tqt
/
Ghost
mirror of https://github.com/TryGhost/Ghost.git
2
1
Fork 0
Code Issues 1 Releases Wiki Activity

Renamed API -> Api for v2 auth logic (#10142) 

closes #10120
This commit is contained in:
Fabien O'Carroll 2018-12-04 00:08:57 +07:00 committed by Katharina Irrgang
parent 6bc658be9b
commit ed77192457
4 changed files with 77 additions and 77 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
core/server/services/auth/authenticate.js
View File

@ -103,7 +103,7 @@ const authenticate = {
},
// ### v2 API auth middleware
authenticateAdminAPI: [session.safeGetSession, session.getUser],
authenticateAdminApi: [session.safeGetSession, session.getUser],
authenticateContentApi: [apiKeyAuth.content.authenticateContentApiKey, members.authenticateMembersToken]
};

2
core/server/services/auth/authorize.js
View File

@ -37,7 +37,7 @@ const authorize = {
};
},
authorizeAdminAPI: [session.ensureUser],
authorizeAdminApi: [session.ensureUser],
authorizeContentApi(req, res, next) {
const hasApiKey = req.api_key && req.api_key.id;
const hasMember = req.member;

6
core/server/web/api/v2/admin/middleware.js
View File

@ -4,9 +4,9 @@ const shared = require('../../../shared');
/**
* Authentication for private endpoints
*/
module.exports.authAdminAPI = [
auth.authenticate.authenticateAdminAPI,
auth.authorize.authorizeAdminAPI,
module.exports.authAdminApi = [
auth.authenticate.authenticateAdminApi,
auth.authorize.authorizeAdminApi,
shared.middlewares.updateUserLastSeen,
shared.middlewares.api.cors,
shared.middlewares.urlRedirects.adminRedirect,

