ghost 4.21.0 → 4.22.0

package/core/server/services/redirects/api.js

@@ -0,0 +1,270 @@
+const fs = require('fs-extra');
+const path = require('path');
+const moment = require('moment-timezone');
+const yaml = require('js-yaml');
+
+const logging = require('@tryghost/logging');
+const tpl = require('@tryghost/tpl');
+const errors = require('@tryghost/errors');
+
+const validation = require('./validation');
+
+const messages = {
+    jsonParse: 'Could not parse JSON: {context}.',
+    yamlParse: 'Could not parse YAML: {context}.',
+    yamlPlainString: 'YAML input cannot be a plain string. Check the format of your YAML file.',
+    redirectsHelp: 'https://ghost.org/docs/themes/routing/#redirects',
+    redirectsRegister: 'Could not register custom redirects.'
+};
+
+/**
+ * Redirect configuration object
+ * @typedef {Object} RedirectConfig
+ * @property {String} from - Defines the relative incoming URL or pattern (regex)
+ * @property {String} to - Defines where the incoming traffic should be redirected to, which can be a static URL, or a dynamic value using regex (example: "to": "/$1/")
+ * @property {boolean} permanent - Can be defined with true for a permanent HTTP 301 redirect, or false for a temporary HTTP 302 redirect
+ */
+
+/**
+ * @param {string} redirectsPath
+ * @returns {Promise<string>}
+ */
+const readRedirectsFile = async (redirectsPath) => {
+    try {
+        return await fs.readFile(redirectsPath, 'utf-8');
+    } catch (err) {
+        if (err.code === 'ENOENT') {
+            return '';
+        }
+
+        if (errors.utils.isIgnitionError(err)) {
+            throw err;
+        }
+
+        throw new errors.NotFoundError({
+            err: err
+        });
+    }
+};
+
+/**
+ *
+ * @param {String} content serialized JSON or YAML configuration
+ * @param {String} ext one of `.json` or `.yaml` extensions
+ *
+ * @returns {RedirectConfig[]} of parsed redirect config objects
+ */
+const parseRedirectsFile = (content, ext) => {
+    if (ext === '.json') {
+        let redirects;
+
+        try {
+            redirects = JSON.parse(content);
+        } catch (err) {
+            throw new errors.BadRequestError({
+                message: tpl(messages.jsonParse, {context: err.message})
+            });
+        }
+
+        return redirects;
+    }
+
+    if (ext === '.yaml') {
+        let redirects = [];
+        let configYaml;
+
+        try {
+            configYaml = yaml.load(content);
+        } catch (err) {
+            throw new errors.BadRequestError({
+                message: tpl(messages.yamlParse, {context: err.message})
+            });
+        }
+
+        // yaml.load passes almost every yaml code.
+        // Because of that, it's hard to detect if there's an error in the file.
+        // But one of the obvious errors is the plain string output.
+        // Here we check if the user made this mistake.
+        if (typeof configYaml === 'string') {
+            throw new errors.BadRequestError({
+                message: tpl(messages.yamlPlainString),
+                help: tpl(messages.redirectsHelp)
+            });
+        }
+
+        /**
+         * 302: Temporary redirects
+         */
+        for (const redirect in configYaml['302']) {
+            redirects.push({
+                from: redirect,
+                to: configYaml['302'][redirect],
+                permanent: false
+            });
+        }
+
+        /**
+         * 301: Permanent redirects
+         */
+        for (const redirect in configYaml['301']) {
+            redirects.push({
+                from: redirect,
+                to: configYaml['301'][redirect],
+                permanent: true
+            });
+        }
+
+        return redirects;
+    }
+
+    throw new errors.IncorrectUsageError();
+};
+
+/**
+ * @param {string} filePath
+ * @returns {string}
+ */
+const getBackupRedirectsFilePath = (filePath) => {
+    const {dir, name, ext} = path.parse(filePath);
+
+    return path.join(dir, `${name}-${moment().format('YYYY-MM-DD-HH-mm-ss')}${ext}`);
+};
+
+/**
+ * @typedef {object} IRedirectManager
+ */
+
+class CustomRedirectsAPI {
+    /**
