
Server side cleanup

- remove sessions
- remove all references to csrf
- create a shared base model for the 2 types of token
ErisDS committed Jul 14, 2014
1 parent 4c6b324 commit 3ff9146d9eb3a50b34419ea964d352bbf9e195b1

This file was deleted.

@@ -4,7 +4,7 @@ var _ = require('lodash'),
config = require('../../config'),
utils = require('../utils'),

excludedTables = ['sessions'],
excludedTables = [],
exporter;

exporter = function () {
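Review bot: `excludedTables = []` means the exporter now skips nothing, so if it walks every table the `accesstokens` and `refreshtokens` tables this commit introduces (live credentials) land in the export the same way `sessions` used to. Unless those tables are filtered further down in `exporter`, whose body begins at the last line of this hunk and continues outside it, the list should read `excludedTables = ['accesstokens', 'refreshtokens'],`. A one-line comment such as `// tables holding credentials are never exported` next to it would keep the next person from emptying the list again.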
@@ -25,6 +25,8 @@ var api = require('../api'),
authStrategies = require('./authStrategies'),

expressServer,
setupMiddleware,

ONE_HOUR_S = 60 * 60,
ONE_YEAR_S = 365 * 24 * ONE_HOUR_S,
ONE_HOUR_MS = ONE_HOUR_S * 1000,
@@ -221,7 +223,7 @@ function robots() {
};
}

module.exports = function (server) {
setupMiddleware = function (server) {
var logging = config().logging,
subdir = config().paths.subdir,
corePath = config().paths.corePath,
@@ -319,6 +321,7 @@ module.exports = function (server) {
expressServer.use(errors.error500);
};

module.exports = setupMiddleware;
// Export middleware functions directly
module.exports.middleware = middleware;
// Expose middleware functions in this file as well
@@ -3,7 +3,6 @@
// middleware_spec.js

var _ = require('lodash'),
csrf = require('csurf'),
express = require('express'),
busboy = require('./ghost-busboy'),
config = require('../config'),
@@ -78,16 +77,6 @@ var middleware = {
next();
},

// Check if we're logged in, and if so, redirect people back to dashboard
// Login and signup forms in particular
redirectToDashboard: function (req, res, next) {
if (req.user && req.user.id) {
return res.redirect(config().paths.subdir + '/ghost/');
}

next();
},

// While we're here, let's clean up on aisle 5
// That being ghost.notifications, and let's remove the passives from there
// plus the local messages, as they have already been added at this point
@@ -160,15 +149,6 @@ var middleware = {
});
},

conditionalCSRF: function (req, res, next) {
// CSRF is needed for admin only
if (res.isAdmin) {
csrf()(req, res, next);
return;
}
next();
},

// work around to handle missing client_secret
// oauth2orize needs it, but untrusted clients don't have it
addClientSecret: function (req, res, next) {
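Review bot: With `conditionalCSRF` gone (hunk at `@@ -160,15 +149,6 @@`) and `csurf` no longer required, the admin routes carry no CSRF defence; that is sound only if every state-changing admin route authenticates solely from an explicitly sent token and never from a browser-ambient credential, and nothing in this file records that invariant. Suggest a comment above the `middleware` object, e.g. `// No CSRF middleware: admin auth is token based, so no cookie-bound credential is ever sent implicitly. Reinstate csurf if any route ever accepts a cookie or session credential.` The `middleware` object starts and ends outside these hunks, so I could not confirm whether any remaining member still reads a cookie-derived `req.user`; worth a check before merging.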
@@ -1,44 +1,11 @@
var ghostBookshelf = require('./base'),
var ghostBookshelf = require('./base'),
Basetoken = require('./basetoken'),

Accesstoken,
Accesstokens;

Accesstoken = ghostBookshelf.Model.extend({

tableName: 'accesstokens',

user: function () {
return this.belongsTo('User');
},

client: function () {
return this.belongsTo('Client');
},

// override for base function since we don't have
// a created_by field for sessions
creating: function (newObj, attr, options) {
/*jshint unused:false*/
},

// override for base function since we don't have
// a updated_by field for sessions
saving: function (newObj, attr, options) {
/*jshint unused:false*/
// Remove any properties which don't belong on the model
this.attributes = this.pick(this.permittedAttributes());
}

}, {
destroyAllExpired: function (options) {
options = this.filterOptions(options, 'destroyAll');
return ghostBookshelf.Collection.forge([], {model: this})
.query('where', 'expires', '<', Date.now())
.fetch()
.then(function (collection) {
collection.invokeThen('destroy', options);
});
}
Accesstoken = Basetoken.extend({
tableName: 'accesstokens'
});

Accesstokens = ghostBookshelf.Collection.extend({
@@ -1,11 +1,16 @@
var ghostBookshelf = require('./base'),

Session,
Sessions;
Basetoken;

Session = ghostBookshelf.Model.extend({
Basetoken = ghostBookshelf.Model.extend({

tableName: 'sessions',
user: function () {
return this.belongsTo('User');
},

client: function () {
return this.belongsTo('Client');
},

// override for base function since we don't have
// a created_by field for sessions
@@ -22,20 +27,15 @@ Session = ghostBookshelf.Model.extend({
}

}, {
destroyAll: function (options) {
destroyAllExpired: function (options) {
options = this.filterOptions(options, 'destroyAll');
return ghostBookshelf.Collection.forge([], {model: this}).fetch()
return ghostBookshelf.Collection.forge([], {model: this})
.query('where', 'expires', '<', Date.now())
.fetch()
.then(function (collection) {
collection.invokeThen('destroy', options);
});
}
});

Sessions = ghostBookshelf.Collection.extend({
model: Session
});

module.exports = {
Session: ghostBookshelf.model('Session', Session),
Sessions: ghostBookshelf.collection('Sessions', Sessions)
};
module.exports = Basetoken;
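Review bot: In `destroyAllExpired` the `.then` callback calls `collection.invokeThen('destroy', options)` without returning it, so the promise handed back to the caller resolves as soon as the fetch completes, before any row is deleted, and a failed destroy becomes an unhandled rejection; change it to `return collection.invokeThen('destroy', options);`. The removed copies in accesstoken.js and refreshtoken.js had the same shape, so this one fix covers all three. The comments `// a created_by field for sessions` and `// a updated_by field for sessions` above `creating` and `saving` (end of the first hunk, continuing outside it) still refer to sessions although the model now backs access and refresh tokens; reword to `// access/refresh tokens have no created_by field` and likewise for `updated_by`. `filterOptions(options, 'destroyAll')` also still uses the old method name as its key, which looks intentional but is worth confirming against `permittedOptions`.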
@@ -11,7 +11,6 @@ models = {
Settings: require('./settings').Settings,
Tag: require('./tag').Tag,
Base: require('./base'),
Session: require('./session').Session,
App: require('./app').App,
AppField: require('./appField').AppField,
AppSetting: require('./appSetting').AppSetting,
@@ -1,44 +1,11 @@
var ghostBookshelf = require('./base'),
var ghostBookshelf = require('./base'),
Basetoken = require('./basetoken'),

Refreshtoken,
Refreshtokens;

Refreshtoken = ghostBookshelf.Model.extend({

tableName: 'refreshtokens',

user: function () {
return this.belongsTo('User');
},

client: function () {
return this.belongsTo('Client');
},

// override for base function since we don't have
// a created_by field for sessions
creating: function (newObj, attr, options) {
/*jshint unused:false*/
},

// override for base function since we don't have
// a updated_by field for sessions
saving: function (newObj, attr, options) {
/*jshint unused:false*/
// Remove any properties which don't belong on the model
this.attributes = this.pick(this.permittedAttributes());
}

}, {
destroyAllExpired: function (options) {
options = this.filterOptions(options, 'destroyAll');
return ghostBookshelf.Collection.forge([], {model: this})
.query('where', 'expires', '<', Date.now())
.fetch()
.then(function (collection) {
collection.invokeThen('destroy', options);
});
}
Refreshtoken = Basetoken.extend({
tableName: 'refreshtokens'
});

Refreshtokens = ghostBookshelf.Collection.extend({
@@ -12,22 +12,12 @@ adminRoutes = function (middleware) {
subdir = config().paths.subdir;

// ### Admin routes
router.get('^/logout/', function redirect(req, res) {
router.get(/^\/(logout|signout)\/$/, function redirect(req, res) {
/*jslint unparam:true*/
res.set({'Cache-Control': 'public, max-age=' + ONE_YEAR_S});
res.redirect(301, subdir + '/ghost/signout/');
});
router.get('^/signout/', function redirect(req, res) {
/*jslint unparam:true*/
res.set({'Cache-Control': 'public, max-age=' + ONE_YEAR_S});
res.redirect(301, subdir + '/ghost/signout/');
});
router.get('^/signin/', function redirect(req, res) {
/*jslint unparam:true*/
res.set({'Cache-Control': 'public, max-age=' + ONE_YEAR_S});
res.redirect(301, subdir + '/ghost/signin/');
});
router.get('^/signup/', function redirect(req, res) {
router.get(/^\/signup\/$/, function redirect(req, res) {
/*jslint unparam:true*/
res.set({'Cache-Control': 'public, max-age=' + ONE_YEAR_S});
res.redirect(301, subdir + '/ghost/signup/');
@@ -36,7 +26,7 @@ adminRoutes = function (middleware) {
router.post('/ghost/upload/', middleware.busboy, admin.upload);

// redirect to /ghost and let that do the authentication to prevent redirects to /ghost//admin etc.
router.get(/^\/((ghost-admin|admin|wp-admin|dashboard|signin)\/?)$/, function (req, res) {
router.get(/^\/((ghost-admin|admin|wp-admin|dashboard|signin|login)\/?)$/, function (req, res) {
/*jslint unparam:true*/
res.redirect(subdir + '/ghost/');
});
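Review bot: The two handlers added in the first hunk (`/^\/(logout|signout)\/$/` and `/^\/signup\/$/`) differ only in the redirect target while repeating the `Cache-Control` header and the 301; a small factory inside `adminRoutes` (it needs the local `subdir`) removes the duplication and gives any future legacy path a one-liner. `adminRoutes` begins before and ends after these hunks.
```javascript
// Each legacy path is a cached permanent redirect into the admin area
function redirectTo(target) {
    return function redirect(req, res) {
        /*jslint unparam:true*/
        res.set({'Cache-Control': 'public, max-age=' + ONE_YEAR_S});
        res.redirect(301, subdir + target);
    };
}

router.get(/^\/(logout|signout)\/$/, redirectTo('/ghost/signout/'));
router.get(/^\/signup\/$/, redirectTo('/ghost/signup/'));
// … unchanged: remaining admin routes …
```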
@@ -1,3 +1,6 @@
var utils,
getRandomInt;

/**
* Return a random int, used by `utils.uid()`
*
@@ -6,11 +9,11 @@
* @return {Number}
* @api private
*/
function getRandomInt(min, max) {
getRandomInt = function (min, max) {
return Math.floor(Math.random() * (max - min + 1)) + min;
}
};

var utils = {
utils = {
/**
* Return a unique identifier with the given `len`.
*
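Review bot: `getRandomInt` still draws from `Math.random()`, which is not a cryptographically secure source; the JSDoc says it feeds `utils.uid()`, so any caller that uses `uid()` to mint the access or refresh tokens this commit introduces would get predictable identifiers (the callers of `uid` are outside this hunk, so please confirm). Node's `crypto.randomBytes` is the stdlib replacement; the rewrite below keeps the `(min, max)` contract and rejection-samples so every value in the range is equally likely. It needs `crypto = require('crypto')` added to the `var utils, getRandomInt;` declaration in the first hunk.
```javascript
getRandomInt = function (min, max) {
    var range = max - min + 1,
        // largest multiple of range below 2^32; draws at or above it are
        // discarded so the modulo below introduces no bias
        limit = Math.floor(0x100000000 / range) * range,
        value;

    do {
        value = crypto.randomBytes(4).readUInt32BE(0);
    } while (value >= limit);

    return min + (value % range);
};
// … unchanged: utils object …
```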
@@ -4,7 +4,6 @@
<head>
<meta http-equiv="Content-Type" content="text/html" charset="UTF-8" />
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1" />
<meta name="csrf-param" content="{{csrfToken}}" />

<title>Ghost Admin</title>
