npm - ghost - Versions diffs - 4.20.4 → 4.22.2 - Mend

ghost 4.20.4 → 4.22.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (107) hide show

package/core/server/services/members/stripe-connect.js CHANGED Viewed

@@ -4,6 +4,9 @@ const {Buffer} = require('buffer');
 const {randomBytes} = require('crypto');
 const {URL} = require('url');
+const config = require('../../../shared/config');
+const urlUtils = require('../../../shared/url-utils');
 const messages = {
     incorrectState: 'State did not match.'
 };
@@ -24,6 +27,7 @@ const redirectURI = 'https://stripe.ghost.org';
  * @returns {Promise<URL>}
  */
 async function getStripeConnectOAuthUrl(setSessionProp, mode = 'live') {
+    checkCanConnect();
     const randomState = randomBytes(16).toString('hex');
     const state = Buffer.from(JSON.stringify({
         mode,
@@ -71,6 +75,16 @@ async function getStripeConnectTokenData(encodedData, getSessionProp) {
     };
 }
+function checkCanConnect() {
+    const siteUrl = urlUtils.getSiteUrl();
+    const productionMode = config.get('env') === 'production';
+    const siteUrlUsingSSL = /^https/.test(siteUrl);
+    const cannotConnectToStripe = productionMode && !siteUrlUsingSSL;
+    if (cannotConnectToStripe) {
+        throw new errors.BadRequestError('Cannot connect to stripe unless site is using https://');
+    }
+}
 module.exports = {
     getStripeConnectOAuthUrl,
     getStripeConnectTokenData,

package/core/server/services/nft-oembed.js ADDED Viewed

@@ -0,0 +1,71 @@
+/**
+ * @typedef {import('./oembed').ICustomProvider} ICustomProvider
+ * @typedef {import('./oembed').IExternalRequest} IExternalRequest
+ */
+const OPENSEA_PATH_REGEX = /^\/assets\/(0x[a-f0-9]+)\/(\d+)/;
+/**
+ * @implements ICustomProvider
+ */
+class NFTOEmbedProvider {
+    /**
+     * @param {object} dependencies
+     */
+    constructor(dependencies) {
+        this.dependencies = dependencies;
+    }
+    /**
+     * @param {URL} url
+     * @returns {Promise<boolean>}
+     */
+    async canSupportRequest(url) {
+        return url.host === 'opensea.io' && OPENSEA_PATH_REGEX.test(url.pathname);
+    }
+    /**
+     * @param {URL} url
+     * @param {IExternalRequest} externalRequest
+     *
+     * @returns {Promise<import('oembed-parser').RichTypeData & Object<string, any>>}
+     */
+    async getOEmbedData(url, externalRequest) {
+        const [match, transaction, asset] = url.pathname.match(OPENSEA_PATH_REGEX);
+        if (!match) {
+            return null;
+        }
+        const result = await externalRequest(`https://api.opensea.io/api/v1/asset/${transaction}/${asset}/`, {
+            json: true
+        });
+        return {
+            version: '1.0',
+            type: 'rich',
+            title: result.body.name,
+            author_name: result.body.creator.user.username,
+            author_url: `https://opensea.io/${result.body.creator.user.username}`,
+            provider_name: 'OpenSea',
+            provider_url: 'https://opensea.io',
+            html: `
+            <a href="${result.body.permalink}" class="kg-nft-card">
+                <img class="kg-nft-image" src="${result.body.image_url}">
+                <div class="kg-nft-metadata">
+                    <div class="kg-nft-header">
+                        <h4 class="kg-nft-title"> ${result.body.name} </h4>
+                    </div>
+                    <div class="kg-nft-creator">
+                        Created by <span class="kg-nft-creator-name">${result.body.creator.user.username}</span>
+                        ${(result.body.collection.name ? `&bull; ${result.body.collection.name}` : ``)}
+                    </div>
+                    ${(result.body.description ? `<p class="kg-nft-description">${result.body.description}</p>` : ``)}
+                </div>
+            </a>
+            `,
+            width: 1000,
+            height: 1000,
+            noIframe: true
+        };
+    }
+}
+module.exports = NFTOEmbedProvider;

