OpenSourceArk/Ghost
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
57b5f4da00
Ghost/core/server/middleware/index.js

350 lines
12 KiB
JavaScript
Raw Normal View History

Putting back relative redirects issue #1523 - also added some comments to indicate the difference between the two custom middleware files.
2013-11-26 00:31:18 +04:00
// # Custom Middleware
// The following custom middleware functions cannot yet be unit tested, and as such are kept separate from
// the testable custom middleware functions in middleware.js
Change refresh token expiry no issue - acquiring a new access token using a refresh token sets the expiration time of the refresh token to now + 24 hrs. - moved all occurrences of ONE_HOUR, ONE_DAY and ONE_YEAR to `core/server/utils`
2014-07-28 17:19:49 +04:00
var api = require('../api'),
bodyParser = require('body-parser'),
config = require('../config'),
errors = require('../errors'),
express = require('express'),
favicon = require('static-favicon'),
fs = require('fs'),
hbs = require('express-hbs'),
logger = require('morgan'),
middleware = require('./middleware'),
packageInfo = require('../../../package.json'),
path = require('path'),
routes = require('../routes'),
slashes = require('connect-slashes'),
storage = require('../storage'),
url = require('url'),
_ = require('lodash'),
passport = require('passport'),
oauth = require('./oauth'),
oauth2orize = require('oauth2orize'),
oAuth closes #2759 closes #3027 - added oauth2orize library for server side oAuth handling - added ember-simple-auth library for admin oAuth handling - added tables for client, accesstoken and refreshtoken - implemented RFC6749 4.3 Ressouce Owner Password Credentials Grant - updated api tests with oAuth - removed session, authentication is now token based Known issues: - Restore spam prevention #3128 - Signin after Signup #3125 - Signin validation #3125 **Attention** - oldClient doesn't work with this PR anymore, session authentication was removed
2014-06-30 16:58:10 +04:00
authStrategies = require('./authStrategies'),
Change refresh token expiry no issue - acquiring a new access token using a refresh token sets the expiration time of the refresh token to now + 24 hrs. - moved all occurrences of ONE_HOUR, ONE_DAY and ONE_YEAR to `core/server/utils`
2014-07-28 17:19:49 +04:00
utils = require('../utils'),
Move server middleware configuration to related file
2013-11-12 10:03:25 +04:00
Cache control headers & query string asset management closes #1470 issue #1405 - added cache control middleware - added defaults for all routes, assets, etc - updated asset helper to add a query string with a timestamp hash to all assets - added unit tests for asset and ghostScriptTags helpers - added cache-control checks to route tests
2013-12-31 03:13:25 +04:00
expressServer,
Change refresh token expiry no issue - acquiring a new access token using a refresh token sets the expiration time of the refresh token to now + 24 hrs. - moved all occurrences of ONE_HOUR, ONE_DAY and ONE_YEAR to `core/server/utils`
2014-07-28 17:19:49 +04:00
setupMiddleware;
Move server middleware configuration to related file
2013-11-12 10:03:25 +04:00
// ##Custom Middleware
// ### GhostLocals Middleware
// Expose the standard locals that every external page should have available,
// separating between the theme and the admin
function ghostLocals(req, res, next) {
// Make sure we have a locals value.
res.locals = res.locals || {};
res.locals.version = packageInfo.version;
New URL helper - URL consistency fixes fixes #1765 fixes #1811 issue #1833 New UrlFor functions - moved body of url helper to config.path.urlFor, which can generate a URL for various scenarios - urlFor can take a string (name) or object (relativeUrl: '/') as the first argument - this is the first step towards issue #1833 - also added config.path.urlForPost which is async and handles getting permalink setting - frontend controller, ghost_head helper, cache invalidation all now use urlFor or urlForPost all urls should be correct and consistent URL Consistency Improvements - refactored invalidateCache into cacheInvalidationHeader which returns a promise so that url can be generated properly by urlForPost - moved isPost from models to schema, and refactored schema to have a tables object - deleted posts now return the whole object, not just id and slug, ensuring cache invalidation header can be set on delete - frontend controller rss and archive page redirects work properly with subdirectory - removes {{url}} helper from admin and client, and replaced with adminUrl helper which also uses urlFor - in res.locals ghostRoot becomes relativeUrl, and path is removed
2014-01-03 04:37:21 +04:00
// relative path from the URL, not including subdir
This aims to speed up both the ghost application and tests by migration from usage of config() to just an object of config. no relevant issue - Change 'loadConfig' task to 'ensureConfig' to more accurately reflect what it is actually doing. Its sole purpose is to make sure a `config.js` file exists, and as such the name now reflects that purpose. - Update config/index.js to export the ghostConfig object directly so that it can be accessed from other modules - Update all references of config(). to config. This was a blind global find all and replace, treat it as such. - Fixes to tests to support new config access method - Allow each test to still work when invoked invidually
2014-07-17 18:33:21 +04:00
res.locals.relativeUrl = req.path.replace(config.paths.subdir, '');
Move server middleware configuration to related file
2013-11-12 10:03:25 +04:00
oAuth closes #2759 closes #3027 - added oauth2orize library for server side oAuth handling - added ember-simple-auth library for admin oAuth handling - added tables for client, accesstoken and refreshtoken - implemented RFC6749 4.3 Ressouce Owner Password Credentials Grant - updated api tests with oAuth - removed session, authentication is now token based Known issues: - Restore spam prevention #3128 - Signin after Signup #3125 - Signin validation #3125 **Attention** - oldClient doesn't work with this PR anymore, session authentication was removed
2014-06-30 16:58:10 +04:00
next();
Move server middleware configuration to related file
2013-11-12 10:03:25 +04:00
}
Support for urlSSL config option and forceAdminSSL 403 response closes #1838 - adding `forceAdminSSL: {redirect: true/false}` option to allow 403 over non-SSL rather than redirect - adding `urlSSL` option to specify SSL variant of `url` - using `urlSSL` when redirecting to SSL (forceAdminSSL), if specified - dynamically patching `.url` property for view engine templates to use SSL variant over HTTPS connections (pass `.secure` property as view engine data) - using `urlSSL` in a "reset password" email, if specified - adding unit tests to test `forceAdminSSL` and `urlSSL` options - created a unit test utility function to dynamically fork a new instance of Ghost during the test, with different configuration options
2014-02-22 05:25:31 +04:00
function initThemeData(secure) {
var themeConfig = config.theme();
This aims to speed up both the ghost application and tests by migration from usage of config() to just an object of config. no relevant issue - Change 'loadConfig' task to 'ensureConfig' to more accurately reflect what it is actually doing. Its sole purpose is to make sure a `config.js` file exists, and as such the name now reflects that purpose. - Update config/index.js to export the ghostConfig object directly so that it can be accessed from other modules - Update all references of config(). to config. This was a blind global find all and replace, treat it as such. - Fixes to tests to support new config access method - Allow each test to still work when invoked invidually
2014-07-17 18:33:21 +04:00
if (secure && config.urlSSL) {
Support for urlSSL config option and forceAdminSSL 403 response closes #1838 - adding `forceAdminSSL: {redirect: true/false}` option to allow 403 over non-SSL rather than redirect - adding `urlSSL` option to specify SSL variant of `url` - using `urlSSL` when redirecting to SSL (forceAdminSSL), if specified - dynamically patching `.url` property for view engine templates to use SSL variant over HTTPS connections (pass `.secure` property as view engine data) - using `urlSSL` in a "reset password" email, if specified - adding unit tests to test `forceAdminSSL` and `urlSSL` options - created a unit test utility function to dynamically fork a new instance of Ghost during the test, with different configuration options
2014-02-22 05:25:31 +04:00
// For secure requests override .url property with the SSL version
themeConfig = _.clone(themeConfig);
This aims to speed up both the ghost application and tests by migration from usage of config() to just an object of config. no relevant issue - Change 'loadConfig' task to 'ensureConfig' to more accurately reflect what it is actually doing. Its sole purpose is to make sure a `config.js` file exists, and as such the name now reflects that purpose. - Update config/index.js to export the ghostConfig object directly so that it can be accessed from other modules - Update all references of config(). to config. This was a blind global find all and replace, treat it as such. - Fixes to tests to support new config access method - Allow each test to still work when invoked invidually
2014-07-17 18:33:21 +04:00
themeConfig.url = config.urlSSL.replace(/\/$/, '');
Support for urlSSL config option and forceAdminSSL 403 response closes #1838 - adding `forceAdminSSL: {redirect: true/false}` option to allow 403 over non-SSL rather than redirect - adding `urlSSL` option to specify SSL variant of `url` - using `urlSSL` when redirecting to SSL (forceAdminSSL), if specified - dynamically patching `.url` property for view engine templates to use SSL variant over HTTPS connections (pass `.secure` property as view engine data) - using `urlSSL` in a "reset password" email, if specified - adding unit tests to test `forceAdminSSL` and `urlSSL` options - created a unit test utility function to dynamically fork a new instance of Ghost during the test, with different configuration options
