ghost 4.15.0 → 4.17.1

package/core/server/services/settings/index.js

@@ -5,22 +5,18 @@
 const events = require('../../lib/common/events');
 const models = require('../../models');
 const SettingsCache = require('../../../shared/settings-cache');
+const SettingsBREADService = require('./settings-bread-service');
+const {obfuscatedSetting, isSecretSetting, hideValueIfSecret} = require('./settings-utils');
 
-// The string returned when a setting is set as write-only
-const obfuscatedSetting = '••••••••';
-
-// The function used to decide whether a setting is write-only
-function isSecretSetting(setting) {
-    return /secret/.test(setting.key);
-}
-
-// The function that obfuscates a write-only setting
-function hideValueIfSecret(setting) {
-    if (setting.value && isSecretSetting(setting)) {
-        return {...setting, value: obfuscatedSetting};
-    }
-    return setting;
-}
+/**
+ * @returns {SettingsBREADService} instance of the PostsService
+ */
+const getSettingsBREADServiceInstance = () => {
+    return new SettingsBREADService({
+        SettingsModel: models.Settings,
+        settingsCache: SettingsCache
+    });
+};
 
 module.exports = {
     /**
@@ -74,5 +70,6 @@ module.exports = {
 
     obfuscatedSetting,
     isSecretSetting,
-    hideValueIfSecret
+    hideValueIfSecret,
+    getSettingsBREADServiceInstance
 };

