From 6684ab0b5a0b034693ab3d1833ec9174665c8585 Mon Sep 17 00:00:00 2001
From: shubhsherl
Date: Fri, 14 Jun 2019 18:31:11 +0530
Subject: [PATCH] change auth method
---
 core/server/api/v0.1/authentication.js | 1 -
 core/server/api/v2/session.js | 2 ++
 core/server/api/v2/utils/rc-utils.js | 35 +++++++++++++++++--
 core/server/lib/constants.js | 1 +
 .../services/auth/session/middleware.js | 34 ++++++++++++++----
 5 files changed, 64 insertions(+), 9 deletions(-)
diff --git a/core/server/api/v0.1/authentication.js b/core/server/api/v0.1/authentication.js
index 0009bff8ba4..8ee6fb3417b 100644
--- a/core/server/api/v0.1/authentication.js
+++ b/core/server/api/v0.1/authentication.js
@@ -489,7 +489,6 @@ authentication = {
 function processInvitation(invitation) {
 const data = invitation.user[0];
- console.log(data);
 return rcUtils.getUser(rc_uid, rc_token, data.rc_username)
 .then((user) => {
 if (user.success && user.user) {
diff --git a/core/server/api/v2/session.js b/core/server/api/v2/session.js
index 18167e950eb..04b5cb5a0d9 100644
--- a/core/server/api/v2/session.js
+++ b/core/server/api/v2/session.js
@@ -14,6 +14,7 @@ const session = {
 */
 return models.User.findOne({id: options.context.user});
 },
+
 add(object) {
 if (!object || !object.rc_id || !object.rc_token) {
 return Promise.reject(new common.errors.UnauthorizedError({
@@ -53,6 +54,7 @@ const session = {
 });
 });
 },
+
 delete() {
 return Promise.resolve((req, res, next) => {
 auth.session.destroySession(req, res, next);
diff --git a/core/server/api/v2/utils/rc-utils.js b/core/server/api/v2/utils/rc-utils.js
index 9c15c68e7f2..5acff7ff422 100644
--- a/core/server/api/v2/utils/rc-utils.js
+++ b/core/server/api/v2/utils/rc-utils.js
@@ -1,5 +1,8 @@
 const Promise = require('bluebird');
 const request = require('request');
+const { forEach } = require('lodash');
+const models = require('../../../models');
+const auth = require('../../../services/auth');
 const settingsCache = require('../../../services/settings/cache');
 const common = require('../../../lib/common');
@@ -8,9 +11,7 @@ function getRCUrl() {
 }
 function buildMeUrl(url = null) {
- console.log('hrere');
 const base = url || getRCUrl();
- console.log(base);
 return base + '/api/v1/me';
 }
@@ -25,6 +26,17 @@ function getHeader(id, token) {
 };
 }
+function getIdToken(req) {
+ let id, token;
+ forEach(req.headers.cookie.split(';'), (v) => {
+ if (v.includes('rc_uid'))
+ id = v.split('=')[1];
+ if (v.includes('rc_token'))
+ token = v.split('=')[1];
+ });
+ return { id, token };
+}
+
 module.exports = {
 checkAdmin(url, id, token) {
 let user;
@@ -108,5 +120,24 @@ module.exports = {
 resolve(user);
 });
 });
+ },
+
+ createSession(req) {
+ const { id, token } = getIdToken(req);
+ if (!id || !token)
+ return req;
+ return models.User.findOne({ rc_id: id }).then((user) => {
+ if (!user) {
+ return req;
+ }
+ return this.getMe(id, token)
+ .then((u) => {
+ if (!u.success) {
+ return req;
+ }
+ req.user = user;
+ return req;
+ });
+ });
 }
 };
diff --git a/core/server/lib/constants.js b/core/server/lib/constants.js
index 28a5912180f..bd45920cf27 100644
--- a/core/server/lib/constants.js
+++ b/core/server/lib/constants.js
@@ -9,6 +9,7 @@ module.exports = {
 ONE_DAY_MS: 86400000,
 ONE_WEEK_MS: 604800000,
 ONE_MONTH_MS: 2628000000,
+ THREE_MONTH_MS: 7795200000,
 SIX_MONTH_MS: 15768000000,
 ONE_YEAR_MS: 31536000000
 };
diff --git a/core/server/services/auth/session/middleware.js b/core/server/services/auth/session/middleware.js
index e702122d371..34f347ec967 100644
--- a/core/server/services/auth/session/middleware.js
+++ b/core/server/services/auth/session/middleware.js
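Review bot: `auth` is required here but nothing in the new code of this file uses it — `createSession` needs only `models` and `this.getMe` — so `const auth = require('../../../services/auth');` looks like a leftover and should be dropped unless a hunk not shown depends on it. It also creates a require cycle: this file pulls in `services/auth`, while `services/auth/session/middleware.js` now requires this file; whether `services/auth/index.js` loads the session middleware eagerly is not visible here, but if it does, one side will observe a partially initialised `module.exports` at load time. `const { forEach } = require('lodash');` serves a single cookie loop that a plain `for...of` covers, so that import is optional too.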
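Review bot: `req.headers.cookie.split(';')` throws a TypeError when the request carries no `Cookie` header at all, and `createSession` is invoked for every request without a Ghost session, so a cookieless request to a route behind `authenticate` fails instead of being treated as anonymous. The match is also a substring test — `v.includes('rc_uid')` picks up any cookie whose name or value merely contains that text — and `v.split('=')[1]` truncates a value at its second `=`, which matters if the RC token can contain padding characters (not established here). Parsing each cookie as trimmed name / first-`=` value with an exact name comparison avoids both problems; a one-line comment noting that these are Rocket.Chat credentials taken from the browser's cookies and verified later by `getMe` would also help the next reader.
```javascript
function getIdToken(req) {
    let id, token;
    // Rocket.Chat credentials arrive as browser cookies; they are verified against RC by getMe.
    for (const part of (req.headers.cookie || '').split(';')) {
        const eq = part.indexOf('=');
        if (eq === -1) {
            continue;
        }
        const name = part.slice(0, eq).trim();
        const value = part.slice(eq + 1).trim();
        if (name === 'rc_uid') {
            id = value;
        } else if (name === 'rc_token') {
            token = value;
        }
    }
    return { id, token };
}
```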
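Review bot: `createSession` does not always return a Promise: on the `if (!id || !token) return req;` path it hands back `req` itself, so the caller added in middleware.js by this same patch, `rcUtils.createSession(req).then(...)`, throws `TypeError: .then is not a function` for every request that lacks Rocket.Chat cookies; make it `return Promise.resolve(req);`. A rejection from `models.User.findOne` or `this.getMe` (for example the RC server being unreachable) is also not handled here, so callers must attach a `.catch` or the request hangs. The code relies on `u.success` meaning the cookie-supplied token belongs to the cookie-supplied `id`; that is plausible given `getHeader(id, token)` sends both, but it is not established in this hunk, so a comment such as `// RC checks that the token belongs to this user id; success means the pair is genuine` would document the trust boundary. Note also that `this.getMe` only resolves correctly when the function is called as `rcUtils.createSession(...)`, which the middleware does, but a bare reference would break it.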
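Review bot: `THREE_MONTH_MS: 7795200000` is inconsistent with the neighbouring constants: `ONE_MONTH_MS` is `2628000000`, so three of them (and half of `SIX_MONTH_MS`) is `7884000000`, while `7795200000` is roughly 90.2 days and matches neither 3 × ONE_MONTH nor 90 × ONE_DAY (`7776000000`). Use `THREE_MONTH_MS: 7884000000,` unless the value is intentional, in which case a comment explaining its derivation is needed.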
@@ -3,6 +3,7 @@ const session = require('express-session');
 const common = require('../../../lib/common');
 const constants = require('../../../lib/constants');
 const config = require('../../../config');
+const rcUtils = require('../../../api/v2/utils/rc-utils');
 const settingsCache = require('../../settings/cache');
 const models = require('../../../models');
 const SessionStore = require('./store');
@@ -37,9 +38,9 @@ const getSession = (req, res, next) => {
 saveUninitialized: false,
 name: 'ghost-admin-api-session',
 cookie: {
- maxAge: constants.SIX_MONTH_MS,
- httpOnly: true,
- path: urlService.utils.getSubdir() + '/ghost',
+ maxAge: constants.THREE_MONTH_MS,
+ httpOnly: false,
+ path: urlService.utils.getSubdir() + '/',
 sameSite: 'lax',
 secure: urlService.utils.isSSL(config.get('url'))
 }
@@ -85,10 +86,11 @@ const cookieCsrfProtection = (req) => {
 const origin = getOrigin(req);
- if (req.session.origin !== origin) {
+ // Check the origin allow Ghost and RC server_url
+ if (req.session.origin !== origin && settingsCache.get('server_url') !== origin) {
 throw new common.errors.BadRequestError({
 message: common.i18n.t('errors.middleware.auth.mismatchedOrigin', {
- expected: req.session.origin,
+ expected: req.session.origin + ' OR ' + settingsCache.get('server_url'),
 actual: origin
 })
 });
@@ -116,7 +118,27 @@ const authenticate = (req, res, next) => {
 if (!req.session || !req.session.user_id) {
 req.user = null;
- return next();
+ return rcUtils.createSession(req)
+ .then((req) => {
+ if(req.user) {
+ getSession(req, res, function (err) {
+ if (err) {
+ return next(err);
+ }
+ const origin = getOrigin(req);
+ if (!origin) {
+ return next(new common.errors.BadRequestError({
+ message: common.i18n.t('errors.middleware.auth.unknownOrigin')
+ }));
+ }
+ req.session.user_id = req.user.id;
+ req.session.origin = origin;
+ req.session.user_agent = req.get('user-agent');
+ req.session.ip = req.ip;
+ });
+ }
+ return next();
+ });
 }
 models.User.findOne({id: req.session.user_id})
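Review bot: `httpOnly: false` makes the Ghost admin session cookie (`ghost-admin-api-session`) readable from JavaScript, and `path: urlService.utils.getSubdir() + '/'` sends it on every request to the site rather than only under `/ghost`; together that lets any script running on the public frontend — a theme, an embedded widget, or an XSS — read the admin session and replay it, which the previous `httpOnly: true` / `/ghost` scoping prevented. Nothing in this patch reads the cookie from client-side code, so unless there is a confirmed consumer, restore `httpOnly: true,` and keep `path: urlService.utils.getSubdir() + '/ghost',`; if Rocket.Chat genuinely needs Ghost's session, share it server-side rather than by exposing the cookie to scripts. The `maxAge` change to `THREE_MONTH_MS` is harmless on its own, but a short comment on why the lifetime was shortened would help. `getSession` begins before this hunk and continues after it.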
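Review bot: the widened condition lets any page served from the configured Rocket.Chat `server_url` make state-changing admin API calls with this session; that is the intended integration, but the comparison is a raw string match, and `settingsCache.get('server_url')` is operator configuration that may carry a trailing slash or path, whereas `getOrigin(req)` (defined outside this hunk) presumably yields `scheme://host[:port]`, so the check could silently never match — normalise with `new URL(settingsCache.get('server_url')).origin` (guarding an unset value) before comparing. Prefer also not to echo configuration back to an unauthenticated caller: `expected: req.session.origin + ' OR ' + settingsCache.get('server_url'),` leaks the internal RC URL, and the `mismatchedOrigin` message already conveys the point. The added comment reads awkwardly; `// Accept the session's own origin or the configured Rocket.Chat server_url` is clearer. `cookieCsrfProtection` starts before this hunk.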
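Review bot: `return next();` runs synchronously after `getSession(req, res, cb)` instead of inside its callback, so the request proceeds before the session exists and `req.session.user_id` is set, and on the `err` and `unknownOrigin` paths `next` is called twice — once with the error inside the callback and once unconditionally after it. The chain has no `.catch`, so a rejection from `createSession` (for example the RC server being unreachable) leaves the request hanging; append `.catch(next)`. The `.then((req) => {` parameter shadows the outer `req` for no benefit and `if(req.user)` lacks the space the rest of the file uses. The corrected control flow is sketched below; `authenticate` continues past this hunk.
```javascript
        return rcUtils.createSession(req)
            .then(() => {
                if (!req.user) {
                    return next();
                }
                getSession(req, res, function (err) {
                    // … unchanged: err / unknownOrigin handling and session field assignments …
                    req.session.ip = req.ip;
                    return next();
                });
            })
            .catch(next);
```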