Ghost/ghost/members-api/index.js

const {Router, static} = require('express');
const body = require('body-parser');

const {getData, handleError} = require('./util');

const Cookies = require('./cookies');
const Tokens = require('./tokens');
const Users = require('./users');

module.exports = function MembersApi({
    config: {
        issuer,
        privateKey,
        publicKey,
        sessionSecret,
        ssoOrigin
    },
    validateAudience,
    createMember,
    validateMember,
    updateMember,
    getMember,
    sendEmail
}) {
    const {encodeToken, decodeToken, getPublicKeys} = Tokens({privateKey, publicKey, issuer});

    const users = Users({
        createMember,
        updateMember,
        getMember,
        validateMember,
        sendEmail,
        encodeToken,
        decodeToken
    });

    const router = Router();

    const apiRouter = Router();

    apiRouter.use(body.json());

    /* session */
    const {getCookie, setCookie, removeCookie} = Cookies(sessionSecret);

    /* token */
    apiRouter.post('/token', getData('audience'), (req, res) => {
        const {signedin} = getCookie(req);
        if (!signedin) {
            res.writeHead(401, {
                'Set-Cookie': removeCookie()
            });
            return res.end();
        }

        const {audience, origin} = req.data;

        validateAudience({audience, origin, id: signedin})
            .then(() => encodeToken({
                sub: signedin,
                aud: audience
            }))
            .then(token => res.end(token))
            .catch(handleError(403, res));
    });

    /* security */
    function ssoOriginCheck(req, res, next) {
        if (!req.data.origin || req.data.origin !== ssoOrigin) {
            res.writeHead(403);
            return res.end();
        }
        next();
    }

    /* users, token, emails */
    apiRouter.post('/request-password-reset', getData('email'), ssoOriginCheck, (req, res) => {
        const {email} = req.data;

        users.requestPasswordReset({email}).then(() => {
            res.writeHead(200);
            res.end();
        }).catch(handleError(500, res));
    });

    /* users, token */
    apiRouter.post('/reset-password', getData('token', 'password'), ssoOriginCheck, (req, res) => {
        const {token, password} = req.data;

        users.resetPassword({token, password}).then((member) => {
            res.writeHead(200, {
                'Set-Cookie': setCookie(member)
            });
            res.end();
        }).catch(handleError(401, res));
    });

    /* users, email */
    apiRouter.post('/signup', getData('name', 'email', 'password'), ssoOriginCheck, (req, res) => {
        const {name, email, password} = req.data;

        // @TODO this should attempt to reset password before creating member
        users.create({name, email, password}).then((member) => {
            res.writeHead(200, {
                'Set-Cookie': setCookie(member)
            });
            res.end();
        }).catch(handleError(400, res));
    });

    /* users, session */
    apiRouter.post('/signin', getData('email', 'password'), ssoOriginCheck, (req, res) => {
        const {email, password} = req.data;

        users.validate({email, password}).then((member) => {
            res.writeHead(200, {
                'Set-Cookie': setCookie(member)
            });
            res.end();
        }).catch(handleError(401, res));
    });

    /* session */
    apiRouter.post('/signout', getData(), (req, res) => {
        res.writeHead(200, {
            'Set-Cookie': removeCookie()
        });
        res.end();
    });

    /* http */
    const staticRouter = Router();
    staticRouter.use('/static', static(require('path').join(__dirname, './static/auth/dist')));
    staticRouter.use('/gateway', static(require('path').join(__dirname, './static/gateway')));
    staticRouter.get('/*', (req, res) => {
        res.sendFile(require('path').join(__dirname, './static/auth/dist/index.html'));
    });

    /* http */
    router.use('/api', apiRouter);
    router.use('/static', staticRouter);
    /* token */
    router.get('/.well-known/jwks.json', (req, res) => {
        getPublicKeys().then((jwks) => {
            res.json(jwks);
        });
    });

    function httpHandler(req, res, next) {
        return router.handle(req, res, next);
    }

    httpHandler.staticRouter = staticRouter;
    httpHandler.apiRouter = apiRouter;
    httpHandler.memberUserObject = users;

    return httpHandler;
};
Added members lib module (#10260) * Added members library inc. gateway refs #10213 * Added the auth pages and build steps for them refs #10213 * Cleaned up logs * Updated gruntfile to run yarn for member auth * Design refinements on members popups * UI refinements * Updated backend call to trigger only if frontend validation passes * Design refinements for error messages * Added error message for email failure * Updated request-password-reset to not attempt to send headers twice * Updated preact publicPath to relative path * Build auth pages on init 2018-12-11 09:47:44 +03:00			`const {Router, static} = require('express');`
			`const body = require('body-parser');`