package/core/server/services/settings/settings-bread-service.js

@@ -0,0 +1,188 @@
+const _ = require('lodash');
+const tpl = require('@tryghost/tpl');
+const {NotFoundError, NoPermissionError, BadRequestError} = require('@tryghost/errors');
+const {obfuscatedSetting, isSecretSetting, hideValueIfSecret} = require('./settings-utils');
+
+const messages = {
+    problemFindingSetting: 'Problem finding setting: {key}',
+    accessCoreSettingFromExtReq: 'Attempted to access core setting from external request'
+};
+
+class SettingsBREADService {
+    /**
+     *
+     * @param {Object} options
+     * @param {Object} options.SettingsModel
+     * @param {Object} options.settingsCache - SettingsCache instance
+     */
+    constructor({SettingsModel, settingsCache}) {
+        this.SettingsModel = SettingsModel;
+        this.settingsCache = settingsCache;
+    }
+
+    /**
+     *
+     * @param {Object} context ghost API context instance
+     * @returns
+     */
+    browse(context) {
+        let settings = this.settingsCache.getAll();
+
+        // CASE: no context passed (functional call)
+        if (!context) {
+            return Promise.resolve(settings.filter((setting) => {
+                return setting.group === 'site';
+            }));
+        }
+
+        if (!context.internal) {
+            // CASE: omit core settings unless internal request
+            settings = _.filter(settings, (setting) => {
+                const isCore = setting.group === 'core';
+                return !isCore;
+            });
+            // CASE: omit secret settings unless internal request
+            settings = settings.map(hideValueIfSecret);
+        }
+
+        return settings;
+    }
+
+    /**
+     *
+     * @param {String} key setting key
+     * @param {Object} [context] API context instance
+     * @returns {Object} an object with a filled out key that comes in a parameter
+     */
+    read(key, context) {
+        let setting;
+
+        if (key === 'slack') {
+            const slackURL = this.settingsCache.get('slack_url', {resolve: false});
+            const slackUsername = this.settingsCache.get('slack_username', {resolve: false});
+
+            setting = slackURL || slackUsername;
+            setting.key = 'slack';
+            setting.value = [{
+                url: slackURL && slackURL.value,
+                username: slackUsername && slackUsername.value
+            }];
+        } else {
+            setting = this.settingsCache.get(key, {resolve: false});
+        }
+
+        if (!setting) {
+            return Promise.reject(new NotFoundError({
+                message: tpl(messages.problemFindingSetting, {
+                    key: key
+                })
+            }));
+        }
+
+        // @TODO: handle in settings model permissible fn
+        if (setting.group === 'core' && !(context && context.internal)) {
+            return Promise.reject(new NoPermissionError({
+                message: tpl(messages.accessCoreSettingFromExtReq)
+            }));
+        }
+
+        setting = hideValueIfSecret(setting);
+
+        return {
+            [key]: setting
+        };
+    }
+
+    /**
+     *
+     * @param {Object[]} settings
+     * @param {Object} options
+     * @param {Object} [options.context]
+     * @param {Object} [stripeConnectData]
+     * @returns
+     */
+    async edit(settings, options, stripeConnectData) {
+        const filteredSettings = settings.filter((setting) => {
+            // The `stripe_connect_integration_token` "setting" is only used to set the `stripe_connect_*` settings.
+            return ![
+                'stripe_connect_integration_token',
+                'stripe_connect_publishable_key',
+                'stripe_connect_secret_key',
+                'stripe_connect_livemode',
+                'stripe_connect_account_id',
+                'stripe_connect_display_name'
+            ].includes(setting.key)
+                // Remove obfuscated settings
+                && !(setting.value === obfuscatedSetting && isSecretSetting(setting));
+        });
+
+        const getSetting = setting => this.settingsCache.get(setting.key, {resolve: false});
+
+        const firstUnknownSetting = filteredSettings.find(setting => !getSetting(setting));
+
+        if (firstUnknownSetting) {
+            throw new NotFoundError({
+                message: tpl(messages.problemFindingSetting, {
+                    key: firstUnknownSetting.key
+                })
+            });
+        }
+
+        if (!(options.context && options.context.internal)) {
+            const firstCoreSetting = filteredSettings.find(setting => getSetting(setting).group === 'core');
+
+            if (firstCoreSetting) {
+                throw new NoPermissionError({
+                    message: tpl(messages.accessCoreSettingFromExtReq)
+                });
+            }
+        }
+
+        if (stripeConnectData) {
+            filteredSettings.push({
+                key: 'stripe_connect_publishable_key',
+                value: stripeConnectData.public_key
+            });
+            filteredSettings.push({
+                key: 'stripe_connect_secret_key',
+                value: stripeConnectData.secret_key
+            });
+            filteredSettings.push({
+                key: 'stripe_connect_livemode',
+                value: stripeConnectData.livemode
+            });
+            filteredSettings.push({
+                key: 'stripe_connect_display_name',
+                value: stripeConnectData.display_name
+            });
+            filteredSettings.push({
+                key: 'stripe_connect_account_id',
+                value: stripeConnectData.account_id
+            });
+        }
+
+        return this.SettingsModel.edit(filteredSettings, options);
+    }
+
+    /**
+     *
+     * @param {Object} stripeConnectIntegrationToken
+     * @param {Function} getSessionProp sync function fetching property from session store
+     * @param {Function} getStripeConnectTokenData async function retreiving Stripe Connect data for settings
+     * @returns {Promise<Object>} resolves with an object with following keys: public_key, secret_key, livemode, display_name, account_id
+     */
+    async getStripeConnectData(stripeConnectIntegrationToken, getSessionProp, getStripeConnectTokenData) {
+        if (stripeConnectIntegrationToken && stripeConnectIntegrationToken.value) {
+            try {
+                return await getStripeConnectTokenData(stripeConnectIntegrationToken.value, getSessionProp);
+            } catch (err) {
+                throw new BadRequestError({
+                    err,
+                    message: 'The Stripe Connect token could not be parsed.'
+                });
+            }
+        }
+    }
+}
+
+module.exports = SettingsBREADService;