2014-02-22 05:25:31 +04:00
}
return themeConfig;
}
Move server middleware configuration to related file
2013-11-12 10:03:25 +04:00
// ### Activate Theme
// Helper for manageAdminAndTheme
remove ghost.settings and ghost.notifications covers 90% of #755 - moved ghost.settings to api.settings - moved ghost.notifications to api.notifications - split up api/index.js to notifications.js, posts.js, settings.js, tags.js and users.js - added instance.globals as temp workaround for blogglobals (Known issue: blog title and blog description are updated after restart only) - added webroot to config() to remove `var root = ...` - changed `e` and `url` helper to async - updated tests
2013-12-06 12:51:35 +04:00
function activateTheme(activeTheme) {
Bug fixes for partial views closes #1203 - Update express-hbs module to the new version (0.5.2) - Use two instance of hbs one for the theme and an other for the admin - Template helpers are register as partial view - Partial views of the theme are reload when the theme changed Remove clear partial cache in handlebars This code will be move in `express-hbs`. This doesn't cause a problem to remove this line but it is not clean. Remove unused hbs instance Resolve conflict
2013-12-02 03:31:55 +04:00
var hbsOptions,
This aims to speed up both the ghost application and tests by migration from usage of config() to just an object of config. no relevant issue - Change 'loadConfig' task to 'ensureConfig' to more accurately reflect what it is actually doing. Its sole purpose is to make sure a `config.js` file exists, and as such the name now reflects that purpose. - Update config/index.js to export the ghostConfig object directly so that it can be accessed from other modules - Update all references of config(). to config. This was a blind global find all and replace, treat it as such. - Fixes to tests to support new config access method - Allow each test to still work when invoked invidually
2014-07-17 18:33:21 +04:00
themePartials = path.join(config.paths.themePath, activeTheme, 'partials');
Move server middleware configuration to related file
2013-11-12 10:03:25 +04:00
// clear the view cache
Remove ghost.js fixes #1575 - Moves most code that was in ghost.js into ./core/server/index.js - Creates ./core/server/config/theme.js to hold all theme configurations (which previously lived on ghost.blogGlobals()) - Removed ghost.server, passing it in as an argument where needed and allowing middleware to hold onto a reference for lazy use.
2013-12-06 18:13:15 +04:00
expressServer.cache = {};
Move server middleware configuration to related file
2013-11-12 10:03:25 +04:00
Bug fixes for partial views closes #1203 - Update express-hbs module to the new version (0.5.2) - Use two instance of hbs one for the theme and an other for the admin - Template helpers are register as partial view - Partial views of the theme are reload when the theme changed Remove clear partial cache in handlebars This code will be move in `express-hbs`. This doesn't cause a problem to remove this line but it is not clean. Remove unused hbs instance Resolve conflict
2013-12-02 03:31:55 +04:00
// set view engine
This aims to speed up both the ghost application and tests by migration from usage of config() to just an object of config. no relevant issue - Change 'loadConfig' task to 'ensureConfig' to more accurately reflect what it is actually doing. Its sole purpose is to make sure a `config.js` file exists, and as such the name now reflects that purpose. - Update config/index.js to export the ghostConfig object directly so that it can be accessed from other modules - Update all references of config(). to config. This was a blind global find all and replace, treat it as such. - Fixes to tests to support new config access method - Allow each test to still work when invoked invidually
2014-07-17 18:33:21 +04:00
hbsOptions = { partialsDir: [ config.paths.helperTemplates ] };
Including theme partials in a way that supports symbolically linked directories closes #1937 - using fs.stat() instead of hasOwnProperty() to test for directory existence
2014-01-14 03:11:59 +04:00
fs.stat(themePartials, function (err, stats) {
Bug fixes for partial views closes #1203 - Update express-hbs module to the new version (0.5.2) - Use two instance of hbs one for the theme and an other for the admin - Template helpers are register as partial view - Partial views of the theme are reload when the theme changed Remove clear partial cache in handlebars This code will be move in `express-hbs`. This doesn't cause a problem to remove this line but it is not clean. Remove unused hbs instance Resolve conflict
2013-12-02 03:31:55 +04:00
// Check that the theme has a partials directory before trying to use it
Including theme partials in a way that supports symbolically linked directories closes #1937 - using fs.stat() instead of hasOwnProperty() to test for directory existence
2014-01-14 03:11:59 +04:00
if (!err && stats && stats.isDirectory()) {
hbsOptions.partialsDir.push(themePartials);
}
});
Bug fixes for partial views closes #1203 - Update express-hbs module to the new version (0.5.2) - Use two instance of hbs one for the theme and an other for the admin - Template helpers are register as partial view - Partial views of the theme are reload when the theme changed Remove clear partial cache in handlebars This code will be move in `express-hbs`. This doesn't cause a problem to remove this line but it is not clean. Remove unused hbs instance Resolve conflict
2013-12-02 03:31:55 +04:00
expressServer.set('theme view engine', hbs.express3(hbsOptions));
Move server middleware configuration to related file
2013-11-12 10:03:25 +04:00
// Update user error template
Fixed check for a theme's custom error.hbs: Closes #2513 - Checks for property `error.hbs` on active theme - Added unit test to ensure `error` view is rendered when activeTheme has a custom error template. - Removed unused variable, `userErrorTemplatePath` from errorHandler - Refactored errorHandler.`updateActiveTheme` to take one argument, the new active theme, and to then check if the active theme has an error.hbs - Changed errorHandler unit test to use rewire for mocking config.
2014-03-27 00:43:16 +04:00
errors.updateActiveTheme(activeTheme);
Upgrade to Express 4.0 no related issue - Updates package.json packages, adding express middleware packages that have been broken into their own modules - Updates controllers/frontend.js to use the new Layer object that Express 4.0 has. Requires some monkey-patching as the Layer object isn't explicitly surfaced, however it should be safe to do. - Moved the setup of routes into middleware/index.js because they need to be added as a middleware function before the 404 and 500 handlers. This is no longer possible with the old app.use(app.router) as that has been removed. - Cleaned up middleware/index.js to make it compatible with Express 4.0. - Simplified the way themes are activated and enabled when they are activated. The new handling is simpler, yet should still cover all the use cases that previously existed. - The entire flow of activating a theme through middleware should be a little more centralized, letting it be easier to read and maintain. - Moved every routes/*.js file to use an individual express.Router() instance.
2014-04-12 07:46:15 +04:00
// Set active theme variable on the express server
expressServer.set('activeTheme', activeTheme);
Move server middleware configuration to related file
2013-11-12 10:03:25 +04:00
}
Switch middleware order to result in proper error fixes #3694 - Split the res.isAdmin check out into it's own thing because we need to detect whether we are in the admin, before everything else
2014-08-08 20:17:07 +04:00
// ### decideIsAdmin Middleware
Move server middleware configuration to related file
2013-11-12 10:03:25 +04:00
// Uses the URL to detect whether this response should be an admin response
// This is used to ensure the right content is served, and is not for security purposes
Switch middleware order to result in proper error fixes #3694 - Split the res.isAdmin check out into it's own thing because we need to detect whether we are in the admin, before everything else
2014-08-08 20:17:07 +04:00
function decideIsAdmin(req, res, next) {
This aims to speed up both the ghost application and tests by migration from usage of config() to just an object of config. no relevant issue - Change 'loadConfig' task to 'ensureConfig' to more accurately reflect what it is actually doing. Its sole purpose is to make sure a `config.js` file exists, and as such the name now reflects that purpose. - Update config/index.js to export the ghostConfig object directly so that it can be accessed from other modules - Update all references of config(). to config. This was a blind global find all and replace, treat it as such. - Fixes to tests to support new config access method - Allow each test to still work when invoked invidually
2014-07-17 18:33:21 +04:00
res.isAdmin = req.url.lastIndexOf(config.paths.subdir + '/ghost/', 0) === 0;
Switch middleware order to result in proper error fixes #3694 - Split the res.isAdmin check out into it's own thing because we need to detect whether we are in the admin, before everything else
2014-08-08 20:17:07 +04:00
next();
}
Install in sub-directory support. refs #527
2013-11-17 22:40:26 +04:00
Switch middleware order to result in proper error fixes #3694 - Split the res.isAdmin check out into it's own thing because we need to detect whether we are in the admin, before everything else
2014-08-08 20:17:07 +04:00
// ### configHbsForContext Middleware
// Setup handlebars for the current context (admin or theme)
function configHbsForContext(req, res, next) {
Move server middleware configuration to related file
2013-11-12 10:03:25 +04:00
if (res.isAdmin) {
Remove ghost.js fixes #1575 - Moves most code that was in ghost.js into ./core/server/index.js - Creates ./core/server/config/theme.js to hold all theme configurations (which previously lived on ghost.blogGlobals()) - Removed ghost.server, passing it in as an argument where needed and allowing middleware to hold onto a reference for lazy use.
