To add to my previous post and to clarify a bit more:
There is already middleware that intercepts each request to ‘/ghost’ (which pretty much happens once, since the admin client is a rich Ember.js app).
backendApp.use('/ghost', require('../../services/auth/session').createSessionFromToken, require('../admin')());
Then following the trail, you can see the execution flow is as follows:
getRequestCredentials → getIdentityFromCredentials → getUserForIdentity
The return value of each one is fed to the subsequent one as a parameter. The Ghost code doing this is in the @tryghost/mw-session-from-token package, as below:
    // Body of the mw-session-from-token middleware: each step's result feeds
    // the next, and a step that yields nothing falls through to next()
    // without creating a session.
    const token = await getTokenFromRequest(req);
    if (!token) {
        return next();
    }
    const email = await getLookupFromToken(token);
    if (!email) {
        return next();
    }
    const user = await findUserByLookup(email);
    if (!user) {
        return next();
    }
    await createSession(req, res, user);
Whatever you do in the previous two functions, the final function, getUserForIdentity, is what determines who the logged-in user will be. As long as you return a user object with a correct id property from this function, whether via a direct return or by returning a Promise that then resolves, Ghost will set the user in the session to that:
My final function simply does this:
    async getUserForIdentity(userEmail) {
        let user = null;
        return new Promise(async (resolve, reject) => {
            try {
                // Look the user up by the lower-cased email carried in the identity.
                if (userEmail != undefined) {
                    user = await UserModel.getByEmail(userEmail.toLowerCase());
                }
                // Ghost only needs the id to attach the user to the session.
                if (user != undefined) {
                    resolve({ id: user.id });
                } else {
                    resolve(null);
                }
            } catch (err) {
                reject(err);
            }
        });
    }
(…at the end, I guess I could just return the result of UserModel.getByEmail directly, but I have not tested that)
Once the request passes through this middleware, the user session is set and the request is intercepted by ‘./admin’ (as you can see at the top), which recognizes the user, since all the API calls going forward are tied to this user session.