144
core/server/web/api/v2/admin/routes.js
View File

@ -23,23 +23,23 @@ module.exports = function apiRoutes() {
// ## Configuration
router.get('/configuration', api.http(api.configuration.read));
router.get('/configuration/:key', mw.authAdminAPI, api.http(api.configuration.read));
router.get('/configuration/:key', mw.authAdminApi, api.http(api.configuration.read));
// ## Posts
router.get('/posts', mw.authAdminAPI, apiv2.http(apiv2.posts.browse));
router.post('/posts', mw.authAdminAPI, apiv2.http(apiv2.posts.add));
router.get('/posts/:id', mw.authAdminAPI, apiv2.http(apiv2.posts.read));
router.get('/posts/slug/:slug', mw.authAdminAPI, apiv2.http(apiv2.posts.read));
router.put('/posts/:id', mw.authAdminAPI, apiv2.http(apiv2.posts.edit));
router.del('/posts/:id', mw.authAdminAPI, apiv2.http(apiv2.posts.destroy));
router.get('/posts', mw.authAdminApi, apiv2.http(apiv2.posts.browse));
router.post('/posts', mw.authAdminApi, apiv2.http(apiv2.posts.add));
router.get('/posts/:id', mw.authAdminApi, apiv2.http(apiv2.posts.read));
router.get('/posts/slug/:slug', mw.authAdminApi, apiv2.http(apiv2.posts.read));
router.put('/posts/:id', mw.authAdminApi, apiv2.http(apiv2.posts.edit));
router.del('/posts/:id', mw.authAdminApi, apiv2.http(apiv2.posts.destroy));
// # Integrations
router.get('/integrations', mw.authAdminAPI, apiv2.http(apiv2.integrations.browse));
router.get('/integrations/:id', mw.authAdminAPI, apiv2.http(apiv2.integrations.read));
router.post('/integrations', mw.authAdminAPI, apiv2.http(apiv2.integrations.add));
router.put('/integrations/:id', mw.authAdminAPI, apiv2.http(apiv2.integrations.edit));
router.del('/integrations/:id', mw.authAdminAPI, apiv2.http(apiv2.integrations.destroy));
router.get('/integrations', mw.authAdminApi, apiv2.http(apiv2.integrations.browse));
router.get('/integrations/:id', mw.authAdminApi, apiv2.http(apiv2.integrations.read));
router.post('/integrations', mw.authAdminApi, apiv2.http(apiv2.integrations.add));
router.put('/integrations/:id', mw.authAdminApi, apiv2.http(apiv2.integrations.edit));
router.del('/integrations/:id', mw.authAdminApi, apiv2.http(apiv2.integrations.destroy));
// ## Schedules
router.put('/schedules/posts/:id', [
@ -48,120 +48,120 @@ module.exports = function apiRoutes() {
], api.http(api.schedules.publishPost));
// ## Settings
router.get('/settings/routes/yaml', mw.authAdminAPI, apiv2.http(apiv2.settings.download));
router.get('/settings/routes/yaml', mw.authAdminApi, apiv2.http(apiv2.settings.download));
router.post('/settings/routes/yaml',
mw.authAdminAPI,
mw.authAdminApi,
upload.single('routes'),
shared.middlewares.validation.upload({type: 'routes'}),
apiv2.http(apiv2.settings.upload)
);
router.get('/settings', mw.authAdminAPI, apiv2.http(apiv2.settings.browse));
router.get('/settings/:key', mw.authAdminAPI, apiv2.http(apiv2.settings.read));
router.put('/settings', mw.authAdminAPI, apiv2.http(apiv2.settings.edit));
router.get('/settings', mw.authAdminApi, apiv2.http(apiv2.settings.browse));
router.get('/settings/:key', mw.authAdminApi, apiv2.http(apiv2.settings.read));
router.put('/settings', mw.authAdminApi, apiv2.http(apiv2.settings.edit));
// ## Users
router.get('/users', mw.authAdminAPI, apiv2.http(apiv2.users.browse));
router.get('/users/:id', mw.authAdminAPI, apiv2.http(apiv2.users.read));
router.get('/users/slug/:slug', mw.authAdminAPI, apiv2.http(apiv2.users.read));
router.get('/users', mw.authAdminApi, apiv2.http(apiv2.users.browse));
router.get('/users/:id', mw.authAdminApi, apiv2.http(apiv2.users.read));
router.get('/users/slug/:slug', mw.authAdminApi, apiv2.http(apiv2.users.read));
// NOTE: We don't expose any email addresses via the public api.
router.get('/users/email/:email', mw.authAdminAPI, apiv2.http(apiv2.users.read));
router.get('/users/email/:email', mw.authAdminApi, apiv2.http(apiv2.users.read));
router.put('/users/password', mw.authAdminAPI, apiv2.http(apiv2.users.changePassword));
router.put('/users/owner', mw.authAdminAPI, apiv2.http(apiv2.users.transferOwnership));
router.put('/users/:id', mw.authAdminAPI, apiv2.http(apiv2.users.edit));
router.del('/users/:id', mw.authAdminAPI, apiv2.http(apiv2.users.destroy));
router.put('/users/password', mw.authAdminApi, apiv2.http(apiv2.users.changePassword));
router.put('/users/owner', mw.authAdminApi, apiv2.http(apiv2.users.transferOwnership));
router.put('/users/:id', mw.authAdminApi, apiv2.http(apiv2.users.edit));
router.del('/users/:id', mw.authAdminApi, apiv2.http(apiv2.users.destroy));
// ## Tags
router.get('/tags', mw.authAdminAPI, apiv2.http(apiv2.tags.browse));
router.get('/tags/:id', mw.authAdminAPI, apiv2.http(apiv2.tags.read));