package/core/server/services/oembed.js CHANGED Viewed

@@ -1,4 +1,3 @@
-const Promise = require('bluebird');
 const errors = require('@tryghost/errors');
 const tpl = require('@tryghost/tpl');
 const {extract, hasProvider} = require('oembed-parser');
@@ -11,6 +10,10 @@ const messages = {
     insufficientMetadata: 'URL contains insufficient metadata.'
 };
+/**
+ * @param {string} url
+ * @returns {{url: string, provider: boolean}}
+ */
 const findUrlWithProvider = (url) => {
     let provider;
@@ -44,6 +47,12 @@ const findUrlWithProvider = (url) => {
  * @typedef {(url: string, config: Object) => Promise} IExternalRequest
  */
+/**
+ * @typedef {object} ICustomProvider
+ * @prop {(url: URL) => Promise<boolean>} canSupportRequest
+ * @prop {(url: URL, externalRequest: IExternalRequest) => Promise<import('oembed-parser').OembedData>} getOEmbedData
+ */
 class OEmbed {
     /**
      *
@@ -53,29 +62,62 @@ class OEmbed {
      */
     constructor({config, externalRequest}) {
         this.config = config;
-        this.externalRequest = externalRequest;
+        /** @type {IExternalRequest} */
+        this.externalRequest = async (url, requestConfig) => {
+            if (this.isIpOrLocalhost(url)) {
+                return this.unknownProvider(url);
+            }
+            const response = await externalRequest(url, requestConfig);
+            if (this.isIpOrLocalhost(response.url)) {
+                return this.unknownProvider(url);
+            }
+            return response;
+        };
+        /** @type {ICustomProvider[]} */
+        this.customProviders = [];
+    }
+    /**
+     * @param {ICustomProvider} provider
+     */
+    registerProvider(provider) {
+        this.customProviders.push(provider);
     }
-    unknownProvider(url) {
-        return Promise.reject(new errors.ValidationError({
+    /**
+     * @param {string} url
+     */
+    async unknownProvider(url) {
+        throw new errors.ValidationError({
             message: tpl(messages.unknownProvider),
             context: url
-        }));
+        });
     }
-    knownProvider(url) {
-        return extract(url).catch((err) => {
-            return Promise.reject(new errors.InternalServerError({
+    /**
+     * @param {string} url
+     */
+    async knownProvider(url) {
+        try {
+            return await extract(url);
+        } catch (err) {
+            throw new errors.InternalServerError({
                 message: err.message
-            }));
-        });
+            });
+        }
     }
+    /**
+     * @param {string} url
+     */
     errorHandler(url) {
-        return (err) => {
+        /**
+         * @param {Error|errors.GhostError} err
+         */
+        return async (err) => {
             // allow specific validation errors through for better error messages
             if (errors.utils.isIgnitionError(err) && err.errorType === 'ValidationError') {
-                return Promise.reject(err);
+                throw err;
             }
             // default to unknown provider to avoid leaking any app specifics
@@ -97,19 +139,11 @@ class OEmbed {
         let scraperResponse;
-        try {
-            const cookieJar = new CookieJar();
-            const response = await this.externalRequest(url, {cookieJar});
+        const cookieJar = new CookieJar();
+        const response = await this.externalRequest(url, {cookieJar});
-            if (this.isIpOrLocalhost(response.url)) {
-                scraperResponse = {};
-            } else {
-                const html = response.body;
-                scraperResponse = await metascraper({html, url});
-            }
-        } catch (err) {
-            return Promise.reject(err);
-        }
+        const html = response.body;
+        scraperResponse = await metascraper({html, url});
         const metadata = Object.assign({}, scraperResponse, {
             thumbnail: scraperResponse.image,
@@ -119,20 +153,25 @@ class OEmbed {
         delete metadata.image;
         delete metadata.logo;
-        if (metadata.title) {
-            return Promise.resolve({
-                type: 'bookmark',
-                url,
-                metadata
+        if (!metadata.title) {
+            throw new errors.ValidationError({
+                message: tpl(messages.insufficientMetadata),
+                context: url
             });
         }
-        return Promise.reject(new errors.ValidationError({
-            message: tpl(messages.insufficientMetadata),
-            context: url
-        }));
+        return {
+            version: '1.0',
+            type: 'bookmark',
+            url,
+            metadata
+        };
     }
+    /**
+     * @param {string} url
+     * @returns {boolean}
+     */
     isIpOrLocalhost(url) {
         try {
             const IPV4_REGEX = /^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$/;
@@ -163,14 +202,7 @@ class OEmbed {
      *
      * @returns {Promise<Object>}
      */
-    fetchOembedData(_url, cardType) {
-        // parse the url then validate the protocol and host to make sure it's
-        // http(s) and not an IP address or localhost to avoid potential access to
-        // internal network endpoints
-        if (this.isIpOrLocalhost(_url)) {
-            return this.unknownProvider();
-        }
+    async fetchOembedData(_url, cardType) {
         // check against known oembed list
         let {url, provider} = findUrlWithProvider(_url);
         if (provider) {
@@ -180,88 +212,81 @@ class OEmbed {
         // url not in oembed list so fetch it in case it's a redirect or has a
         // <link rel="alternate" type="application/json+oembed"> element
         const cookieJar = new CookieJar();
-        return this.externalRequest(url, {
+        const pageResponse = await this.externalRequest(url, {
             method: 'GET',
             timeout: 2 * 1000,
             followRedirect: true,
             cookieJar
-        }).then((pageResponse) => {
-            // url changed after fetch, see if we were redirected to a known oembed
-            if (pageResponse.url !== url) {
-                ({url, provider} = findUrlWithProvider(pageResponse.url));
-                if (provider) {
-                    return this.knownProvider(url);
-                }
+        });
+        // url changed after fetch, see if we were redirected to a known oembed
+        if (pageResponse.url !== url) {
