-
-
Notifications
You must be signed in to change notification settings - Fork 10.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Session based auth #9867
Session based auth #9867
Conversation
package.json
Outdated
@@ -1,6 +1,6 @@ | |||
{ | |||
"name": "ghost", | |||
"version": "2.1.1", | |||
"version": "2.2.0", |
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
}, | ||
|
||
authorizeAdminAPI: [function (req, res, next) { | ||
next(); |
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
req.user = user; | ||
next(); | ||
}).catch(() => { | ||
next(new UnauthorizedError('No user found')); |
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
.gitignore
Outdated
@@ -76,3 +76,5 @@ CHANGELOG.md | |||
|
|||
# Coverage reports | |||
coverage.html | |||
|
|||
cookies.txt |
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
core/server/web/api/routes.js
Outdated
@@ -168,6 +168,12 @@ module.exports = function apiRoutes() { | |||
apiRouter.put('/authentication/setup', mw.authenticatePrivate, api.http(api.authentication.updateSetup)); | |||
apiRouter.get('/authentication/setup', api.http(api.authentication.isSetup)); | |||
|
|||
apiRouter.post('/session', auth.session.getSession, auth.session.createSession); |
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
delete-session.sh
Outdated
@@ -0,0 +1,3 @@ | |||
#!/bin/sh |
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
get-session.sh
Outdated
@@ -0,0 +1,5 @@ | |||
#!/bin/sh |
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
post-session.sh
Outdated
@@ -0,0 +1,5 @@ | |||
#!/bin/sh |
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
Added comments to files that are only there for allowing CI tests to pass or for local testing to happen. They'll be deleted before squashing when this gets merged |
debed2f
to
5520d36
Compare
5520d36
to
4774872
Compare
@allouis Is this PR revieable? 🤔 Doesn't use the WIP keyword. |
4774872
to
f17ccbe
Compare
@kirrg001 Yup. Future changes will happen in separate PR's |
3f977a5
to
b846894
Compare
deletedMessage = 'Deleted Settings Key `session-secret`.'; | ||
|
||
module.exports.up = () => { | ||
return models.Settings.findOne({key: 'session-secret'}) |
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
core/server/data/schema/schema.js
Outdated
@@ -300,5 +300,12 @@ module.exports = { | |||
created_by: {type: 'string', maxlength: 24, nullable: false}, | |||
updated_at: {type: 'dateTime', nullable: true}, | |||
updated_by: {type: 'string', maxlength: 24, nullable: true} | |||
}, | |||
sessions: { | |||
id: {type: 'string', maxlength: 32, nullable: false, primary: true}, |
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
core/server/data/schema/schema.js
Outdated
sessions: { | ||
id: {type: 'string', maxlength: 32, nullable: false, primary: true}, | ||
user_id: {type: 'string', maxlength: 24, nullable: false}, | ||
session_data: {type: 'text', maxlength: 2000, nullable: false}, |
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Lots of style issues and some comments.
@@ -0,0 +1,35 @@ | |||
var common = require('../../../../lib/common'), |
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
message2 = 'Dropping table: ' + table; | ||
|
||
module.exports.up = function addSessionsTable(options) { | ||
let connection = options.connection; |
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
}; | ||
|
||
module.exports.down = function removeSessionsTable(options) { | ||
let connection = options.connection; |
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
@@ -19,7 +19,7 @@ var should = require('should'), | |||
*/ | |||
describe('DB version integrity', function () { | |||
// Only these variables should need updating | |||
var currentSchemaHash = '22d24b1de23d118b90e9547fefae5ad7', | |||
var currentSchemaHash = 'd40f0e1f36c3d2f73852f60323cfa09c', |
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
core/server/models/session.js
Outdated
@@ -0,0 +1,39 @@ | |||
const ghostBookshelf = require('./base'); | |||
|
|||
let Session, |
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
@@ -0,0 +1,255 @@ | |||
const SessionStore = require('../../../../../server/services/auth/session/store'), |
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
@@ -2,6 +2,7 @@ var passport = require('passport'), | |||
authUtils = require('./utils'), | |||
models = require('../../models'), | |||
common = require('../../lib/common'), | |||
session = require('./session'), |
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
@@ -1,4 +1,5 @@ | |||
var labs = require('../labs'), | |||
session = require('./session'), |
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
core/server/services/auth/auth.js
Outdated
@@ -0,0 +1,5 @@ | |||
const authenticate = require('./authenticate'), |
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
// ## Sessions | ||
// Only need to `getSession` here because this is only route they don't | ||
// have to be authenticated for. | ||
router.post('/session', auth.session.getSession, auth.session.createSession); |
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
core/server/services/auth/auth.js
Outdated
authorize = require('./authorize'); | ||
|
||
module.exports.contentAPI = [authenticate.authenticateContentAPI, authorize.authorizeContentAPI]; | ||
module.exports.adminAPI = [authenticate.authenticateAdminAPI, authorize.authorizeAdminAPI]; |
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
core/server/services/auth/index.js
Outdated
oauth = require('./oauth'); | ||
|
||
/* TODO: Remove when v0.1 is dropped */ |
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
@@ -0,0 +1,255 @@ | |||
const SessionStore = require('../../../../../server/services/auth/session/store'), |
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
This reverts commit 1bd8a10.
refs #9865 This is to ensure that if a controller returns a function, it will always get called regardless of method. Also cleaned up top level const usage
refs #9865 This is so we can use the service inside of a controller, and handle as much as possible in the controller, leaving only session specific stuff up to this service.
refs #9865 Note that this controller is the singular, that's because we plan to make a session resource controller to be used with /sessions, wheras this is on /session
This reverts commit b171248.
This reverts commit 4bd5151.
refs #9865 Updates the function signature to look like other db methods for consistency
refs #9865 this keeps model logic in tha model
let UNO_SESSIONIONA; | ||
const getSession = (req, res, next) => { | ||
if (!UNO_SESSIONIONA) { | ||
UNO_SESSIONIONA = session({ |
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
closing this in favour of smaller PRs 👍 |
This is the session side of #9865
This adds a "session auth" service, which exposes some middleware to be used by the admin api.
getSession
- populatesreq.session
cookieCsrfProtection
- makes sure request is made from same origin session was createdsafeGetSession
- the above two mixed togethergetUser
- populatesreq.user
based onreq.session.user_id
ensureUser
- responds with 401 if the user is missingcreateSession
- accepts user credentials and creates a user session (login)destroySession
- deletes the current session (logout)