Added publicAdminApi middleware stack

refs #11083 - the `/api/v2/admin/site/` endpoint is "public" and as such was not using the `authAdminApi` middleware stack so it did not act like other API endpoints with protocol or trailing-slash redirects - adds `publicAdminApi` middleware array and uses it for the `/site/` endpoint in both v2 and canary API versions
TryGhost · Sep 10, 2019 · 58b9aea · 58b9aea
1 parent 7dc38e2
commit 58b9aea
Show file tree

Hide file tree

Showing 4 changed files with 23 additions and 2 deletions.
diff --git a/core/server/web/api/canary/admin/middleware.js b/core/server/web/api/canary/admin/middleware.js
@@ -56,3 +56,13 @@ module.exports.authAdminApi = [
     shared.middlewares.prettyUrls,
     notImplemented
 ];
+
+/**
+ * Middleware for public admin endpoints
+ */
+module.exports.publicAdminApi = [
+    shared.middlewares.api.cors,
+    shared.middlewares.urlRedirects.adminRedirect,
+    shared.middlewares.prettyUrls,
+    notImplemented
+];
diff --git a/core/server/web/api/canary/admin/routes.js b/core/server/web/api/canary/admin/routes.js
@@ -19,7 +19,7 @@ module.exports = function apiRoutes() {
     const http = apiCanary.http;
 
     // ## Public
-    router.get('/site', http(apiCanary.site.read));
+    router.get('/site', mw.publicAdminApi, http(apiCanary.site.read));
 
     // ## Configuration
     router.get('/config', mw.authAdminApi, http(apiCanary.config.read));

diff --git a/core/server/web/api/v2/admin/middleware.js b/core/server/web/api/v2/admin/middleware.js
@@ -55,3 +55,14 @@ module.exports.authAdminApi = [
     shared.middlewares.prettyUrls,
     notImplemented
 ];
+
+/**
+ * Middleware for public admin endpoints
+ */
+module.exports.publicAdminApi = [
+    shared.middlewares.api.cors,
+    shared.middlewares.urlRedirects.adminRedirect,
+    shared.middlewares.prettyUrls,
+    notImplemented
+];
+
diff --git a/core/server/web/api/v2/admin/routes.js b/core/server/web/api/v2/admin/routes.js
@@ -19,7 +19,7 @@ module.exports = function apiRoutes() {
     const http = apiv2.http;
 
     // ## Public
-    router.get('/site', http(apiv2.site.read));
+    router.get('/site', mw.publicAdminApi, http(apiv2.site.read));
 
     // ## Configuration
     router.get('/config', mw.authAdminApi, http(apiv2.config.read));