tqt
/
Ghost
mirror of https://github.com/TryGhost/Ghost.git
2
1
Fork 0
Code Issues 1 Releases Wiki Activity
Ghost/core/server/api/authentication.js

249 lines
10 KiB
JavaScript
Raw Normal View History

Move setup to API closes #3136 - moved setup to authentication API - added `POST /ghost/api/v0.1/authentication/setup` to execute the setup process - added `GET /ghost/api/v0.1/authentication/setup` to check if blog is already set up (needed for #3145) - removed unused methods from api/users.js
2014-07-11 14:17:09 +02:00
var _ = require('lodash'),
dataProvider = require('../models'),
User API changes closes #2822 - added destroy user method - added remove user permission - added API end point for get reset token - added API end point for reset password - added API end point for change password
2014-06-20 11:15:01 +02:00
settings = require('./settings'),
mail = require('./mail'),
utils = require('./utils'),
when = require('when'),
errors = require('../errors'),
config = require('../config'),
Invite user API closes #3080 - added users.invite() to add user from email with random password - added `GET /ghost/api/v0.1/users/` to invite users and resend invitations - removed one user limit - added global utils for uid generation - changed some „“ to ‚‘
2014-07-02 16:22:18 +02:00
ONE_DAY = 60 * 60 * 24 * 1000,
User API changes closes #2822 - added destroy user method - added remove user permission - added API end point for get reset token - added API end point for reset password - added API end point for change password
2014-06-20 11:15:01 +02:00
authentication;
/**
* ## Authentication API Methods
*
* **See:** [API Methods](index.js.html#api%20methods)
*/
authentication = {
/**
* ## Generate Reset Token
* generate a reset token for a given email address
* @param {{passwordreset}}
* @returns {Promise(passwordreset)} message
*/
generateResetToken: function generateResetToken(object) {
var expires = Date.now() + ONE_DAY,
email;
Invite user API closes #3080 - added users.invite() to add user from email with random password - added `GET /ghost/api/v0.1/users/` to invite users and resend invitations - removed one user limit - added global utils for uid generation - changed some „“ to ‚‘
2014-07-02 16:22:18 +02:00
Check setup status when making API responses Closes #3303, Closes #3299 - Check whether or not setup has been completed when deciding how to respond to certain API requests. - Add tests.
2014-07-18 22:40:47 +02:00
return authentication.isSetup().then(function (result) {
var setup = result.setup[0].status;
if (!setup) {
return when.reject(new errors.NoPermissionError('Setup must be completed before making this request.'));
}
return utils.checkObject(object, 'passwordreset');
}).then(function (checkedPasswordReset) {
User API changes closes #2822 - added destroy user method - added remove user permission - added API end point for get reset token - added API end point for reset password - added API end point for change password
2014-06-20 11:15:01 +02:00
if (checkedPasswordReset.passwordreset[0].email) {
email = checkedPasswordReset.passwordreset[0].email;
} else {
return when.reject(new errors.BadRequestError('No email provided.'));
}
Made ember version of reset password work Closes #2843 * Implemnted the ember validator correctly for both reset request and actual reset (with the token) * added reset validator * changed the request route addresses to be `/authentication/passwordreset` * changed the format of data to be `{ thing: [ {data } ] }` Missing: * notifications * tests for these use cases
2014-06-27 21:08:16 +02:00
User API changes closes #2822 - added destroy user method - added remove user permission - added API end point for get reset token - added API end point for reset password - added API end point for change password
2014-06-20 11:15:01 +02:00
return settings.read({context: {internal: true}, key: 'dbHash'}).then(function (response) {
var dbHash = response.settings[0].value;
Invite user API closes #3080 - added users.invite() to add user from email with random password - added `GET /ghost/api/v0.1/users/` to invite users and resend invitations - removed one user limit - added global utils for uid generation - changed some „“ to ‚‘