2013-12-06 18:13:15 +04:00
expressServer.enable('admin');
Upgrade to Express 4.0 no related issue - Updates package.json packages, adding express middleware packages that have been broken into their own modules - Updates controllers/frontend.js to use the new Layer object that Express 4.0 has. Requires some monkey-patching as the Layer object isn't explicitly surfaced, however it should be safe to do. - Moved the setup of routes into middleware/index.js because they need to be added as a middleware function before the 404 and 500 handlers. This is no longer possible with the old app.use(app.router) as that has been removed. - Cleaned up middleware/index.js to make it compatible with Express 4.0. - Simplified the way themes are activated and enabled when they are activated. The new handling is simpler, yet should still cover all the use cases that previously existed. - The entire flow of activating a theme through middleware should be a little more centralized, letting it be easier to read and maintain. - Moved every routes/*.js file to use an individual express.Router() instance.
2014-04-12 07:46:15 +04:00
expressServer.engine('hbs', expressServer.get('admin view engine'));
This aims to speed up both the ghost application and tests by migration from usage of config() to just an object of config. no relevant issue - Change 'loadConfig' task to 'ensureConfig' to more accurately reflect what it is actually doing. Its sole purpose is to make sure a `config.js` file exists, and as such the name now reflects that purpose. - Update config/index.js to export the ghostConfig object directly so that it can be accessed from other modules - Update all references of config(). to config. This was a blind global find all and replace, treat it as such. - Fixes to tests to support new config access method - Allow each test to still work when invoked invidually
2014-07-17 18:33:21 +04:00
expressServer.set('views', config.paths.adminViews);
Move server middleware configuration to related file
2013-11-12 10:03:25 +04:00
} else {
Remove ghost.js fixes #1575 - Moves most code that was in ghost.js into ./core/server/index.js - Creates ./core/server/config/theme.js to hold all theme configurations (which previously lived on ghost.blogGlobals()) - Removed ghost.server, passing it in as an argument where needed and allowing middleware to hold onto a reference for lazy use.
2013-12-06 18:13:15 +04:00
expressServer.disable('admin');
Upgrade to Express 4.0 no related issue - Updates package.json packages, adding express middleware packages that have been broken into their own modules - Updates controllers/frontend.js to use the new Layer object that Express 4.0 has. Requires some monkey-patching as the Layer object isn't explicitly surfaced, however it should be safe to do. - Moved the setup of routes into middleware/index.js because they need to be added as a middleware function before the 404 and 500 handlers. This is no longer possible with the old app.use(app.router) as that has been removed. - Cleaned up middleware/index.js to make it compatible with Express 4.0. - Simplified the way themes are activated and enabled when they are activated. The new handling is simpler, yet should still cover all the use cases that previously existed. - The entire flow of activating a theme through middleware should be a little more centralized, letting it be easier to read and maintain. - Moved every routes/*.js file to use an individual express.Router() instance.
2014-04-12 07:46:15 +04:00
var themeData = initThemeData(req.secure);
hbs.updateTemplateOptions({ data: {blog: themeData} });
expressServer.engine('hbs', expressServer.get('theme view engine'));
This aims to speed up both the ghost application and tests by migration from usage of config() to just an object of config. no relevant issue - Change 'loadConfig' task to 'ensureConfig' to more accurately reflect what it is actually doing. Its sole purpose is to make sure a `config.js` file exists, and as such the name now reflects that purpose. - Update config/index.js to export the ghostConfig object directly so that it can be accessed from other modules - Update all references of config(). to config. This was a blind global find all and replace, treat it as such. - Fixes to tests to support new config access method - Allow each test to still work when invoked invidually
2014-07-17 18:33:21 +04:00
expressServer.set('views', path.join(config.paths.themePath, expressServer.get('activeTheme')));
Move server middleware configuration to related file
2013-11-12 10:03:25 +04:00
}
Upgrade to Express 4.0 no related issue - Updates package.json packages, adding express middleware packages that have been broken into their own modules - Updates controllers/frontend.js to use the new Layer object that Express 4.0 has. Requires some monkey-patching as the Layer object isn't explicitly surfaced, however it should be safe to do. - Moved the setup of routes into middleware/index.js because they need to be added as a middleware function before the 404 and 500 handlers. This is no longer possible with the old app.use(app.router) as that has been removed. - Cleaned up middleware/index.js to make it compatible with Express 4.0. - Simplified the way themes are activated and enabled when they are activated. The new handling is simpler, yet should still cover all the use cases that previously existed. - The entire flow of activating a theme through middleware should be a little more centralized, letting it be easier to read and maintain. - Moved every routes/*.js file to use an individual express.Router() instance.
2014-04-12 07:46:15 +04:00
// Pass 'secure' flag to the view engine
// so that templates can choose 'url' vs 'urlSSL'
res.locals.secure = req.secure;
next();
}
// ### updateActiveTheme
// Updates the expressServer's activeTheme variable and subsequently
// activates that theme's views with the hbs templating engine if it
// is not yet activated.
function updateActiveTheme(req, res, next) {
Refactor API arguments closes #2610, refs #2697 - cleanup API index.js, and add docs - all API methods take consistent arguments: object & options - browse, read, destroy take options, edit and add take object and options - the context is passed as part of options, meaning no more .call everywhere - destroy expects an object, rather than an id all the way down to the model layer - route params such as :id, :slug, and :key are passed as an option & used to perform reads, updates and deletes where possible - settings / themes may need work here still - HTTP posts api can find a post by slug - Add API utils for checkData
2014-05-08 16:41:19 +04:00
api.settings.read({context: {internal: true}, key: 'activeTheme'}).then(function (response) {
Settings API Primary Document refactor Closes #2606 - Refactor settings api responses to { settings: [ ] } format - Update all code using api.settings to handle new response format - Update test stubs to return new format - Update client site settings model to parse new format into one object of key/value pairs - Refactor to include all setting values - Remove unused settingsCollection method - Update settingsCache to store all attributes - Update settingsResult to send all attributes - Remove unnecessary when() wraps - Reject if editing a setting that doesn't exist - Reject earlier if setting key is empty - Update tests with new error messages - Use setting.add instead of edit that was incorrectly adding - Update importer to properly import activePlugins and installedPlugins - Update expected setting result fields - Fix a weird situation where hasOwnProperty didn't exist :shrug:
2014-04-28 03:28:50 +04:00
var activeTheme = response.settings[0];
remove ghost.settings and ghost.notifications covers 90% of #755 - moved ghost.settings to api.settings - moved ghost.notifications to api.notifications - split up api/index.js to notifications.js, posts.js, settings.js, tags.js and users.js - added instance.globals as temp workaround for blogglobals (Known issue: blog title and blog description are updated after restart only) - added webroot to config() to remove `var root = ...` - changed `e` and `url` helper to async - updated tests
2013-12-06 12:51:35 +04:00
// Check if the theme changed
Remove ghost.js fixes #1575 - Moves most code that was in ghost.js into ./core/server/index.js - Creates ./core/server/config/theme.js to hold all theme configurations (which previously lived on ghost.blogGlobals()) - Removed ghost.server, passing it in as an argument where needed and allowing middleware to hold onto a reference for lazy use.
