ghost 4.48.3 → 4.48.5

package/core/frontend/web/middleware/error-handler.js

@@ -7,7 +7,7 @@ const config = require('../../../shared/config');
 const renderer = require('../../services/rendering');
 
 // @TODO: make this properly shared code
-const {prepareError, prepareStack} = require('@tryghost/mw-error-handler');
+const {prepareError, prepareErrorCacheControl, prepareStack} = require('@tryghost/mw-error-handler');
 
 const messages = {
     oopsErrorTemplateHasError: 'Oops, seems there is an error in the error template.',
@@ -86,6 +86,8 @@ const themeErrorRenderer = (err, req, res, next) => {
 module.exports.handleThemeResponse = [
     // Make sure the error can be served
     prepareError,
+    // Add cache-control header
+    prepareErrorCacheControl(),
     // Handle the error in Sentry
     sentry.errorHandler,
     // Format the stack for the user

package/core/frontend/web/site.js

@@ -82,7 +82,7 @@ module.exports = function setupSiteApp(options = {}) {
     // /member/.well-known/* serves files (e.g. jwks.json) so it needs to be mounted before the prettyUrl mw to avoid trailing slashes
     siteApp.use(
         '/members/.well-known',
-        shared.middleware.cacheControl('public', {maxAge: 60 * 60 * 24}),
+        shared.middleware.cacheControl('public', {maxAge: constants.ONE_DAY_S}),
         (req, res, next) => membersService.api.middleware.wellKnown(req, res, next)
     );
 

package/core/server/services/api-version-compatibility/index.js

@@ -37,6 +37,8 @@ module.exports.contentVersion = (req, res, next) => {
     if (req.header('accept-version')) {
         res.header('Content-Version', `v${ghostVersion.safe}`);
     }
+
+    res.vary('Accept-Version');
     next();
 };
 

package/core/server/web/admin/app.js

@@ -16,9 +16,15 @@ module.exports = function setupAdminApp() {
     // Admin assets
     // @TODO ensure this gets a local 404 error handler
     const configMaxAge = config.get('caching:admin:maxAge');
+    // @NOTE: when we start working on HTTP/3 optimizations the immutable headers
+    //        produced below should be split into separate 'Cache-Control' entry.
+    //        For reference see: https://developer.mozilla.org/en-US/docs/Web/HTTP/Caching#validation_2
     adminApp.use('/assets', serveStatic(
-        config.get('paths').clientAssets,
-        {maxAge: (configMaxAge || configMaxAge === 0) ? configMaxAge : constants.ONE_YEAR_MS, fallthrough: false}
+        config.get('paths').clientAssets, {
+            maxAge: (configMaxAge || configMaxAge === 0) ? configMaxAge : constants.ONE_YEAR_MS,
+            immutable: true,
+            fallthrough: false
+        }
     ));
 
     // Ember CLI's live-reload script

package/core/server/web/api/canary/content/app.js

@@ -21,8 +21,10 @@ module.exports = function setupApiApp() {
     // Query parsing
     apiApp.use(boolParser());
 
-    // API shouldn't be cached
-    apiApp.use(shared.middleware.cacheControl('private'));
+    // Content API should allow public caching
+    apiApp.use(shared.middleware.cacheControl('public', {
+        maxAge: 0
+    }));
 
     // Routing
     apiApp.use(routes());

package/core/server/web/api/v2/content/app.js

@@ -21,8 +21,10 @@ module.exports = function setupApiApp() {
     // Query parsing
     apiApp.use(boolParser());
 
-    // API shouldn't be cached
-    apiApp.use(shared.middleware.cacheControl('private'));
+    // Content API should allow public caching
+    apiApp.use(shared.middleware.cacheControl('public', {
+        maxAge: 0
+    }));
 
     // Routing
     apiApp.use(routes());

package/core/server/web/api/v3/content/app.js

@@ -21,8 +21,10 @@ module.exports = function setupApiApp() {
     // Query parsing
     apiApp.use(boolParser());
 
-    // API shouldn't be cached
-    apiApp.use(shared.middleware.cacheControl('private'));
+    // Content API should allow public caching
+    apiApp.use(shared.middleware.cacheControl('public', {
+        maxAge: 0
+    }));
 
     // Routing
     apiApp.use(routes());

package/core/server/web/members/app.js

@@ -44,7 +44,7 @@ module.exports = function setupMembersApp() {
     membersApp.get('/api/session', middleware.getIdentityToken);
     membersApp.get('/api/offers/:id', middleware.getOfferData);
     membersApp.delete('/api/session', middleware.deleteSession);
-    membersApp.get('/api/site', middleware.getMemberSiteData);
+    membersApp.get('/api/site', shared.middleware.cacheControl('noCacheDynamic'), middleware.getMemberSiteData);
 