+     * @param {object} config
+     * @param {string} config.basePath
+     *
+     * @param {IRedirectManager} redirectManager
+     */
+    constructor(config, redirectManager) {
+        /** @private */
+        this.config = config;
+        /** @private */
+        this.redirectManager = redirectManager;
+    }
+
+    async init() {
+        // NOTE: the try/catch block here is due to possible breaking change for existing misconfigured
+        //       instances in the wild. Would be a good idea to remove it during v5 migration to enforce
+        //       fail-fast initialization.
+        try {
+            const filePath = await this.getRedirectsFilePath();
+
+            if (filePath !== null) {
+                const content = await readRedirectsFile(filePath);
+                const ext = path.extname(filePath);
+                const redirects = parseRedirectsFile(content, ext);
+                validation.validate(redirects);
+
+                this.redirectManager.removeAllRedirects();
+                for (const redirect of redirects) {
+                    this.redirectManager.addRedirect(redirect.from, redirect.to, {permanent: redirect.permanent});
+                }
+            }
+        } catch (err) {
+            if (errors.utils.isIgnitionError(err)) {
+                logging.error(err);
+            } else {
+                logging.error(new errors.IncorrectUsageError({
+                    message: tpl(messages.redirectsRegister),
+                    context: err.message,
+                    help: tpl(messages.redirectsHelp),
+                    err
+                }));
+            }
+        }
+    }
+
+    /**
+     * @private
+     * @param {'.yaml'|'.json'} ext
+     *
+     * @returns {string}
+     */
+    createRedirectsFilePath(ext) {
+        return path.join(this.config.basePath, `redirects${ext}`);
+    }
+
+    /**
+     * @returns {Promise<string>}
+     */
+    async getRedirectsFilePath() {
+        const yamlPath = this.createRedirectsFilePath('.yaml');
+        const jsonPath = this.createRedirectsFilePath('.json');
+
+        const yamlExists = await fs.pathExists(yamlPath);
+
+        if (yamlExists) {
+            return yamlPath;
+        }
+
+        const jsonExist = await fs.pathExists(jsonPath);
+
+        if (jsonExist) {
+            return jsonPath;
+        }
+
+        return null;
+    }
+
+    /**
+     * @param {string} filePath
+     * @param {'.yaml'|'.json'} [ext]
+     *
+     * @returns {Promise<>}
+     */
+    async setFromFilePath(filePath, ext = '.json') {
+        const redirectsFilePath = await this.getRedirectsFilePath();
+
+        if (redirectsFilePath) {
+            const backupRedirectsPath = getBackupRedirectsFilePath(redirectsFilePath);
+
+            const backupExists = await fs.pathExists(backupRedirectsPath);
+            if (backupExists) {
+                await fs.unlink(backupRedirectsPath);
+            }
+
+            await fs.move(redirectsFilePath, backupRedirectsPath);
+        }
+
+        const content = await readRedirectsFile(filePath);
+        const parsed = parseRedirectsFile(content, ext);
+        validation.validate(parsed);
+
+        if (ext === '.json') {
+            await fs.writeFile(this.createRedirectsFilePath('.json'), JSON.stringify(content), 'utf-8');
+        } else if (ext === '.yaml') {
+            await fs.copy(filePath, this.createRedirectsFilePath('.yaml'));
+        }
+
+        this.redirectManager.removeAllRedirects();
+        for (const redirect of parsed) {
+            this.redirectManager.addRedirect(redirect.from, redirect.to, {permanent: redirect.permanent});
+        }
+    }
+
+    /**
+     * @returns {Promise<RedirectConfig[]>}
+     */
+    async get() {
+        const filePath = await this.getRedirectsFilePath();
+        if (filePath === null) {
+            return [];
+        }
+
+        const content = await readRedirectsFile(filePath);
+
+        if (path.extname(filePath) === '.json') {
+            return parseRedirectsFile(content, '.json');
+        }
+
+        return content;
+    }
+}
+
+module.exports = CustomRedirectsAPI;