2013-12-06 18:13:15 +04:00
if (activeTheme.value !== expressServer.get('activeTheme')) {
remove ghost.settings and ghost.notifications covers 90% of #755 - moved ghost.settings to api.settings - moved ghost.notifications to api.notifications - split up api/index.js to notifications.js, posts.js, settings.js, tags.js and users.js - added instance.globals as temp workaround for blogglobals (Known issue: blog title and blog description are updated after restart only) - added webroot to config() to remove `var root = ...` - changed `e` and `url` helper to async - updated tests
2013-12-06 12:51:35 +04:00
// Change theme
This aims to speed up both the ghost application and tests by migration from usage of config() to just an object of config. no relevant issue - Change 'loadConfig' task to 'ensureConfig' to more accurately reflect what it is actually doing. Its sole purpose is to make sure a `config.js` file exists, and as such the name now reflects that purpose. - Update config/index.js to export the ghostConfig object directly so that it can be accessed from other modules - Update all references of config(). to config. This was a blind global find all and replace, treat it as such. - Fixes to tests to support new config access method - Allow each test to still work when invoked invidually
2014-07-17 18:33:21 +04:00
if (!config.paths.availableThemes.hasOwnProperty(activeTheme.value)) {
remove ghost.settings and ghost.notifications covers 90% of #755 - moved ghost.settings to api.settings - moved ghost.notifications to api.notifications - split up api/index.js to notifications.js, posts.js, settings.js, tags.js and users.js - added instance.globals as temp workaround for blogglobals (Known issue: blog title and blog description are updated after restart only) - added webroot to config() to remove `var root = ...` - changed `e` and `url` helper to async - updated tests
2013-12-06 12:51:35 +04:00
if (!res.isAdmin) {
// Throw an error if the theme is not available, but not on the admin UI
Start up safely when the activeTheme is not present fixes #2000 - resolves errors when attempting to start Ghost without the active theme present - the frontend will render a 500 error page safely - issues with themes that have an error template are resolved separately in #2018
2014-01-25 02:14:56 +04:00
return errors.throwError('The currently active theme ' + activeTheme.value + ' is missing.');
remove ghost.settings and ghost.notifications covers 90% of #755 - moved ghost.settings to api.settings - moved ghost.notifications to api.notifications - split up api/index.js to notifications.js, posts.js, settings.js, tags.js and users.js - added instance.globals as temp workaround for blogglobals (Known issue: blog title and blog description are updated after restart only) - added webroot to config() to remove `var root = ...` - changed `e` and `url` helper to async - updated tests
2013-12-06 12:51:35 +04:00
}
} else {
activateTheme(activeTheme.value);
Move server middleware configuration to related file
2013-11-12 10:03:25 +04:00
}
}
remove ghost.settings and ghost.notifications covers 90% of #755 - moved ghost.settings to api.settings - moved ghost.notifications to api.notifications - split up api/index.js to notifications.js, posts.js, settings.js, tags.js and users.js - added instance.globals as temp workaround for blogglobals (Known issue: blog title and blog description are updated after restart only) - added webroot to config() to remove `var root = ...` - changed `e` and `url` helper to async - updated tests
2013-12-06 12:51:35 +04:00
next();
Replace the when promise library with bluebird. Closes #968
2014-08-17 10:17:23 +04:00
}).catch(function (err) {
Start up safely when the activeTheme is not present fixes #2000 - resolves errors when attempting to start Ghost without the active theme present - the frontend will render a 500 error page safely - issues with themes that have an error template are resolved separately in #2018
2014-01-25 02:14:56 +04:00
// Trying to start up without the active theme present, setup a simple hbs instance
// and render an error page straight away.
expressServer.engine('hbs', hbs.express3());
next(err);
remove ghost.settings and ghost.notifications covers 90% of #755 - moved ghost.settings to api.settings - moved ghost.notifications to api.notifications - split up api/index.js to notifications.js, posts.js, settings.js, tags.js and users.js - added instance.globals as temp workaround for blogglobals (Known issue: blog title and blog description are updated after restart only) - added webroot to config() to remove `var root = ...` - changed `e` and `url` helper to async - updated tests
2013-12-06 12:51:35 +04:00
});
Move server middleware configuration to related file
2013-11-12 10:03:25 +04:00
}
New setup screen for blog installation. fixes #3072 - Change router to handle /ember/setup/ - Adjust doSignup to also handle setup - Adjust tests and add new where necessary - Add setup controller, setup validation, setup route - Adjust casper emberSetup to handle new setup
2014-06-25 16:12:48 +04:00
// Redirect to setup if no user exists
function redirectToSetup(req, res, next) {
/*jslint unparam:true*/
Move setup to API closes #3136 - moved setup to authentication API - added `POST /ghost/api/v0.1/authentication/setup` to execute the setup process - added `GET /ghost/api/v0.1/authentication/setup` to check if blog is already set up (needed for #3145) - removed unused methods from api/users.js
2014-07-11 16:17:09 +04:00
api.authentication.isSetup().then(function (exists) {
if (!exists.setup[0].status && !req.path.match(/\/ghost\/setup\//)) {
This aims to speed up both the ghost application and tests by migration from usage of config() to just an object of config. no relevant issue - Change 'loadConfig' task to 'ensureConfig' to more accurately reflect what it is actually doing. Its sole purpose is to make sure a `config.js` file exists, and as such the name now reflects that purpose. - Update config/index.js to export the ghostConfig object directly so that it can be accessed from other modules - Update all references of config(). to config. This was a blind global find all and replace, treat it as such. - Fixes to tests to support new config access method - Allow each test to still work when invoked invidually
2014-07-17 18:33:21 +04:00
return res.redirect(config.paths.subdir + '/ghost/setup/');
New setup screen for blog installation. fixes #3072 - Change router to handle /ember/setup/ - Adjust doSignup to also handle setup - Adjust tests and add new where necessary - Add setup controller, setup validation, setup route - Adjust casper emberSetup to handle new setup
2014-06-25 16:12:48 +04:00
}
next();
Replace the when promise library with bluebird. Closes #968
2014-08-17 10:17:23 +04:00
}).catch(function (err) {
New setup screen for blog installation. fixes #3072 - Change router to handle /ember/setup/ - Adjust doSignup to also handle setup - Adjust tests and add new where necessary - Add setup controller, setup validation, setup route - Adjust casper emberSetup to handle new setup
2014-06-25 16:12:48 +04:00
return next(new Error(err));
});
}
Redirect uppercase routes to lowercase version fixes #3857 - adds uncapitalise middleware which detects uppercase in req.path and redirects to the lowercase equivalent - change the ghost route to a regex, just so it's consistent with other routes in the file
2014-08-23 20:23:34 +04:00
// Detect uppercase in req.path
function uncapitalise(req, res, next) {
Uncapitalise middleware should not affect tokens no issue - Whilst testing on next, I noticed trying to signup didn't prepopulate email addresses any more, and this is why
2014-08-27 01:07:03 +04:00
var pathToTest = req.path,
Restrict uncapitalise middleware for API no ref - Do not lowercase anything after /api/v0.1/<resource>/ to protect :key/:slug
2014-08-29 23:48:58 +04:00
isSignupOrReset = req.path.match(/(\/ghost\/(signup|reset)\/)/i),
isAPI = req.path.match(/(\/ghost\/api\/v0[\d\.]+\/.*?\/)/i);
Uncapitalise middleware should not affect tokens no issue - Whilst testing on next, I noticed trying to signup didn't prepopulate email addresses any more, and this is why
2014-08-27 01:07:03 +04:00
if (isSignupOrReset) {
pathToTest = isSignupOrReset[1];
}
Restrict uncapitalise middleware for API no ref - Do not lowercase anything after /api/v0.1/<resource>/ to protect :key/:slug
2014-08-29 23:48:58 +04:00
// Do not lowercase anything after /api/v0.1/ to protect :key/:slug
if (isAPI) {
pathToTest = isAPI[1];
}
Uncapitalise middleware should not affect tokens no issue - Whilst testing on next, I noticed trying to signup didn't prepopulate email addresses any more, and this is why
2014-08-27 01:07:03 +04:00
if (/[A-Z]/.test(pathToTest)) {
Redirect uppercase routes to lowercase version fixes #3857 - adds uncapitalise middleware which detects uppercase in req.path and redirects to the lowercase equivalent - change the ghost route to a regex, just so it's consistent with other routes in the file
2014-08-23 20:23:34 +04:00
res.set('Cache-Control', 'public, max-age=' + utils.ONE_YEAR_S);
Uncapitalise middleware should not affect tokens no issue - Whilst testing on next, I noticed trying to signup didn't prepopulate email addresses any more, and this is why