router.get('/tags/slug/:slug', mw.authAdminAPI, apiv2.http(apiv2.tags.read));
router.post('/tags', mw.authAdminAPI, apiv2.http(apiv2.tags.add));
router.put('/tags/:id', mw.authAdminAPI, apiv2.http(apiv2.tags.edit));
router.del('/tags/:id', mw.authAdminAPI, apiv2.http(apiv2.tags.destroy));
router.get('/tags', mw.authAdminApi, apiv2.http(apiv2.tags.browse));
router.get('/tags/:id', mw.authAdminApi, apiv2.http(apiv2.tags.read));
router.get('/tags/slug/:slug', mw.authAdminApi, apiv2.http(apiv2.tags.read));
router.post('/tags', mw.authAdminApi, apiv2.http(apiv2.tags.add));
router.put('/tags/:id', mw.authAdminApi, apiv2.http(apiv2.tags.edit));
router.del('/tags/:id', mw.authAdminApi, apiv2.http(apiv2.tags.destroy));
// ## Subscribers
router.get('/subscribers', shared.middlewares.labs.subscribers, mw.authAdminAPI, apiv2.http(apiv2.subscribers.browse));
router.get('/subscribers/csv', shared.middlewares.labs.subscribers, mw.authAdminAPI, apiv2.http(apiv2.subscribers.exportCSV));
router.get('/subscribers', shared.middlewares.labs.subscribers, mw.authAdminApi, apiv2.http(apiv2.subscribers.browse));
router.get('/subscribers/csv', shared.middlewares.labs.subscribers, mw.authAdminApi, apiv2.http(apiv2.subscribers.exportCSV));
router.post('/subscribers/csv',
shared.middlewares.labs.subscribers,
mw.authAdminAPI,
mw.authAdminApi,
upload.single('subscribersfile'),
shared.middlewares.validation.upload({type: 'subscribers'}),
apiv2.http(apiv2.subscribers.importCSV)
);
router.get('/subscribers/:id', shared.middlewares.labs.subscribers, mw.authAdminAPI, apiv2.http(apiv2.subscribers.read));
router.get('/subscribers/email/:email', shared.middlewares.labs.subscribers, mw.authAdminAPI, apiv2.http(apiv2.subscribers.read));
router.post('/subscribers', shared.middlewares.labs.subscribers, mw.authAdminAPI, apiv2.http(apiv2.subscribers.add));
router.put('/subscribers/:id', shared.middlewares.labs.subscribers, mw.authAdminAPI, apiv2.http(apiv2.subscribers.edit));
router.del('/subscribers/:id', shared.middlewares.labs.subscribers, mw.authAdminAPI, apiv2.http(apiv2.subscribers.destroy));
router.del('/subscribers/email/:email', shared.middlewares.labs.subscribers, mw.authAdminAPI, apiv2.http(apiv2.subscribers.destroy));
router.get('/subscribers/:id', shared.middlewares.labs.subscribers, mw.authAdminApi, apiv2.http(apiv2.subscribers.read));
router.get('/subscribers/email/:email', shared.middlewares.labs.subscribers, mw.authAdminApi, apiv2.http(apiv2.subscribers.read));
router.post('/subscribers', shared.middlewares.labs.subscribers, mw.authAdminApi, apiv2.http(apiv2.subscribers.add));
router.put('/subscribers/:id', shared.middlewares.labs.subscribers, mw.authAdminApi, apiv2.http(apiv2.subscribers.edit));
router.del('/subscribers/:id', shared.middlewares.labs.subscribers, mw.authAdminApi, apiv2.http(apiv2.subscribers.destroy));
router.del('/subscribers/email/:email', shared.middlewares.labs.subscribers, mw.authAdminApi, apiv2.http(apiv2.subscribers.destroy));
// ## Roles
router.get('/roles/', mw.authAdminAPI, apiv2.http(apiv2.roles.browse));
router.get('/roles/', mw.authAdminApi, apiv2.http(apiv2.roles.browse));
// ## Clients
router.get('/clients/slug/:slug', api.http(api.clients.read));
// ## Slugs
router.get('/slugs/:type/:name', mw.authAdminAPI, apiv2.http(apiv2.slugs.generate));
router.get('/slugs/:type/:name', mw.authAdminApi, apiv2.http(apiv2.slugs.generate));
// ## Themes
router.get('/themes/', mw.authAdminAPI, api.http(api.themes.browse));
router.get('/themes/', mw.authAdminApi, api.http(api.themes.browse));
router.get('/themes/:name/download',
mw.authAdminAPI,
mw.authAdminApi,
api.http(api.themes.download)
);
router.post('/themes/upload',
mw.authAdminAPI,
mw.authAdminApi,
upload.single('theme'),
shared.middlewares.validation.upload({type: 'themes'}),
api.http(api.themes.upload)
);
router.put('/themes/:name/activate',
mw.authAdminAPI,
mw.authAdminApi,
api.http(api.themes.activate)
);
router.del('/themes/:name',
mw.authAdminAPI,
mw.authAdminApi,
api.http(api.themes.destroy)
);
// ## Notifications
router.get('/notifications', mw.authAdminAPI, apiv2.http(apiv2.notifications.browse));
router.post('/notifications', mw.authAdminAPI, apiv2.http(apiv2.notifications.add));
router.del('/notifications/:notification_id', mw.authAdminAPI, apiv2.http(apiv2.notifications.destroy));
router.get('/notifications', mw.authAdminApi, apiv2.http(apiv2.notifications.browse));
router.post('/notifications', mw.authAdminApi, apiv2.http(apiv2.notifications.add));
router.del('/notifications/:notification_id', mw.authAdminApi, apiv2.http(apiv2.notifications.destroy));
// ## DB
router.get('/db', mw.authAdminAPI, api.http(api.db.exportContent));
