ghost 4.21.0 → 4.22.3

package/core/server/services/redirects/index.js

@@ -1,15 +1,30 @@
-const settings = require('./settings');
-const validation = require('./validation');
+const config = require('../../../shared/config');
+const urlUtils = require('../../../shared/url-utils');
 
-module.exports = {
-    loadRedirectsFile: settings.loadRedirectsFile,
-    validate: validation.validate,
-    /**
-     * Methods used in the API
-     */
-    api: {
-        getRedirectsFilePath: settings.getRedirectsFilePath,
-        get: settings.get,
-        setFromFilePath: settings.setFromFilePath
+const DynamicRedirectManager = require('@tryghost/express-dynamic-redirects');
+const CustomRedirectsAPI = require('./api');
+
+const redirectManager = new DynamicRedirectManager({
+    permanentMaxAge: config.get('caching:customRedirects:maxAge'),
+    getSubdirectoryURL: (pathname) => {
+        return urlUtils.urlJoin(urlUtils.getSubdir(), pathname);
     }
+});
+
+let customRedirectsAPI;
+
+module.exports = {
+    init() {
+        customRedirectsAPI = new CustomRedirectsAPI({
+            basePath: config.getContentPath('data')
+        }, redirectManager);
+
+        return customRedirectsAPI.init();
+    },
+
+    get api() {
+        return customRedirectsAPI;
+    },
+
+    middleware: redirectManager.handleRequest
 };

package/core/server/services/stripe/index.js

@@ -27,7 +27,10 @@ function configureApi() {
     }
 }
 
-const debouncedConfigureApi = _.debounce(configureApi, 600);
+const debouncedConfigureApi = _.debounce(() => {
+    configureApi();
+    events.emit('services.stripe.reconfigured');
+}, 600);
 
 module.exports = {
     async init() {
@@ -37,7 +40,6 @@ module.exports = {
                 return;
             }
             debouncedConfigureApi();
-            events.emit('services.stripe.reconfigured');
         });
     },
 

package/core/server/services/themes/ThemeStorage.js

@@ -4,16 +4,16 @@ const path = require('path');
 const config = require('../../../shared/config');
 const security = require('@tryghost/security');
 const {compress} = require('@tryghost/zip');
-const LocalFileStorage = require('../../adapters/storage/LocalFileStorage');
+const LocalStorageBase = require('../../adapters/storage/LocalStorageBase');
 
 /**
  * @TODO: combine with loader.js?
  */
-class ThemeStorage extends LocalFileStorage {
+class ThemeStorage extends LocalStorageBase {
     constructor() {
-        super();
-
-        this.storagePath = config.getContentPath('themes');
+        super({
+            storagePath: config.getContentPath('themes')
+        });
     }
 
     getTargetDir() {

package/core/server/services/url/Resource.js

@@ -8,7 +8,7 @@ const errors = require('@tryghost/errors');
 class Resource extends EventEmitter {
     /**
      * @param {('posts'|'pages'|'tags'|'authors')} type - of the resource
-     * @param {Object} obj - object data to sotre
+     * @param {Object} obj - object data to store
      */
     constructor(type, obj) {
         super();

package/core/server/services/url/Resources.js

@@ -43,38 +43,57 @@ class Resources {
     }
 
     /**
-     * @description Initialise the resource config. We currently fetch the data straight via the the model layer,
+     * @description Initialize the resource config. We currently fetch the data straight via the the model layer,
      *              but because Ghost supports multiple API versions, we have to ensure we load the correct data.
      *
      * @TODO: https://github.com/TryGhost/Ghost/issues/10360
-     * @private
      */
-    _initResourceConfig() {
+    initResourceConfig() {
         if (!_.isEmpty(this.resourcesConfig)) {
             return;
         }
 
         const bridge = require('../../../bridge');
-        this.resourcesAPIVersion = bridge.getFrontendApiVersion();
-        this.resourcesConfig = require(`./configs/${this.resourcesAPIVersion}`);
+        const resourcesAPIVersion = bridge.getFrontendApiVersion();
+        this.resourcesConfig = require(`./configs/${resourcesAPIVersion}`);
     }
 
     /**
-     * @description Helper function to initialise data fetching. Each resource type needs to register resource/model
-     *              events to get notified about updates/deletions/inserts.
+     * @description Helper function to initialize data fetching.
      */
     fetchResources() {
         const ops = [];
         debug('fetchResources');
 