package/core/server/services/redirects/index.js

@@ -1,15 +1,30 @@
-const settings = require('./settings');
-const validation = require('./validation');
+const config = require('../../../shared/config');
+const urlUtils = require('../../../shared/url-utils');
 
-module.exports = {
-    loadRedirectsFile: settings.loadRedirectsFile,
-    validate: validation.validate,
-    /**
-     * Methods used in the API
-     */
-    api: {
-        getRedirectsFilePath: settings.getRedirectsFilePath,
-        get: settings.get,
-        setFromFilePath: settings.setFromFilePath
+const DynamicRedirectManager = require('@tryghost/express-dynamic-redirects');
+const CustomRedirectsAPI = require('./api');
+
+const redirectManager = new DynamicRedirectManager({
+    permanentMaxAge: config.get('caching:customRedirects:maxAge'),
+    getSubdirectoryURL: (pathname) => {
+        return urlUtils.urlJoin(urlUtils.getSubdir(), pathname);
     }
+});
+
+let customRedirectsAPI;
+
+module.exports = {
+    init() {
+        customRedirectsAPI = new CustomRedirectsAPI({
+            basePath: config.getContentPath('data')
+        }, redirectManager);
+
+        return customRedirectsAPI.init();
+    },
+
+    get api() {
+        return customRedirectsAPI;
+    },
+
+    middleware: redirectManager.handleRequest
 };

package/core/server/services/themes/ThemeStorage.js

@@ -4,16 +4,16 @@ const path = require('path');
 const config = require('../../../shared/config');
 const security = require('@tryghost/security');
 const {compress} = require('@tryghost/zip');
-const LocalFileStorage = require('../../adapters/storage/LocalFileStorage');
+const LocalStorageBase = require('../../adapters/storage/LocalStorageBase');
 
 /**
  * @TODO: combine with loader.js?
  */
-class ThemeStorage extends LocalFileStorage {
+class ThemeStorage extends LocalStorageBase {
     constructor() {
-        super();
-
-        this.storagePath = config.getContentPath('themes');
+        super({
+            storagePath: config.getContentPath('themes')
+        });
     }
 