+            ({url, provider} = findUrlWithProvider(pageResponse.url));
+            if (provider) {
+                return this.knownProvider(url);
             }
+        }
-            // check for <link rel="alternate" type="application/json+oembed"> element
-            let oembedUrl;
-            try {
-                oembedUrl = cheerio('link[type="application/json+oembed"]', pageResponse.body).attr('href');
-            } catch (e) {
-                return this.unknownProvider(url);
+        // check for <link rel="alternate" type="application/json+oembed"> element
+        let oembedUrl;
+        try {
+            oembedUrl = cheerio('link[type="application/json+oembed"]', pageResponse.body).attr('href');
+        } catch (e) {
+            return this.unknownProvider(url);
+        }
+        if (oembedUrl) {
+            // for standard WP oembed's we want to insert a bookmark card rather than their blockquote+script
+            // which breaks in the editor and most Ghost themes. Only fallback if card type was not explicitly chosen
+            if (!cardType && oembedUrl.match(/wp-json\/oembed/)) {
+                return;
             }
-            if (oembedUrl) {
-                // make sure the linked url is not an ip address or localhost
-                if (this.isIpOrLocalhost(oembedUrl)) {
-                    return this.unknownProvider(oembedUrl);
+            // fetch oembed response from embedded rel="alternate" url
+            const oembedResponse = await this.externalRequest(oembedUrl, {
+                method: 'GET',
+                json: true,
+                timeout: 2 * 1000,
+                followRedirect: true,
+                cookieJar
+            });
+            // validate the fetched json against the oembed spec to avoid
+            // leaking non-oembed responses
+            const body = oembedResponse.body;
+            const hasRequiredFields = body.type && body.version;
+            const hasValidType = ['photo', 'video', 'link', 'rich'].includes(body.type);
+            if (hasRequiredFields && hasValidType) {
+                // extract known oembed fields from the response to limit leaking of unrecognised data
+                const knownFields = [
+                    'type',
+                    'version',
+                    'html',
+                    'url',
+                    'title',
+                    'width',
+                    'height',
+                    'author_name',
+                    'author_url',
+                    'provider_name',
+                    'provider_url',
+                    'thumbnail_url',
+                    'thumbnail_width',
+                    'thumbnail_height'
+                ];
+                const oembed = _.pick(body, knownFields);
+                // ensure we have required data for certain types
+                if (oembed.type === 'photo' && !oembed.url) {
+                    return;
                 }
-                // for standard WP oembed's we want to insert a bookmark card rather than their blockquote+script
-                // which breaks in the editor and most Ghost themes. Only fallback if card type was not explicitly chosen
-                if (!cardType && oembedUrl.match(/wp-json\/oembed/)) {
+                if ((oembed.type === 'video' || oembed.type === 'rich') && (!oembed.html || !oembed.width || !oembed.height)) {
                     return;
                 }
-                // fetch oembed response from embedded rel="alternate" url
-                return this.externalRequest(oembedUrl, {
-                    method: 'GET',
-                    json: true,
-                    timeout: 2 * 1000,
-                    followRedirect: true,
-                    cookieJar
-                }).then((oembedResponse) => {
-                    // validate the fetched json against the oembed spec to avoid
-                    // leaking non-oembed responses
-                    const body = oembedResponse.body;
-                    const hasRequiredFields = body.type && body.version;
-                    const hasValidType = ['photo', 'video', 'link', 'rich'].includes(body.type);
-                    if (hasRequiredFields && hasValidType) {
-                        // extract known oembed fields from the response to limit leaking of unrecognised data
-                        const knownFields = [
-                            'type',
-                            'version',
-                            'html',
-                            'url',
-                            'title',
-                            'width',
-                            'height',
-                            'author_name',
-                            'author_url',
-                            'provider_name',
-                            'provider_url',
-                            'thumbnail_url',
-                            'thumbnail_width',
-                            'thumbnail_height'
-                        ];
-                        const oembed = _.pick(body, knownFields);
-                        // ensure we have required data for certain types
-                        if (oembed.type === 'photo' && !oembed.url) {
-                            return;
-                        }
-                        if ((oembed.type === 'video' || oembed.type === 'rich') && (!oembed.html || !oembed.width || !oembed.height)) {
-                            return;
-                        }
-                        // return the extracted object, don't pass through the response body
-                        return oembed;
-                    }
-                }).catch(() => {});
+                // return the extracted object, don't pass through the response body
+                return oembed;
             }
-        });
+        }
     }
     /**
@@ -274,6 +299,16 @@ class OEmbed {
         let data;
         try {
+            const urlObject = new URL(url);
+            for (const provider of this.customProviders) {
+                if (await provider.canSupportRequest(urlObject)) {
+                    const result = await provider.getOEmbedData(urlObject, this.externalRequest);
+                    if (result !== null) {
+                        return result;
+                    }
+                }
+            }
             if (type === 'bookmark') {
                 return this.fetchBookmarkData(url);
             }

