🐛 Fixed v0.1 username/password authentication

no issue - refs 39edb7646e
2019-03-06 10:38:16 +01:00 · 2019-03-06 10:38:16 +01:00 · ac26436c10
parent 5b73e8238e
commit ac26436c10
3 changed files with 9 additions and 28 deletions
--- a/core/server/services/auth/authenticate.js
+++ b/core/server/services/auth/authenticate.js
@ -5,7 +5,6 @@ const common = require('../../lib/common');
 const session = require('./session');
 const apiKeyAuth = require('./api-key');
 const members = require('./members');
-const labs = require('../labs');

 const authenticate = {
    // ### Authenticate Client Middleware
@ -39,14 +38,6 @@ const authenticate = {
            req.body.client_secret = req.query.client_secret;
        }

-        if (labs.isSet('publicAPI') !== true) {
-            return next(new common.errors.NoPermissionError({
-                message: common.i18n.t('errors.middleware.auth.publicAPIDisabled.error'),
-                context: common.i18n.t('errors.middleware.auth.publicAPIDisabled.context'),
-                help: common.i18n.t('errors.middleware.auth.forInformationRead', {url: 'https://docs.ghost.org/api/content/'})
-            }));
-        }
-
        if (!req.body.client_id || !req.body.client_secret) {
            return next(new common.errors.UnauthorizedError({
                message: common.i18n.t('errors.middleware.auth.accessDenied'),
--- a/core/server/services/auth/authorize.js
+++ b/core/server/services/auth/authorize.js
@ -22,6 +22,15 @@ const authorize = {
            if (req.user && req.user.id) {
                return next();
            } else {
+                // CASE: has no user access and public api is disabled
+                if (labs.isSet('publicAPI') !== true) {
+                    return next(new common.errors.NoPermissionError({
+                        message: common.i18n.t('errors.middleware.auth.publicAPIDisabled.error'),
+                        context: common.i18n.t('errors.middleware.auth.publicAPIDisabled.context'),
+                        help: common.i18n.t('errors.middleware.auth.forInformationRead', {url: 'https://docs.ghost.org/api/content/'})
+                    }));
+                }
+
                return next(new common.errors.NoPermissionError({
                    message: common.i18n.t('errors.middleware.auth.pleaseSignIn')
                }));
--- a/core/test/unit/services/auth/authenticate_spec.js
+++ b/core/test/unit/services/auth/authenticate_spec.js
@ -349,25 +349,6 @@ describe('Auth', function () {
            done();
        });

-        it('shouldn\'t authenticate when publicAPI is disabled', function (done) {
-            labs.isSet.restore();
-            sinon.stub(labs, 'isSet').withArgs('publicAPI').returns(false);
-
-            req.body = {};
-            req.body.client_id = testClient;
-            req.body.client_secret = testSecret;
-            req.headers = {};
-
-            var next = function next(err) {
-                err.statusCode.should.eql(403);
-                (err instanceof common.errors.NoPermissionError).should.eql(true);
-                done();
-            };
-
-            registerSuccessfulClientPasswordStrategy();
-            auth.authenticate.authenticateClient(req, res, next);
-        });
-
        it('shouldn\'t authenticate when error', function (done) {
            req.body = {};
            req.body.client_id = testClient;