2014-08-27 01:07:03 +04:00
res.redirect(301, req.url.replace(pathToTest, pathToTest.toLowerCase()));
Redirect uppercase routes to lowercase version fixes #3857 - adds uncapitalise middleware which detects uppercase in req.path and redirects to the lowercase equivalent - change the ghost route to a regex, just so it's consistent with other routes in the file
2014-08-23 20:23:34 +04:00
} else {
next();
}
}
Set cookie secure flag closes #1680 - added secure flag for cookies if SSL is forced
2013-12-19 20:05:45 +04:00
function isSSLrequired(isAdmin) {
This aims to speed up both the ghost application and tests by migration from usage of config() to just an object of config. no relevant issue - Change 'loadConfig' task to 'ensureConfig' to more accurately reflect what it is actually doing. Its sole purpose is to make sure a `config.js` file exists, and as such the name now reflects that purpose. - Update config/index.js to export the ghostConfig object directly so that it can be accessed from other modules - Update all references of config(). to config. This was a blind global find all and replace, treat it as such. - Fixes to tests to support new config access method - Allow each test to still work when invoked invidually
2014-07-17 18:33:21 +04:00
var forceSSL = url.parse(config.url).protocol === 'https:' ? true : false,
forceAdminSSL = (isAdmin && config.forceAdminSSL);
Set cookie secure flag closes #1680 - added secure flag for cookies if SSL is forced
2013-12-19 20:05:45 +04:00
if (forceSSL || forceAdminSSL) {
return true;
Add Force SSL Configuration/Middleware Solves #1300 - Adds forceAdminSSL bool config value - Adds checkSSL middleware - Adds redirectSSL helper function
2013-12-09 23:41:19 +04:00
}
Set cookie secure flag closes #1680 - added secure flag for cookies if SSL is forced
2013-12-19 20:05:45 +04:00
return false;
Add Force SSL Configuration/Middleware Solves #1300 - Adds forceAdminSSL bool config value - Adds checkSSL middleware - Adds redirectSSL helper function
2013-12-09 23:41:19 +04:00
}
Set cookie secure flag closes #1680 - added secure flag for cookies if SSL is forced
2013-12-19 20:05:45 +04:00
// Check to see if we should use SSL
// and redirect if needed
Add Force SSL Configuration/Middleware Solves #1300 - Adds forceAdminSSL bool config value - Adds checkSSL middleware - Adds redirectSSL helper function
2013-12-09 23:41:19 +04:00
function checkSSL(req, res, next) {
Set cookie secure flag closes #1680 - added secure flag for cookies if SSL is forced
2013-12-19 20:05:45 +04:00
if (isSSLrequired(res.isAdmin)) {
Detect SSL connection whether or not behind a proxy closes #1836 - adding server.enable('trust proxy') to let connect framework do the work of detecting X-Forwarded-Proto header - replacing explicit checking for the X-Forwarded-Proto header with just 'req.secure' boolean check
2014-01-27 02:00:50 +04:00
if (!req.secure) {
This aims to speed up both the ghost application and tests by migration from usage of config() to just an object of config. no relevant issue - Change 'loadConfig' task to 'ensureConfig' to more accurately reflect what it is actually doing. Its sole purpose is to make sure a `config.js` file exists, and as such the name now reflects that purpose. - Update config/index.js to export the ghostConfig object directly so that it can be accessed from other modules - Update all references of config(). to config. This was a blind global find all and replace, treat it as such. - Fixes to tests to support new config access method - Allow each test to still work when invoked invidually
2014-07-17 18:33:21 +04:00
var forceAdminSSL = config.forceAdminSSL,
Support for urlSSL config option and forceAdminSSL 403 response closes #1838 - adding `forceAdminSSL: {redirect: true/false}` option to allow 403 over non-SSL rather than redirect - adding `urlSSL` option to specify SSL variant of `url` - using `urlSSL` when redirecting to SSL (forceAdminSSL), if specified - dynamically patching `.url` property for view engine templates to use SSL variant over HTTPS connections (pass `.secure` property as view engine data) - using `urlSSL` in a "reset password" email, if specified - adding unit tests to test `forceAdminSSL` and `urlSSL` options - created a unit test utility function to dynamically fork a new instance of Ghost during the test, with different configuration options
2014-02-22 05:25:31 +04:00
redirectUrl;
// Check if forceAdminSSL: { redirect: false } is set, which means
// we should just deny non-SSL access rather than redirect
if (forceAdminSSL && forceAdminSSL.redirect !== undefined && !forceAdminSSL.redirect) {
Update express and body-parser dependencies. No Issue - Upgrade to versions of these packages that use qs >= 1.0.0.
2014-08-09 17:48:58 +04:00
return res.status(403).end();
Support for urlSSL config option and forceAdminSSL 403 response closes #1838 - adding `forceAdminSSL: {redirect: true/false}` option to allow 403 over non-SSL rather than redirect - adding `urlSSL` option to specify SSL variant of `url` - using `urlSSL` when redirecting to SSL (forceAdminSSL), if specified - dynamically patching `.url` property for view engine templates to use SSL variant over HTTPS connections (pass `.secure` property as view engine data) - using `urlSSL` in a "reset password" email, if specified - adding unit tests to test `forceAdminSSL` and `urlSSL` options - created a unit test utility function to dynamically fork a new instance of Ghost during the test, with different configuration options
2014-02-22 05:25:31 +04:00
}
This aims to speed up both the ghost application and tests by migration from usage of config() to just an object of config. no relevant issue - Change 'loadConfig' task to 'ensureConfig' to more accurately reflect what it is actually doing. Its sole purpose is to make sure a `config.js` file exists, and as such the name now reflects that purpose. - Update config/index.js to export the ghostConfig object directly so that it can be accessed from other modules - Update all references of config(). to config. This was a blind global find all and replace, treat it as such. - Fixes to tests to support new config access method - Allow each test to still work when invoked invidually
2014-07-17 18:33:21 +04:00
redirectUrl = url.parse(config.urlSSL || config.url);
Set cookie secure flag closes #1680 - added secure flag for cookies if SSL is forced
2013-12-19 20:05:45 +04:00
return res.redirect(301, url.format({
protocol: 'https:',
Support for urlSSL config option and forceAdminSSL 403 response closes #1838 - adding `forceAdminSSL: {redirect: true/false}` option to allow 403 over non-SSL rather than redirect - adding `urlSSL` option to specify SSL variant of `url` - using `urlSSL` when redirecting to SSL (forceAdminSSL), if specified - dynamically patching `.url` property for view engine templates to use SSL variant over HTTPS connections (pass `.secure` property as view engine data) - using `urlSSL` in a "reset password" email, if specified - adding unit tests to test `forceAdminSSL` and `urlSSL` options - created a unit test utility function to dynamically fork a new instance of Ghost during the test, with different configuration options
2014-02-22 05:25:31 +04:00
hostname: redirectUrl.hostname,
port: redirectUrl.port,
Set cookie secure flag closes #1680 - added secure flag for cookies if SSL is forced
2013-12-19 20:05:45 +04:00
pathname: req.path,
query: req.query
}));
}
Add Force SSL Configuration/Middleware Solves #1300 - Adds forceAdminSSL bool config value - Adds checkSSL middleware - Adds redirectSSL helper function
2013-12-09 23:41:19 +04:00
}
next();
}
Serve default robots.txt closes #2062 - Server robots.txt from theme if available - Serve default robots.txt from /core/shared/ otherwise - Added tests for default robots.txt
2014-03-09 13:28:58 +04:00
// ### Robots Middleware
// Handle requests to robots.txt and cache file
function robots() {
var content, // file cache
This aims to speed up both the ghost application and tests by migration from usage of config() to just an object of config. no relevant issue - Change 'loadConfig' task to 'ensureConfig' to more accurately reflect what it is actually doing. Its sole purpose is to make sure a `config.js` file exists, and as such the name now reflects that purpose. - Update config/index.js to export the ghostConfig object directly so that it can be accessed from other modules - Update all references of config(). to config. This was a blind global find all and replace, treat it as such. - Fixes to tests to support new config access method - Allow each test to still work when invoked invidually
2014-07-17 18:33:21 +04:00
filePath = path.join(config.paths.corePath, '/shared/robots.txt');
Serve default robots.txt closes #2062 - Server robots.txt from theme if available - Serve default robots.txt from /core/shared/ otherwise - Added tests for default robots.txt
2014-03-09 13:28:58 +04:00
return function robots(req, res, next) {
if ('/robots.txt' === req.url) {
if (content) {
res.writeHead(200, content.headers);
res.end(content.body);
} else {
fs.readFile(filePath, function (err, buf) {
if (err) {
return next(err);
}