package/core/server/services/offers/service.js CHANGED Viewed

@@ -1,6 +1,3 @@
-const labs = require('../../../shared/labs');
-const events = require('../../lib/common/events');
 const DynamicRedirectManager = require('@tryghost/express-dynamic-redirects');
 const OffersModule = require('@tryghost/members-offers');
@@ -28,34 +25,7 @@ module.exports = {
         this.api = offersModule.api;
-        let initCalled = false;
-        if (labs.isSet('offers')) {
-            // handles setting up redirects
-            const promise = offersModule.init();
-            initCalled = true;
-            await promise;
-        }
-        // TODO: Delete after GA
-        let offersEnabled = labs.isSet('offers');
-        events.on('settings.labs.edited', async () => {
-            if (labs.isSet('offers') && !initCalled) {
-                const promise = offersModule.init();
-                initCalled = true;
-                await promise;
-            } else if (labs.isSet('offers') !== offersEnabled) {
-                offersEnabled = labs.isSet('offers');
-                if (offersEnabled) {
-                    const offers = await this.api.listOffers({});
-                    for (const offer of offers) {
-                        redirectManager.addRedirect(`/${offer.code}`, `/#/portal/offers/${offer.id}`, {permanent: false});
-                    }
-                } else {
-                    redirectManager.removeAllRedirects();
-                }
-            }
-        });
+        await offersModule.init();
     },
     api: null,

package/core/server/services/public-config/config.js CHANGED Viewed

@@ -16,7 +16,8 @@ module.exports = function getConfigProperties() {
         stripeDirect: config.get('stripeDirect'),
         mailgunIsConfigured: config.get('bulkEmail') && config.get('bulkEmail').mailgun,
         emailAnalytics: config.get('emailAnalytics'),
-        hostSettings: config.get('hostSettings')
+        hostSettings: config.get('hostSettings'),
+        tenorApiKey: config.get('tenorApiKey')
     };
     const billingUrl = config.get('hostSettings:billing:enabled') ? config.get('hostSettings:billing:url') : '';