Ghost/ghost/extract-api-key/lib/extract-api-key.js

const jwt = require('jsonwebtoken');

/**
 * Remove 'Ghost' from raw authorization header and extract the JWT token.
 * Eg. Authorization: Ghost ${JWT}
 * @param {string} header
 */
const extractTokenFromHeader = (header) => {
    const [scheme, token] = header.split(' ');

    if (/^Ghost$/i.test(scheme)) {
        return token;
    }
};

const extractAdminAPIKey = (token) => {
    const decoded = jwt.decode(token, {complete: true});

    if (!decoded || !decoded.header || !decoded.header.kid) {
        return null;
    }

    return decoded.header.kid;
};

/**
 * @typedef {object} ApiKey
 * @prop {string} key
 * @prop {string} type
 */

/**
 * When it's a Content API the function resolves with the value of the key secret.
 * When it's an Admin API the function resolves with the value of the key id.
 *
 * @param {import('express').Request} req
 * @returns {ApiKey}
 */
const extractAPIKey = (req) => {
    let keyValue = null;
    let keyType = null;

    if (req.query && req.query.key) {
        keyValue = req.query.key;
        keyType = 'content';
    } else if (req.headers && req.headers.authorization) {
        keyValue = extractAdminAPIKey(extractTokenFromHeader(req.headers.authorization));
        keyType = 'admin';
    }

    return {
        key: keyValue,
        type: keyType
    };
};

module.exports = extractAPIKey;
Added support for Admin API key extraction refs https://github.com/TryGhost/Toolbox/issues/292 - Allows to detect and extract admin api key ID value. The reason why we are not dealing withe the "secret" value here in a similar way as Content API key is to keep the package independent from the model layer. It only provides "identification" information along with the key type so that the version mismatch data service can deal with this information in an optimal way (just one db query). 2022-05-10 11:08:54 +03:00			`const jwt = require('jsonwebtoken');`

			`/**`
			`* Remove 'Ghost' from raw authorization header and extract the JWT token.`
			`* Eg. Authorization: Ghost ${JWT}`
			`* @param {string} header`
			`*/`
			`const extractTokenFromHeader = (header) => {`
			`const [scheme, token] = header.split(' ');`

			`if (/^Ghost$/i.test(scheme)) {`
			`return token;`
			`}`
			`};`

			`const extractAdminAPIKey = (token) => {`
			`const decoded = jwt.decode(token, {complete: true});`

			`if (!decoded \|\| !decoded.header \|\| !decoded.header.kid) {`
			`return null;`
			`}`

			`return decoded.header.kid;`
			`};`

			`/**`
			`* @typedef {object} ApiKey`
			`* @prop {string} key`
			`* @prop {string} type`
			`*/`

