mirror of https://github.com/TryGhost/Ghost.git synced 2025-01-03 08:25:06 +03:00

Turn your audience into a business. Publishing, memberships, subscriptions and newsletters.

blogging cms ember ghost hacktoberfest headless-cms jamstack javascript journalism nodejs publishing web-application

Go to file

Katharina Irrgang f22a2784f7 🐛 Fixed error for password authentication with Bearer Token (#9227 ) refs #8613, refs #9228 - if you send a request to /authentication/token with `grant_type:password` and a Bearer token, Ghost was not able to handle this combination - because it skipped the client authentication, see https://github.com/TryGhost/Ghost/blob/1.17.0/core/server/auth/authenticate.js#L13 - and OAuth detects the `grant_type: password` and jumps in the target implementation - the target implementation for password authentication again tried to fetch the client and failed, because it relied on the previous client authentication - see https://github.com/TryGhost/Ghost/blob/1.17.0/core/server/auth/oauth.js#L40 (client.slug is undefined if client authentication is skipped) - ^ so this is the bug - we can skip client authentication for requests to the API to fetch data for example e.g. GET /posts (including Bearer) - so when is a client authentication required? - RFC (https://tools.ietf.org/html/rfc6749#page-38) differentiates between confidential and public clients, Ghost has no implementation for this at the moment - so in theory, public clients don't have to be authenticated, only if the credentials are included - to not invent a breaking change, i decided to only make the client authentication required for password authentication - we could change this in Ghost 2.0 I have removed the extra client request to the database for the password authentication, this is not needed. We already do client password authentication [here](https://github.com/TryGhost/Ghost/blob/1.17.0/core/server/auth/auth-strategies.js#L19); If a Bearer token is present and you have not send a `grant_type` (which signalises OAuth to do authentication), you can skip the client authentication.		2017-11-09 14:11:29 +00:00
.github	PRs don't need to squash commits anymore	2017-10-19 12:51:40 +01:00
content	Upgrading Casper to 2.1.6	2017-10-26 19:09:37 +07:00
core	🐛 Fixed error for password authentication with Bearer Token (#9227 )	2017-11-09 14:11:29 +00:00
.editorconfig	Various post-repo-split cleanup (#6910 )	2016-07-12 11:55:46 -06:00
.eslintrc.json	ESlint rule: no-multiple-empty-lines	2017-11-06 10:12:18 +00:00
.gitignore	Support for Node v8 (#9183 )	2017-10-26 11:37:58 +01:00
.gitmodules	Add Admin-Client as submodule at `core/client`	2016-05-19 14:20:18 +01:00
.npmignore	Added package-lock.json to npmignore (#9193 )	2017-10-31 17:29:46 +01:00
.travis.yml	Fixed comment about node version changes (#9223 )	2017-11-08 00:27:47 +01:00
Gruntfile.js	Switch to Eslint (#9197 )	2017-11-01 13:44:54 +00:00
index.js	Used ghost-ignition.debug, removed debug dep (#8881 )	2017-08-15 18:29:27 +07:00
LICENSE	2017 (#7819 )	2017-01-04 10:05:57 +00:00
MigratorConfig.js	🎨 optimise requires for MigratorConfig (#8088 )	2017-03-02 16:02:23 +00:00
package.json	Version bump to 1.17.0	2017-11-07 13:41:35 +00:00
PRIVACY.md	Update config location and docs url in PRIVACY (#8817 )	2017-08-01 19:21:38 -04:00
README.md	Remove wishlist links (#8981 )	2017-09-07 09:04:33 +02:00
SECURITY.md	Update SECURITY.md	2016-01-13 18:22:09 +02:00
yarn.lock	Switch to Eslint (#9197 )	2017-11-01 13:44:54 +00:00

README.md

The project is maintained by a non-profit organisation called the Ghost Foundation, along with an amazing group of independent contributors. We're trying to make publishing software that changes the shape of online journalism.

NOTE: If you’re stuck, can’t get something working or need some help, please head on over and join our Slack community rather than opening an issue.

Hosting a live Ghost site

The easiest way to deploy Ghost is with our official Ghost(Pro) managed service. You can have a fresh instance up and running in a couple of clicks with a worldwide CDN, backups, security and maintenance all done for you.

Not only will it save you hours of maintenance per month, but all revenue goes to the Ghost Foundation, which funds the maintenance and further development of Ghost itself. So you’ll be supporting open source software and getting a great service at the same time! Talk about win/win. 🏆

Self-Hosters

Other options are also available if you prefer playing around with servers by yourself, of course. The freedom of choice is in your hands.

Self-hosting Guide

Theme Developers

If you are developing a Ghost theme for your own site or creating themes for others to use we recommend installing Ghost on your own local machine. Luckily we have a brand new Ghost CLI to make this really easy 😄

Contributors & Advanced Developers

For anyone wishing to contribute to Ghost or to hack/customise core files we recommend following our development setup guides:

Staying Up to Date

When a new version of Ghost comes out, you'll want to look over these upgrade instructions for what to do next.

You can talk to other Ghost users and developers in our public Slack team (it's pretty awesome).

New releases are announced on the dev blog. You can subscribe by email or follow @TryGhost_Dev on Twitter, if you prefer your updates bite-sized and facetious. 🎷🐢

Copyright & License

Copyright (c) 2013-2017 Ghost Foundation - Released under the MIT license. Ghost and the Ghost Logo are trademarks of Ghost Foundation Ltd. Please see our trademark policy for info on acceptable usage.

README.md Unescape Escape