I want to build a custom, external api to display some stats that are tied to the users’ accounts. I can keep track of the users through webhooks, but how do I allow them to access their own data securely?
To sum it up: How can I use ghost’s internal authentication with an external application?
You can get a JWT for a logged in user by hitting /members/api/session/
(this is current as of v5, the endpoint on the link below is out of date).
Pass that to app, and have app validate it.
the Public Key is at /members/.well-known/jwks.json
I am having trouble with this part, I found ./versions/5.34.0/core/server/web/well-known.js which has the jwks.json route wellKnownApp.get('/jwks.json', cache, async (req, res) => , but I can’t seem to get it to respond with anything other than a 404. Is there some change I need to make? I did notice anything on the /members/.well-known/ path returns an nginx 404 instead of one from ghost. https://github.com/TryGhost/Ghost/search?q=jwks.json This was somewhat useful, it seems I might have some sort of installation issue as the routes listed don’t function on my server. I tested on a public installation of ghost and it worked fine so it must be an issue with my nginx I think.
Update: solved the issue with nginx. Had to comment some lines out that the cli installer made in the two files in sites-avaliable and its working fine now.
#location ~ /.well-known {
# allow all;
#}
Just a tip for anyone trying to follow along, https://token.dev/ is a great resource. Helped me understand how these things work