
API v2 - Authentication #9865


Closed
kevinansfield opened this issue Sep 12, 2018 · 0 comments
Labels: affects:admin (Anything relating to Ghost Admin), affects:api (Affects the Ghost API), affects:server (Issues relating to the server or core of Ghost), feature [triage] (New features we're planning or working on)

kevinansfield commented Sep 12, 2018

We're working towards a new versioned API and making both the public and private APIs in Ghost first-class citizens. As part of this work we'll be overhauling the authentication methods for the new versioned API endpoints.

  • Content API = public content only, equivalent to current public API
  • Admin API = all content and settings, equivalent to current private API

Each API will live on a new endpoint and there will be three different authentication methods to access them depending on the API being used and the particular use-case...

  • /admin/
    • User / Password login with session cookie authentication. Used by Ghost-Admin and other admin clients such as the Android app
    • API keys with JWT authentication. Used by integrations such as Zapier or custom server-side apps
  • /content/
    • API key authentication using query parameters

As part of the overhaul, the new APIs will have the restrictive and confusing trusted_domains and client_id/client_secret concepts removed. HTTP access will be deprecated for the Admin API in production until Ghost 3.0 where the Admin API will become HTTPS-only.

We will be providing an SDK for making authenticated requests to the new API endpoints.

The existing API will be deprecated but will continue to live on /api/v0.1/ with the current authentication methods until such time as the 0.1 version is fully removed from Ghost. See #9866 for details on the new API endpoints and API versioning.

allouis added a commit to allouis/Ghost-SDK that referenced this issue Sep 18, 2018
refs TryGhost/Ghost#9865

Adds jsonwebtoken and got
allouis added a commit to allouis/Ghost-SDK that referenced this issue Sep 18, 2018
refs TryGhost/Ghost#9865

Adds eslint, eslint-plugin-ghost, mocha and sinon
allouis added a commit to allouis/Ghost-SDK that referenced this issue Sep 18, 2018
refs TryGhost/Ghost#9865

This should make it easier to use in development
kirrg001 added a commit that referenced this issue Jan 18, 2019
refs #9865

- the outer authentication layer wants a consistent interface of each authentication package
  - admin.authenticate
  - session.authenticate

- furthermore, there is no need to put the full feature into the exposed function name
kirrg001 added a commit that referenced this issue Jan 18, 2019
refs #9865

- small refactoring to make both session and admin api key handling similar
- admin api key authentication is still disabled, but easy to enable
- added proof test how to authenticate using admin api keys
@allouis allouis assigned naz and kirrg001 and unassigned allouis Jan 21, 2019
naz added a commit to naz/Ghost that referenced this issue Jan 23, 2019
refs TryGhost#9865

- Extracted tests related to Admin API key authentication into separate acceptance test suite
naz added a commit to naz/Ghost that referenced this issue Jan 23, 2019
refs TryGhost#9865

- Changed key format to {id}:{secret} so API consumer only has to worry about copying a single value during setup
- Updated key expiration time in getValidAdminToken test helper to match server side expiration check
naz added a commit to naz/Ghost that referenced this issue Jan 24, 2019
refs TryGhost#9865

- Changed id passed for api_key to an object to be able to differentiate between admin and content api requests
- Added integration id to frame context
- Small refactoring of frame context initialization
naz added a commit that referenced this issue Feb 1, 2019
refs #9865

- Added some clarification around why secret used for token verification has to be transformed binary decoded from hex
kirrg001 added a commit to kirrg001/Ghost that referenced this issue Feb 7, 2019
refs TryGhost#9865

- was not sure about allowing to edit webhooks
kirrg001 added a commit that referenced this issue Feb 23, 2019
refs #9865

- see dbd3832
- we are not aware of any use cases so far
- reverting