     getTargetDir() {

package/core/server/web/admin/views/default-prod.html

@@ -8,7 +8,7 @@
     <title>Ghost Admin</title>
 
     
-<meta name="ghost-admin/config/environment" content="%7B%22modulePrefix%22%3A%22ghost-admin%22%2C%22environment%22%3A%22production%22%2C%22rootURL%22%3A%22%2F%22%2C%22locationType%22%3A%22trailing-hash%22%2C%22EmberENV%22%3A%7B%22FEATURES%22%3A%7B%7D%2C%22EXTEND_PROTOTYPES%22%3A%7B%22Date%22%3Afalse%2C%22Array%22%3Atrue%2C%22String%22%3Atrue%2C%22Function%22%3Afalse%7D%2C%22_APPLICATION_TEMPLATE_WRAPPER%22%3Afalse%2C%22_JQUERY_INTEGRATION%22%3Atrue%2C%22_TEMPLATE_ONLY_GLIMMER_COMPONENTS%22%3Atrue%7D%2C%22APP%22%3A%7B%22version%22%3A%224.21%22%2C%22name%22%3A%22ghost-admin%22%7D%2C%22ember-simple-auth%22%3A%7B%7D%2C%22moment%22%3A%7B%22includeTimezone%22%3A%22all%22%7D%2C%22emberKeyboard%22%3A%7B%22disableInputsInitializer%22%3Atrue%7D%2C%22%40sentry%2Fember%22%3A%7B%22disablePerformance%22%3Atrue%2C%22sentry%22%3A%7B%7D%7D%2C%22ember-cli-mirage%22%3A%7B%22usingProxy%22%3Afalse%2C%22useDefaultPassthroughs%22%3Atrue%7D%2C%22exportApplicationGlobal%22%3Afalse%2C%22ember-load%22%3A%7B%22loadingIndicatorClass%22%3A%22ember-load-indicator%22%7D%7D" />
+<meta name="ghost-admin/config/environment" content="%7B%22modulePrefix%22%3A%22ghost-admin%22%2C%22environment%22%3A%22production%22%2C%22rootURL%22%3A%22%2F%22%2C%22locationType%22%3A%22trailing-hash%22%2C%22EmberENV%22%3A%7B%22FEATURES%22%3A%7B%7D%2C%22EXTEND_PROTOTYPES%22%3A%7B%22Date%22%3Afalse%2C%22Array%22%3Atrue%2C%22String%22%3Atrue%2C%22Function%22%3Afalse%7D%2C%22_APPLICATION_TEMPLATE_WRAPPER%22%3Afalse%2C%22_JQUERY_INTEGRATION%22%3Atrue%2C%22_TEMPLATE_ONLY_GLIMMER_COMPONENTS%22%3Atrue%7D%2C%22APP%22%3A%7B%22version%22%3A%224.22%22%2C%22name%22%3A%22ghost-admin%22%7D%2C%22ember-simple-auth%22%3A%7B%7D%2C%22moment%22%3A%7B%22includeTimezone%22%3A%22all%22%7D%2C%22emberKeyboard%22%3A%7B%22disableInputsInitializer%22%3Atrue%7D%2C%22%40sentry%2Fember%22%3A%7B%22disablePerformance%22%3Atrue%2C%22sentry%22%3A%7B%7D%7D%2C%22ember-cli-mirage%22%3A%7B%22usingProxy%22%3Afalse%2C%22useDefaultPassthroughs%22%3Atrue%7D%2C%22exportApplicationGlobal%22%3Afalse%2C%22ember-load%22%3A%7B%22loadingIndicatorClass%22%3A%22ember-load-indicator%22%7D%7D" />
 
     <meta name="HandheldFriendly" content="True" />
     <meta name="MobileOptimized" content="320" />
@@ -41,7 +41,7 @@
 
     
                 <link rel="stylesheet" href="assets/vendor.min-987af30228885bce50f05c4723fe6f53.css">
-                <link rel="stylesheet" href="assets/ghost.min-5abc69c04ad1d5301a857e01009b9c05.css" title="light">
+                <link rel="stylesheet" href="assets/ghost.min-66e08535f8bb797a8c40e0a2b31f1e9e.css" title="light">
             
 
     
@@ -59,8 +59,8 @@
 <div id="ember-basic-dropdown-wormhole"></div>
 
 
-                <script src="assets/vendor.min-c6ef90bfd7eff256e10b85583bfe9a74.js"></script>
-                <script src="assets/ghost.min-6c546c322127ae6d1d1b0ddbf34be75b.js"></script>
+                <script src="assets/vendor.min-7c8fdd90f7ecd2e94328a07ea3b64608.js"></script>
+                <script src="assets/ghost.min-efbfb823467b66f4acc66537d033aa55.js"></script>
             