package/core/server/services/settings/settings-utils.js

@@ -0,0 +1,32 @@
+// The string returned when a setting is set as write-only
+const obfuscatedSetting = '••••••••';
+
+/**
+ * @description // The function used to decide whether a setting is write-only
+ * @param {Object} setting setting record
+ * @param {String} setting.key
+ * @returns {Boolean}
+ */
+function isSecretSetting(setting) {
+    return /secret/.test(setting.key);
+}
+
+/**
+ * @description The function that obfuscates a write-only setting
+ * @param {Object} setting setting record
+ * @param {String} setting.value
+ * @param {String} setting.key
+ * @returns {Object} settings record with obfuscated value if it's a secret
+ */
+function hideValueIfSecret(setting) {
+    if (setting.value && isSecretSetting(setting)) {
+        return {...setting, value: obfuscatedSetting};
+    }
+    return setting;
+}
+
+module.exports = {
+    obfuscatedSetting,
+    isSecretSetting,
+    hideValueIfSecret
+};

package/core/server/services/themes/ThemeStorage.js

@@ -60,8 +60,8 @@ class ThemeStorage extends LocalFileStorage {
     /**
      * Rename a file / folder
      *
-     *
-     * @param String fileName
+     * @param {String} srcName
+     * @param {String} destName
      */
     rename(srcName, destName) {
         let src = path.join(this.getTargetDir(), srcName);
@@ -71,9 +71,10 @@ class ThemeStorage extends LocalFileStorage {
     }
 
     /**
-     * Rename a file / folder
+     * Remove a file / folder
      *
-     * @param String backupName
+     * @param {String} fileName
+     * @returns {Promise<void>}
      */
     delete(fileName) {
         return fs.remove(path.join(this.getTargetDir(), fileName));

package/core/server/services/themes/activation-bridge.js

@@ -1,5 +1,7 @@
 const debug = require('@tryghost/debug')('themes');
 const bridge = require('../../../bridge');
+const labs = require('../../../shared/labs');
+const customThemeSettings = require('../custom-theme-settings');
 
 /**
  * These helper methods mean that the bridge is only required in one place
@@ -8,14 +10,26 @@ const bridge = require('../../../bridge');
 module.exports = {
     activateFromBoot: (themeName, theme, checkedTheme) => {
         debug('Activating theme (method A on boot)', themeName);
+        // TODO: probably a better place for this to happen - after successful activation / when reloading site?
+        if (labs.isSet('customThemeSettings')) {
+            customThemeSettings.activateTheme(checkedTheme);
+        }
         bridge.activateTheme(theme, checkedTheme);
     },
     activateFromAPI: (themeName, theme, checkedTheme) => {
         debug('Activating theme (method B on API "activate")', themeName);
+        // TODO: probably a better place for this to happen - after successful activation / when reloading site?
+        if (labs.isSet('customThemeSettings')) {
+            customThemeSettings.activateTheme(checkedTheme);
+        }
         bridge.activateTheme(theme, checkedTheme);
     },
     activateFromAPIOverride: (themeName, theme, checkedTheme) => {
         debug('Activating theme (method C on API "override")', themeName);
+        // TODO: probably a better place for this to happen - after successful activation / when reloading site?
+        if (labs.isSet('customThemeSettings')) {
+            customThemeSettings.activateTheme(checkedTheme);
+        }
         bridge.activateTheme(theme, checkedTheme);
     }
 };

package/core/server/services/themes/validate.js

@@ -2,6 +2,7 @@ const debug = require('@tryghost/debug')('themes');
 const _ = require('lodash');
 const fs = require('fs-extra');
 const config = require('../../../shared/config');
+const labs = require('../../../shared/labs');
 const tpl = require('@tryghost/tpl');
 const errors = require('@tryghost/errors');
 
