Ensure cors check happens for /authentication/token route (#9317)

no issue

- otherwise external browser clients run into cors problems

core/server/services/auth/authorize.js

@@ -29,7 +29,7 @@ authorize = {
     // Requires the authenticated client to match specific client
     requiresAuthorizedClient: function requiresAuthorizedClient(client) {
         return function doAuthorizedClient(req, res, next) {
-            if (!req.client || !req.client.name || req.client.name !== client) {
+            if (client && (!req.client || !req.client.name || req.client.name !== client)) {
                 return next(new common.errors.NoPermissionError({message: common.i18n.t('errors.permissions.noPermissionToAction')}));
             }
 

core/server/web/api/routes.js

@@ -158,10 +158,11 @@ module.exports = function apiRoutes() {
     apiRouter.post('/authentication/setup', api.http(api.authentication.setup));
     apiRouter.put('/authentication/setup', mw.authenticatePrivate, api.http(api.authentication.updateSetup));
     apiRouter.get('/authentication/setup', api.http(api.authentication.isSetup));
+
     apiRouter.post('/authentication/token',
+        mw.authenticateClient(),
         brute.globalBlock,
         brute.userLogin,
-        auth.authenticate.authenticateClient,
         auth.oauth.generateAccessToken
     );
 
@@ -176,7 +177,7 @@ module.exports = function apiRoutes() {
         api.http(api.uploads.add)
     );
 
-    apiRouter.post('/db/backup',  mw.authenticateClient('Ghost Backup'), api.http(api.db.backupContent));
+    apiRouter.post('/db/backup', mw.authenticateClient('Ghost Backup'), api.http(api.db.backupContent));
 
     apiRouter.post('/uploads/icon',
         mw.authenticatePrivate,