Ghost/core/server/services/auth/authorize.js

const errors = require('@tryghost/errors');
const i18n = require('../../../shared/i18n');

const authorize = {
    authorizeContentApi(req, res, next) {
        const hasApiKey = req.api_key && req.api_key.id;
        const hasMember = req.member;
        if (hasApiKey) {
            return next();
        }
        if (hasMember) {
            return next();
        }
        return next(new errors.NoPermissionError({
            message: i18n.t('errors.middleware.auth.authorizationFailed'),
            context: i18n.t('errors.middleware.auth.missingContentMemberOrIntegration')
        }));
    },

    authorizeAdminApi(req, res, next) {
        const hasUser = req.user && req.user.id;
        const hasApiKey = req.api_key && req.api_key.id;

        if (hasUser || hasApiKey) {
            return next();
        } else {
            return next(new errors.NoPermissionError({
                message: i18n.t('errors.middleware.auth.authorizationFailed'),
                context: i18n.t('errors.middleware.auth.missingAdminUserOrIntegration')
            }));
        }
    }
};

module.exports = authorize;