Refactored members for management api (#10408) no-issue 2019-01-22 17:29:44 +03:00			`const {getData, handleError} = require('./util');`

			`const Cookies = require('./cookies');`
			`const Tokens = require('./tokens');`
			`const Users = require('./users');`
Added members lib module (#10260) * Added members library inc. gateway refs #10213 * Added the auth pages and build steps for them refs #10213 * Cleaned up logs * Updated gruntfile to run yarn for member auth * Design refinements on members popups * UI refinements * Updated backend call to trigger only if frontend validation passes * Design refinements for error messages * Added error message for email failure * Updated request-password-reset to not attempt to send headers twice * Updated preact publicPath to relative path * Build auth pages on init 2018-12-11 09:47:44 +03:00
			`module.exports = function MembersApi({`
			`config: {`
			`issuer,`
			`privateKey,`
			`publicKey,`
			`sessionSecret,`
			`ssoOrigin`
			`},`
			`validateAudience,`
			`createMember,`
			`validateMember,`
			`updateMember,`
			`getMember,`
			`sendEmail`
			`}) {`
Refactored members for management api (#10408) no-issue 2019-01-22 17:29:44 +03:00			`const {encodeToken, decodeToken, getPublicKeys} = Tokens({privateKey, publicKey, issuer});`

			`const users = Users({`
			`createMember,`
			`updateMember,`
			`getMember,`
			`validateMember,`
			`sendEmail,`
			`encodeToken,`
			`decodeToken`
			`});`
Added members lib module (#10260) * Added members library inc. gateway refs #10213 * Added the auth pages and build steps for them refs #10213 * Cleaned up logs * Updated gruntfile to run yarn for member auth * Design refinements on members popups * UI refinements * Updated backend call to trigger only if frontend validation passes * Design refinements for error messages * Added error message for email failure * Updated request-password-reset to not attempt to send headers twice * Updated preact publicPath to relative path * Build auth pages on init 2018-12-11 09:47:44 +03:00
			`const router = Router();`

			`const apiRouter = Router();`

			`apiRouter.use(body.json());`

Refactored members for management api (#10408) no-issue 2019-01-22 17:29:44 +03:00			`/* session */`
			`const {getCookie, setCookie, removeCookie} = Cookies(sessionSecret);`
Added members lib module (#10260) * Added members library inc. gateway refs #10213 * Added the auth pages and build steps for them refs #10213 * Cleaned up logs * Updated gruntfile to run yarn for member auth * Design refinements on members popups * UI refinements * Updated backend call to trigger only if frontend validation passes * Design refinements for error messages * Added error message for email failure * Updated request-password-reset to not attempt to send headers twice * Updated preact publicPath to relative path * Build auth pages on init 2018-12-11 09:47:44 +03:00
Refactored members for management api (#10408) no-issue 2019-01-22 17:29:44 +03:00			`/* token */`
Added members lib module (#10260) * Added members library inc. gateway refs #10213 * Added the auth pages and build steps for them refs #10213 * Cleaned up logs * Updated gruntfile to run yarn for member auth * Design refinements on members popups * UI refinements * Updated backend call to trigger only if frontend validation passes * Design refinements for error messages * Added error message for email failure * Updated request-password-reset to not attempt to send headers twice * Updated preact publicPath to relative path * Build auth pages on init 2018-12-11 09:47:44 +03:00			`apiRouter.post('/token', getData('audience'), (req, res) => {`
			`const {signedin} = getCookie(req);`
			`if (!signedin) {`
			`res.writeHead(401, {`
			`'Set-Cookie': removeCookie()`
			`});`
			`return res.end();`
			`}`

