Move Public API behind labs flag

sebgie · sebgie · commit bf65c136cec1 · 2015-11-02T14:18:58.000+01:00
closes TryGhost#5941 - added UI to labs page - added method to determine if full authentication is required - updated public_api tests to enable public api first
diff --git a/core/client/app/controllers/feature.js b/core/client/app/controllers/feature.js
@@ -25,5 +25,9 @@ export default Ember.Controller.extend(Ember.PromiseProxyMixin, {
         }
 
         return value;
+    }),
+
+    publicAPI: Ember.computed('config.publicAPI', 'labs.publicAPI', function () {
+        return this.get('config.publicAPI') || this.get('labs.publicAPI');
     })
 });
diff --git a/core/client/app/controllers/settings/labs.js b/core/client/app/controllers/settings/labs.js
@@ -9,6 +9,7 @@ export default Ember.Controller.extend({
     ghostPaths: Ember.inject.service('ghost-paths'),
     notifications: Ember.inject.service(),
     session: Ember.inject.service(),
+    feature: Ember.inject.controller(),
 
     labsJSON: Ember.computed('model.labs', function () {
         return JSON.parse(this.get('model.labs') || {});
@@ -29,6 +30,16 @@ export default Ember.Controller.extend({
         });
     },
 
+    usePublicAPI: Ember.computed('feature.publicAPI', {
+        get: function () {
+            return this.get('feature.publicAPI');
+        },
+        set: function (key, value) {
+            this.saveLabs('publicAPI', value);
+            return value;
+        }
+    }),
+
     actions: {
         onUpload: function (file) {
             var self = this,
diff --git a/core/client/app/templates/settings/labs.hbs b/core/client/app/templates/settings/labs.hbs
@@ -42,5 +42,19 @@
                 </div>
             </fieldset>
         </form>
+        <hr>
+        <form>
+            <fieldset>
+                <div class="form-group for-checkbox">
+                    <label for="labs-publicAPI">Public API</label>
+                    <label class="checkbox" for="labs-publicAPI">
+                        {{input id="labs-publicAPI" name="labs[publicAPI]" type="checkbox" checked=usePublicAPI}}
+                        <span class="input-toggle-component"></span>
+                        <p>Enable public API access.</p>
+                    </label>
+                    <p>Allow access to the publicly available Ghost API using JavaScript.</p>
+                </div>
+            </fieldset>
+        </form>
     </section>
 </section>
diff --git a/core/server/api/configuration.js b/core/server/api/configuration.js
@@ -10,6 +10,7 @@ var _                  = require('lodash'),
 function getValidKeys() {
     var validKeys = {
             fileStorage: config.fileStorage === false ? false : true,
+            publicAPI: config.publicAPI === true ? true : false,
             apps: config.apps === true ? true : false,
             version: config.ghostVersion,
             environment: process.env.NODE_ENV,
diff --git a/core/server/middleware/auth.js b/core/server/middleware/auth.js
@@ -3,6 +3,7 @@ var _           = require('lodash'),
     url         = require('url'),
     errors      = require('../errors'),
     config      = require('../config'),
+    api         = require('../api'),
     oauthServer,
 
     auth;
@@ -130,6 +131,30 @@ auth = {
         }
     },
 
+    // ### Require user depending on public API being activated.
+    requiresAuthorizedUserPublicAPI: function requiresAuthorizedUserPublicAPI(req, res, next) {
+        return api.settings.read({key: 'labs', context: {internal: true}}).then(function (response) {
+            var labs,
+                labsValue;
+
+            labs = _.find(response.settings, function (setting) {
+                return setting.key === 'labs';
+            });
+
+            labsValue = JSON.parse(labs.value);
+
+            if (labsValue.publicAPI && labsValue.publicAPI === true) {
+                return next();
+            } else {
+                if (req.user) {
+                    return next();
+                } else {
+                    return errors.handleAPIError(new errors.NoPermissionError('Please Sign In'), req, res, next);
+                }
+            }
+        });
+    },
+
     // ### Generate access token Middleware
     // register the oauth2orize middleware for password and refresh token grants
     generateAccessToken: function generateAccessToken(req, res, next) {
diff --git a/core/server/middleware/index.js b/core/server/middleware/index.js
@@ -43,6 +43,7 @@ middleware = {
         authenticateClient: auth.authenticateClient,
         authenticateUser: auth.authenticateUser,
         requiresAuthorizedUser: auth.requiresAuthorizedUser,
+        requiresAuthorizedUserPublicAPI: auth.requiresAuthorizedUserPublicAPI,
         generateAccessToken: auth.generateAccessToken,
         errorHandler: errors.handleAPIError
     }
diff --git a/core/server/routes/api.js b/core/server/routes/api.js
@@ -8,7 +8,8 @@ apiRoutes = function apiRoutes(middleware) {
         // Authentication for public endpoints
         authenticatePublic = [
             middleware.api.authenticateClient,
-            middleware.api.authenticateUser
+            middleware.api.authenticateUser,
+            middleware.api.requiresAuthorizedUserPublicAPI
         ],
         // Require user for private endpoints
         authenticatePrivate = [
diff --git a/core/test/functional/routes/api/public_api_spec.js b/core/test/functional/routes/api/public_api_spec.js
@@ -10,15 +10,33 @@ var testUtils     = require('../../../utils'),
     request;
 
 describe('Public API', function () {
+    var publicAPIaccessSetting = {
+        settings: [
+            {key: 'labs', value: {publicAPI: true}}
+        ]
+    };
+
     before(function (done) {
         // starting ghost automatically populates the db
         // TODO: prevent db init, and manage bringing up the DB with fixtures ourselves
         ghost().then(function (ghostServer) {
             request = supertest.agent(ghostServer.rootApp);
         }).then(function () {
             return testUtils.doAuth(request, 'posts', 'tags');
-        }).then(function () {
-            done();
+        }).then(function (token) {
+            // enable public API
+            return request.put(testUtils.API.getApiQuery('settings/'))
+                .set('Authorization', 'Bearer ' + token)
+                .send(publicAPIaccessSetting)
+                .expect('Content-Type', /json/)
+                .expect('Cache-Control', testUtils.cacheRules.private)
+                .expect(200)
+                .end(function (err) {
+                    if (err) {
+                        return done(err);
+                    }
+                    done();
+                });
         }).catch(done);
     });
 

Original file line number	Diff line number	Diff line change
`@@ -25,5 +25,9 @@ export default Ember.Controller.extend(Ember.PromiseProxyMixin, {`
`25`	`25`	`}`
`26`	`26`
`27`	`27`	`return value;`
	`28`	`+ }),`
	`29`	`+`
	`30`	`+ publicAPI: Ember.computed('config.publicAPI', 'labs.publicAPI', function () {`
	`31`	`+ return this.get('config.publicAPI') \|\| this.get('labs.publicAPI');`
`28`	`32`	`})`
`29`	`33`	`});`
Original file line number	Diff line number	Diff line change
`@@ -43,6 +43,7 @@ middleware = {`
`43`	`43`	`authenticateClient: auth.authenticateClient,`
`44`	`44`	`authenticateUser: auth.authenticateUser,`
`45`	`45`	`requiresAuthorizedUser: auth.requiresAuthorizedUser,`
	`46`	`+ requiresAuthorizedUserPublicAPI: auth.requiresAuthorizedUserPublicAPI,`
`46`	`47`	`generateAccessToken: auth.generateAccessToken,`
`47`	`48`	`errorHandler: errors.handleAPIError`
`48`	`49`	`}`