router.get('/db', mw.authAdminApi, api.http(api.db.exportContent));
router.post('/db',
mw.authAdminAPI,
mw.authAdminApi,
upload.single('importfile'),
shared.middlewares.validation.upload({type: 'db'}),
api.http(api.db.importContent)
);
router.del('/db', mw.authAdminAPI, api.http(api.db.deleteAllContent));
router.del('/db', mw.authAdminApi, api.http(api.db.deleteAllContent));
// ## Mail
router.post('/mail', mw.authAdminAPI, apiv2.http(apiv2.mail.send));
router.post('/mail/test', mw.authAdminAPI, apiv2.http(apiv2.mail.sendTest));
router.post('/mail', mw.authAdminApi, apiv2.http(apiv2.mail.send));
router.post('/mail/test', mw.authAdminApi, apiv2.http(apiv2.mail.sendTest));
// ## Slack
router.post('/slack/test', mw.authAdminAPI, apiv2.http(apiv2.slack.sendTest));
router.post('/slack/test', mw.authAdminApi, apiv2.http(apiv2.slack.sendTest));
// ## Sessions
router.get('/session', mw.authAdminAPI, api.http(apiv2.session.read));
router.get('/session', mw.authAdminApi, api.http(apiv2.session.read));
// We don't need auth when creating a new session (logging in)
router.post('/session',
shared.middlewares.brute.globalBlock,
shared.middlewares.brute.userLogin,
api.http(apiv2.session.add)
);
router.del('/session', mw.authAdminAPI, api.http(apiv2.session.delete));
router.del('/session', mw.authAdminApi, api.http(apiv2.session.delete));
// ## Authentication
router.post('/authentication/passwordreset',
@ -173,13 +173,13 @@ module.exports = function apiRoutes() {
router.post('/authentication/invitation', api.http(api.authentication.acceptInvitation));
router.get('/authentication/invitation', api.http(api.authentication.isInvitation));
router.post('/authentication/setup', api.http(api.authentication.setup));
router.put('/authentication/setup', mw.authAdminAPI, api.http(api.authentication.updateSetup));
router.put('/authentication/setup', mw.authAdminApi, api.http(api.authentication.updateSetup));
router.get('/authentication/setup', api.http(api.authentication.isSetup));
// ## Uploads
// @TODO: rename endpoint to /images/upload (or similar)
router.post('/uploads',
mw.authAdminAPI,
mw.authAdminApi,
upload.single('uploadimage'),
shared.middlewares.validation.upload({type: 'images'}),
shared.middlewares.image.normalize,
@ -187,7 +187,7 @@ module.exports = function apiRoutes() {
);
router.post('/uploads/profile-image',
mw.authAdminAPI,
mw.authAdminApi,
upload.single('uploadimage'),
shared.middlewares.validation.upload({type: 'images'}),
shared.middlewares.validation.profileImage,
@ -198,7 +198,7 @@ module.exports = function apiRoutes() {
router.post('/db/backup', mw.authenticateClient('Ghost Backup'), api.http(api.db.backupContent));
router.post('/uploads/icon',
mw.authAdminAPI,
mw.authAdminApi,
upload.single('uploadimage'),
shared.middlewares.validation.upload({type: 'icons'}),
shared.middlewares.validation.blogIcon(),
@ -206,27 +206,27 @@ module.exports = function apiRoutes() {
);
// ## Invites
router.get('/invites', mw.authAdminAPI, apiv2.http(apiv2.invites.browse));
router.get('/invites/:id', mw.authAdminAPI, apiv2.http(apiv2.invites.read));
router.post('/invites', mw.authAdminAPI, apiv2.http(apiv2.invites.add));
router.del('/invites/:id', mw.authAdminAPI, apiv2.http(apiv2.invites.destroy));
router.get('/invites', mw.authAdminApi, apiv2.http(apiv2.invites.browse));
router.get('/invites/:id', mw.authAdminApi, apiv2.http(apiv2.invites.read));
router.post('/invites', mw.authAdminApi, apiv2.http(apiv2.invites.add));
router.del('/invites/:id', mw.authAdminApi, apiv2.http(apiv2.invites.destroy));
// ## Redirects (JSON based)
router.get('/redirects/json', mw.authAdminAPI, api.http(api.redirects.download));
router.get('/redirects/json', mw.authAdminApi, api.http(api.redirects.download));
router.post('/redirects/json',
mw.authAdminAPI,
mw.authAdminApi,
upload.single('redirects'),
shared.middlewares.validation.upload({type: 'redirects'}),
api.http(api.redirects.upload)
);
// ## Webhooks (RESTHooks)
router.post('/webhooks', mw.authAdminAPI, apiv2.http(apiv2.webhooks.add));
router.put('/webhooks/:id', mw.authAdminAPI, apiv2.http(apiv2.webhooks.edit));
router.del('/webhooks/:id', mw.authAdminAPI, apiv2.http(apiv2.webhooks.destroy));
router.post('/webhooks', mw.authAdminApi, apiv2.http(apiv2.webhooks.add));
router.put('/webhooks/:id', mw.authAdminApi, apiv2.http(apiv2.webhooks.edit));
router.del('/webhooks/:id', mw.authAdminApi, apiv2.http(apiv2.webhooks.destroy));
// ## Oembed (fetch response from oembed provider)
router.get('/oembed', mw.authAdminAPI, apiv2.http(apiv2.oembed.read));
router.get('/oembed', mw.authAdminApi, apiv2.http(apiv2.oembed.read));
return router;
};