-        this._initResourceConfig();
-
         // NOTE: Iterate over all resource types (posts, users etc..) and call `_fetch`.
         _.each(this.resourcesConfig, (resourceConfig) => {
             this.data[resourceConfig.type] = [];
 
             // NOTE: We are querying knex directly, because the Bookshelf ORM overhead is too slow.
             ops.push(this._fetch(resourceConfig));
+        });
+
+        return Promise.all(ops);
+    }
+
+    /**
+     * @description Each resource type needs to register resource/model events to get notified
+     * about updates/deletions/inserts.
+     *
+     * For example for a "tag" resource type with following configuration:
+     *  events: {
+     *     add: 'tag.added',
+     *     update: ['tag.edited', 'tag.attached', 'tag.detached'],
+     *     remove: 'tag.deleted'
+     *  }
+     * there would be:
+     * 1 event listener connected to  "_onResourceAdded"   handler and it's 'tag.added' event
+     * 3 event listeners connected to "_onResourceUpdated" handler and it's 'tag.edited', 'tag.attached', 'tag.detached' events
+     * 1 event listener connected to  "_onResourceRemoved" handler and it's 'tag.deleted' event
+     */
+    initEvenListeners() {
+        _.each(this.resourcesConfig, (resourceConfig) => {
+            this.data[resourceConfig.type] = [];
 
             this._listenOn(resourceConfig.events.add, (model) => {
                 return this._onResourceAdded.bind(this)(resourceConfig.type, model);
@@ -96,16 +115,6 @@ class Resources {
                 return this._onResourceRemoved.bind(this)(resourceConfig.type, model);
             });
         });
-
-        Promise.all(ops)
-            .then(() => {
-                // CASE: all resources are fetched, start the queue
-                this.queue.start({
-                    event: 'init',
-                    tolerance: 100,
-                    requiredSubscriberCount: 1
-                });
-            });
     }
 
     /**
@@ -430,8 +439,6 @@ class Resources {
      * @description Reset this class instance.
      *
      * Is triggered if you switch API versions.
-     *
-     * @param {Object} options
      */
     reset() {
         _.each(this.listeners, (obj) => {

package/core/server/services/url/UrlService.js

@@ -1,7 +1,9 @@
+const fs = require('fs-extra');
 const _debug = require('@tryghost/debug')._base;
 const debug = _debug('ghost:services:url:service');
 const _ = require('lodash');
 const errors = require('@tryghost/errors');
+const labs = require('../../../shared/labs');
 const UrlGenerator = require('./UrlGenerator');
 const Queue = require('./Queue');
 const Urls = require('./Urls');
@@ -17,12 +19,18 @@ const events = require('../../lib/common/events');
  * It will tell you if the url generation is in progress or not.
  */
 class UrlService {
-    constructor() {
+    /**
+     *
+     * @param {Object} options
+     * @param {String} [options.urlCachePath] - path to store cached URLs at
+     */
+    constructor({urlCachePath} = {}) {
         this.utils = urlUtils;
-
+        this.urlCachePath = urlCachePath;
         this.finished = false;
         this.urlGenerators = [];
 
+        // Get urls
         this.urls = new Urls();
         this.queue = new Queue();
         this.resources = new Resources(this.queue);
@@ -281,13 +289,63 @@ class UrlService {
     }
 
     /**
-     * @description Internal helper to re-trigger fetching resources on theme change.
-     *
-     * @TODO: Either remove this helper or rename to `_init`, because it's a little confusing,
-     *        because this service get's initalised via events.
+     * @description Initializes components needed for the URL Service to function
      */
-    init() {
-        this.resources.fetchResources();
+    async init() {
+        this.resources.initResourceConfig();
+        this.resources.initEvenListeners();
+
+        const persistedUrls = await this.fetchUrls();
+        if (persistedUrls) {
+            this.urls = new Urls({
+                urls: persistedUrls
+            });
+            this.finished = true;
+        } else {
+            await this.resources.fetchResources();
+        }
+
+        // CASE: all resources are fetched, start the queue
+        this.queue.start({
+            event: 'init',
+            tolerance: 100,
+            requiredSubscriberCount: 1
+        });
+    }
+
+    async persistUrls() {
+        if (!labs.isSet('urlCache') || !this.urlCachePath) {
+            return null;
+        }
+
+        return fs.writeFile(this.urlCachePath, JSON.stringify(this.urls.urls, null, 4));
+    }
+
+    async fetchUrls() {
+        if (!labs.isSet('urlCache') || !this.urlCachePath) {
+            return null;
+        }
+
+        let urlsCacheExists = false;
+        let urls;
+
+        try {
+            await fs.stat(this.urlCachePath);
+            urlsCacheExists = true;
+        } catch (e) {
+            urlsCacheExists = false;
+        }
+
+        if (urlsCacheExists) {
+            try {
+                const urlsFile = await fs.readFile(this.urlCachePath, 'utf8');
+                urls = JSON.parse(urlsFile);
+            } catch (e) {
+                //noop as we'd start a long boot process if there are any errors in the file
+            }
+        }
+
+        return urls;
     }
 
