ghost 5.111.0 → 5.113.0

package/core/server/models/post.js

@@ -21,6 +21,7 @@ const {BadRequestError} = require('@tryghost/errors');
 const {PostRevisions} = require('@tryghost/post-revisions');
 const {mobiledocToLexical} = require('@tryghost/kg-converters');
 const labs = require('../../shared/labs');
+const {setIsRoles} = require('./role-utils');
 
 const messages = {
     isAlreadyPublished: 'Your post is already published, please reload your page.',
@@ -1478,10 +1479,7 @@ Post = ghostBookshelf.Model.extend({
 
     // NOTE: the `authors` extension is the parent of the post model. It also has a permissible function.
     permissible: async function permissible(postModel, action, context, unsafeAttrs, loadedPermissions, hasUserPermission, hasApiKeyPermission) {
-        let isContributor;
-        let isOwner;
-        let isAdmin;
-        let isEditor;
+        let {isContributor, isOwner, isAdmin, isEitherEditor} = setIsRoles(loadedPermissions);
         let isIntegration;
         let isEdit;
         let isAdd;
@@ -1499,10 +1497,6 @@ Post = ghostBookshelf.Model.extend({
             return postModel.get('status') === 'draft';
         }
 
-        isContributor = loadedPermissions.user && _.some(loadedPermissions.user.roles, {name: 'Contributor'});
-        isOwner = loadedPermissions.user && _.some(loadedPermissions.user.roles, {name: 'Owner'});
-        isAdmin = loadedPermissions.user && _.some(loadedPermissions.user.roles, {name: 'Administrator'});
-        isEditor = loadedPermissions.user && _.some(loadedPermissions.user.roles, {name: 'Editor'});
         isIntegration = loadedPermissions.apiKey && _.some(loadedPermissions.apiKey.roles, {name: 'Admin Integration'});
 
         isEdit = (action === 'edit');
@@ -1525,7 +1519,7 @@ Post = ghostBookshelf.Model.extend({
         } else if (isContributor && isDestroy) {
             // If destroying, only allow contributor to destroy their own draft posts
             hasUserPermission = isDraft();
-        } else if (!(isOwner || isAdmin || isEditor || isIntegration)) {
+        } else if (!(isOwner || isAdmin || isEitherEditor || isIntegration)) {
             hasUserPermission = !isChanging('visibility');
         }
 

package/core/server/models/relations/authors.js

@@ -2,6 +2,7 @@ const _ = require('lodash');
 const tpl = require('@tryghost/tpl');
 const errors = require('@tryghost/errors');
 const {sequence} = require('@tryghost/promise');
+const {setIsRoles} = require('../role-utils');
 
 const messages = {
     noUserFound: 'No user found',
@@ -305,8 +306,7 @@ module.exports.extendModel = function extendModel(Post, Posts, ghostBookshelf) {
             const self = this;
             const postModel = postModelOrId;
             let origArgs;
-            let isContributor;
-            let isAuthor;
+            const {isContributor, isAuthor} = setIsRoles(loadedPermissions);
             let isEdit;
             let isAdd;
             let isDestroy;
@@ -332,8 +332,6 @@ module.exports.extendModel = function extendModel(Post, Posts, ghostBookshelf) {
                     });
             }
 
-            isContributor = loadedPermissions.user && _.some(loadedPermissions.user.roles, {name: 'Contributor'});
-            isAuthor = loadedPermissions.user && _.some(loadedPermissions.user.roles, {name: 'Author'});
             isEdit = (action === 'edit');
             isAdd = (action === 'add');
             isDestroy = (action === 'destroy');