 </body>
 </html>

package/core/server/web/admin/views/default.html

@@ -8,7 +8,7 @@
     <title>Ghost Admin</title>
 
     
-<meta name="ghost-admin/config/environment" content="%7B%22modulePrefix%22%3A%22ghost-admin%22%2C%22environment%22%3A%22production%22%2C%22rootURL%22%3A%22%2F%22%2C%22locationType%22%3A%22trailing-hash%22%2C%22EmberENV%22%3A%7B%22FEATURES%22%3A%7B%7D%2C%22EXTEND_PROTOTYPES%22%3A%7B%22Date%22%3Afalse%2C%22Array%22%3Atrue%2C%22String%22%3Atrue%2C%22Function%22%3Afalse%7D%2C%22_APPLICATION_TEMPLATE_WRAPPER%22%3Afalse%2C%22_JQUERY_INTEGRATION%22%3Atrue%2C%22_TEMPLATE_ONLY_GLIMMER_COMPONENTS%22%3Atrue%7D%2C%22APP%22%3A%7B%22version%22%3A%224.21%22%2C%22name%22%3A%22ghost-admin%22%7D%2C%22ember-simple-auth%22%3A%7B%7D%2C%22moment%22%3A%7B%22includeTimezone%22%3A%22all%22%7D%2C%22emberKeyboard%22%3A%7B%22disableInputsInitializer%22%3Atrue%7D%2C%22%40sentry%2Fember%22%3A%7B%22disablePerformance%22%3Atrue%2C%22sentry%22%3A%7B%7D%7D%2C%22ember-cli-mirage%22%3A%7B%22usingProxy%22%3Afalse%2C%22useDefaultPassthroughs%22%3Atrue%7D%2C%22exportApplicationGlobal%22%3Afalse%2C%22ember-load%22%3A%7B%22loadingIndicatorClass%22%3A%22ember-load-indicator%22%7D%7D" />
+<meta name="ghost-admin/config/environment" content="%7B%22modulePrefix%22%3A%22ghost-admin%22%2C%22environment%22%3A%22production%22%2C%22rootURL%22%3A%22%2F%22%2C%22locationType%22%3A%22trailing-hash%22%2C%22EmberENV%22%3A%7B%22FEATURES%22%3A%7B%7D%2C%22EXTEND_PROTOTYPES%22%3A%7B%22Date%22%3Afalse%2C%22Array%22%3Atrue%2C%22String%22%3Atrue%2C%22Function%22%3Afalse%7D%2C%22_APPLICATION_TEMPLATE_WRAPPER%22%3Afalse%2C%22_JQUERY_INTEGRATION%22%3Atrue%2C%22_TEMPLATE_ONLY_GLIMMER_COMPONENTS%22%3Atrue%7D%2C%22APP%22%3A%7B%22version%22%3A%224.22%22%2C%22name%22%3A%22ghost-admin%22%7D%2C%22ember-simple-auth%22%3A%7B%7D%2C%22moment%22%3A%7B%22includeTimezone%22%3A%22all%22%7D%2C%22emberKeyboard%22%3A%7B%22disableInputsInitializer%22%3Atrue%7D%2C%22%40sentry%2Fember%22%3A%7B%22disablePerformance%22%3Atrue%2C%22sentry%22%3A%7B%7D%7D%2C%22ember-cli-mirage%22%3A%7B%22usingProxy%22%3Afalse%2C%22useDefaultPassthroughs%22%3Atrue%7D%2C%22exportApplicationGlobal%22%3Afalse%2C%22ember-load%22%3A%7B%22loadingIndicatorClass%22%3A%22ember-load-indicator%22%7D%7D" />
 
     <meta name="HandheldFriendly" content="True" />
     <meta name="MobileOptimized" content="320" />
@@ -41,7 +41,7 @@
 
     
                 <link rel="stylesheet" href="assets/vendor.min-987af30228885bce50f05c4723fe6f53.css">
-                <link rel="stylesheet" href="assets/ghost.min-5abc69c04ad1d5301a857e01009b9c05.css" title="light">
+                <link rel="stylesheet" href="assets/ghost.min-66e08535f8bb797a8c40e0a2b31f1e9e.css" title="light">
             
 
     