			`const {audience, origin} = req.data;`

Refactored members for management api (#10408) no-issue 2019-01-22 17:29:44 +03:00			`validateAudience({audience, origin, id: signedin})`
			`.then(() => encodeToken({`
Added members lib module (#10260) * Added members library inc. gateway refs #10213 * Added the auth pages and build steps for them refs #10213 * Cleaned up logs * Updated gruntfile to run yarn for member auth * Design refinements on members popups * UI refinements * Updated backend call to trigger only if frontend validation passes * Design refinements for error messages * Added error message for email failure * Updated request-password-reset to not attempt to send headers twice * Updated preact publicPath to relative path * Build auth pages on init 2018-12-11 09:47:44 +03:00			`sub: signedin,`
Refactored members for management api (#10408) no-issue 2019-01-22 17:29:44 +03:00			`aud: audience`
			`}))`
			`.then(token => res.end(token))`
			`.catch(handleError(403, res));`
Added members lib module (#10260) * Added members library inc. gateway refs #10213 * Added the auth pages and build steps for them refs #10213 * Cleaned up logs * Updated gruntfile to run yarn for member auth * Design refinements on members popups * UI refinements * Updated backend call to trigger only if frontend validation passes * Design refinements for error messages * Added error message for email failure * Updated request-password-reset to not attempt to send headers twice * Updated preact publicPath to relative path * Build auth pages on init 2018-12-11 09:47:44 +03:00			`});`

Refactored members for management api (#10408) no-issue 2019-01-22 17:29:44 +03:00			`/* security */`
Added members lib module (#10260) * Added members library inc. gateway refs #10213 * Added the auth pages and build steps for them refs #10213 * Cleaned up logs * Updated gruntfile to run yarn for member auth * Design refinements on members popups * UI refinements * Updated backend call to trigger only if frontend validation passes * Design refinements for error messages * Added error message for email failure * Updated request-password-reset to not attempt to send headers twice * Updated preact publicPath to relative path * Build auth pages on init 2018-12-11 09:47:44 +03:00			`function ssoOriginCheck(req, res, next) {`
			`if (!req.data.origin \|\| req.data.origin !== ssoOrigin) {`
			`res.writeHead(403);`
			`return res.end();`
			`}`
			`next();`
			`}`

Refactored members for management api (#10408) no-issue 2019-01-22 17:29:44 +03:00			`/* users, token, emails */`
Added members lib module (#10260) * Added members library inc. gateway refs #10213 * Added the auth pages and build steps for them refs #10213 * Cleaned up logs * Updated gruntfile to run yarn for member auth * Design refinements on members popups * UI refinements * Updated backend call to trigger only if frontend validation passes * Design refinements for error messages * Added error message for email failure * Updated request-password-reset to not attempt to send headers twice * Updated preact publicPath to relative path * Build auth pages on init 2018-12-11 09:47:44 +03:00			`apiRouter.post('/request-password-reset', getData('email'), ssoOriginCheck, (req, res) => {`
			`const {email} = req.data;`

Refactored members for management api (#10408) no-issue 2019-01-22 17:29:44 +03:00			`users.requestPasswordReset({email}).then(() => {`
Added members lib module (#10260) * Added members library inc. gateway refs #10213 * Added the auth pages and build steps for them refs #10213 * Cleaned up logs * Updated gruntfile to run yarn for member auth * Design refinements on members popups * UI refinements * Updated backend call to trigger only if frontend validation passes * Design refinements for error messages * Added error message for email failure * Updated request-password-reset to not attempt to send headers twice * Updated preact publicPath to relative path * Build auth pages on init 2018-12-11 09:47:44 +03:00			`res.writeHead(200);`
			`res.end();`
			`}).catch(handleError(500, res));`
			`});`

Refactored members for management api (#10408) no-issue 2019-01-22 17:29:44 +03:00			`/* users, token */`
Added members lib module (#10260) * Added members library inc. gateway refs #10213 * Added the auth pages and build steps for them refs #10213 * Cleaned up logs * Updated gruntfile to run yarn for member auth * Design refinements on members popups * UI refinements * Updated backend call to trigger only if frontend validation passes * Design refinements for error messages * Added error message for email failure * Updated request-password-reset to not attempt to send headers twice * Updated preact publicPath to relative path * Build auth pages on init 2018-12-11 09:47:44 +03:00			`apiRouter.post('/reset-password', getData('token', 'password'), ssoOriginCheck, (req, res) => {`
			`const {token, password} = req.data;`

