Added support for token session to /ghost (#11709)
no-issue

* Added default for getting origin of request

This function is used to attach the origin of the request to the session, and later check that requests using the session are coming from the same origin. This protects us against CSRF attacks as requests in the browser MUST originate from the same origin on which the user logged in.

Previously, when we could not determine the origin we would return null, as a "safety" net. This updates the function to use a secure and sensible default - which is the origin of the Ghost-Admin application, and if that's not set - the origin of the Ghost application.

This will make dealing with magic links simpler as you can not always guarantee the existence of these headers when visiting via a hyperlink

* Removed init fns and getters from session service

This simplifies the code here, making it easier to read and maintain

* Moved express-session initialisation to own file

This is complex enough that it deserves its own module

* Added createSessionFromToken to session service

* Wired up the createSessionFromToken middleware
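The commit message describes binding a session to the origin it was created from and rejecting later requests from a different origin, with the admin URL (or, failing that, the site URL) as the fallback when no `Origin`/`Referer` header is present. The following is an added illustration of that scheme, written for this page and not taken from Ghost's code base; the `config` object, the request shapes and the function names (`getOrigin`, `createSession`, `isSameOriginRequest`) are assumptions constructed for the example.

```javascript
// Added example (not Ghost's own code): an origin-bound session as a CSRF check.
// The config values and request objects below are constructed for illustration.

// Stand-in for Ghost's config. adminUrl is optional in a real deployment,
// which is why the fallback chain ends at the site url.
const config = {
    url: 'https://blog.example.com',
    adminUrl: 'https://admin.example.com'
};

// Reduce a URL-ish string to its origin (scheme://host[:port]).
// Returns null for anything unparseable, including the literal "null"
// that browsers send as Origin for opaque (sandboxed/data:) contexts.
function parseOrigin(value) {
    try {
        return new URL(value).origin;
    } catch (e) {
        return null;
    }
}

// Resolve the origin of a request. Prefer the Origin header, then Referer.
// When neither is present (e.g. the user arrived via a bare hyperlink such as
// a magic link) fall back to the admin origin, then the site origin, rather
// than returning null. A header that is present but malformed is NOT replaced
// by the default: it yields null and the request will fail the origin check.
function getOrigin(req, cfg = config) {
    const headers = req.headers || {};
    if (headers.origin) {
        return parseOrigin(headers.origin);
    }
    if (headers.referer) {
        return parseOrigin(headers.referer);
    }
    return parseOrigin(cfg.adminUrl || cfg.url);
}

// Create a session record bound to the origin the user authenticated from.
function createSession(req, userId, cfg = config) {
    return {
        user_id: userId,
        origin: getOrigin(req, cfg)
    };
}

// Accept a request on an existing session only if it comes from the origin
// the session was created from. A cross-site request from attacker.example
// carries that attacker's Origin (or Referer), so it is rejected even though
// the browser attached the session cookie automatically.
function isSameOriginRequest(session, req, cfg = config) {
    if (!session || !session.origin) {
        return false;
    }
    return getOrigin(req, cfg) === session.origin;
}
```

The check only bites when the browser actually sends `Origin` or `Referer`; a request with neither header resolves to the default origin and is accepted. Modern browsers send `Origin` on cross-site POSTs, so state-changing routes should be non-GET, and the `sameSite: 'lax'` cookie setting in the diff acts as a second, independent layer.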
Showing 9 changed files with 78 additions and 125 deletions.
@@ -0,0 +1,37 @@ | ||
const session = require('express-session'); | ||
const constants = require('../../../lib/constants'); | ||
const config = require('../../../config'); | ||
const settingsCache = require('../../settings/cache'); | ||
const models = require('../../../models'); | ||
const urlUtils = require('../../../lib/url-utils'); | ||
|
||
const SessionStore = require('./store'); | ||
|
||
const expressSessionMiddleware = session({ | ||
store: new SessionStore(models.Session), | ||
secret: settingsCache.get('session_secret'), | ||
resave: false, | ||
saveUninitialized: false, | ||
name: 'ghost-admin-api-session', | ||
cookie: { | ||
maxAge: constants.SIX_MONTH_MS, | ||
httpOnly: true, | ||
path: urlUtils.getSubdir() + '/ghost', | ||
sameSite: 'lax', | ||
secure: urlUtils.isSSL(config.get('url')) | ||
} | ||
}); | ||
|
||
exports.getSession = async function getSession(req, res) { | ||
if (req.session) { | ||
return req.session; | ||
} | ||
return new Promise((resolve, reject) => { | ||
expressSessionMiddleware(req, res, function (err) { | ||
if (err) { | ||
return reject(err); | ||
} | ||
resolve(req.session); | ||
}); | ||
}); | ||
}; |
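Review bot: `expressSessionMiddleware` is built at module load, so `settingsCache.get('session_secret')` and `urlUtils.isSSL(config.get('url'))` are evaluated the first time this file is required and never re-read. If the settings cache is not yet populated at that point, express-session is constructed with `secret: undefined`, and since this same commit removes the init functions and getters that previously deferred the lookup, nothing guards against that ordering. Either document the load-order requirement or build the middleware lazily, e.g. a memoised `getMiddleware()` called from `getSession` that reads `session_secret` on first use. The cookie settings themselves look right: `httpOnly`, `sameSite: 'lax'` and scoping `path` to `/ghost` all limit where the session cookie is sent.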