Added role to identity token

Right now identity tokens can only be fetched by the Owner, which means they
implicitly have the Owner role, but we want to expand that. The first step is
adding the role to the token, and then we need to update each place which uses
the token and add an assertion that the role is correct.

ghost/core/core/server/api/endpoints/identities.js

@@ -1,3 +1,4 @@
+const logging = require('@tryghost/logging');
 const settings = require('../../../shared/settings-cache');
 const urlUtils = require('../../../shared/url-utils');
 const jwt = require('jsonwebtoken');
@@ -13,7 +14,7 @@ const getKeyID = async () => {
     return key.kid;
 };
 
-const sign = async (claims, options) => {
+const sign = async (claims, options = {}) => {
     const kid = await getKeyID();
     return jwt.sign(claims, dangerousPrivateKey, Object.assign({
         issuer,
@@ -32,7 +33,20 @@ const controller = {
         },
         permissions: true,
         async query(frame) {
-            const token = await sign({sub: frame.user.get('email')});
+            let role = null;
+            try {
+                await frame.user.load(['roles']);
+                role = frame.user.relations.roles.toJSON()[0].name;
+            } catch (err) {
+                logging.warn('Could not load role for identity');
+            }
+            const claims = {
+                sub: frame.user.get('email')
+            };
+            if (typeof role === 'string') {
+                claims.role = role;
+            }
+            const token = await sign(claims);
             return {token};
         }
     }

ghost/core/test/regression/api/admin/identities.test.js

@@ -60,6 +60,7 @@ describe('Identities API', function () {
                 })
                 .then((decoded) => {
                     decoded.sub.should.equal('jbloggs@example.com');
+                    decoded.role.should.equal('Owner');
                 });
         });
     });