Move user API to primary document format closes #2593 - added new format to user API methods - changed all places where the user api was used - updated tests and added more coverage - little bit of cleanup in utils/api
2014-04-29 00:42:38 +04:00
Serve default robots.txt closes #2062 - Server robots.txt from theme if available - Serve default robots.txt from /core/shared/ otherwise - Added tests for default robots.txt
2014-03-09 13:28:58 +04:00
content = {
headers: {
'Content-Type': 'text/plain',
'Content-Length': buf.length,
Change refresh token expiry no issue - acquiring a new access token using a refresh token sets the expiration time of the refresh token to now + 24 hrs. - moved all occurrences of ONE_HOUR, ONE_DAY and ONE_YEAR to `core/server/utils`
2014-07-28 17:19:49 +04:00
'Cache-Control': 'public, max-age=' + utils.ONE_YEAR_S
Serve default robots.txt closes #2062 - Server robots.txt from theme if available - Serve default robots.txt from /core/shared/ otherwise - Added tests for default robots.txt
2014-03-09 13:28:58 +04:00
},
body: buf
};
res.writeHead(200, content.headers);
res.end(content.body);
});
}
} else {
next();
}
};
}
Server side cleanup - remove sessions - remove all references to csrf - create a shared base model for the 2 types of token
2014-07-14 16:29:45 +04:00
setupMiddleware = function (server) {
This aims to speed up both the ghost application and tests by migration from usage of config() to just an object of config. no relevant issue - Change 'loadConfig' task to 'ensureConfig' to more accurately reflect what it is actually doing. Its sole purpose is to make sure a `config.js` file exists, and as such the name now reflects that purpose. - Update config/index.js to export the ghostConfig object directly so that it can be accessed from other modules - Update all references of config(). to config. This was a blind global find all and replace, treat it as such. - Fixes to tests to support new config access method - Allow each test to still work when invoked invidually
2014-07-17 18:33:21 +04:00
var logging = config.logging,
subdir = config.paths.subdir,
corePath = config.paths.corePath,
oAuth closes #2759 closes #3027 - added oauth2orize library for server side oAuth handling - added ember-simple-auth library for admin oAuth handling - added tables for client, accesstoken and refreshtoken - implemented RFC6749 4.3 Ressouce Owner Password Credentials Grant - updated api tests with oAuth - removed session, authentication is now token based Known issues: - Restore spam prevention #3128 - Signin after Signup #3125 - Signin validation #3125 **Attention** - oldClient doesn't work with this PR anymore, session authentication was removed
2014-06-30 16:58:10 +04:00
oauthServer = oauth2orize.createServer();
// silence JSHint without disabling unused check for the whole file
authStrategies = authStrategies;
Move server middleware configuration to related file
2013-11-12 10:03:25 +04:00
Remove ghost.js fixes #1575 - Moves most code that was in ghost.js into ./core/server/index.js - Creates ./core/server/config/theme.js to hold all theme configurations (which previously lived on ghost.blogGlobals()) - Removed ghost.server, passing it in as an argument where needed and allowing middleware to hold onto a reference for lazy use.
2013-12-06 18:13:15 +04:00
// Cache express server instance
expressServer = server;
middleware.cacheServer(expressServer);
oAuth closes #2759 closes #3027 - added oauth2orize library for server side oAuth handling - added ember-simple-auth library for admin oAuth handling - added tables for client, accesstoken and refreshtoken - implemented RFC6749 4.3 Ressouce Owner Password Credentials Grant - updated api tests with oAuth - removed session, authentication is now token based Known issues: - Restore spam prevention #3128 - Signin after Signup #3125 - Signin validation #3125 **Attention** - oldClient doesn't work with this PR anymore, session authentication was removed
2014-06-30 16:58:10 +04:00
middleware.cacheOauthServer(oauthServer);
Improve spam prevention closes #3544 - limit forgotten password requests to five requests per IP per hour for different email addresses - limit forgotten password requests to five requests per email address - limit signin requests to ten failed requests per IP per hour - removed special treatment for tests
2014-08-05 14:58:58 +04:00
oauth.init(oauthServer, middleware.resetSpamCounter);
Remove ghost.js fixes #1575 - Moves most code that was in ghost.js into ./core/server/index.js - Creates ./core/server/config/theme.js to hold all theme configurations (which previously lived on ghost.blogGlobals()) - Removed ghost.server, passing it in as an argument where needed and allowing middleware to hold onto a reference for lazy use.
2013-12-06 18:13:15 +04:00
Detect SSL connection whether or not behind a proxy closes #1836 - adding server.enable('trust proxy') to let connect framework do the work of detecting X-Forwarded-Proto header - replacing explicit checking for the X-Forwarded-Proto header with just 'req.secure' boolean check
2014-01-27 02:00:50 +04:00
// Make sure 'req.secure' is valid for proxied requests
// (X-Forwarded-Proto header will be checked, if present)
expressServer.enable('trust proxy');
Move server middleware configuration to related file
2013-11-12 10:03:25 +04:00
// Logging configuration
Add logging config option closes #2103 - Deactivate logging for testing environments - Override logging with settings from config
2014-02-11 01:07:11 +04:00
if (logging !== false) {
if (expressServer.get('env') !== 'development') {
Upgrade to Express 4.0 no related issue - Updates package.json packages, adding express middleware packages that have been broken into their own modules - Updates controllers/frontend.js to use the new Layer object that Express 4.0 has. Requires some monkey-patching as the Layer object isn't explicitly surfaced, however it should be safe to do. - Moved the setup of routes into middleware/index.js because they need to be added as a middleware function before the 404 and 500 handlers. This is no longer possible with the old app.use(app.router) as that has been removed. - Cleaned up middleware/index.js to make it compatible with Express 4.0. - Simplified the way themes are activated and enabled when they are activated. The new handling is simpler, yet should still cover all the use cases that previously existed. - The entire flow of activating a theme through middleware should be a little more centralized, letting it be easier to read and maintain. - Moved every routes/*.js file to use an individual express.Router() instance.
2014-04-12 07:46:15 +04:00
expressServer.use(logger(logging || {}));
Add logging config option closes #2103 - Deactivate logging for testing environments - Override logging with settings from config
2014-02-11 01:07:11 +04:00
} else {
Upgrade to Express 4.0 no related issue - Updates package.json packages, adding express middleware packages that have been broken into their own modules - Updates controllers/frontend.js to use the new Layer object that Express 4.0 has. Requires some monkey-patching as the Layer object isn't explicitly surfaced, however it should be safe to do. - Moved the setup of routes into middleware/index.js because they need to be added as a middleware function before the 404 and 500 handlers. This is no longer possible with the old app.use(app.router) as that has been removed. - Cleaned up middleware/index.js to make it compatible with Express 4.0. - Simplified the way themes are activated and enabled when they are activated. The new handling is simpler, yet should still cover all the use cases that previously existed. - The entire flow of activating a theme through middleware should be a little more centralized, letting it be easier to read and maintain. - Moved every routes/*.js file to use an individual express.Router() instance.
2014-04-12 07:46:15 +04:00
expressServer.use(logger(logging || 'dev'));
Add logging config option closes #2103 - Deactivate logging for testing environments - Override logging with settings from config
2014-02-11 01:07:11 +04:00
}
Move server middleware configuration to related file
2013-11-12 10:03:25 +04:00
}
// Favicon
Upgrade to Express 4.0 no related issue - Updates package.json packages, adding express middleware packages that have been broken into their own modules - Updates controllers/frontend.js to use the new Layer object that Express 4.0 has. Requires some monkey-patching as the Layer object isn't explicitly surfaced, however it should be safe to do. - Moved the setup of routes into middleware/index.js because they need to be added as a middleware function before the 404 and 500 handlers. This is no longer possible with the old app.use(app.router) as that has been removed. - Cleaned up middleware/index.js to make it compatible with Express 4.0. - Simplified the way themes are activated and enabled when they are activated. The new handling is simpler, yet should still cover all the use cases that previously existed. - The entire flow of activating a theme through middleware should be a little more centralized, letting it be easier to read and maintain. - Moved every routes/*.js file to use an individual express.Router() instance.
