Remove authentication for public endpoints #4181

Closed
sebgie opened this issue Sep 26, 2014 · 8 comments · Fixed by #5848
@sebgie
Contributor

sebgie commented Sep 26, 2014

This belongs to the OAuth Epic: #4004 - please read this for the big picture of what this issue is for :)


Requires: #4179 and #4180

The authorization method needs to be changed to allow access to the following API endpoints without requiring authentication:

  • GET /ghost/api/v0.1/posts/ (status == published)
  • GET /ghost/api/v0.1/posts/<id> (status == published)
  • GET /ghost/api/v0.1/posts/slug/<slug> (status == published)
  • GET /ghost/api/v0.1/tags/
  • GET /ghost/api/v0.1/settings/ (type == blog)
  • GET /ghost/api/v0.1/settings/<key> (type == blog)
  • GET /ghost/api/v0.1/users/<id>
  • GET /ghost/api/v0.1/users/slug/<slug>
  • GET /ghost/api/v0.1/users/email/<email>

While implementing this issue it would be good to investigate if it is possible to do the authentication only if a bearer token is available in the request body and let canThis() deny access if authentication is required.

Attention: Third party access to public endpoints should not be allowed before all permissions are in place (#3911).

@sebgie sebgie added affects:api Affects the Ghost API OAuth labels Sep 26, 2014
@sebgie sebgie added this to the Future Backlog milestone Sep 26, 2014
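
The approach proposed in the issue above (authenticate only when a bearer token is presented, then let the permission check deny anonymous requests that need authentication), shown as an added example that is not code from this thread or from Ghost. The function names, the token store, and reading the token from a lower-cased `authorization` header are assumptions made for illustration.

```javascript
// Added example: every name here is hypothetical, not Ghost's own API.
// Constructed token store: bearer token -> user.
const TOKENS = new Map([['valid-token', { id: 1, role: 'editor' }]]);

// Rules for anonymous reads, taken from the endpoint list in the issue.
const PUBLIC_READ = {
  posts: (record) => record.status === 'published',
  tags: () => true,
  settings: (record) => record.type === 'blog',
  users: () => true
};

// Step 1: authenticate only when a bearer token is presented.
// No token -> anonymous (user: null). A token that is presented but
// unknown is rejected with 401 rather than downgraded to anonymous.
function authenticateIfToken(headers) {
  const header = headers.authorization; // assumption: lower-cased header map
  if (header === undefined) return { status: 200, user: null };
  const match = /^Bearer ([^\s]+)$/.exec(header);
  const user = match ? TOKENS.get(match[1]) : undefined;
  return user ? { status: 200, user } : { status: 401, user: null };
}

// Step 2: the permission layer decides. Only GET is ever public, and
// only for records that pass the rule for their resource type.
function canAccess(user, method, resource, record) {
  if (user) return true; // placeholder: real per-role checks would go here
  if (method !== 'GET') return false;
  const known = Object.prototype.hasOwnProperty.call(PUBLIC_READ, resource);
  return known ? PUBLIC_READ[resource](record) : false;
}

// Combined handler: returns the HTTP status the request would receive.
function handle(req) {
  const auth = authenticateIfToken(req.headers);
  if (auth.status !== 200) return auth.status;
  if (canAccess(auth.user, req.method, req.resource, req.record)) return 200;
  return auth.user ? 403 : 401; // denied: 401 when anonymous, 403 otherwise
}
```
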
@recursivefunk

Very interested in getting this going. Any help needed here?

@julianlam

Latest blog comments plugin for NodeBB seems to rely on these routes to be publicly accessible, so that particular plugin is no longer compatible with v0.5.

👍 for this issue.

@fuzzmz

fuzzmz commented Oct 7, 2014

👍 from me as well. There are workarounds to making the routes publicly accessible, but it's not a clean solution.

-- Serban Constantin

On Wed, Oct 8, 2014 at 12:52 AM, Julian Lam notifications@github.com wrote:

Latest blog comments plugin for NodeBB http://psychobunny/nodebb-plugin-blog-comments seems to rely on these routes to be publicly accessible, so that particular plugin is no longer compatible with v0.5

👍 for this issue.


Reply to this email directly or view it on GitHub
#4181 (comment).

@ErisDS
Member

ErisDS commented Oct 7, 2014

There's a big chain of dependencies here starting with #3910 but we'd absolutely love someone to get stuck in and give us a hand.

@recursivefunk

Cool. I have a first pass at what I think might be a good solution. I'll solicit feedback in the coming week, hopefully.

@novaugust
Contributor

@jrayaustin Feel free to put up a PR with [WIP] prefixing the title if you want to claim this even while you're working things out =)

@recursivefunk

Will do! @novaugust

@recursivefunk

You guys can monitor the progress for this #4251

@ErisDS ErisDS mentioned this issue Jun 30, 2015
31 tasks
@sebgie sebgie mentioned this issue Sep 18, 2015
@ErisDS ErisDS modified the milestone: Current Backlog Oct 9, 2015
@ErisDS ErisDS modified the milestone: Public API v1 Oct 13, 2015
@ErisDS ErisDS mentioned this issue Oct 20, 2015
24 tasks
sebgie added a commit to sebgie/Ghost that referenced this issue Oct 22, 2015
refs TryGhost#4180
closes TryGhost#4181
- added client and user authentication
- added authenticatePublic/authenticatePrivate as workaround for
missing permissions
- added domain validation
- added CORS header for valid clients
- merged authenticate.js and client-auth.js into auth.js
- removed middleware/api-error-handlers.js
- removed authentication middleware
- added and updated tests