@@ -27,12 +28,14 @@ const check = async function check(theme, isZip) {
         debug('zip mode');
         checkedTheme = await gscan.checkZip(theme, {
             keepExtractedDir: true,
-            checkVersion: 'canary'
+            checkVersion: 'canary',
+            labs: labs.getAll()
         });
     } else {
         debug('non-zip mode');
         checkedTheme = await gscan.check(theme.path, {
-            checkVersion: 'canary'
+            checkVersion: 'canary',
+            labs: labs.getAll()
         });
     }
 

package/core/server/web/admin/views/default-prod.html

@@ -8,7 +8,7 @@
     <title>Ghost Admin</title>
 
     
-<meta name="ghost-admin/config/environment" content="%7B%22modulePrefix%22%3A%22ghost-admin%22%2C%22environment%22%3A%22production%22%2C%22rootURL%22%3A%22%2F%22%2C%22locationType%22%3A%22trailing-hash%22%2C%22EmberENV%22%3A%7B%22FEATURES%22%3A%7B%7D%2C%22EXTEND_PROTOTYPES%22%3A%7B%22Date%22%3Afalse%2C%22Array%22%3Atrue%2C%22String%22%3Atrue%2C%22Function%22%3Afalse%7D%2C%22_APPLICATION_TEMPLATE_WRAPPER%22%3Afalse%2C%22_JQUERY_INTEGRATION%22%3Atrue%2C%22_TEMPLATE_ONLY_GLIMMER_COMPONENTS%22%3Atrue%7D%2C%22APP%22%3A%7B%22version%22%3A%224.15%22%2C%22name%22%3A%22ghost-admin%22%7D%2C%22ember-simple-auth%22%3A%7B%7D%2C%22moment%22%3A%7B%22includeTimezone%22%3A%22all%22%7D%2C%22emberKeyboard%22%3A%7B%22disableInputsInitializer%22%3Atrue%7D%2C%22%40sentry%2Fember%22%3A%7B%22disablePerformance%22%3Atrue%2C%22sentry%22%3A%7B%7D%7D%2C%22ember-cli-mirage%22%3A%7B%22usingProxy%22%3Afalse%2C%22useDefaultPassthroughs%22%3Atrue%7D%2C%22exportApplicationGlobal%22%3Afalse%2C%22ember-load%22%3A%7B%22loadingIndicatorClass%22%3A%22ember-load-indicator%22%7D%7D" />
+<meta name="ghost-admin/config/environment" content="%7B%22modulePrefix%22%3A%22ghost-admin%22%2C%22environment%22%3A%22production%22%2C%22rootURL%22%3A%22%2F%22%2C%22locationType%22%3A%22trailing-hash%22%2C%22EmberENV%22%3A%7B%22FEATURES%22%3A%7B%7D%2C%22EXTEND_PROTOTYPES%22%3A%7B%22Date%22%3Afalse%2C%22Array%22%3Atrue%2C%22String%22%3Atrue%2C%22Function%22%3Afalse%7D%2C%22_APPLICATION_TEMPLATE_WRAPPER%22%3Afalse%2C%22_JQUERY_INTEGRATION%22%3Atrue%2C%22_TEMPLATE_ONLY_GLIMMER_COMPONENTS%22%3Atrue%7D%2C%22APP%22%3A%7B%22version%22%3A%224.17%22%2C%22name%22%3A%22ghost-admin%22%7D%2C%22ember-simple-auth%22%3A%7B%7D%2C%22moment%22%3A%7B%22includeTimezone%22%3A%22all%22%7D%2C%22emberKeyboard%22%3A%7B%22disableInputsInitializer%22%3Atrue%7D%2C%22%40sentry%2Fember%22%3A%7B%22disablePerformance%22%3Atrue%2C%22sentry%22%3A%7B%7D%7D%2C%22ember-cli-mirage%22%3A%7B%22usingProxy%22%3Afalse%2C%22useDefaultPassthroughs%22%3Atrue%7D%2C%22exportApplicationGlobal%22%3Afalse%2C%22ember-load%22%3A%7B%22loadingIndicatorClass%22%3A%22ember-load-indicator%22%7D%7D" />
 
     <meta name="HandheldFriendly" content="True" />
     <meta name="MobileOptimized" content="320" />
@@ -41,7 +41,7 @@
 