@@ -59,8 +59,8 @@
 <div id="ember-basic-dropdown-wormhole"></div>
 
 
-                <script src="assets/vendor.min-c6ef90bfd7eff256e10b85583bfe9a74.js"></script>
-                <script src="assets/ghost.min-6c546c322127ae6d1d1b0ddbf34be75b.js"></script>
+                <script src="assets/vendor.min-7c8fdd90f7ecd2e94328a07ea3b64608.js"></script>
+                <script src="assets/ghost.min-efbfb823467b66f4acc66537d033aa55.js"></script>
             
 </body>
 </html>

package/core/server/web/api/canary/admin/routes.js

@@ -100,10 +100,10 @@ module.exports = function apiRoutes() {
     router.del('/members', mw.authAdminApi, http(api.members.bulkDestroy));
     router.put('/members/bulk', mw.authAdminApi, http(api.members.bulkEdit));
 
-    router.get('/offers', labs.enabledMiddleware('offers'), mw.authAdminApi, http(api.offers.browse));
-    router.post('/offers', labs.enabledMiddleware('offers'), mw.authAdminApi, http(api.offers.add));
-    router.get('/offers/:id', labs.enabledMiddleware('offers'), mw.authAdminApi, http(api.offers.read));
-    router.put('/offers/:id', labs.enabledMiddleware('offers'), mw.authAdminApi, http(api.offers.edit));
+    router.get('/offers', mw.authAdminApi, http(api.offers.browse));
+    router.post('/offers', mw.authAdminApi, http(api.offers.add));
+    router.get('/offers/:id', mw.authAdminApi, http(api.offers.read));
+    router.put('/offers/:id', mw.authAdminApi, http(api.offers.edit));
 
     router.get('/members/stats/count', mw.authAdminApi, http(api.members.memberStats));
     router.get('/members/stats/mrr', mw.authAdminApi, http(api.members.mrrStats));
@@ -236,6 +236,15 @@ module.exports = function apiRoutes() {
         http(api.images.upload)
     );
 
+    // ## media
+    router.post('/media/upload',
+        labs.enabledMiddleware('mediaAPI'),
+        mw.authAdminApi,
+        apiMw.upload.media('file', 'thumbnail'),
+        apiMw.upload.mediaValidation({type: 'media'}),
+        http(api.media.upload)
+    );
+
     // ## Invites
     router.get('/invites', mw.authAdminApi, http(api.invites.browse));
     router.get('/invites/:id', mw.authAdminApi, http(api.invites.read));

package/core/server/web/api/middleware/upload.js

@@ -31,23 +31,30 @@ const messages = {
     icons: {
         missingFile: 'Please select an icon.',
         invalidFile: 'Icon must be a square .ico or .png file between 60px – 1,000px, under 100kb.'
+    },
+    media: {
+        missingFile: 'Please select a media file.',
+        invalidFile: 'Please select a valid media file.'
+    },
+    thumbnail: {
+        missingFile: 'Please select a thumbnail.',
+        invalidFile: 'Please select a valid thumbnail.'
     }
 };
 
-const upload = {
-    enabledClear: config.get('uploadClear') || true,
-    multer: multer({dest: os.tmpdir()})
-};
+const enabledClear = config.get('uploadClear') || true;
+const upload = multer({dest: os.tmpdir()});
 
 const deleteSingleFile = file => fs.unlink(file.path).catch(err => logging.error(err));
 
 const single = name => (req, res, next) => {
-    const singleUpload = upload.multer.single(name);
+    const singleUpload = upload.single(name);
+
     singleUpload(req, res, (err) => {
         if (err) {
             return next(err);
         }
-        if (upload.enabledClear) {
+        if (enabledClear) {
             const deleteFiles = () => {
                 res.removeListener('finish', deleteFiles);
                 res.removeListener('close', deleteFiles);
@@ -70,6 +77,43 @@ const single = name => (req, res, next) => {
     });
 };
 