     /**

package/core/server/services/url/Urls.js

@@ -20,8 +20,13 @@ const events = require('../../lib/common/events');
  * You can easily ask `this.urls[resourceId]`.
  */
 class Urls {
-    constructor() {
-        this.urls = {};
+    /**
+     *
+     * @param {Object} [options]
+     * @param {Object} [options.urls] map of available URLs with their resources
+     */
+    constructor({urls = {}} = {}) {
+        this.urls = urls;
     }
 
     /**

package/core/server/services/url/index.js

@@ -1,5 +1,12 @@
+const path = require('path');
+const config = require('../../../shared/config');
 const UrlService = require('./UrlService');
-const urlService = new UrlService();
+
+// NOTE: instead of a path we could give UrlService a "data-resolver" of some sort
+//       so it doesn't have to contain the logic to read data at all. This would be
+//       a possible improvement in the future
+const urlCachePath = path.join(config.getContentPath('data'), 'urls.json');
+const urlService = new UrlService({urlCachePath});
 
 // Singleton
 module.exports = urlService;

package/core/server/web/admin/views/default-prod.html

@@ -8,7 +8,7 @@
     <title>Ghost Admin</title>
 
     
-<meta name="ghost-admin/config/environment" content="%7B%22modulePrefix%22%3A%22ghost-admin%22%2C%22environment%22%3A%22production%22%2C%22rootURL%22%3A%22%2F%22%2C%22locationType%22%3A%22trailing-hash%22%2C%22EmberENV%22%3A%7B%22FEATURES%22%3A%7B%7D%2C%22EXTEND_PROTOTYPES%22%3A%7B%22Date%22%3Afalse%2C%22Array%22%3Atrue%2C%22String%22%3Atrue%2C%22Function%22%3Afalse%7D%2C%22_APPLICATION_TEMPLATE_WRAPPER%22%3Afalse%2C%22_JQUERY_INTEGRATION%22%3Atrue%2C%22_TEMPLATE_ONLY_GLIMMER_COMPONENTS%22%3Atrue%7D%2C%22APP%22%3A%7B%22version%22%3A%224.21%22%2C%22name%22%3A%22ghost-admin%22%7D%2C%22ember-simple-auth%22%3A%7B%7D%2C%22moment%22%3A%7B%22includeTimezone%22%3A%22all%22%7D%2C%22emberKeyboard%22%3A%7B%22disableInputsInitializer%22%3Atrue%7D%2C%22%40sentry%2Fember%22%3A%7B%22disablePerformance%22%3Atrue%2C%22sentry%22%3A%7B%7D%7D%2C%22ember-cli-mirage%22%3A%7B%22usingProxy%22%3Afalse%2C%22useDefaultPassthroughs%22%3Atrue%7D%2C%22exportApplicationGlobal%22%3Afalse%2C%22ember-load%22%3A%7B%22loadingIndicatorClass%22%3A%22ember-load-indicator%22%7D%7D" />
+<meta name="ghost-admin/config/environment" content="%7B%22modulePrefix%22%3A%22ghost-admin%22%2C%22environment%22%3A%22production%22%2C%22rootURL%22%3A%22%2F%22%2C%22locationType%22%3A%22trailing-hash%22%2C%22EmberENV%22%3A%7B%22FEATURES%22%3A%7B%7D%2C%22EXTEND_PROTOTYPES%22%3A%7B%22Date%22%3Afalse%2C%22Array%22%3Atrue%2C%22String%22%3Atrue%2C%22Function%22%3Afalse%7D%2C%22_APPLICATION_TEMPLATE_WRAPPER%22%3Afalse%2C%22_JQUERY_INTEGRATION%22%3Atrue%2C%22_TEMPLATE_ONLY_GLIMMER_COMPONENTS%22%3Atrue%7D%2C%22APP%22%3A%7B%22version%22%3A%224.22%22%2C%22name%22%3A%22ghost-admin%22%7D%2C%22ember-simple-auth%22%3A%7B%7D%2C%22moment%22%3A%7B%22includeTimezone%22%3A%22all%22%7D%2C%22emberKeyboard%22%3A%7B%22disableInputsInitializer%22%3Atrue%7D%2C%22%40sentry%2Fember%22%3A%7B%22disablePerformance%22%3Atrue%2C%22sentry%22%3A%7B%7D%7D%2C%22ember-cli-mirage%22%3A%7B%22usingProxy%22%3Afalse%2C%22useDefaultPassthroughs%22%3Atrue%7D%2C%22exportApplicationGlobal%22%3Afalse%2C%22ember-load%22%3A%7B%22loadingIndicatorClass%22%3A%22ember-load-indicator%22%7D%7D" />
 