2014-07-02 16:22:18 +02:00
return dataProvider.User.generateResetToken(email, expires, dbHash);
}).then(function (resetToken) {
This aims to speed up both the ghost application and tests by migration from usage of config() to just an object of config. no relevant issue - Change 'loadConfig' task to 'ensureConfig' to more accurately reflect what it is actually doing. Its sole purpose is to make sure a `config.js` file exists, and as such the name now reflects that purpose. - Update config/index.js to export the ghostConfig object directly so that it can be accessed from other modules - Update all references of config(). to config. This was a blind global find all and replace, treat it as such. - Fixes to tests to support new config access method - Allow each test to still work when invoked invidually
2014-07-17 16:33:21 +02:00
var baseUrl = config.forceAdminSSL ? (config.urlSSL || config.url) : config.url,
Invite user API closes #3080 - added users.invite() to add user from email with random password - added `GET /ghost/api/v0.1/users/` to invite users and resend invitations - removed one user limit - added global utils for uid generation - changed some „“ to ‚‘
2014-07-02 16:22:18 +02:00
siteLink = '<a href="' + baseUrl + '">' + baseUrl + '</a>',
resetUrl = baseUrl.replace(/\/$/, '') + '/ghost/reset/' + resetToken + '/',
resetLink = '<a href="' + resetUrl + '">' + resetUrl + '</a>',
payload = {
mail: [{
message: {
to: email,
subject: 'Reset Password',
html: '<p><strong>Hello!</strong></p>' +
'<p>A request has been made to reset the password on the site ' + siteLink + '.</p>' +
'<p>Please follow the link below to reset your password:<br><br>' + resetLink + '</p>' +
'<p>Ghost</p>'
},
options: {}
}]
};
User API changes closes #2822 - added destroy user method - added remove user permission - added API end point for get reset token - added API end point for reset password - added API end point for change password
2014-06-20 11:15:01 +02:00
Wire permmissions for notifications, mail and tags closes #2739 - wraps the api endpoints for mail, notifications, and tags in a canThis check - add internal context to internal calls - updates tests
2014-07-17 10:48:39 +02:00
return mail.send(payload, {context: {internal: true}});
Invite user API closes #3080 - added users.invite() to add user from email with random password - added `GET /ghost/api/v0.1/users/` to invite users and resend invitations - removed one user limit - added global utils for uid generation - changed some „“ to ‚‘
2014-07-02 16:22:18 +02:00
}).then(function () {
return when.resolve({passwordreset: [{message: 'Check your email for further instructions.'}]});
}).otherwise(function (error) {
// TODO: This is kind of sketchy, depends on magic string error.message from Bookshelf.
if (error && error.message === 'NotFound') {
error = new errors.UnauthorizedError('Invalid email address');
}
Check setup status when making API responses Closes #3303, Closes #3299 - Check whether or not setup has been completed when deciding how to respond to certain API requests. - Add tests.
2014-07-18 22:40:47 +02:00
Invite user API closes #3080 - added users.invite() to add user from email with random password - added `GET /ghost/api/v0.1/users/` to invite users and resend invitations - removed one user limit - added global utils for uid generation - changed some „“ to ‚‘
2014-07-02 16:22:18 +02:00
return when.reject(error);
User API changes closes #2822 - added destroy user method - added remove user permission - added API end point for get reset token - added API end point for reset password - added API end point for change password
2014-06-20 11:15:01 +02:00
});
});
},
/**
* ## Reset Password
* reset password if a valid token and password (2x) is passed
* @param {{passwordreset}}
* @returns {Promise(passwordreset)} message
*/
resetPassword: function resetPassword(object) {
var resetToken,
newPassword,
ne2Password;
Check setup status when making API responses Closes #3303, Closes #3299 - Check whether or not setup has been completed when deciding how to respond to certain API requests. - Add tests.