+const media = (fileName, thumbName) => (req, res, next) => {
+    const mediaUpload = upload.fields([{
+        name: fileName,
+        maxCount: 1
+    }, {
+        name: thumbName,
+        maxCount: 1
+    }]);
+
+    mediaUpload(req, res, (err) => {
+        if (err) {
+            return next(err);
+        }
+
+        if (enabledClear) {
+            const deleteFiles = () => {
+                res.removeListener('finish', deleteFiles);
+                res.removeListener('close', deleteFiles);
+                if (!req.disableUploadClear) {
+                    if (req.files.file) {
+                        return req.files.file.forEach(deleteSingleFile);
+                    }
+                    if (req.files.thumbnail) {
+                        return req.files.thumbnail.forEach(deleteSingleFile);
+                    }
+                }
+            };
+            if (!req.disableUploadClear) {
+                res.on('finish', deleteFiles);
+                res.on('close', deleteFiles);
+            }
+        }
+
+        next();
+    });
+};
+
 const checkFileExists = (fileData) => {
     return !!(fileData.mimetype && fileData.path);
 };
@@ -84,9 +128,13 @@ const checkFileIsValid = (fileData, types, extensions) => {
     return false;
 };
 
-const validation = function (options) {
-    const type = options.type;
-
+/**
+ *
+ * @param {Object} options
+ * @param {String} options.type - type of the file
+ * @returns {Function}
+ */
+const validation = function ({type}) {
     // if we finish the data/importer logic, we forward the request to the specified importer
     return function uploadValidation(req, res, next) {
         const extensions = (config.get('uploads')[type] && config.get('uploads')[type].extensions) || [];
@@ -116,9 +164,68 @@ const validation = function (options) {
     };
 };
 
+/**
+ *
+ * @param {Object} options
+ * @param {String} options.type - type of the file
+ * @returns {Function}
+ */
+const mediaValidation = function ({type}) {
+    return function mediaUploadValidation(req, res, next) {
+        const extensions = (config.get('uploads')[type] && config.get('uploads')[type].extensions) || [];
+        const contentTypes = (config.get('uploads')[type] && config.get('uploads')[type].contentTypes) || [];
+
+        const thumbnailExtensions = (config.get('uploads').thumbnails && config.get('uploads').thumbnails.extensions) || [];
+        const thumbnailContentTypes = (config.get('uploads').thumbnails && config.get('uploads').thumbnails.contentTypes) || [];
+
+        const {file: [file] = []} = req.files;
+        if (!file || !checkFileExists(file)) {
+            return next(new errors.ValidationError({
+                message: tpl(messages[type].missingFile)
+            }));
+        }
+
+        req.file = file;
+        req.file.name = req.file.originalname;
+        req.file.type = req.file.mimetype;
+        req.file.ext = path.extname(req.file.name).toLowerCase();
+
+        if (!checkFileIsValid(req.file, contentTypes, extensions)) {
+            return next(new errors.UnsupportedMediaTypeError({
+                message: tpl(messages[type].invalidFile, {extensions: extensions})
+            }));
+        }
+
+        const {thumbnail: [thumbnailFile] = []} = req.files;
+
+        if (thumbnailFile) {
+            if (!checkFileExists(thumbnailFile)) {
+                return next(new errors.ValidationError({
+                    message: tpl(messages.thumbnail.missingFile)
+                }));
+            }
+
+            req.thumbnail = thumbnailFile;
+            req.thumbnail.ext = path.extname(thumbnailFile.originalname).toLowerCase();
+            req.thumbnail.name = `${path.basename(req.file.name, path.extname(req.file.name))}_thumb${req.thumbnail.ext}`;
+            req.thumbnail.type = req.thumbnail.mimetype;
+
+            if (!checkFileIsValid(req.thumbnail, thumbnailContentTypes, thumbnailExtensions)) {
+                return next(new errors.UnsupportedMediaTypeError({
+                    message: tpl(messages.thumbnail.invalidFile, {extensions: thumbnailExtensions})
+                }));
+            }
+        }
+
+        next();
+    };
+};
+
 module.exports = {
     single,
-    validation
+    media,
+    validation,
+    mediaValidation
 };
 