Bootstrapped api key extractor package refs https://github.com/TryGhost/Toolbox/issues/292 - The package is meant to be one stop shop for extraction of any API keys from requests known to Ghost - To start with it should detect and return keys for Content and Admin APIs for the purposes of api version mismatch handling 2022-05-10 07:37:05 +03:00			`/**`
Added support for Admin API key extraction refs https://github.com/TryGhost/Toolbox/issues/292 - Allows to detect and extract admin api key ID value. The reason why we are not dealing withe the "secret" value here in a similar way as Content API key is to keep the package independent from the model layer. It only provides "identification" information along with the key type so that the version mismatch data service can deal with this information in an optimal way (just one db query). 2022-05-10 11:08:54 +03:00			`* When it's a Content API the function resolves with the value of the key secret.`
			`* When it's an Admin API the function resolves with the value of the key id.`
Bootstrapped api key extractor package refs https://github.com/TryGhost/Toolbox/issues/292 - The package is meant to be one stop shop for extraction of any API keys from requests known to Ghost - To start with it should detect and return keys for Content and Admin APIs for the purposes of api version mismatch handling 2022-05-10 07:37:05 +03:00			`*`
			`* @param {import('express').Request} req`
Added support for Admin API key extraction refs https://github.com/TryGhost/Toolbox/issues/292 - Allows to detect and extract admin api key ID value. The reason why we are not dealing withe the "secret" value here in a similar way as Content API key is to keep the package independent from the model layer. It only provides "identification" information along with the key type so that the version mismatch data service can deal with this information in an optimal way (just one db query). 2022-05-10 11:08:54 +03:00			`* @returns {ApiKey}`
Bootstrapped api key extractor package refs https://github.com/TryGhost/Toolbox/issues/292 - The package is meant to be one stop shop for extraction of any API keys from requests known to Ghost - To start with it should detect and return keys for Content and Admin APIs for the purposes of api version mismatch handling 2022-05-10 07:37:05 +03:00			`*/`
			`const extractAPIKey = (req) => {`
Simplified returned data from api key extraction refs https://github.com/TryGhost/Toolbox/issues/292 - We can query the data base by the API key itself, there's no need for type of the API at any point yet 2022-05-10 09:44:55 +03:00			`let keyValue = null;`
Added support for Admin API key extraction refs https://github.com/TryGhost/Toolbox/issues/292 - Allows to detect and extract admin api key ID value. The reason why we are not dealing withe the "secret" value here in a similar way as Content API key is to keep the package independent from the model layer. It only provides "identification" information along with the key type so that the version mismatch data service can deal with this information in an optimal way (just one db query). 2022-05-10 11:08:54 +03:00			`let keyType = null;`
Bootstrapped api key extractor package refs https://github.com/TryGhost/Toolbox/issues/292 - The package is meant to be one stop shop for extraction of any API keys from requests known to Ghost - To start with it should detect and return keys for Content and Admin APIs for the purposes of api version mismatch handling 2022-05-10 07:37:05 +03:00
			`if (req.query && req.query.key) {`
Simplified returned data from api key extraction refs https://github.com/TryGhost/Toolbox/issues/292 - We can query the data base by the API key itself, there's no need for type of the API at any point yet 2022-05-10 09:44:55 +03:00			`keyValue = req.query.key;`
Added support for Admin API key extraction refs https://github.com/TryGhost/Toolbox/issues/292 - Allows to detect and extract admin api key ID value. The reason why we are not dealing withe the "secret" value here in a similar way as Content API key is to keep the package independent from the model layer. It only provides "identification" information along with the key type so that the version mismatch data service can deal with this information in an optimal way (just one db query). 2022-05-10 11:08:54 +03:00			`keyType = 'content';`
			`} else if (req.headers && req.headers.authorization) {`
			`keyValue = extractAdminAPIKey(extractTokenFromHeader(req.headers.authorization));`
			`keyType = 'admin';`
Bootstrapped api key extractor package refs https://github.com/TryGhost/Toolbox/issues/292 - The package is meant to be one stop shop for extraction of any API keys from requests known to Ghost - To start with it should detect and return keys for Content and Admin APIs for the purposes of api version mismatch handling 2022-05-10 07:37:05 +03:00			`}`

Added support for Admin API key extraction refs https://github.com/TryGhost/Toolbox/issues/292 - Allows to detect and extract admin api key ID value. The reason why we are not dealing withe the "secret" value here in a similar way as Content API key is to keep the package independent from the model layer. It only provides "identification" information along with the key type so that the version mismatch data service can deal with this information in an optimal way (just one db query). 2022-05-10 11:08:54 +03:00			`return {`
			`key: keyValue,`
			`type: keyType`
			`};`
Bootstrapped api key extractor package refs https://github.com/TryGhost/Toolbox/issues/292 - The package is meant to be one stop shop for extraction of any API keys from requests known to Ghost - To start with it should detect and return keys for Content and Admin APIs for the purposes of api version mismatch handling 2022-05-10 07:37:05 +03:00			`};`

			`module.exports = extractAPIKey;`