2014-07-18 22:40:47 +02:00
return authentication.isSetup().then(function (result) {
var setup = result.setup[0].status;
if (!setup) {
return when.reject(new errors.NoPermissionError('Setup must be completed before making this request.'));
}
return utils.checkObject(object, 'passwordreset');
}).then(function (checkedPasswordReset) {
User API changes closes #2822 - added destroy user method - added remove user permission - added API end point for get reset token - added API end point for reset password - added API end point for change password
2014-06-20 11:15:01 +02:00
resetToken = checkedPasswordReset.passwordreset[0].token;
newPassword = checkedPasswordReset.passwordreset[0].newPassword;
ne2Password = checkedPasswordReset.passwordreset[0].ne2Password;
return settings.read({context: {internal: true}, key: 'dbHash'}).then(function (response) {
var dbHash = response.settings[0].value;
return dataProvider.User.resetPassword(resetToken, newPassword, ne2Password, dbHash);
}).then(function () {
return when.resolve({passwordreset: [{message: 'Password changed successfully.'}]});
}).otherwise(function (error) {
return when.reject(new errors.UnauthorizedError(error.message));
});
});
Allow user to accept invitation closes #3081 - added route `/ghost/api/v0.1/authentication/invitation` - added accept invitation - added signup with token - removed check() from users api - fixed promise in resetPassword()
2014-07-03 17:06:07 +02:00
},
/**
* ### Accept Invitation
* @param {User} object the user to create
* @returns {Promise(User}} Newly created user
*/
acceptInvitation: function acceptInvitation(object) {
var resetToken,
newPassword,
ne2Password,
name,
email;
Check setup status when making API responses Closes #3303, Closes #3299 - Check whether or not setup has been completed when deciding how to respond to certain API requests. - Add tests.
2014-07-18 22:40:47 +02:00
return authentication.isSetup().then(function (result) {
var setup = result.setup[0].status;
if (!setup) {
return when.reject(new errors.NoPermissionError('Setup must be completed before making this request.'));
}
return utils.checkObject(object, 'invitation');
}).then(function (checkedInvitation) {
Allow user to accept invitation closes #3081 - added route `/ghost/api/v0.1/authentication/invitation` - added accept invitation - added signup with token - removed check() from users api - fixed promise in resetPassword()
2014-07-03 17:06:07 +02:00
resetToken = checkedInvitation.invitation[0].token;
newPassword = checkedInvitation.invitation[0].password;
ne2Password = checkedInvitation.invitation[0].password;
email = checkedInvitation.invitation[0].email;
name = checkedInvitation.invitation[0].name;
return settings.read({context: {internal: true}, key: 'dbHash'}).then(function (response) {
var dbHash = response.settings[0].value;
return dataProvider.User.resetPassword(resetToken, newPassword, ne2Password, dbHash);
}).then(function (user) {
return dataProvider.User.edit({name: name, email: email}, {id: user.id});
}).then(function () {
return when.resolve({invitation: [{message: 'Invitation accepted.'}]});
}).otherwise(function (error) {
return when.reject(new errors.UnauthorizedError(error.message));
});
});
Move setup to API closes #3136 - moved setup to authentication API - added `POST /ghost/api/v0.1/authentication/setup` to execute the setup process - added `GET /ghost/api/v0.1/authentication/setup` to check if blog is already set up (needed for #3145) - removed unused methods from api/users.js
2014-07-11 14:17:09 +02:00
},
isSetup: function () {
Fix tests failing because of spam protection closes #3128 (now really) - added express variable disableLoginLimiter - added disableLoginLimiter to all tests that use Ghost as module and do authentication - fixed isSetup not working for status other than active - removed ‚Ensure a User is Registered‘ test as this is covered by the new setup test
2014-07-17 14:22:32 +02:00
return dataProvider.User.query(function (qb) {
qb.where('status', '=', 'active')
.orWhere('status', '=', 'warn-1')
.orWhere('status', '=', 'warn-2')
.orWhere('status', '=', 'warn-3')
.orWhere('status', '=', 'warn-4')
