I am creating a small app to complement the content on Ghost for my members, and I would like a way for the app to only qualify members who are logged in via the Ghost site. To clarify, I would like to rely solely on Ghost’s authentication system for my app.
I did some scouting, and it looks like the following cookies are stored for members:
__cfduid, ghost-members-ssr, ghost-members-ssr.sig, ugid
Additionally, after exploring the database a bit I found the following in the settings table:
members_public_key, members_private_key, members_email_auth_secret
I am also aware of possibly relevant tables such as members. Could someone explain to me how they all tie together?
Here is my assumption of how it might work:
ghost-members-ssr.sig is the public key that I would use the members_private_key to decrypt via RSA, revealing the session info that I can use to check if the user is qualified, i.e. ghost-members-ssr matches the user email from the backend and the cookie has not expired. That said, there are some obvious gaps in my knowledge, and I am unsure what the other cookie variables and members_email_auth_secret represent, so I thought it would be best to check first before starting. Also, is the decryption method RSA?