Updated admin api key authentication to expect api key id in payload

refs #9865

- see https://github.com/TryGhost/Ghost/blob/2.11.1/core/server/lib/members/index.js#L52
- consistency
kirrg001 2019-01-18 17:22:19 +01:00
parent 1c56221d80
commit 462865981e
2 changed files with 22 additions and 18 deletions


@ -61,7 +61,7 @@ const authenticateAdminApiKey = function authenticateAdminApiKey(req, res, next)
})); }));
} }
const apiKeyId = decoded.header.kid; const apiKeyId = decoded.payload.kid;
models.ApiKey.findOne({id: apiKeyId}).then((apiKey) => { models.ApiKey.findOne({id: apiKeyId}).then((apiKey) => {
if (!apiKey) { if (!apiKey) {
@ -79,6 +79,7 @@ const authenticateAdminApiKey = function authenticateAdminApiKey(req, res, next)
} }
const secret = Buffer.from(apiKey.get('secret'), 'hex'); const secret = Buffer.from(apiKey.get('secret'), 'hex');
// ensure the token was meant for this endpoint // ensure the token was meant for this endpoint
const options = Object.assign({ const options = Object.assign({
aud: req.originalUrl aud: req.originalUrl
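Review bot: `decoded.payload.kid` on the changed line is taken from the token before its signature has been verified and is passed straight into `models.ApiKey.findOne({id: apiKeyId})` on the next line, so a token whose payload has no `kid`, or a non-string one, still reaches the database lookup; guard it first with `if (typeof apiKeyId !== 'string' || apiKeyId === '') { return next(/* same unauthorized error the !apiKey branch returns */); }` rather than relying on what the model layer does with an `undefined` id, which is not visible here. Since `kid` is defined as a JOSE header parameter (RFC 7515 §4.1.4), reading it from the payload is deliberately non-standard, and a one-line comment at the assignment such as `// kid is read from the payload (not the JWS header) to match the members token format` would save the next reader from "fixing" it back. The body of authenticateAdminApiKey starts before the first hunk and continues after this one.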


@ -1,9 +1,10 @@
const {authenticateAdminApiKey} = require('../../../../../server/services/auth/api-key/admin');
const common = require('../../../../../server/lib/common');
const jwt = require('jsonwebtoken'); const jwt = require('jsonwebtoken');
const models = require('../../../../../server/models');
const should = require('should'); const should = require('should');
const sinon = require('sinon'); const sinon = require('sinon');
const Promise = require('bluebird');
const {authenticateAdminApiKey} = require('../../../../../server/services/auth/api-key/admin');
const common = require('../../../../../server/lib/common');
const models = require('../../../../../server/models');
const testUtils = require('../../../../utils'); const testUtils = require('../../../../utils');
const sandbox = sinon.sandbox.create(); const sandbox = sinon.sandbox.create();
@ -25,8 +26,8 @@ describe('Admin API Key Auth', function () {
this.secret = Buffer.from(fakeApiKey.secret, 'hex'); this.secret = Buffer.from(fakeApiKey.secret, 'hex');
this.apiKeyStub = sandbox.stub(models.ApiKey, 'findOne'); this.apiKeyStub = sandbox.stub(models.ApiKey, 'findOne');
this.apiKeyStub.returns(new Promise.resolve()); this.apiKeyStub.resolves();
this.apiKeyStub.withArgs({id: fakeApiKey.id}).returns(new Promise.resolve(fakeApiKey)); this.apiKeyStub.withArgs({id: fakeApiKey.id}).resolves(fakeApiKey);
}); });
afterEach(function () { afterEach(function () {
@ -34,12 +35,13 @@ describe('Admin API Key Auth', function () {
}); });
it('should authenticate known+valid API key', function (done) { it('should authenticate known+valid API key', function (done) {
const token = jwt.sign({}, this.secret, { const token = jwt.sign({
kid: this.fakeApiKey.id
}, this.secret, {
algorithm: 'HS256', algorithm: 'HS256',
expiresIn: '5m', expiresIn: '5m',
audience: '/test/', audience: '/test/',
issuer: this.fakeApiKey.id, issuer: this.fakeApiKey.id
keyid: this.fakeApiKey.id
}); });
const req = { const req = {
@ -50,8 +52,8 @@ describe('Admin API Key Auth', function () {
}; };
const res = {}; const res = {};
authenticateAdminApiKey(req, res, (arg) => { authenticateAdminApiKey(req, res, (err) => {
should.not.exist(arg); should.not.exist(err);
req.api_key.should.eql(this.fakeApiKey); req.api_key.should.eql(this.fakeApiKey);
done(); done();
}); });
@ -121,14 +123,14 @@ describe('Admin API Key Auth', function () {
it('shouldn\'t authenticate with JWT signed > 5min ago', function (done) { it('shouldn\'t authenticate with JWT signed > 5min ago', function (done) {
const payload = { const payload = {
kid: this.fakeApiKey.id,
iat: Math.floor(Date.now() / 1000) - 6 * 60 iat: Math.floor(Date.now() / 1000) - 6 * 60
}; };
const token = jwt.sign(payload, this.secret, { const token = jwt.sign(payload, this.secret, {
algorithm: 'HS256', algorithm: 'HS256',
expiresIn: '5m', expiresIn: '5m',
audience: '/test/', audience: '/test/',
issuer: this.fakeApiKey.id, issuer: this.fakeApiKey.id
keyid: this.fakeApiKey.id
}); });
const req = { const req = {
@ -151,14 +153,14 @@ describe('Admin API Key Auth', function () {
it('shouldn\'t authenticate with JWT with maxAge > 5min', function (done) { it('shouldn\'t authenticate with JWT with maxAge > 5min', function (done) {
const payload = { const payload = {
kid: this.fakeApiKey.id,
iat: Math.floor(Date.now() / 1000) - 6 * 60 iat: Math.floor(Date.now() / 1000) - 6 * 60
}; };
const token = jwt.sign(payload, this.secret, { const token = jwt.sign(payload, this.secret, {
algorithm: 'HS256', algorithm: 'HS256',
expiresIn: '10m', expiresIn: '10m',
audience: '/test/', audience: '/test/',
issuer: this.fakeApiKey.id, issuer: this.fakeApiKey.id
keyid: this.fakeApiKey.id
}); });
const req = { const req = {
@ -180,12 +182,13 @@ describe('Admin API Key Auth', function () {
}); });
it('shouldn\'t authenticate with a Content API Key', function (done) { it('shouldn\'t authenticate with a Content API Key', function (done) {
const token = jwt.sign({}, this.secret, { const token = jwt.sign({
kid: this.fakeApiKey.id
}, this.secret, {
algorithm: 'HS256', algorithm: 'HS256',
expiresIn: '5m', expiresIn: '5m',
audience: '/test/', audience: '/test/',
issuer: this.fakeApiKey.id, issuer: this.fakeApiKey.id
keyid: this.fakeApiKey.id
}); });
const req = { const req = {
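Review bot: The reworked fixtures in the known+valid, signed > 5min ago, maxAge > 5min and Content API Key tests all move the key id into the payload and drop the `keyid` option, but no test pins the behaviour this commit actually changes: a token that carries the id only as the `keyid` header option with no `kid` in the payload must now be rejected. Because `this.apiKeyStub.resolves()` leaves the unmatched `findOne` call resolving to undefined, such a token would presumably fall into the auth code's unknown-key branch, so a test signing with `keyid: this.fakeApiKey.id` in the options and `{}` as the payload, asserting the same error the existing unknown-key expectation uses, would be cheap to add. Likewise a token with `kid` in the payload but a header `keyid` pointing at a different id should still authenticate against the payload id, which would document the precedence rule. The enclosing describe block starts before the first hunk and the last test continues past the end of the final hunk.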