.orWhere('status', '=', 'locked');
}).fetch().then(function (users) {
if (users) {
Move setup to API closes #3136 - moved setup to authentication API - added `POST /ghost/api/v0.1/authentication/setup` to execute the setup process - added `GET /ghost/api/v0.1/authentication/setup` to check if blog is already set up (needed for #3145) - removed unused methods from api/users.js
2014-07-11 14:17:09 +02:00
return when.resolve({ setup: [{status: true}]});
} else {
return when.resolve({ setup: [{status: false}]});
}
});
},
setup: function (object) {
Extending context concept to models fixes #3275, fixes #3290, ref #3086, ref #3084 - Ensure that we use the current logged in user and not just user 1 when - removing hard coded user: 1 except where absolutely necessary - passing context, rather than user to models - base model has a new function to determine what id to use for created_by etc
2014-07-15 13:03:12 +02:00
var setupUser,
internal = {context: {internal: true}};
Move setup to API closes #3136 - moved setup to authentication API - added `POST /ghost/api/v0.1/authentication/setup` to execute the setup process - added `GET /ghost/api/v0.1/authentication/setup` to check if blog is already set up (needed for #3145) - removed unused methods from api/users.js
2014-07-11 14:17:09 +02:00
Check setup status when making API responses Closes #3303, Closes #3299 - Check whether or not setup has been completed when deciding how to respond to certain API requests. - Add tests.
2014-07-18 22:40:47 +02:00
return authentication.isSetup().then(function (result) {
var setup = result.setup[0].status;
if (setup) {
return when.reject(new errors.NoPermissionError('Setup has already been completed.'));
}
return utils.checkObject(object, 'setup');
}).then(function (checkedSetupData) {
Move setup to API closes #3136 - moved setup to authentication API - added `POST /ghost/api/v0.1/authentication/setup` to execute the setup process - added `GET /ghost/api/v0.1/authentication/setup` to check if blog is already set up (needed for #3145) - removed unused methods from api/users.js
2014-07-11 14:17:09 +02:00
setupUser = {
name: checkedSetupData.setup[0].name,
email: checkedSetupData.setup[0].email,
password: checkedSetupData.setup[0].password,
blogTitle: checkedSetupData.setup[0].blogTitle,
status: 'active'
};
Extending context concept to models fixes #3275, fixes #3290, ref #3086, ref #3084 - Ensure that we use the current logged in user and not just user 1 when - removing hard coded user: 1 except where absolutely necessary - passing context, rather than user to models - base model has a new function to determine what id to use for created_by etc
2014-07-15 13:03:12 +02:00
return dataProvider.User.findOne({role: 'Owner'});
}).then(function (ownerUser) {
if (ownerUser) {
return dataProvider.User.setup(setupUser, _.extend(internal, {id: ownerUser.id}));
Move setup to API closes #3136 - moved setup to authentication API - added `POST /ghost/api/v0.1/authentication/setup` to execute the setup process - added `GET /ghost/api/v0.1/authentication/setup` to check if blog is already set up (needed for #3145) - removed unused methods from api/users.js
2014-07-11 14:17:09 +02:00
} else {
// TODO: needs to pass owner role when role endpoint is finished!
Extending context concept to models fixes #3275, fixes #3290, ref #3086, ref #3084 - Ensure that we use the current logged in user and not just user 1 when - removing hard coded user: 1 except where absolutely necessary - passing context, rather than user to models - base model has a new function to determine what id to use for created_by etc
2014-07-15 13:03:12 +02:00
return dataProvider.User.add(setupUser, internal);
Move setup to API closes #3136 - moved setup to authentication API - added `POST /ghost/api/v0.1/authentication/setup` to execute the setup process - added `GET /ghost/api/v0.1/authentication/setup` to check if blog is already set up (needed for #3145) - removed unused methods from api/users.js
2014-07-11 14:17:09 +02:00
}
}).then(function (user) {
var userSettings = [];
userSettings.push({key: 'email', value: setupUser.email});
// Handles the additional values set by the setup screen.