     <meta name="HandheldFriendly" content="True" />
     <meta name="MobileOptimized" content="320" />
@@ -41,7 +41,7 @@
 
     
                 <link rel="stylesheet" href="assets/vendor.min-987af30228885bce50f05c4723fe6f53.css">
-                <link rel="stylesheet" href="assets/ghost.min-5abc69c04ad1d5301a857e01009b9c05.css" title="light">
+                <link rel="stylesheet" href="assets/ghost.min-4207edfc1ae0a3f9f6505ca00d20b0c0.css" title="light">
             
 
     
@@ -59,8 +59,8 @@
 <div id="ember-basic-dropdown-wormhole"></div>
 
 
-                <script src="assets/vendor.min-c6ef90bfd7eff256e10b85583bfe9a74.js"></script>
-                <script src="assets/ghost.min-6c546c322127ae6d1d1b0ddbf34be75b.js"></script>
+                <script src="assets/vendor.min-413f887176a041e6dbf88214ca9a7481.js"></script>
+                <script src="assets/ghost.min-7da921f6c6cac3fe10da1ba104575440.js"></script>
             
 </body>
 </html>

package/core/server/web/admin/views/default.html

@@ -8,7 +8,7 @@
     <title>Ghost Admin</title>
 
     
-<meta name="ghost-admin/config/environment" content="%7B%22modulePrefix%22%3A%22ghost-admin%22%2C%22environment%22%3A%22production%22%2C%22rootURL%22%3A%22%2F%22%2C%22locationType%22%3A%22trailing-hash%22%2C%22EmberENV%22%3A%7B%22FEATURES%22%3A%7B%7D%2C%22EXTEND_PROTOTYPES%22%3A%7B%22Date%22%3Afalse%2C%22Array%22%3Atrue%2C%22String%22%3Atrue%2C%22Function%22%3Afalse%7D%2C%22_APPLICATION_TEMPLATE_WRAPPER%22%3Afalse%2C%22_JQUERY_INTEGRATION%22%3Atrue%2C%22_TEMPLATE_ONLY_GLIMMER_COMPONENTS%22%3Atrue%7D%2C%22APP%22%3A%7B%22version%22%3A%224.21%22%2C%22name%22%3A%22ghost-admin%22%7D%2C%22ember-simple-auth%22%3A%7B%7D%2C%22moment%22%3A%7B%22includeTimezone%22%3A%22all%22%7D%2C%22emberKeyboard%22%3A%7B%22disableInputsInitializer%22%3Atrue%7D%2C%22%40sentry%2Fember%22%3A%7B%22disablePerformance%22%3Atrue%2C%22sentry%22%3A%7B%7D%7D%2C%22ember-cli-mirage%22%3A%7B%22usingProxy%22%3Afalse%2C%22useDefaultPassthroughs%22%3Atrue%7D%2C%22exportApplicationGlobal%22%3Afalse%2C%22ember-load%22%3A%7B%22loadingIndicatorClass%22%3A%22ember-load-indicator%22%7D%7D" />
+<meta name="ghost-admin/config/environment" content="%7B%22modulePrefix%22%3A%22ghost-admin%22%2C%22environment%22%3A%22production%22%2C%22rootURL%22%3A%22%2F%22%2C%22locationType%22%3A%22trailing-hash%22%2C%22EmberENV%22%3A%7B%22FEATURES%22%3A%7B%7D%2C%22EXTEND_PROTOTYPES%22%3A%7B%22Date%22%3Afalse%2C%22Array%22%3Atrue%2C%22String%22%3Atrue%2C%22Function%22%3Afalse%7D%2C%22_APPLICATION_TEMPLATE_WRAPPER%22%3Afalse%2C%22_JQUERY_INTEGRATION%22%3Atrue%2C%22_TEMPLATE_ONLY_GLIMMER_COMPONENTS%22%3Atrue%7D%2C%22APP%22%3A%7B%22version%22%3A%224.22%22%2C%22name%22%3A%22ghost-admin%22%7D%2C%22ember-simple-auth%22%3A%7B%7D%2C%22moment%22%3A%7B%22includeTimezone%22%3A%22all%22%7D%2C%22emberKeyboard%22%3A%7B%22disableInputsInitializer%22%3Atrue%7D%2C%22%40sentry%2Fember%22%3A%7B%22disablePerformance%22%3Atrue%2C%22sentry%22%3A%7B%7D%7D%2C%22ember-cli-mirage%22%3A%7B%22usingProxy%22%3Afalse%2C%22useDefaultPassthroughs%22%3Atrue%7D%2C%22exportApplicationGlobal%22%3Afalse%2C%22ember-load%22%3A%7B%22loadingIndicatorClass%22%3A%22ember-load-indicator%22%7D%7D" />
 