 // Exports for testing only

package/core/server/web/members/app.js

@@ -37,7 +37,7 @@ module.exports = function setupMembersApp() {
     membersApp.put('/api/member', bodyParser.json({limit: '1mb'}), middleware.updateMemberData);
     membersApp.post('/api/member/email', bodyParser.json({limit: '1mb'}), (req, res) => membersService.api.middleware.updateEmailAddress(req, res));
     membersApp.get('/api/session', middleware.getIdentityToken);
-    membersApp.get('/api/offers/:id', labs.enabledMiddleware('offers'), middleware.getOfferData);
+    membersApp.get('/api/offers/:id', middleware.getOfferData);
     membersApp.delete('/api/session', middleware.deleteSession);
     membersApp.get('/api/site', middleware.getMemberSiteData);
 

package/core/server/web/shared/middlewares/index.js

@@ -11,10 +11,6 @@ module.exports = {
         return require('./cache-control');
     },
 
-    get customRedirects() {
-        return require('./custom-redirects');
-    },
-
     get errorHandler() {
         return require('./error-handler');
     },

package/core/shared/config/defaults.json

@@ -23,7 +23,9 @@
         }
     },
     "storage": {
-        "active": "LocalFileStorage"
+        "active": "LocalImagesStorage",
+        "media": "LocalMediaStorage",
+        "LocalMediaStorage": {}
     },
     "scheduling": {
         "active": "SchedulingDefault"

package/core/shared/config/helpers.js

@@ -32,6 +32,8 @@ const getContentPath = function getContentPath(type) {
     switch (type) {
     case 'images':
         return path.join(this.get('paths:contentPath'), 'images/');
+    case 'media':
+        return path.join(this.get('paths:contentPath'), 'media/');
     case 'themes':
         return path.join(this.get('paths:contentPath'), 'themes/');
     case 'adapters':

package/core/shared/config/overrides.json

@@ -30,6 +30,14 @@
             "extensions": [".jpg", ".jpeg", ".gif", ".png", ".svg", ".svgz", ".ico", ".webp"],
             "contentTypes": ["image/jpeg", "image/png", "image/gif", "image/svg+xml", "image/x-icon", "image/vnd.microsoft.icon", "image/webp"]
         },
+        "media": {
+            "extensions": [".mp4",".webm", ".ogv"],
+            "contentTypes": ["video/mp4", "video/webm", "video/ogg"]
+        },
+        "thumbnails": {
+            "extensions": [".jpg", ".jpeg", ".gif", ".png", ".svg", ".svgz", ".ico", ".webp"],
+            "contentTypes": ["image/jpeg", "image/png", "image/gif", "image/svg+xml", "image/x-icon", "image/vnd.microsoft.icon", "image/webp"]
+        },
         "icons": {
             "extensions": [".png", ".ico"],
             "contentTypes": ["image/png", "image/x-icon", "image/vnd.microsoft.icon"]

package/core/shared/labs.js

@@ -15,8 +15,7 @@ const messages = {
 
 // flags in this list always return `true`, allows quick global enable prior to full flag removal
 const GA_FEATURES = [
-    'customThemeSettings',
-    'offers'
+    'customThemeSettings'
 ];
 
 // NOTE: this allowlist is meant to be used to filter out any unexpected
@@ -28,7 +27,10 @@ const BETA_FEATURES = [
 
 const ALPHA_FEATURES = [
     'oauthLogin',
-    'membersActivity'
+    'membersActivity',
+    'cardSettingsPanel',
+    'mediaAPI',
+    'membersAutoLogin'
 ];
 
 module.exports.GA_KEYS = [...GA_FEATURES];