     // NOTE: this is wrapped in a function to ensure we always go via the getter
     membersApp.post('/api/send-magic-link', bodyParser.json(), shared.middleware.brute.membersAuth, (req, res, next) => membersService.api.middleware.sendMagicLink(req, res, next));

package/core/server/web/shared/middleware/brute.js

@@ -29,26 +29,13 @@ module.exports = {
         })(req, res, next);
     },
     /**
-     * block per user
-     * username === email!
+     * block per ip
      */
     userLogin(req, res, next) {
         return spamPrevention.userLogin().getMiddleware({
             ignoreIP: false,
             key(_req, _res, _next) {
-                if (_req.body.username) {
-                    return _next(`${_req.body.username}login`);
-                }
-
-                if (_req.body.authorizationCode) {
-                    return _next(`${_req.body.authorizationCode}login`);
-                }
-
-                if (_req.body.refresh_token) {
-                    return _next(`${_req.body.refresh_token}login`);
-                }
-
-                return _next();
+                return _next('user_login');
             }
         })(req, res, next);
     },

package/core/server/web/shared/middleware/cache-control.js

@@ -7,16 +7,18 @@
 // Allows each app to declare its own default caching rules
 
 const isString = require('lodash/isString');
+const {cacheControlValues} = require('@tryghost/http-cache-utils');
 
 /**
- * @param {'public'|'private'} profile Use "private" if you do not want caching
+ * @param {'public'|'private'|'noCacheDynamic'} profile Use "private" if you do not want caching
  * @param {object} [options]
  * @param {number} [options.maxAge] The max-age in seconds to use when profile is "public"
  */
 const cacheControl = (profile, options = {maxAge: 0}) => {
     const profiles = {
         public: `public, max-age=${options.maxAge}`,
-        private: 'no-cache, private, no-store, must-revalidate, max-stale=0, post-check=0, pre-check=0'
+        private: 'no-cache, private, no-store, must-revalidate, max-stale=0, post-check=0, pre-check=0',
+        noCacheDynamic: cacheControlValues.noCacheDynamic
     };
 
     let output;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ghost",
-  "version": "4.48.3",
+  "version": "4.48.5",
   "description": "The professional publishing platform",
   "author": "Ghost Foundation",
   "homepage": "https://ghost.org",
@@ -73,6 +73,7 @@
     "@tryghost/errors": "1.2.12",
     "@tryghost/express-dynamic-redirects": "0.2.11",
     "@tryghost/helpers": "1.1.64",
+    "@tryghost/http-cache-utils": "0.1.3",
     "@tryghost/image-transform": "1.0.30",
     "@tryghost/job-manager": "0.8.22",
     "@tryghost/kg-card-factory": "3.1.3",
@@ -93,7 +94,7 @@
     "@tryghost/metrics": "1.0.11",
     "@tryghost/minifier": "0.1.13",
     "@tryghost/mw-api-version-mismatch": "0.1.1",
-    "@tryghost/mw-error-handler": "0.2.2",
+    "@tryghost/mw-error-handler": "0.2.5",
     "@tryghost/mw-session-from-token": "0.1.30",
     "@tryghost/nodemailer": "0.3.22",
     "@tryghost/nql": "0.9.2",

package/yarn.lock

@@ -1983,6 +1983,11 @@
     "@tryghost/mobiledoc-kit" "^0.12.4-ghost.1"
     jsdom "^18.0.0"
 
+"@tryghost/http-cache-utils@0.1.3":
+  version "0.1.3"
+  resolved "https://registry.yarnpkg.com/@tryghost/http-cache-utils/-/http-cache-utils-0.1.3.tgz#a3a07e55dbe3a62b7d51e98f19c063d03a1ef804"
+  integrity sha512-QganheP/zhcpFnDLPJYlQ4gBIhd+lAEMh8byx7ocCPM37nuEQ3zlmcM6KzDfUmKYwU+5oI/ya/0Wn0kmnyZ37A==
+
 "@tryghost/http-stream@^0.1.8":
   version "0.1.8"
   resolved "https://registry.yarnpkg.com/@tryghost/http-stream/-/http-stream-0.1.8.tgz#a50bea2eff582c86aba08ecfa1c32b24902d8cfb"
@@ -2299,13 +2304,14 @@
   resolved "https://registry.yarnpkg.com/@tryghost/mw-api-version-mismatch/-/mw-api-version-mismatch-0.1.1.tgz#913c8941ebe274eac4c3ac872fbe6268534f0003"
   integrity sha512-N1H3P/ua7MCJTQrhFd6RjBFL95pjB+y3Ih1ZyKToBzicU3RShLUsgVlBC7YNaJVGFG/RYCImzlm09QCV8qwgpg==
 
-"@tryghost/mw-error-handler@0.2.2":
-  version "0.2.2"
-  resolved "https://registry.yarnpkg.com/@tryghost/mw-error-handler/-/mw-error-handler-0.2.2.tgz#ab507e8b9079b6cbcbef2ac3fee4266342188165"
-  integrity sha512-9J6d1gce+PzdLkSGxap5oWjG3INb3J9QLoC4NHXOqIGZ+7GERlao3q6AFVBo5xUBoUzkd+Q7+3ZQfeLarNEwUA==
+"@tryghost/mw-error-handler@0.2.5":
+  version "0.2.5"
+  resolved "https://registry.yarnpkg.com/@tryghost/mw-error-handler/-/mw-error-handler-0.2.5.tgz#2a67fe0d8c5402e9261d270c47c76cfcdc71974d"
+  integrity sha512-jl/CLpVFQygXGbjfuznQYe+VF6xT0YPixcT4LfFKN+H/Kpm+8/MIDLzfAAnxJDlIM4w5Ux1YQYAQMtsbU0rxqg==
   dependencies:
     "@tryghost/debug" "^0.1.9"
     "@tryghost/errors" "1.2.12"
+    "@tryghost/http-cache-utils" "0.1.3"
     "@tryghost/tpl" "^0.1.8"
     lodash "^4.17.21"
     semver "^7.3.6"