change auth method

shubhsherl · Jun 14, 2019 · 6684ab0 · 6684ab0
1 parent f436db5
commit 6684ab0
Show file tree

Hide file tree

Showing 5 changed files with 64 additions and 9 deletions.
diff --git a/core/server/api/v0.1/authentication.js b/core/server/api/v0.1/authentication.js
@@ -489,7 +489,6 @@ authentication = {
 
         function processInvitation(invitation) {
             const data = invitation.user[0];
-            console.log(data);
             return rcUtils.getUser(rc_uid, rc_token, data.rc_username)
                 .then((user) => {
                     if (user.success && user.user) {

diff --git a/core/server/api/v2/session.js b/core/server/api/v2/session.js
@@ -14,6 +14,7 @@ const session = {
          */
         return models.User.findOne({id: options.context.user});
     },
+
     add(object) {
         if (!object || !object.rc_id || !object.rc_token) {
             return Promise.reject(new common.errors.UnauthorizedError({
@@ -53,6 +54,7 @@ const session = {
             });
         });
     },
+
     delete() {
         return Promise.resolve((req, res, next) => {
             auth.session.destroySession(req, res, next);

diff --git a/core/server/api/v2/utils/rc-utils.js b/core/server/api/v2/utils/rc-utils.js
@@ -1,5 +1,8 @@
 const Promise = require('bluebird');
 const request = require('request');
+const { forEach } = require('lodash');
+const models = require('../../../models');
+const auth = require('../../../services/auth');
 const settingsCache = require('../../../services/settings/cache');
 const common = require('../../../lib/common');
 
@@ -8,9 +11,7 @@ function getRCUrl() {
 }
 
 function buildMeUrl(url = null) {
-    console.log('hrere');
     const base = url || getRCUrl();
-    console.log(base);
     return base + '/api/v1/me';
 }
 
@@ -25,6 +26,17 @@ function getHeader(id, token) {
     };
 }
 
+function getIdToken(req) {
+    let id, token;
+    forEach(req.headers.cookie.split(';'), (v) => {
+        if (v.includes('rc_uid'))
+            id = v.split('=')[1];
+        if (v.includes('rc_token'))
+            token = v.split('=')[1];
+    });
+    return { id, token };
+}
+
 module.exports = {
     checkAdmin(url, id, token) {
         let user;
@@ -108,5 +120,24 @@ module.exports = {
                 resolve(user);
             });
         });
+    },
+
+    createSession(req) {
+        const { id, token } = getIdToken(req);
+        if (!id || !token)
+            return req;
+        return models.User.findOne({ rc_id: id }).then((user) => {
+            if (!user) {
+                return req;
+            }
+            return this.getMe(id, token)
+                .then((u) => {
+                    if (!u.success) {
+                        return req;
+                    }
+                    req.user = user;
+                    return req;
+                });
+        });
     }
 };
diff --git a/core/server/lib/constants.js b/core/server/lib/constants.js
@@ -9,6 +9,7 @@ module.exports = {
     ONE_DAY_MS: 86400000,
     ONE_WEEK_MS: 604800000,
     ONE_MONTH_MS: 2628000000,
+    THREE_MONTH_MS: 7795200000,
     SIX_MONTH_MS: 15768000000,
     ONE_YEAR_MS: 31536000000
 };
diff --git a/core/server/services/auth/session/middleware.js b/core/server/services/auth/session/middleware.js
@@ -3,6 +3,7 @@ const session = require('express-session');
 const common = require('../../../lib/common');
 const constants = require('../../../lib/constants');
 const config = require('../../../config');
+const rcUtils = require('../../../api/v2/utils/rc-utils');
 const settingsCache = require('../../settings/cache');
 const models = require('../../../models');
 const SessionStore = require('./store');
@@ -37,9 +38,9 @@ const getSession = (req, res, next) => {
             saveUninitialized: false,
             name: 'ghost-admin-api-session',
             cookie: {
-                maxAge: constants.SIX_MONTH_MS,
-                httpOnly: true,
-                path: urlService.utils.getSubdir() + '/ghost',
+                maxAge: constants.THREE_MONTH_MS,
+                httpOnly: false,
+                path: urlService.utils.getSubdir() + '/',
                 sameSite: 'lax',
                 secure: urlService.utils.isSSL(config.get('url'))
             }
@@ -85,10 +86,11 @@ const cookieCsrfProtection = (req) => {
 
     const origin = getOrigin(req);
 
-    if (req.session.origin !== origin) {
+    // Check the origin allow Ghost and RC server_url
+    if (req.session.origin !== origin && settingsCache.get('server_url') !== origin) {
         throw new common.errors.BadRequestError({
             message: common.i18n.t('errors.middleware.auth.mismatchedOrigin', {
-                expected: req.session.origin,
+                expected: req.session.origin + ' OR ' + settingsCache.get('server_url'),
                 actual: origin
             })
         });
@@ -116,7 +118,27 @@ const authenticate = (req, res, next) => {
 
         if (!req.session || !req.session.user_id) {
             req.user = null;
-            return next();
+            return rcUtils.createSession(req)
+                .then((req) => {
+                    if(req.user) {
+                        getSession(req, res, function (err) {
+                            if (err) {
+                                return next(err);
+                            }
+                            const origin = getOrigin(req);
+                            if (!origin) {
+                                return next(new common.errors.BadRequestError({
+                                    message: common.i18n.t('errors.middleware.auth.unknownOrigin')
+                                }));
+                            }
+                            req.session.user_id = req.user.id;
+                            req.session.origin = origin;
+                            req.session.user_agent = req.get('user-agent');
+                            req.session.ip = req.ip;
+                        });
+                    }
+                    return next();
+                });
         }
 
         models.User.findOne({id: req.session.user_id})