Refactored members for management api (#10408) no-issue 2019-01-22 17:29:44 +03:00			`users.resetPassword({token, password}).then((member) => {`
Added members lib module (#10260) * Added members library inc. gateway refs #10213 * Added the auth pages and build steps for them refs #10213 * Cleaned up logs * Updated gruntfile to run yarn for member auth * Design refinements on members popups * UI refinements * Updated backend call to trigger only if frontend validation passes * Design refinements for error messages * Added error message for email failure * Updated request-password-reset to not attempt to send headers twice * Updated preact publicPath to relative path * Build auth pages on init 2018-12-11 09:47:44 +03:00			`res.writeHead(200, {`
			`'Set-Cookie': setCookie(member)`
			`});`
			`res.end();`
			`}).catch(handleError(401, res));`
			`});`

Refactored members for management api (#10408) no-issue 2019-01-22 17:29:44 +03:00			`/* users, email */`
Added members lib module (#10260) * Added members library inc. gateway refs #10213 * Added the auth pages and build steps for them refs #10213 * Cleaned up logs * Updated gruntfile to run yarn for member auth * Design refinements on members popups * UI refinements * Updated backend call to trigger only if frontend validation passes * Design refinements for error messages * Added error message for email failure * Updated request-password-reset to not attempt to send headers twice * Updated preact publicPath to relative path * Build auth pages on init 2018-12-11 09:47:44 +03:00			`apiRouter.post('/signup', getData('name', 'email', 'password'), ssoOriginCheck, (req, res) => {`
			`const {name, email, password} = req.data;`

			`// @TODO this should attempt to reset password before creating member`
Refactored members for management api (#10408) no-issue 2019-01-22 17:29:44 +03:00			`users.create({name, email, password}).then((member) => {`
Added members lib module (#10260) * Added members library inc. gateway refs #10213 * Added the auth pages and build steps for them refs #10213 * Cleaned up logs * Updated gruntfile to run yarn for member auth * Design refinements on members popups * UI refinements * Updated backend call to trigger only if frontend validation passes * Design refinements for error messages * Added error message for email failure * Updated request-password-reset to not attempt to send headers twice * Updated preact publicPath to relative path * Build auth pages on init 2018-12-11 09:47:44 +03:00			`res.writeHead(200, {`
			`'Set-Cookie': setCookie(member)`
			`});`
			`res.end();`
			`}).catch(handleError(400, res));`
			`});`

Refactored members for management api (#10408) no-issue 2019-01-22 17:29:44 +03:00			`/* users, session */`
Added members lib module (#10260) * Added members library inc. gateway refs #10213 * Added the auth pages and build steps for them refs #10213 * Cleaned up logs * Updated gruntfile to run yarn for member auth * Design refinements on members popups * UI refinements * Updated backend call to trigger only if frontend validation passes * Design refinements for error messages * Added error message for email failure * Updated request-password-reset to not attempt to send headers twice * Updated preact publicPath to relative path * Build auth pages on init 2018-12-11 09:47:44 +03:00			`apiRouter.post('/signin', getData('email', 'password'), ssoOriginCheck, (req, res) => {`
			`const {email, password} = req.data;`

Refactored members for management api (#10408) no-issue 2019-01-22 17:29:44 +03:00			`users.validate({email, password}).then((member) => {`
Added members lib module (#10260) * Added members library inc. gateway refs #10213 * Added the auth pages and build steps for them refs #10213 * Cleaned up logs * Updated gruntfile to run yarn for member auth * Design refinements on members popups * UI refinements * Updated backend call to trigger only if frontend validation passes * Design refinements for error messages * Added error message for email failure * Updated request-password-reset to not attempt to send headers twice * Updated preact publicPath to relative path * Build auth pages on init 2018-12-11 09:47:44 +03:00			`res.writeHead(200, {`
			`'Set-Cookie': setCookie(member)`
			`});`
			`res.end();`
			`}).catch(handleError(401, res));`
			`});`

Refactored members for management api (#10408) no-issue 2019-01-22 17:29:44 +03:00			`/* session */`
Removed ssoOriginCheck from signout endpoint (#10277) no-issue the ssoOriginCheck exists to ensure that we only allow signin/signup to be called from the specified auth page, this is a very minor security feature in that it forces signins to go via the page you've designated. signout however does not need this protection as the call to signout completely bypasses any UI (this is the same for the call to /token) 2018-12-14 09:56:31 +03:00			`apiRouter.post('/signout', getData(), (req, res) => {`
Added members lib module (#10260) * Added members library inc. gateway refs #10213 * Added the auth pages and build steps for them refs #10213 * Cleaned up logs * Updated gruntfile to run yarn for member auth * Design refinements on members popups * UI refinements * Updated backend call to trigger only if frontend validation passes * Design refinements for error messages * Added error message for email failure * Updated request-password-reset to not attempt to send headers twice * Updated preact publicPath to relative path * Build auth pages on init 2018-12-11 09:47:44 +03:00			`res.writeHead(200, {`
			`'Set-Cookie': removeCookie()`
			`});`
			`res.end();`
			`});`