     
                 <link rel="stylesheet" href="assets/vendor.min-987af30228885bce50f05c4723fe6f53.css">
-                <link rel="stylesheet" href="assets/ghost.min-7aa074ad556a8455155ac88ceaca03ab.css" title="light">
+                <link rel="stylesheet" href="assets/ghost.min-741246f42f000c073999a5363434ea2c.css" title="light">
             
 
     
@@ -59,8 +59,8 @@
 <div id="ember-basic-dropdown-wormhole"></div>
 
 
-                <script src="assets/vendor.min-ca33abc718f21a51327841d58f8875d0.js"></script>
-                <script src="assets/ghost.min-e35cfee26d942c364166f57f3dcc9e75.js"></script>
+                <script src="assets/vendor.min-1bfc9d56d27508db88ef417deb55f16f.js"></script>
+                <script src="assets/ghost.min-52a5420ffcea6bf17761b5c59cf020e2.js"></script>
             
 </body>
 </html>

package/core/server/web/admin/views/default.html

@@ -8,7 +8,7 @@
     <title>Ghost Admin</title>
 
     
-<meta name="ghost-admin/config/environment" content="%7B%22modulePrefix%22%3A%22ghost-admin%22%2C%22environment%22%3A%22production%22%2C%22rootURL%22%3A%22%2F%22%2C%22locationType%22%3A%22trailing-hash%22%2C%22EmberENV%22%3A%7B%22FEATURES%22%3A%7B%7D%2C%22EXTEND_PROTOTYPES%22%3A%7B%22Date%22%3Afalse%2C%22Array%22%3Atrue%2C%22String%22%3Atrue%2C%22Function%22%3Afalse%7D%2C%22_APPLICATION_TEMPLATE_WRAPPER%22%3Afalse%2C%22_JQUERY_INTEGRATION%22%3Atrue%2C%22_TEMPLATE_ONLY_GLIMMER_COMPONENTS%22%3Atrue%7D%2C%22APP%22%3A%7B%22version%22%3A%224.15%22%2C%22name%22%3A%22ghost-admin%22%7D%2C%22ember-simple-auth%22%3A%7B%7D%2C%22moment%22%3A%7B%22includeTimezone%22%3A%22all%22%7D%2C%22emberKeyboard%22%3A%7B%22disableInputsInitializer%22%3Atrue%7D%2C%22%40sentry%2Fember%22%3A%7B%22disablePerformance%22%3Atrue%2C%22sentry%22%3A%7B%7D%7D%2C%22ember-cli-mirage%22%3A%7B%22usingProxy%22%3Afalse%2C%22useDefaultPassthroughs%22%3Atrue%7D%2C%22exportApplicationGlobal%22%3Afalse%2C%22ember-load%22%3A%7B%22loadingIndicatorClass%22%3A%22ember-load-indicator%22%7D%7D" />
+<meta name="ghost-admin/config/environment" content="%7B%22modulePrefix%22%3A%22ghost-admin%22%2C%22environment%22%3A%22production%22%2C%22rootURL%22%3A%22%2F%22%2C%22locationType%22%3A%22trailing-hash%22%2C%22EmberENV%22%3A%7B%22FEATURES%22%3A%7B%7D%2C%22EXTEND_PROTOTYPES%22%3A%7B%22Date%22%3Afalse%2C%22Array%22%3Atrue%2C%22String%22%3Atrue%2C%22Function%22%3Afalse%7D%2C%22_APPLICATION_TEMPLATE_WRAPPER%22%3Afalse%2C%22_JQUERY_INTEGRATION%22%3Atrue%2C%22_TEMPLATE_ONLY_GLIMMER_COMPONENTS%22%3Atrue%7D%2C%22APP%22%3A%7B%22version%22%3A%224.17%22%2C%22name%22%3A%22ghost-admin%22%7D%2C%22ember-simple-auth%22%3A%7B%7D%2C%22moment%22%3A%7B%22includeTimezone%22%3A%22all%22%7D%2C%22emberKeyboard%22%3A%7B%22disableInputsInitializer%22%3Atrue%7D%2C%22%40sentry%2Fember%22%3A%7B%22disablePerformance%22%3Atrue%2C%22sentry%22%3A%7B%7D%7D%2C%22ember-cli-mirage%22%3A%7B%22usingProxy%22%3Afalse%2C%22useDefaultPassthroughs%22%3Atrue%7D%2C%22exportApplicationGlobal%22%3Afalse%2C%22ember-load%22%3A%7B%22loadingIndicatorClass%22%3A%22ember-load-indicator%22%7D%7D" />
 
