UNPKG

ghost

Version:

The professional publishing platform

ghost.org

TryGhost/Ghost

135 lines (119 loc) 4.13 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
const errors = require('@tryghost/errors'); const tpl = require('@tryghost/tpl'); const auth = require('../../../../services/auth'); const shared = require('../../../shared'); const apiMw = require('../../middleware'); const messages = { notImplemented: 'The server does not support the functionality required to fulfill the request.', staffTokenBlocked: 'Staff tokens are not allowed to access this endpoint' }; /** * @param {import('express').Request} req * @param {import('express').Response} res * @param {import('express').NextFunction} next */ const notImplemented = function notImplemented(req, res, next) { // CASE: user is logged in with user auth, skip to permission system if (!req.api_key) { return next(); } // CASE: user is requesting with staff token, check blocklist, else skip to permission system // Staff tokens have a user_id associated with them, integration tokens don't if (req.api_key?.get('user_id')) { // Check if staff token is trying to access blocked endpoints const isDeleteAllContent = req.method === 'DELETE' && req.path === '/db/'; const isTransferOwnership = req.method === 'PUT' && req.path === '/users/owner/'; if (isDeleteAllContent || isTransferOwnership) { return next(new errors.NoPermissionError({ message: tpl(messages.staffTokenBlocked) })); } return next(); } // CASE: god mode is enabled & we're in development, skip to permission system if (req.query.god_mode && process.env.NODE_ENV === 'development') { return next(); } // CASE: we're using an integration token, check allowlist for permitted endpoints const allowlisted = { site: ['GET'], posts: ['GET', 'PUT', 'DELETE', 'POST'], pages: ['GET', 'PUT', 'DELETE', 'POST'], images: ['POST'], webhooks: ['POST', 'PUT', 'DELETE'], actions: ['GET'], tags: ['GET', 'PUT', 'DELETE', 'POST'], labels: ['GET', 'PUT', 'DELETE', 'POST'], users: ['GET'], roles: ['GET'], invites: ['POST'], themes: ['POST', 'PUT'], members: ['GET', 'PUT', 'DELETE', 'POST'], tiers: ['GET', 'PUT', 'POST'], offers: ['GET', 'PUT', 'POST'], newsletters: ['GET', 'PUT', 'POST'], config: ['GET'], explore: ['GET'], schedules: ['PUT'], files: ['POST'], media: ['POST'], db: ['GET', 'POST'], settings: ['GET'], comments: ['GET', 'POST', 'PUT'], oembed: ['GET'], 'search-index': ['GET'] }; const match = req.url.match(/^\/([^/?]+)\/?/); if (match) { const entity = match[1]; if (allowlisted[entity] && allowlisted[entity].includes(req.method)) { return next(); } } next(new errors.InternalServerError({ errorType: 'NotImplementedError', message: tpl(messages.notImplemented), statusCode: 501 })); }; /** @typedef {import('express').RequestHandler} RequestHandler */ /** * Authentication for private endpoints * * @type {RequestHandler[]} */ module.exports.authAdminApi = [ auth.authenticate.authenticateAdminApi, auth.authorize.authorizeAdminApi, apiMw.updateUserLastSeen, apiMw.cors, shared.middleware.urlRedirects.adminSSLAndHostRedirect, shared.middleware.prettyUrls, notImplemented ]; /** * Authentication for private endpoints with token in URL * Ex.: For scheduler publish endpoint * * @type {RequestHandler[]} */ module.exports.authAdminApiWithUrl = [ auth.authenticate.authenticateAdminApiWithUrl, auth.authorize.authorizeAdminApi, apiMw.updateUserLastSeen, apiMw.cors, shared.middleware.urlRedirects.adminSSLAndHostRedirect, shared.middleware.prettyUrls, notImplemented ]; /** * Middleware for public admin endpoints * * @type {RequestHandler[]} */ module.exports.publicAdminApi = [ apiMw.cors, shared.middleware.urlRedirects.adminSSLAndHostRedirect, shared.middleware.prettyUrls, notImplemented ];