Can the Owner Staff token still be used for impersonation?

Hi all,
I’m trying to get an impersonation URL for a user, similar to what’s described here:

I’m successfully creating a jwt using the Owner’s staff token, as the article says, like so:

const jwt = require('jsonwebtoken'); // the npm package used to sign the token

// GHOST_ID and GHOST_SECRET are the two halves (id:secret) of the Owner's staff access token
let GHOST_TOKEN = jwt.sign({}, Buffer.from(GHOST_SECRET, 'hex'), {
    keyid: GHOST_ID,
    algorithm: 'HS256',
    expiresIn: '5m',
    audience: '/canary/admin'
});

I’m pretty sure I’m getting a valid key, because I can get data from the members endpoint OK, like so:

  // Sanity check: a GET on the members endpoint works with the same token
  let result = await fetch('https://mysite.ghost.io/ghost/api/admin/members/' + id, {
      method: 'GET',
      headers: {
          'Authorization': 'Ghost ' + GHOST_TOKEN
      }
  })
  let json = await result.json()

[I also checked the JWT with an online tool, which said it was valid.]

HOWEVER, when I switch to the /ghost/api/canary/admin/members/' + id + '/signin_urls/ endpoint, I get the following error:

      message: 'Permission error, cannot read member_signin_url.',
      context: 'You do not have permission to read member_signin_urls',
      type: 'NoPermissionError',

So… although my JWT works elsewhere, it isn’t working here. Can anyone give me a nudge in the right direction?

I read this thread (Admin API endpoint 403 forbidden - #7 by Kevin) and maybe I need to be doing user authentication instead of using the owner’s staff token? But that thread is older than the Discourse link above, which seems pretty clear about the owner’s staff token working…

help?


Update. I can hit the signin_urls endpoint if I use an admin session cookie. So it’s not that the endpoint is broken. It either doesn’t like the JWT I’m generating (although I’m following the directions to use the owner’s staff key and that JWT works elsewhere), or it doesn’t take JWTs.

This is basically the last piece I need to build a single sign-on implementation. [Not that I’m done, but I know how to do the rest.] I’d prefer to give the sign-in the owner’s staff key than the owner’s password, if that’s possible.

I opened an issue: admin/members/:id/signin_url won't take Owner's staff access token · Issue #16748 · TryGhost/Ghost · GitHub

Hey @Cathy_Sarisky did you ever get to the bottom of this? I’m facing exactly the same problem

Hi @Edd , nope, I switched to using a cookie. (An administrator cookie is adequate - owner’s credentials not needed.)

Those of you following closely may infer that this is the reason my social sign-on offering requires the admin login and password.

Hey @Cathy_Sarisky, thank you for your reply!

Hmm, I’ve tried extracting the cookie also. I noticed, using Developer Tools, that it is using ghost-private in the cookie, which isn’t returned from the session authentication endpoint. I’ve tried appending this statically, to no avail.

How are you getting your Administrator cookie? Would you be happy to share any details with me? I appreciate you’re offering a paid service. Happy to speak privately if need be and share my process.

Many thanks

Scratch that, I have it working. I was sending an Authorization Header as well as the Cookie. I only needed to send the Cookie!

Many thanks

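The cookie-based flow this thread ends on, written out as an added example (my code, not the original poster's and not Ghost's own): POST the staff user's credentials to the Admin API session endpoint, keep the session cookie it sets, then call members/:id/signin_urls/ with only that cookie in the request. The Ghost server side is replaced by a constructed stand-in (mockGhostFetch) so the example runs offline and reproduces what the thread observed: an Authorization header on that endpoint gets NoPermissionError, the cookie alone succeeds. The site URL, member id, credentials, cookie value and sign-in token are placeholders; the Admin API paths under /ghost/api/admin/, the cookie name ghost-admin-api-session, the Origin header on login and the response shape { member_signin_urls: [{ member_id, url }] } are assumptions from Ghost's documented session auth, not something the thread confirms.

```javascript
// Added example, not code from the thread or from Ghost itself. It does the
// cookie-based flow the thread lands on: POST credentials to the session
// endpoint, keep the ghost-admin-api-session cookie, then call
// /members/:id/signin_urls/ with ONLY that cookie. Node 18+ for global fetch.
// Assumed, not confirmed by the thread: Admin API paths under /ghost/api/admin/,
// cookie name "ghost-admin-api-session", and a response body shaped
// { member_signin_urls: [{ member_id, url }] }.
const SESSION_COOKIE = 'ghost-admin-api-session';

// Pull the session cookie out of a Set-Cookie header value; returns
// "name=value" ready to send back, or null if the cookie is absent.
function extractSessionCookie(setCookieHeader) {
  if (!setCookieHeader) return null;
  const m = setCookieHeader.match(new RegExp(SESSION_COOKIE + '=([^;]+)'));
  return m ? `${SESSION_COOKIE}=${m[1]}` : null;
}

// Build the signin_urls request from scratch so no Authorization header can
// ride along with the cookie (the mistake in the last post above).
function buildSigninUrlsRequest(siteUrl, memberId, cookie) {
  if (!cookie) throw new Error('session cookie required');
  const base = siteUrl.replace(/\/$/, '');
  return {
    url: `${base}/ghost/api/admin/members/${encodeURIComponent(memberId)}/signin_urls/`,
    init: { method: 'GET', headers: { Cookie: cookie, Accept: 'application/json', 'Accept-Version': 'v5.0' } },
  };
}

// Log in as a staff user (an Administrator is enough, per the thread).
// fetchImpl is injectable so the flow can be exercised offline below.
async function login(siteUrl, username, password, fetchImpl = fetch) {
  const base = siteUrl.replace(/\/$/, '');
  const res = await fetchImpl(`${base}/ghost/api/admin/session/`, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json', 'Accept-Version': 'v5.0', Origin: base }, // Origin: assumed required
    body: JSON.stringify({ username, password }),
  });
  if (!res.ok) throw new Error(`login failed: HTTP ${res.status}`);
  const cookie = extractSessionCookie(res.headers.get('set-cookie'));
  if (!cookie) throw new Error('no session cookie in login response');
  return cookie;
}

async function getMemberSigninUrl(siteUrl, memberId, cookie, fetchImpl = fetch) {
  const { url, init } = buildSigninUrlsRequest(siteUrl, memberId, cookie);
  const res = await fetchImpl(url, init);
  const body = await res.json();
  if (!res.ok) {
    const e = (body.errors && body.errors[0]) || {};
    throw new Error(`HTTP ${res.status} ${e.type || ''}: ${e.message || ''}`);
  }
  return body.member_signin_urls[0].url;
}

// ---- Constructed offline stand-in for the Ghost server (not real Ghost code).
// It mirrors what the thread observed: an Authorization header on signin_urls
// gets NoPermissionError; a valid session cookie alone succeeds.
const MOCK_SITE = 'https://mysite.ghost.io';            // placeholder site
const MOCK_MEMBER = '6463fbd3e0c4a60001f7b5e8';         // constructed member id
const MOCK_COOKIE = `${SESSION_COOKIE}=s%3Afake.session.signature`; // constructed
const MOCK_CREDS = { username: 'admin@example.com', password: 'correct horse battery staple' }; // constructed
function reply(status, body, headers = {}) {
  return { ok: status < 400, status, headers: { get: (n) => headers[n.toLowerCase()] ?? null }, json: async () => body };
}
async function mockGhostFetch(url, init = {}) {
  const h = Object.fromEntries(Object.entries(init.headers || {}).map(([k, v]) => [k.toLowerCase(), v]));
  if (url === `${MOCK_SITE}/ghost/api/admin/session/` && init.method === 'POST') {
    const { username, password } = JSON.parse(init.body);
    if (!h.origin || username !== MOCK_CREDS.username || password !== MOCK_CREDS.password) {
      return reply(401, { errors: [{ type: 'UnauthorizedError', message: 'Access denied.' }] });
    }
    return reply(201, {}, { 'set-cookie': `${MOCK_COOKIE}; Path=/ghost; HttpOnly; Secure; SameSite=Lax` });
  }
  if (url === `${MOCK_SITE}/ghost/api/admin/members/${MOCK_MEMBER}/signin_urls/`) {
    if (h.authorization || h.cookie !== MOCK_COOKIE) {
      return reply(403, { errors: [{ type: 'NoPermissionError', message: 'Permission error, cannot read member_signin_url.' }] });
    }
    return reply(200, { member_signin_urls: [{ member_id: MOCK_MEMBER, url: `${MOCK_SITE}/members/?token=CONSTRUCTED&action=signin` }] });
  }
  return reply(404, { errors: [{ type: 'NotFoundError', message: 'Resource not found' }] });
}

// Cookie only: the flow that works.
async function demoCookieOnly() {
  const cookie = await login(MOCK_SITE, MOCK_CREDS.username, MOCK_CREDS.password, mockGhostFetch);
  return getMemberSigninUrl(MOCK_SITE, MOCK_MEMBER, cookie, mockGhostFetch);
}

// Same cookie plus a stray Authorization header: reproduces the failure.
async function demoCookiePlusAuthHeader() {
  const cookie = await login(MOCK_SITE, MOCK_CREDS.username, MOCK_CREDS.password, mockGhostFetch);
  const { url, init } = buildSigninUrlsRequest(MOCK_SITE, MOCK_MEMBER, cookie);
  init.headers.Authorization = 'Ghost some.jwt.token';
  return (await (await mockGhostFetch(url, init)).json()).errors[0].type;
}

demoCookieOnly().then((u) => console.log('signin url:', u));
demoCookiePlusAuthHeader().then((t) => console.log('with Authorization header too:', t));
```

Two practical points follow from this. The session cookie carries the full rights of the staff user who logged in, exactly like the password that produced it, so keep it on the server (never in the browser or in a client bundle), reuse one session rather than logging in per request, and let it expire rather than persisting it. And build the signin_urls request headers from scratch as above: a shared HTTP client that injects a default Authorization header is the easiest way to end up sending both and getting the NoPermissionError the thread describes.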