     <meta name="HandheldFriendly" content="True" />
     <meta name="MobileOptimized" content="320" />
@@ -41,7 +41,7 @@
 
     
                 <link rel="stylesheet" href="assets/vendor.min-987af30228885bce50f05c4723fe6f53.css">
-                <link rel="stylesheet" href="assets/ghost.min-7aa074ad556a8455155ac88ceaca03ab.css" title="light">
+                <link rel="stylesheet" href="assets/ghost.min-741246f42f000c073999a5363434ea2c.css" title="light">
             
 
     
@@ -59,8 +59,8 @@
 <div id="ember-basic-dropdown-wormhole"></div>
 
 
-                <script src="assets/vendor.min-ca33abc718f21a51327841d58f8875d0.js"></script>
-                <script src="assets/ghost.min-e35cfee26d942c364166f57f3dcc9e75.js"></script>
+                <script src="assets/vendor.min-1bfc9d56d27508db88ef417deb55f16f.js"></script>
+                <script src="assets/ghost.min-52a5420ffcea6bf17761b5c59cf020e2.js"></script>
             
 </body>
 </html>

package/core/server/web/api/canary/admin/routes.js

@@ -98,7 +98,7 @@ module.exports = function apiRoutes() {
     router.get('/members', mw.authAdminApi, http(api.members.browse));
     router.post('/members', mw.authAdminApi, http(api.members.add));
     router.del('/members', mw.authAdminApi, http(api.members.bulkDestroy));
-    router.put('/members/bulk', labs.enabledMiddleware('membersFiltering'), mw.authAdminApi, http(api.members.bulkEdit));
+    router.put('/members/bulk', mw.authAdminApi, http(api.members.bulkEdit));
 
     router.get('/members/stats/count', mw.authAdminApi, http(api.members.memberStats));
     router.get('/members/stats/mrr', mw.authAdminApi, http(api.members.mrrStats));
@@ -273,5 +273,9 @@ module.exports = function apiRoutes() {
     router.put('/snippets/:id', mw.authAdminApi, http(api.snippets.edit));
     router.del('/snippets/:id', mw.authAdminApi, http(api.snippets.destroy));
 
+    // ## Custom theme settings
+    router.get('/custom_theme_settings', mw.authAdminApi, labs.enabledMiddleware('customThemeSettings'), http(api.customThemeSettings.browse));
+    router.put('/custom_theme_settings', mw.authAdminApi, labs.enabledMiddleware('customThemeSettings'), http(api.customThemeSettings.edit));
+
     return router;
 };

package/core/server/web/members/app.js

@@ -7,6 +7,7 @@ const urlUtils = require('../../../shared/url-utils');
 const membersService = require('../../services/members');
 const middleware = membersService.middleware;
 const shared = require('../shared');
+const labs = require('../../../shared/labs');
 
