect-to-setup'),
|
|
serveSharedFile = require('./serve-shared-file'),
|
|
spamPrevention = require('./spam-prevention'),
|
|
staticTheme = require('./static-theme'),
|
|
themeHandler = require('./theme-handler'),
|
|
uncapitalise = require('./uncapitalise'),
|
|
cors = require('./cors'),
|
|
|
|
ClientPasswordStrategy = require('passport-oauth2-client-password').Strategy,
|
|
BearerStrategy = require('passport-http-bearer').Strategy,
|
|
|
|
middleware,
|
|
setupMiddleware;
|
|
|
|
middleware = {
|
|
upload: multer({dest: tmpdir()}),
|
|
cacheControl: cacheControl,
|
|
spamPrevention: spamPrevention,
|
|
oauth: oauth,
|
|
api: {
|
|
authenticateClient: auth.authenticateClient,
|
|
authenticateUser: auth.authenticateUser,
|
|
requiresAuthorizedUser: auth.requiresAuthorizedUser,
|
|
requiresAuthorizedUserPublicAPI: auth.requiresAuthorizedUserPublicAPI,
|
|
errorHandler: errors.handleAPIError,
|
|
cors: cors
|
|
}
|
|
};
|
|
|
|
setupMiddleware = function setupMiddleware(blogApp, adminApp) {
|
|
var logging = config.logging,
|
|
corePath = config.paths.corePath;
|
|
|
|
passport.use(new ClientPasswordStrategy(authStrategies.clientPasswordStrategy));
|
|
passport.use(new BearerStrategy(authStrategies.bearerStrategy));
|
|
|
|
// Initialize OAuth middleware
|
|
oauth.init();
|
|
|
|
// Make sure 'req.secure' is valid for proxied requests
|
|
// (X-Forwarded-Proto header will be checked, if present)
|
|
blogApp.enable('trust proxy');
|
|
|
|
// Logging configuration
|
|
if (logging !== false) {
|
|
if (blogApp.get('env') !== 'development') {
|
|
blogApp.use(logger('combined', logging));
|
|
} else {
|
|
blogApp.use(logger('dev', logging));
|
|
}
|
|
}
|
|
|
|
// Favicon
|
|
blogApp.use(serveSharedFile('favicon.ico', 'image/x-icon', utils.ONE_DAY_S));
|
|
|
|
// Ghost-Url
|
|
blogApp.use(serveSharedFile('shared/ghost-url.js', 'application/javascript', utils.ONE_HOUR_S));
|
|
blogApp.use(serveSharedFile('shared/ghost-url.min.js', 'application/javascript', utils.ONE_HOUR_S));
|
|
|
|
// Static assets
|
|
blogApp.use('/shared', serveStatic(
|
|
path.join(corePath, '/shared'),
|
|
{maxAge: utils.ONE_HOUR_MS, fallthrough: false}
|
|
));
|
|
blogApp.use('/content/images', storage.getStorage().serve());
|
|
blogApp.use('/public', serveStatic(
|
|
path.join(corePath, '/built/public'),
|
|
{maxAge: utils.ONE_YEAR_MS, fallthrough: false}
|
|
));
|
|
|
|
// First determine whether we're serving admin or theme content
|
|
blogApp.use(decideIsAdmin);
|
|
blogApp.use(themeHandler.updateActiveTheme);
|
|
blogApp.use(themeHandler.configHbsForContext);
|
|
|
|
// Admin only config
|
|
blogApp.use('/ghost', serveStatic(
|
|
config.paths.clientAssets,
|
|
{maxAge: utils.ONE_YEAR_MS}
|
|
));
|
|
|
|
// Force SSL
|
|
// NOTE: Importantly this is _after_ the check above for admin-theme static resources,
|
|
// which do not need HTTPS. In fact, if HTTPS is forced on them, then 404 page might
|
|
// not display properly when HTTPS is not available!
|
|
blogApp.use(checkSSL);
|
|
adminApp.set('views', config.paths.adminViews);
|
|
|
|
// Theme only config
|
|
blogApp.use(staticTheme());
|
|
|
|
// setup middleware for internal apps
|
|
// @TODO: refactor this to be a proper app middleware hook for internal & external apps
|
|
config.internalApps.forEach(function (appName) {
|
|
var app = require(path.join(config.paths.internalAppPath, appName));
|
|
if (app.hasOwnProperty('setupMiddleware')) {
|
|
app.setupMiddleware(blogApp);
|
|
}
|
|
});
|
|
|
|
// Serve sitemap.xsl file
|
|
blogApp.use(serveSharedFile('sitemap.xsl', 'text/xsl', utils.ONE_DAY_S));
|
|
|
|
// Serve robots.txt if not found in theme
|
|
blogApp.use(serveSharedFile('robots.txt', 'text/plain', utils.ONE_HOUR_S));
|
|
|
|
// site map
|
|
sitemapHandler(blogApp);
|
|
|
|
// Add in all trailing slashes
|
|
blogApp.use(slashes(true, {
|
|
headers: {
|
|
'Cache-Control': 'public, max-age=' + utils.ONE_YEAR_S
|
|
}
|
|
}));
|
|
blogApp.use(uncapitalise);
|
|
|
|
// Body parsing
|
|
blogApp.use(bodyParser.json({limit: '1mb'}));
|
|
blogApp.use(bodyParser.urlencoded({extended: true, limit: '1mb'}));
|
|
|
|
blogApp.use(passport.initialize());
|
|
|
|
// ### Caching
|
|
// Blog frontend is cacheable
|
|
blogApp.use(cacheControl('public'));
|
|
// Admin shouldn't be cached
|
|
adminApp.use(cacheControl('private'));
|
|
// API shouldn't be cached
|
|
blogApp.use(routes.apiBaseUri, cacheControl('private'));
|
|
|
|
// local data
|
|
blogApp.use(themeHandler.ghostLocals);
|
|
|
|
// ### Routing
|
|
// Set up API routes
|
|
blogApp.use(routes.apiBaseUri, routes.api(middleware));
|
|
|
|
// Mount admin express app to /ghost and set up routes
|
|
adminApp.use(redirectToSetup);
|
|
adminApp.use(routes.admin());
|
|
blogApp.use('/ghost', adminApp);
|
|
|
|
// Set up Frontend routes (including private blogging routes)
|
|
blogApp.use(routes.frontend());
|
|
|
|
// ### Error handling
|
|
// 404 Handler
|
|
blogApp.use(errors.error404);
|
|
|
|
// 500 Handler
|
|
blogApp.use(errors.error500);
|
|
};
|
|
|
|
module.exports = setupMiddleware;
|
|
// Export middleware functions directly
|
|
module.exports.middleware = middleware;
|