2014-04-12 07:46:15 +04:00
expressServer.use(subdir, favicon(corePath + '/shared/favicon.ico'));
Move server middleware configuration to related file
2013-11-12 10:03:25 +04:00
Cache control headers & query string asset management closes #1470 issue #1405 - added cache control middleware - added defaults for all routes, assets, etc - updated asset helper to add a query string with a timestamp hash to all assets - added unit tests for asset and ghostScriptTags helpers - added cache-control checks to route tests
2013-12-31 03:13:25 +04:00
// Static assets
Change refresh token expiry no issue - acquiring a new access token using a refresh token sets the expiration time of the refresh token to now + 24 hrs. - moved all occurrences of ONE_HOUR, ONE_DAY and ONE_YEAR to `core/server/utils`
2014-07-28 17:19:49 +04:00
expressServer.use(subdir + '/shared', express['static'](path.join(corePath, '/shared'), {maxAge: utils.ONE_HOUR_MS}));
Path, url and subdir cleanup & test issue #1754 - remove path (it was only used once, and not needed) - change webroot to subdir - add unit tests for config.paths - various other cleanup - renamed client-side ghostRoot to subdir - added url helper for client
2013-12-28 20:01:08 +04:00
expressServer.use(subdir + '/content/images', storage.get_storage().serve());
Change refresh token expiry no issue - acquiring a new access token using a refresh token sets the expiration time of the refresh token to now + 24 hrs. - moved all occurrences of ONE_HOUR, ONE_DAY and ONE_YEAR to `core/server/utils`
2014-07-28 17:19:49 +04:00
expressServer.use(subdir + '/ghost/scripts', express['static'](path.join(corePath, '/built/scripts'), {maxAge: utils.ONE_YEAR_MS}));
expressServer.use(subdir + '/public', express['static'](path.join(corePath, '/built/public'), {maxAge: utils.ONE_YEAR_MS}));
Move server middleware configuration to related file
2013-11-12 10:03:25 +04:00
// First determine whether we're serving admin or theme content
Switch middleware order to result in proper error fixes #3694 - Split the res.isAdmin check out into it's own thing because we need to detect whether we are in the admin, before everything else
2014-08-08 20:17:07 +04:00
expressServer.use(decideIsAdmin);
Upgrade to Express 4.0 no related issue - Updates package.json packages, adding express middleware packages that have been broken into their own modules - Updates controllers/frontend.js to use the new Layer object that Express 4.0 has. Requires some monkey-patching as the Layer object isn't explicitly surfaced, however it should be safe to do. - Moved the setup of routes into middleware/index.js because they need to be added as a middleware function before the 404 and 500 handlers. This is no longer possible with the old app.use(app.router) as that has been removed. - Cleaned up middleware/index.js to make it compatible with Express 4.0. - Simplified the way themes are activated and enabled when they are activated. The new handling is simpler, yet should still cover all the use cases that previously existed. - The entire flow of activating a theme through middleware should be a little more centralized, letting it be easier to read and maintain. - Moved every routes/*.js file to use an individual express.Router() instance.
2014-04-12 07:46:15 +04:00
expressServer.use(updateActiveTheme);
Switch middleware order to result in proper error fixes #3694 - Split the res.isAdmin check out into it's own thing because we need to detect whether we are in the admin, before everything else
2014-08-08 20:17:07 +04:00
expressServer.use(configHbsForContext);
Move server middleware configuration to related file
2013-11-12 10:03:25 +04:00
// Admin only config
Change refresh token expiry no issue - acquiring a new access token using a refresh token sets the expiration time of the refresh token to now + 24 hrs. - moved all occurrences of ONE_HOUR, ONE_DAY and ONE_YEAR to `core/server/utils`
2014-07-28 17:19:49 +04:00
expressServer.use(subdir + '/ghost', middleware.whenEnabled('admin', express['static'](path.join(corePath, '/client/assets'), {maxAge: utils.ONE_YEAR_MS})));
Move server middleware configuration to related file
2013-11-12 10:03:25 +04:00
Fix error page resources loading when forceAdminSSL is true closes #1837 - moved admin theme static resource service above 'checkSSL', otherwise when forceAdminSSL is true it will try to redirect them to HTTPS, and error pages will be unstyled
2014-01-27 02:21:24 +04:00
// Force SSL
// NOTE: Importantly this is _after_ the check above for admin-theme static resources,
// which do not need HTTPS. In fact, if HTTPS is forced on them, then 404 page might
// not display properly when HTTPS is not available!
expressServer.use(checkSSL);
Move server middleware configuration to related file
2013-11-12 10:03:25 +04:00
// Theme only config
Upgrade to Express 4.0 no related issue - Updates package.json packages, adding express middleware packages that have been broken into their own modules - Updates controllers/frontend.js to use the new Layer object that Express 4.0 has. Requires some monkey-patching as the Layer object isn't explicitly surfaced, however it should be safe to do. - Moved the setup of routes into middleware/index.js because they need to be added as a middleware function before the 404 and 500 handlers. This is no longer possible with the old app.use(app.router) as that has been removed. - Cleaned up middleware/index.js to make it compatible with Express 4.0. - Simplified the way themes are activated and enabled when they are activated. The new handling is simpler, yet should still cover all the use cases that previously existed. - The entire flow of activating a theme through middleware should be a little more centralized, letting it be easier to read and maintain. - Moved every routes/*.js file to use an individual express.Router() instance.
2014-04-12 07:46:15 +04:00
expressServer.use(subdir, middleware.staticTheme());
Move server middleware configuration to related file
2013-11-12 10:03:25 +04:00
Serve default robots.txt closes #2062 - Server robots.txt from theme if available - Serve default robots.txt from /core/shared/ otherwise - Added tests for default robots.txt
2014-03-09 13:28:58 +04:00
// Serve robots.txt if not found in theme
expressServer.use(robots());
Redirect uppercase routes to lowercase version fixes #3857 - adds uncapitalise middleware which detects uppercase in req.path and redirects to the lowercase equivalent - change the ghost route to a regex, just so it's consistent with other routes in the file
2014-08-23 20:23:34 +04:00
// Handle trailing slashes and capitalization of routes
Change refresh token expiry no issue - acquiring a new access token using a refresh token sets the expiration time of the refresh token to now + 24 hrs. - moved all occurrences of ONE_HOUR, ONE_DAY and ONE_YEAR to `core/server/utils`
2014-07-28 17:19:49 +04:00
expressServer.use(slashes(true, {headers: {'Cache-Control': 'public, max-age=' + utils.ONE_YEAR_S}}));
Redirect uppercase routes to lowercase version fixes #3857 - adds uncapitalise middleware which detects uppercase in req.path and redirects to the lowercase equivalent - change the ghost route to a regex, just so it's consistent with other routes in the file
2014-08-23 20:23:34 +04:00
expressServer.use(uncapitalise);
Move server middleware configuration to related file
2013-11-12 10:03:25 +04:00
Cache control headers & query string asset management closes #1470 issue #1405 - added cache control middleware - added defaults for all routes, assets, etc - updated asset helper to add a query string with a timestamp hash to all assets - added unit tests for asset and ghostScriptTags helpers - added cache-control checks to route tests
2013-12-31 03:13:25 +04:00
// Body parsing
Upgrade to Express 4.0 no related issue - Updates package.json packages, adding express middleware packages that have been broken into their own modules - Updates controllers/frontend.js to use the new Layer object that Express 4.0 has. Requires some monkey-patching as the Layer object isn't explicitly surfaced, however it should be safe to do. - Moved the setup of routes into middleware/index.js because they need to be added as a middleware function before the 404 and 500 handlers. This is no longer possible with the old app.use(app.router) as that has been removed. - Cleaned up middleware/index.js to make it compatible with Express 4.0. - Simplified the way themes are activated and enabled when they are activated. The new handling is simpler, yet should still cover all the use cases that previously existed. - The entire flow of activating a theme through middleware should be a little more centralized, letting it be easier to read and maintain. - Moved every routes/*.js file to use an individual express.Router() instance.