     <meta name="HandheldFriendly" content="True" />
     <meta name="MobileOptimized" content="320" />
@@ -41,7 +41,7 @@
 
     
                 <link rel="stylesheet" href="assets/vendor.min-987af30228885bce50f05c4723fe6f53.css">
-                <link rel="stylesheet" href="assets/ghost.min-5abc69c04ad1d5301a857e01009b9c05.css" title="light">
+                <link rel="stylesheet" href="assets/ghost.min-4207edfc1ae0a3f9f6505ca00d20b0c0.css" title="light">
             
 
     
@@ -59,8 +59,8 @@
 <div id="ember-basic-dropdown-wormhole"></div>
 
 
-                <script src="assets/vendor.min-c6ef90bfd7eff256e10b85583bfe9a74.js"></script>
-                <script src="assets/ghost.min-6c546c322127ae6d1d1b0ddbf34be75b.js"></script>
+                <script src="assets/vendor.min-413f887176a041e6dbf88214ca9a7481.js"></script>
+                <script src="assets/ghost.min-7da921f6c6cac3fe10da1ba104575440.js"></script>
             
 </body>
 </html>

package/core/server/web/api/canary/admin/routes.js

@@ -100,10 +100,10 @@ module.exports = function apiRoutes() {
     router.del('/members', mw.authAdminApi, http(api.members.bulkDestroy));
     router.put('/members/bulk', mw.authAdminApi, http(api.members.bulkEdit));
 
-    router.get('/offers', labs.enabledMiddleware('offers'), mw.authAdminApi, http(api.offers.browse));
-    router.post('/offers', labs.enabledMiddleware('offers'), mw.authAdminApi, http(api.offers.add));
-    router.get('/offers/:id', labs.enabledMiddleware('offers'), mw.authAdminApi, http(api.offers.read));
-    router.put('/offers/:id', labs.enabledMiddleware('offers'), mw.authAdminApi, http(api.offers.edit));
+    router.get('/offers', mw.authAdminApi, http(api.offers.browse));
+    router.post('/offers', mw.authAdminApi, http(api.offers.add));
+    router.get('/offers/:id', mw.authAdminApi, http(api.offers.read));
+    router.put('/offers/:id', mw.authAdminApi, http(api.offers.edit));
 
     router.get('/members/stats/count', mw.authAdminApi, http(api.members.memberStats));
     router.get('/members/stats/mrr', mw.authAdminApi, http(api.members.mrrStats));
@@ -236,6 +236,30 @@ module.exports = function apiRoutes() {
         http(api.images.upload)
     );
 