 module.exports = function setupMembersApp() {
     debug('Members App setup start');
@@ -34,6 +35,7 @@ module.exports = function setupMembersApp() {
     // We don't want to add global bodyParser middleware as that interfers with stripe webhook requests on - `/webhooks`.
     membersApp.get('/api/member', middleware.getMemberData);
     membersApp.put('/api/member', bodyParser.json({limit: '1mb'}), middleware.updateMemberData);
+    membersApp.post('/api/member/email', bodyParser.json({limit: '1mb'}), (req, res) => membersService.api.middleware.updateEmailAddress(req, res));
     membersApp.get('/api/session', middleware.getIdentityToken);
     membersApp.delete('/api/session', middleware.deleteSession);
     membersApp.get('/api/site', middleware.getMemberSiteData);
@@ -43,6 +45,7 @@ module.exports = function setupMembersApp() {
     membersApp.post('/api/create-stripe-checkout-session', (req, res, next) => membersService.api.middleware.createCheckoutSession(req, res, next));
     membersApp.post('/api/create-stripe-update-session', (req, res, next) => membersService.api.middleware.createCheckoutSetupSession(req, res, next));
     membersApp.put('/api/subscriptions/:id', (req, res, next) => membersService.api.middleware.updateSubscription(req, res, next));
+    membersApp.post('/api/events', labs.enabledMiddleware('membersActivity'), middleware.loadMemberSession, (req, res, next) => membersService.api.middleware.createEvents(req, res, next));
 
     // API error handling
     membersApp.use('/api', shared.middlewares.errorHandler.resourceNotFound);

package/core/server/web/oauth/app.js

@@ -36,11 +36,10 @@ module.exports = function setupOAuthApp() {
      */
     function googleOAuthMiddleware(clientId, secret) {
         return (req, res, next) => {
-            // TODO: use url config instead of the string /ghost
+            const adminURL = urlUtils.urlFor('admin', true);
 
             //Create the callback url to be sent to Google
-            const callbackUrl = new URL(urlUtils.getSiteUrl());
-            callbackUrl.pathname = '/ghost/oauth/google/callback';
+            const callbackUrl = new URL('oauth/google/callback', adminURL);
 
             passport.authenticate(new GoogleStrategy({
                 clientID: clientId,
@@ -55,7 +54,7 @@ module.exports = function setupOAuthApp() {
                     const emails = profile.emails.filter(email => email.verified === true).map(email => email.value);
 
                     if (!emails.includes(req.user.get('email'))) {
-                        return res.redirect('/ghost/#/staff/?message=oauth-linking-failed');
+                        return res.redirect(new URL('#/staff?message=oauth-linking-failed', adminURL));
                     }
 
                     // TODO: configure the oauth data for this user (row in the oauth table)
@@ -70,7 +69,7 @@ module.exports = function setupOAuthApp() {
                     //TODO: instead find the oauth row with the email use the provider id
                     const emails = profile.emails.filter(email => email.verified === true);
                     if (emails.length < 1) {
-                        return res.redirect('/ghost/#/signin?message=login-failed');
+                        return res.redirect(new URL('#/signin?message=login-failed', adminURL));
                     }
                     const email = emails[0].value;
 
@@ -85,7 +84,7 @@ module.exports = function setupOAuthApp() {
                         let invite = await models.Invite.findOne({email, status: 'sent'}, options);
 
                         if (!invite || invite.get('expires') < Date.now()) {
-                            return res.redirect('/ghost/#/signin?message=login-failed');
+                            return res.redirect(new URL('#/signin?message=login-failed', adminURL));
                         }
 
                         //Accept invite
@@ -106,7 +105,7 @@ module.exports = function setupOAuthApp() {
 
                 await auth.session.sessionService.createSessionForUser(req, res, req.user);
 
-                return res.redirect('/ghost/');
+                return res.redirect(adminURL);
             }), {
                 scope: ['profile', 'email'],
                 session: false,
@@ -133,7 +132,7 @@ module.exports = function setupOAuthApp() {
 
     oauthApp.get('/:provider/callback', (req, res, next) => {
         // Set the referrer as the ghost instance domain so that the session is linked to the ghost instance domain
-        req.headers.referrer = urlUtils.getSiteUrl();
+        req.headers.referrer = urlUtils.getAdminUrl();
         next();
     }, auth.authenticate.authenticateAdminApi, (req, res, next) => {
         if (req.params.provider !== 'google') {