if (!_.isEmpty(setupUser.blogTitle)) {
userSettings.push({key: 'title', value: setupUser.blogTitle});
userSettings.push({key: 'description', value: 'Thoughts, stories and ideas by ' + setupUser.name});
}
setupUser = user.toJSON();
Adding and renaming permissions refs #3283, refs #2739, refs #3096 - Renames permissions which didn't follow bread - Adds permissions for notifications, mail and tags Still todo: - wire up the new permissions where they are needed - add permissions for roles
2014-07-15 23:43:22 +02:00
return settings.edit({settings: userSettings}, {context: {user: setupUser.id}});
Move setup to API closes #3136 - moved setup to authentication API - added `POST /ghost/api/v0.1/authentication/setup` to execute the setup process - added `GET /ghost/api/v0.1/authentication/setup` to check if blog is already set up (needed for #3145) - removed unused methods from api/users.js
2014-07-11 14:17:09 +02:00
}).then(function () {
var message = {
to: setupUser.email,
subject: 'Your New Ghost Blog',
html: '<p><strong>Hello!</strong></p>' +
This aims to speed up both the ghost application and tests by migration from usage of config() to just an object of config. no relevant issue - Change 'loadConfig' task to 'ensureConfig' to more accurately reflect what it is actually doing. Its sole purpose is to make sure a `config.js` file exists, and as such the name now reflects that purpose. - Update config/index.js to export the ghostConfig object directly so that it can be accessed from other modules - Update all references of config(). to config. This was a blind global find all and replace, treat it as such. - Fixes to tests to support new config access method - Allow each test to still work when invoked invidually
2014-07-17 16:33:21 +02:00
'<p>Good news! You\'ve successfully created a brand new Ghost blog over on ' + config.url + '</p>' +
Move setup to API closes #3136 - moved setup to authentication API - added `POST /ghost/api/v0.1/authentication/setup` to execute the setup process - added `GET /ghost/api/v0.1/authentication/setup` to check if blog is already set up (needed for #3145) - removed unused methods from api/users.js
2014-07-11 14:17:09 +02:00
'<p>You can log in to your admin account with the following details:</p>' +
'<p> Email Address: ' + setupUser.email + '<br>' +
'Password: The password you chose when you signed up</p>' +
'<p>Keep this email somewhere safe for future reference, and have fun!</p>' +
'<p>xoxo</p>' +
'<p>Team Ghost<br>' +
'<a href="https://ghost.org">https://ghost.org</a></p>'
},
payload = {
mail: [{
message: message,
options: {}
}]
};
Wire permmissions for notifications, mail and tags closes #2739 - wraps the api endpoints for mail, notifications, and tags in a canThis check - add internal context to internal calls - updates tests
2014-07-17 10:48:39 +02:00
return mail.send(payload, {context: {internal: true}}).otherwise(function (error) {
Move setup to API closes #3136 - moved setup to authentication API - added `POST /ghost/api/v0.1/authentication/setup` to execute the setup process - added `GET /ghost/api/v0.1/authentication/setup` to check if blog is already set up (needed for #3145) - removed unused methods from api/users.js
2014-07-11 14:17:09 +02:00
errors.logError(
error.message,
"Unable to send welcome email, your blog will continue to function.",
"Please see http://docs.ghost.org/mail/ for instructions on configuring email."
);
});
}).then(function () {
return when.resolve({ users: [setupUser]});
});
User API changes closes #2822 - added destroy user method - added remove user permission - added API end point for get reset token - added API end point for reset password - added API end point for change password
2014-06-20 11:15:01 +02:00
}
};
Check setup status when making API responses Closes #3303, Closes #3299 - Check whether or not setup has been completed when deciding how to respond to certain API requests. - Add tests.
2014-07-18 22:40:47 +02:00
module.exports = authentication;