lkatney · July 14, 2018 14:48
diff --git a/middleware.js b/middleware.js
 // ### Authenticate Middleware
 // authentication has to be done for /ghost/* routes with
 // exceptions for signin, signout, signup, forgotten, reset only
 // api and frontend use different authentication mechanisms atm
 authenticate: function (req, res, next) {
    var path,
        subPath,
        scope;

    // SubPath is the url path starting after any default subdirectories
    // it is stripped of anything after the two levels `/ghost/.*?/` as the reset link has an argument
    path = req.path;
    /*jslint regexp:true, unparam:true*/
    subPath = path.replace(/^(\/.*?\/.*?\/)(.*)?/, function (match, a) {
        return a;
    });

    scope = req.query.scope; // scope to distinguish if GET POST request is for public use or not

    if (subPath.indexOf('/ghost/api/') === 0
        && path.indexOf('/ghost/api/v0.1/authentication/') !== 0
            && (path.indexOf('v0.1/posts') === -1 || req.method !== 'GET' || scope !== 'public')){ // condition to expose GET POST API publicaly
        return passport.authenticate('bearer', {session: false, failWithError: true},
            function (err, user, info) {
                if (err) {
                    return next(err); // will generate a 500 error
                }
                // Generate a JSON response reflecting authentication status
                if (!user) {
                    var msg = {
                        type: 'error',
                        message: 'Please Sign In',
                        status: 'passive'
                    };
                    res.status(401);
                    return res.send(msg);
                }
                // TODO: figure out, why user & authInfo is lost
                req.authInfo = info;
                req.user = user;
                return next(null, user, info);
            }
        )(req, res, next);
    }
    next();
 }
	// ### Authenticate Middleware
	// authentication has to be done for /ghost/* routes with
	// exceptions for signin, signout, signup, forgotten, reset only
	// api and frontend use different authentication mechanisms atm
	authenticate: function (req, res, next) {
	var path,
	subPath,
	scope;

	// SubPath is the url path starting after any default subdirectories
	// it is stripped of anything after the two levels `/ghost/.*?/` as the reset link has an argument
	path = req.path;
	/jslint regexp:true, unparam:true/
	subPath = path.replace(/^(\/.?\/.?\/)(.*)?/, function (match, a) {
	return a;
	});

	scope = req.query.scope; // scope to distinguish if GET POST request is for public use or not

	if (subPath.indexOf('/ghost/api/') === 0
	&& path.indexOf('/ghost/api/v0.1/authentication/') !== 0
	&& (path.indexOf('v0.1/posts') === -1 \|\| req.method !== 'GET' \|\| scope !== 'public')){ // condition to expose GET POST API publicaly
	return passport.authenticate('bearer', {session: false, failWithError: true},
	function (err, user, info) {
	if (err) {
	return next(err); // will generate a 500 error
	}
	// Generate a JSON response reflecting authentication status
	if (!user) {
	var msg = {
	type: 'error',
	message: 'Please Sign In',
	status: 'passive'
	};
	res.status(401);
	return res.send(msg);
	}
	// TODO: figure out, why user & authInfo is lost
	req.authInfo = info;
	req.user = user;
	return next(null, user, info);
	}
	)(req, res, next);
	}
	next();
	}