+    // ## media
+    router.post('/media/upload',
+        labs.enabledMiddleware('mediaAPI'),
+        mw.authAdminApi,
+        apiMw.upload.media('file', 'thumbnail'),
+        apiMw.upload.mediaValidation({type: 'media'}),
+        http(api.media.upload)
+    );
+    router.put('/media/thumbnail/upload',
+        labs.enabledMiddleware('mediaAPI'),
+        mw.authAdminApi,
+        apiMw.upload.single('file'),
+        apiMw.upload.validation({type: 'images'}),
+        http(api.media.uploadThumbnail)
+    );
+
+    // ## files
+    router.post('/files/upload',
+        labs.enabledMiddleware('filesAPI'),
+        mw.authAdminApi,
+        apiMw.upload.single('file'),
+        http(api.files.upload)
+    );
+
     // ## Invites
     router.get('/invites', mw.authAdminApi, http(api.invites.browse));
     router.get('/invites/:id', mw.authAdminApi, http(api.invites.read));

package/core/server/web/api/middleware/cors.js

@@ -3,7 +3,7 @@ const url = require('url');
 const os = require('os');
 const urlUtils = require('../../../../shared/url-utils');
 
-let whitelist = [];
+let allowlist = [];
 const ENABLE_CORS = {origin: true, maxAge: 86400};
 const DISABLE_CORS = {origin: false};
 
@@ -46,16 +46,16 @@ function getUrls() {
     return urls;
 }
 
-function getWhitelist() {
+function getAllowlist() {
     // This needs doing just one time after init
-    if (whitelist.length === 0) {
+    if (allowlist.length === 0) {
         // origins that always match: localhost, local IPs, etc.
-        whitelist = whitelist.concat(getIPs());
+        allowlist = allowlist.concat(getIPs());
         // Trusted urls from config.js
-        whitelist = whitelist.concat(getUrls());
+        allowlist = allowlist.concat(getUrls());
     }
 
-    return whitelist;
+    return allowlist;
 }
 
 /**
@@ -73,7 +73,7 @@ function handleCORS(req, cb) {
     }
 
     // Origin matches whitelist
-    if (getWhitelist().indexOf(url.parse(origin).hostname) > -1) {
+    if (getAllowlist().indexOf(url.parse(origin).hostname) > -1) {
         return cb(null, ENABLE_CORS);
     }
 

package/core/server/web/api/middleware/upload.js

@@ -31,23 +31,30 @@ const messages = {
     icons: {
         missingFile: 'Please select an icon.',
         invalidFile: 'Icon must be a square .ico or .png file between 60px – 1,000px, under 100kb.'
+    },
+    media: {
+        missingFile: 'Please select a media file.',
+        invalidFile: 'Please select a valid media file.'
+    },
+    thumbnail: {
+        missingFile: 'Please select a thumbnail.',
+        invalidFile: 'Please select a valid thumbnail.'
     }
 };
 
-const upload = {
-    enabledClear: config.get('uploadClear') || true,
-    multer: multer({dest: os.tmpdir()})
-};
+const enabledClear = config.get('uploadClear') || true;
+const upload = multer({dest: os.tmpdir()});
 
 const deleteSingleFile = file => fs.unlink(file.path).catch(err => logging.error(err));
 
 const single = name => (req, res, next) => {
-    const singleUpload = upload.multer.single(name);
+    const singleUpload = upload.single(name);
+
     singleUpload(req, res, (err) => {
         if (err) {
             return next(err);
         }
-        if (upload.enabledClear) {
+        if (enabledClear) {
             const deleteFiles = () => {
                 res.removeListener('finish', deleteFiles);
                 res.removeListener('close', deleteFiles);
@@ -70,6 +77,43 @@ const single = name => (req, res, next) => {
     });
 };
 
+const media = (fileName, thumbName) => (req, res, next) => {
+    const mediaUpload = upload.fields([{
+        name: fileName,
+        maxCount: 1
+    }, {
+        name: thumbName,
+        maxCount: 1
+    }]);
+
+    mediaUpload(req, res, (err) => {
+        if (err) {
+            return next(err);
+        }
+
+        if (enabledClear) {
+            const deleteFiles = () => {
+                res.removeListener('finish', deleteFiles);
+                res.removeListener('close', deleteFiles);
+                if (!req.disableUploadClear) {
+                    if (req.files.file) {
+                        return req.files.file.forEach(deleteSingleFile);
+                    }
+                    if (req.files.thumbnail) {
+                        return req.files.thumbnail.forEach(deleteSingleFile);
+                    }
+                }
+            };
+            if (!req.disableUploadClear) {
+                res.on('finish', deleteFiles);
+                res.on('close', deleteFiles);
+            }
+        }
+
+        next();
+    });
+};
+
 const checkFileExists = (fileData) => {
     return !!(fileData.mimetype && fileData.path);
 };
@@ -84,9 +128,13 @@ const checkFileIsValid = (fileData, types, extensions) => {
     return false;
 };
 