Refactored members for management api (#10408) no-issue 2019-01-22 17:29:44 +03:00			`/* http */`
Added members lib module (#10260) * Added members library inc. gateway refs #10213 * Added the auth pages and build steps for them refs #10213 * Cleaned up logs * Updated gruntfile to run yarn for member auth * Design refinements on members popups * UI refinements * Updated backend call to trigger only if frontend validation passes * Design refinements for error messages * Added error message for email failure * Updated request-password-reset to not attempt to send headers twice * Updated preact publicPath to relative path * Build auth pages on init 2018-12-11 09:47:44 +03:00			`const staticRouter = Router();`
			`staticRouter.use('/static', static(require('path').join(__dirname, './static/auth/dist')));`
			`staticRouter.use('/gateway', static(require('path').join(__dirname, './static/gateway')));`
			`staticRouter.get('/*', (req, res) => {`
			`res.sendFile(require('path').join(__dirname, './static/auth/dist/index.html'));`
			`});`

Refactored members for management api (#10408) no-issue 2019-01-22 17:29:44 +03:00			`/* http */`
Added members lib module (#10260) * Added members library inc. gateway refs #10213 * Added the auth pages and build steps for them refs #10213 * Cleaned up logs * Updated gruntfile to run yarn for member auth * Design refinements on members popups * UI refinements * Updated backend call to trigger only if frontend validation passes * Design refinements for error messages * Added error message for email failure * Updated request-password-reset to not attempt to send headers twice * Updated preact publicPath to relative path * Build auth pages on init 2018-12-11 09:47:44 +03:00			`router.use('/api', apiRouter);`
			`router.use('/static', staticRouter);`
Refactored members for management api (#10408) no-issue 2019-01-22 17:29:44 +03:00			`/* token */`
Added members lib module (#10260) * Added members library inc. gateway refs #10213 * Added the auth pages and build steps for them refs #10213 * Cleaned up logs * Updated gruntfile to run yarn for member auth * Design refinements on members popups * UI refinements * Updated backend call to trigger only if frontend validation passes * Design refinements for error messages * Added error message for email failure * Updated request-password-reset to not attempt to send headers twice * Updated preact publicPath to relative path * Build auth pages on init 2018-12-11 09:47:44 +03:00			`router.get('/.well-known/jwks.json', (req, res) => {`
Refactored members for management api (#10408) no-issue 2019-01-22 17:29:44 +03:00			`getPublicKeys().then((jwks) => {`
			`res.json(jwks);`
Added members lib module (#10260) * Added members library inc. gateway refs #10213 * Added the auth pages and build steps for them refs #10213 * Cleaned up logs * Updated gruntfile to run yarn for member auth * Design refinements on members popups * UI refinements * Updated backend call to trigger only if frontend validation passes * Design refinements for error messages * Added error message for email failure * Updated request-password-reset to not attempt to send headers twice * Updated preact publicPath to relative path * Build auth pages on init 2018-12-11 09:47:44 +03:00			`});`
			`});`

			`function httpHandler(req, res, next) {`
			`return router.handle(req, res, next);`
			`}`

			`httpHandler.staticRouter = staticRouter;`
			`httpHandler.apiRouter = apiRouter;`
Refactored members for management api (#10408) no-issue 2019-01-22 17:29:44 +03:00			`httpHandler.memberUserObject = users;`
Added members lib module (#10260) * Added members library inc. gateway refs #10213 * Added the auth pages and build steps for them refs #10213 * Cleaned up logs * Updated gruntfile to run yarn for member auth * Design refinements on members popups * UI refinements * Updated backend call to trigger only if frontend validation passes * Design refinements for error messages * Added error message for email failure * Updated request-password-reset to not attempt to send headers twice * Updated preact publicPath to relative path * Build auth pages on init 2018-12-11 09:47:44 +03:00
			`return httpHandler;`
			`};`