From 462865981e8aa4c0ed4c820116fdafcd55563132 Mon Sep 17 00:00:00 2001
From: kirrg001
Date: Fri, 18 Jan 2019 17:22:19 +0100
Subject: [PATCH] Updated admin api key authentication to expect api key id in payload

refs #9865

- see https://github.com/TryGhost/Ghost/blob/2.11.1/core/server/lib/members/index.js#L52
- consistency
---
 core/server/services/auth/api-key/admin.js | 3 +-
 .../unit/services/auth/api-key/admin_spec.js | 37 ++++++++++---------
 2 files changed, 22 insertions(+), 18 deletions(-)

diff --git a/core/server/services/auth/api-key/admin.js b/core/server/services/auth/api-key/admin.js
index 24714447a0..24473a4fa3 100644
--- a/core/server/services/auth/api-key/admin.js
+++ b/core/server/services/auth/api-key/admin.js
@@ -61,7 +61,7 @@ const authenticateAdminApiKey = function authenticateAdminApiKey(req, res, next)
 }));
 }
 
- const apiKeyId = decoded.header.kid;
+ const apiKeyId = decoded.payload.kid;
 
 models.ApiKey.findOne({id: apiKeyId}).then((apiKey) => {
 if (!apiKey) {
@@ -79,6 +79,7 @@ const authenticateAdminApiKey = function authenticateAdminApiKey(req, res, next)
 }
 
 const secret = Buffer.from(apiKey.get('secret'), 'hex');
 
+ // ensure the token was meant for this endpoint
 const options = Object.assign({
 aud: req.originalUrl
diff --git a/core/test/unit/services/auth/api-key/admin_spec.js b/core/test/unit/services/auth/api-key/admin_spec.js
index 314c712aee..1192101649 100644
--- a/core/test/unit/services/auth/api-key/admin_spec.js
+++ b/core/test/unit/services/auth/api-key/admin_spec.js
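Review bot: `decoded.payload.kid` is read from a token whose signature has not been checked yet and is handed straight to `models.ApiKey.findOne({id: apiKeyId})`; when the payload carries no `kid` the lookup runs with `id: undefined`, and what the model layer returns for that is decided outside this hunk. A guard in front of the query keeps the failure explicit and cheap: `if (typeof apiKeyId !== 'string' || apiKeyId.length === 0) { return next(/* same UnauthorizedError as the invalid-token branch above */); }`. The unverified-claim step also deserves a why-comment on the new line, e.g. `// kid comes from the unverified payload and only selects the secret; jwt.verify below binds the token to that key`. authenticateAdminApiKey starts before and ends after this hunk.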
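Review bot: The added comment `// ensure the token was meant for this endpoint` annotates `aud: req.originalUrl`, but if this options object is what is later passed to `jwt.verify` (the call is below the hunk), note that jsonwebtoken's verify option is named `audience`, not `aud`; an unrecognised `aud` key is ignored, so the audience claim would not actually be checked and the comment would promise a guarantee the code does not give. Please confirm against the verify call, and if the key is wrong the fix is the one-word change `audience: req.originalUrl`. Independently of that, the comment could be more precise about what "this endpoint" means, e.g. `// bind the token to this exact request URL (Express originalUrl includes the query string) via the aud claim`.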
@@ -1,9 +1,10 @@
-const {authenticateAdminApiKey} = require('../../../../../server/services/auth/api-key/admin');
-const common = require('../../../../../server/lib/common');
 const jwt = require('jsonwebtoken');
-const models = require('../../../../../server/models');
 const should = require('should');
 const sinon = require('sinon');
+const Promise = require('bluebird');
+const {authenticateAdminApiKey} = require('../../../../../server/services/auth/api-key/admin');
+const common = require('../../../../../server/lib/common');
+const models = require('../../../../../server/models');
 const testUtils = require('../../../../utils');
 
 const sandbox = sinon.sandbox.create();
@@ -25,8 +26,8 @@ describe('Admin API Key Auth', function () {
 this.secret = Buffer.from(fakeApiKey.secret, 'hex');
 
 this.apiKeyStub = sandbox.stub(models.ApiKey, 'findOne');
- this.apiKeyStub.returns(new Promise.resolve());
- this.apiKeyStub.withArgs({id: fakeApiKey.id}).returns(new Promise.resolve(fakeApiKey));
+ this.apiKeyStub.resolves();
+ this.apiKeyStub.withArgs({id: fakeApiKey.id}).resolves(fakeApiKey);
 });
 
 afterEach(function () {
@@ -34,12 +35,13 @@ describe('Admin API Key Auth', function () {
 });
 
 it('should authenticate known+valid API key', function (done) {
- const token = jwt.sign({}, this.secret, {
+ const token = jwt.sign({
+ kid: this.fakeApiKey.id
+ }, this.secret, {
 algorithm: 'HS256',
 expiresIn: '5m',
 audience: '/test/',
- issuer: this.fakeApiKey.id,
- keyid: this.fakeApiKey.id
+ issuer: this.fakeApiKey.id
 });
 
 const req = {
@@ -50,8 +52,8 @@ describe('Admin API Key Auth', function () {
 };
 const res = {};
 
- authenticateAdminApiKey(req, res, (arg) => {
- should.not.exist(arg);
+ authenticateAdminApiKey(req, res, (err) => {
+ should.not.exist(err);
 req.api_key.should.eql(this.fakeApiKey);
 done();
 });
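Review bot: `const Promise = require('bluebird');` shadows the global Promise for the whole spec, yet the only Promise uses visible in this patch (`new Promise.resolve()` in the beforeEach hunk) are removed in favour of sinon's `.resolves()`; unless the rest of the file uses Promise, the new require is dead and `no-unused-vars` will flag it. If it is kept on purpose (bluebird-specific chaining elsewhere in the file), a one-line comment next to the require saying why would stop the next cleanup from deleting it.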
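Review bot: The positive test now places `kid` in the payload, but nothing in this patch exercises the rejection path the change creates — a token with no `kid` claim, or one that still carries the id only as the header `keyid` (the old format). A case such as `it('shouldn\'t authenticate when kid is missing from the payload', ...)` that signs with `jwt.sign({}, this.secret, {...})` and asserts an error reaches the callback would pin `decoded.payload.kid === undefined` to an explicit rejection instead of whatever the stubbed `findOne({id: undefined})` happens to return. The same `jwt.sign(..., {algorithm, expiresIn, audience, issuer})` block is repeated in the -121, -151 and -180 hunks too; a small `signToken(payload, overrides)` helper in the spec would remove that duplication and make the missing-kid case a one-liner.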
@@ -121,14 +123,14 @@ describe('Admin API Key Auth', function () {
 it('shouldn\'t authenticate with JWT signed > 5min ago', function (done) {
 const payload = {
+ kid: this.fakeApiKey.id,
 iat: Math.floor(Date.now() / 1000) - 6 * 60
 };
 
 const token = jwt.sign(payload, this.secret, {
 algorithm: 'HS256',
 expiresIn: '5m',
 audience: '/test/',
- issuer: this.fakeApiKey.id,
- keyid: this.fakeApiKey.id
+ issuer: this.fakeApiKey.id
 });
 
 const req = {
@@ -151,14 +153,14 @@ describe('Admin API Key Auth', function () {
 it('shouldn\'t authenticate with JWT with maxAge > 5min', function (done) {
 const payload = {
+ kid: this.fakeApiKey.id,
 iat: Math.floor(Date.now() / 1000) - 6 * 60
 };
 
 const token = jwt.sign(payload, this.secret, {
 algorithm: 'HS256',
 expiresIn: '10m',
 audience: '/test/',
- issuer: this.fakeApiKey.id,
- keyid: this.fakeApiKey.id
+ issuer: this.fakeApiKey.id
 });
 
 const req = {
@@ -180,12 +182,13 @@ describe('Admin API Key Auth', function () {
 });
 
 it('shouldn\'t authenticate with a Content API Key', function (done) {
- const token = jwt.sign({}, this.secret, {
+ const token = jwt.sign({
+ kid: this.fakeApiKey.id
+ }, this.secret, {
 algorithm: 'HS256',
 expiresIn: '5m',
 audience: '/test/',
- issuer: this.fakeApiKey.id,
- keyid: this.fakeApiKey.id
+ issuer: this.fakeApiKey.id
 });
 
 const req = {