-const validation = function (options) {
-    const type = options.type;
-
+/**
+ *
+ * @param {Object} options
+ * @param {String} options.type - type of the file
+ * @returns {Function}
+ */
+const validation = function ({type}) {
     // if we finish the data/importer logic, we forward the request to the specified importer
     return function uploadValidation(req, res, next) {
         const extensions = (config.get('uploads')[type] && config.get('uploads')[type].extensions) || [];
@@ -116,9 +164,68 @@ const validation = function (options) {
     };
 };
 
+/**
+ *
+ * @param {Object} options
+ * @param {String} options.type - type of the file
+ * @returns {Function}
+ */
+const mediaValidation = function ({type}) {
+    return function mediaUploadValidation(req, res, next) {
+        const extensions = (config.get('uploads')[type] && config.get('uploads')[type].extensions) || [];
+        const contentTypes = (config.get('uploads')[type] && config.get('uploads')[type].contentTypes) || [];
+
+        const thumbnailExtensions = (config.get('uploads').thumbnails && config.get('uploads').thumbnails.extensions) || [];
+        const thumbnailContentTypes = (config.get('uploads').thumbnails && config.get('uploads').thumbnails.contentTypes) || [];
+
+        const {file: [file] = []} = req.files;
+        if (!file || !checkFileExists(file)) {
+            return next(new errors.ValidationError({
+                message: tpl(messages[type].missingFile)
+            }));
+        }
+
+        req.file = file;
+        req.file.name = req.file.originalname;
+        req.file.type = req.file.mimetype;
+        req.file.ext = path.extname(req.file.name).toLowerCase();
+
+        if (!checkFileIsValid(req.file, contentTypes, extensions)) {
+            return next(new errors.UnsupportedMediaTypeError({
+                message: tpl(messages[type].invalidFile, {extensions: extensions})
+            }));
+        }
+
+        const {thumbnail: [thumbnailFile] = []} = req.files;
+
+        if (thumbnailFile) {
+            if (!checkFileExists(thumbnailFile)) {
+                return next(new errors.ValidationError({
+                    message: tpl(messages.thumbnail.missingFile)
+                }));
+            }
+
+            req.thumbnail = thumbnailFile;
+            req.thumbnail.ext = path.extname(thumbnailFile.originalname).toLowerCase();
+            req.thumbnail.name = `${path.basename(req.file.name, path.extname(req.file.name))}_thumb${req.thumbnail.ext}`;
+            req.thumbnail.type = req.thumbnail.mimetype;
+
+            if (!checkFileIsValid(req.thumbnail, thumbnailContentTypes, thumbnailExtensions)) {
+                return next(new errors.UnsupportedMediaTypeError({
+                    message: tpl(messages.thumbnail.invalidFile, {extensions: thumbnailExtensions})
+                }));
+            }
+        }
+
+        next();
+    };
+};
+
 module.exports = {
     single,
-    validation
+    media,
+    validation,
+    mediaValidation
 };
 
 // Exports for testing only

package/core/server/web/members/app.js

@@ -37,7 +37,7 @@ module.exports = function setupMembersApp() {
     membersApp.put('/api/member', bodyParser.json({limit: '1mb'}), middleware.updateMemberData);
     membersApp.post('/api/member/email', bodyParser.json({limit: '1mb'}), (req, res) => membersService.api.middleware.updateEmailAddress(req, res));
     membersApp.get('/api/session', middleware.getIdentityToken);
-    membersApp.get('/api/offers/:id', labs.enabledMiddleware('offers'), middleware.getOfferData);
+    membersApp.get('/api/offers/:id', middleware.getOfferData);
     membersApp.delete('/api/session', middleware.deleteSession);
     membersApp.get('/api/site', middleware.getMemberSiteData);
 

package/core/server/web/shared/middlewares/index.js

@@ -11,10 +11,6 @@ module.exports = {
         return require('./cache-control');
     },
 
-    get customRedirects() {
-        return require('./custom-redirects');
-    },
-
     get errorHandler() {
         return require('./error-handler');
     },