2014-04-12 07:46:15 +04:00
expressServer.use(bodyParser.json());
Update express and body-parser dependencies. No Issue - Upgrade to versions of these packages that use qs >= 1.0.0.
2014-08-09 17:48:58 +04:00
expressServer.use(bodyParser.urlencoded({ extended: true }));
Install in sub-directory support. refs #527
2013-11-17 22:40:26 +04:00
oAuth closes #2759 closes #3027 - added oauth2orize library for server side oAuth handling - added ember-simple-auth library for admin oAuth handling - added tables for client, accesstoken and refreshtoken - implemented RFC6749 4.3 Ressouce Owner Password Credentials Grant - updated api tests with oAuth - removed session, authentication is now token based Known issues: - Restore spam prevention #3128 - Signin after Signup #3125 - Signin validation #3125 **Attention** - oldClient doesn't work with this PR anymore, session authentication was removed
2014-06-30 16:58:10 +04:00
expressServer.use(passport.initialize());
Move server middleware configuration to related file
2013-11-12 10:03:25 +04:00
Make session expiry less arsey closes #2171 - added authentication middleware - removed authentication from routes - moved authentication before CSRF validation - moved caching rules before authentication - changed/added test
2014-02-14 14:00:11 +04:00
// ### Caching
expressServer.use(middleware.cacheControl('public'));
Respect subdirectory in authenticate middleware
2014-02-20 02:53:40 +04:00
expressServer.use(subdir + '/ghost/', middleware.cacheControl('private'));
Make session expiry less arsey closes #2171 - added authentication middleware - removed authentication from routes - moved authentication before CSRF validation - moved caching rules before authentication - changed/added test
2014-02-14 14:00:11 +04:00
Proper endpoints for persistent notifications closes #2637 - Add new get API route for all notifications - Wrap API responses to comply with JSON-API - Add new tests / adjust fixtures - Adjust all occurences of passive notifications
2014-04-29 00:58:18 +04:00
oAuth closes #2759 closes #3027 - added oauth2orize library for server side oAuth handling - added ember-simple-auth library for admin oAuth handling - added tables for client, accesstoken and refreshtoken - implemented RFC6749 4.3 Ressouce Owner Password Credentials Grant - updated api tests with oAuth - removed session, authentication is now token based Known issues: - Restore spam prevention #3128 - Signin after Signup #3125 - Signin validation #3125 **Attention** - oldClient doesn't work with this PR anymore, session authentication was removed
2014-06-30 16:58:10 +04:00
// enable authentication
Make session expiry less arsey closes #2171 - added authentication middleware - removed authentication from routes - moved authentication before CSRF validation - moved caching rules before authentication - changed/added test
2014-02-14 14:00:11 +04:00
expressServer.use(middleware.authenticate);
Move server middleware configuration to related file
2013-11-12 10:03:25 +04:00
// local data
Remove ghost.js fixes #1575 - Moves most code that was in ghost.js into ./core/server/index.js - Creates ./core/server/config/theme.js to hold all theme configurations (which previously lived on ghost.blogGlobals()) - Removed ghost.server, passing it in as an argument where needed and allowing middleware to hold onto a reference for lazy use.
2013-12-06 18:13:15 +04:00
expressServer.use(ghostLocals);
Proper endpoints for persistent notifications closes #2637 - Add new get API route for all notifications - Wrap API responses to comply with JSON-API - Add new tests / adjust fixtures - Adjust all occurences of passive notifications
2014-04-29 00:58:18 +04:00
Cache control headers & query string asset management closes #1470 issue #1405 - added cache control middleware - added defaults for all routes, assets, etc - updated asset helper to add a query string with a timestamp hash to all assets - added unit tests for asset and ghostScriptTags helpers - added cache-control checks to route tests
2013-12-31 03:13:25 +04:00
// ### Routing
Upgrade to Express 4.0 no related issue - Updates package.json packages, adding express middleware packages that have been broken into their own modules - Updates controllers/frontend.js to use the new Layer object that Express 4.0 has. Requires some monkey-patching as the Layer object isn't explicitly surfaced, however it should be safe to do. - Moved the setup of routes into middleware/index.js because they need to be added as a middleware function before the 404 and 500 handlers. This is no longer possible with the old app.use(app.router) as that has been removed. - Cleaned up middleware/index.js to make it compatible with Express 4.0. - Simplified the way themes are activated and enabled when they are activated. The new handling is simpler, yet should still cover all the use cases that previously existed. - The entire flow of activating a theme through middleware should be a little more centralized, letting it be easier to read and maintain. - Moved every routes/*.js file to use an individual express.Router() instance.
2014-04-12 07:46:15 +04:00
// Set up API routes
Move post slug endpoint & add endpoints for users closes #3187 - move slug endpoint to post/slug/:slug - create similar slug and email endpoint for users - add/update tests
2014-07-09 02:28:31 +04:00
expressServer.use(subdir + routes.apiBaseUri, routes.api(middleware));
Upgrade to Express 4.0 no related issue - Updates package.json packages, adding express middleware packages that have been broken into their own modules - Updates controllers/frontend.js to use the new Layer object that Express 4.0 has. Requires some monkey-patching as the Layer object isn't explicitly surfaced, however it should be safe to do. - Moved the setup of routes into middleware/index.js because they need to be added as a middleware function before the 404 and 500 handlers. This is no longer possible with the old app.use(app.router) as that has been removed. - Cleaned up middleware/index.js to make it compatible with Express 4.0. - Simplified the way themes are activated and enabled when they are activated. The new handling is simpler, yet should still cover all the use cases that previously existed. - The entire flow of activating a theme through middleware should be a little more centralized, letting it be easier to read and maintain. - Moved every routes/*.js file to use an individual express.Router() instance.
2014-04-12 07:46:15 +04:00
// Set up Admin routes
expressServer.use(subdir, routes.admin(middleware));
// Set up Frontend routes
expressServer.use(subdir, routes.frontend());
Move server middleware configuration to related file
2013-11-12 10:03:25 +04:00
// ### Error handling
// 404 Handler
Remove ghost.js fixes #1575 - Moves most code that was in ghost.js into ./core/server/index.js - Creates ./core/server/config/theme.js to hold all theme configurations (which previously lived on ghost.blogGlobals()) - Removed ghost.server, passing it in as an argument where needed and allowing middleware to hold onto a reference for lazy use.
2013-12-06 18:13:15 +04:00
expressServer.use(errors.error404);
Move server middleware configuration to related file
2013-11-12 10:03:25 +04:00
// 500 Handler
Remove ghost.js fixes #1575 - Moves most code that was in ghost.js into ./core/server/index.js - Creates ./core/server/config/theme.js to hold all theme configurations (which previously lived on ghost.blogGlobals()) - Removed ghost.server, passing it in as an argument where needed and allowing middleware to hold onto a reference for lazy use.
2013-12-06 18:13:15 +04:00
expressServer.use(errors.error500);
Move server middleware configuration to related file
2013-11-12 10:03:25 +04:00
};
Server side cleanup - remove sessions - remove all references to csrf - create a shared base model for the 2 types of token
2014-07-14 16:29:45 +04:00
module.exports = setupMiddleware;
Move server middleware configuration to related file
2013-11-12 10:03:25 +04:00
// Export middleware functions directly
Install in sub-directory support. refs #527
2013-11-17 22:40:26 +04:00
module.exports.middleware = middleware;
Remove ghost.js fixes #1575 - Moves most code that was in ghost.js into ./core/server/index.js - Creates ./core/server/config/theme.js to hold all theme configurations (which previously lived on ghost.blogGlobals()) - Removed ghost.server, passing it in as an argument where needed and allowing middleware to hold onto a reference for lazy use.
2013-12-06 18:13:15 +04:00
// Expose middleware functions in this file as well
New setup screen for blog installation. fixes #3072 - Change router to handle /ember/setup/ - Adjust doSignup to also handle setup - Adjust tests and add new where necessary - Add setup controller, setup validation, setup route - Adjust casper emberSetup to handle new setup
2014-06-25 16:12:48 +04:00
module.exports.middleware.redirectToSetup = redirectToSetup;
Reference in New Issue Copy Permalink