package/core/server/models/role-utils.js

@@ -0,0 +1,38 @@
+// check if the user has an assigned role
+// so that we can stop writing this everywhere:
+//_.some(loadedPermissions.user.roles, {name: 'Administrator'})
+
+function checkUserPermissionsForRole(loadedPermissions, roleName) {
+    if (!loadedPermissions?.user?.roles) {
+        return false;
+    }
+
+    return loadedPermissions.user.roles.some(role => role.name === roleName);
+}
+
+function setIsRoles(loadedPermissions) {
+    // utility function to parse the permissions object and set up all the "is" variables.
+    let resultsObject = {
+        isOwner: false,
+        isAdmin: false,
+        isEditor: false,
+        isAuthor: false,
+        isContributor: false,
+        isSuperEditor: false,
+        isEitherEditor: false
+    };
+    if (!loadedPermissions?.user?.roles) {
+        return resultsObject;
+    }
+    resultsObject.isOwner = checkUserPermissionsForRole(loadedPermissions, 'Owner');
+    resultsObject.isAdmin = checkUserPermissionsForRole(loadedPermissions, 'Administrator');
+    resultsObject.isEditor = checkUserPermissionsForRole(loadedPermissions, 'Editor');
+    resultsObject.isAuthor = checkUserPermissionsForRole(loadedPermissions, 'Author');
+    resultsObject.isContributor = checkUserPermissionsForRole(loadedPermissions, 'Contributor');
+    resultsObject.isSuperEditor = checkUserPermissionsForRole(loadedPermissions, 'Super Editor');
+    resultsObject.isEitherEditor = resultsObject.isEditor || resultsObject.isSuperEditor;
+    return resultsObject;
+}
+
+exports.setIsRoles = setIsRoles;
+exports.checkUserPermissionsForRole = checkUserPermissionsForRole;

package/core/server/models/role.js

@@ -2,6 +2,7 @@ const _ = require('lodash');
 const ghostBookshelf = require('./base');
 const tpl = require('@tryghost/tpl');
 const errors = require('@tryghost/errors');
+const {setIsRoles} = require('./role-utils');
 
 const messages = {
     roleNotFound: 'Role not found',
@@ -78,12 +79,13 @@ Role = ghostBookshelf.Model.extend({
         const roleModel = roleModelOrId;
 
         if (action === 'assign' && loadedPermissions.user) {
+            const {isOwner, isAdmin, isEitherEditor} = setIsRoles(loadedPermissions);
             let checkAgainst;
-            if (_.some(loadedPermissions.user.roles, {name: 'Owner'})) {
-                checkAgainst = ['Owner', 'Administrator', 'Editor', 'Author', 'Contributor'];
-            } else if (_.some(loadedPermissions.user.roles, {name: 'Administrator'})) {
-                checkAgainst = ['Administrator', 'Editor', 'Author', 'Contributor'];
-            } else if (_.some(loadedPermissions.user.roles, {name: 'Editor'})) {
+            if (isOwner) {
+                checkAgainst = ['Owner', 'Administrator', 'Super Editor', 'Editor', 'Author', 'Contributor'];
+            } else if (isAdmin) {
+                checkAgainst = ['Administrator', 'Super Editor', 'Editor', 'Author', 'Contributor'];
+            } else if (isEitherEditor) {
                 checkAgainst = ['Author', 'Contributor'];
             }
 

package/core/server/models/user.js

@@ -1,4 +1,3 @@
-const _ = require('lodash');
 const validator = require('@tryghost/validator');
 const ObjectId = require('bson-objectid').default;
 const ghostBookshelf = require('./base');
@@ -11,8 +10,9 @@ const {pipeline} = require('@tryghost/promise');
 const validatePassword = require('../lib/validate-password');
 const permissions = require('../services/permissions');
 const urlUtils = require('../../shared/url-utils');
+const {setIsRoles} = require('./role-utils');
 const activeStates = ['active', 'warn-1', 'warn-2', 'warn-3', 'warn-4'];
-const ASSIGNABLE_ROLES = ['Administrator', 'Editor', 'Author', 'Contributor'];
+const ASSIGNABLE_ROLES = ['Administrator', 'Super Editor', 'Editor', 'Author', 'Contributor'];
 
 const messages = {
     valueCannotBeBlank: 'Value in [{tableName}.{columnKey}] cannot be blank.',
@@ -76,7 +76,7 @@ User = ghostBookshelf.Model.extend({
     },
 
     format(options) {
-        if (!_.isEmpty(options.website) &&
+        if (options.website && 
             !validator.isURL(options.website, {
                 require_protocol: true,
                 protocols: ['http', 'https']
@@ -129,7 +129,7 @@ User = ghostBookshelf.Model.extend({
     onDestroyed: function onDestroyed(model, options) {
         ghostBookshelf.Model.prototype.onDestroyed.apply(this, arguments);
 
-        if (_.includes(activeStates, model.previous('status'))) {
+        if (activeStates.includes(model.previous('status'))) {
             model.emitChange('deactivated', options);
         }
 
@@ -142,7 +142,7 @@ User = ghostBookshelf.Model.extend({
         model.emitChange('added', options);
 
         // active is the default state, so if status isn't provided, this will be an active user
-        if (!model.get('status') || _.includes(activeStates, model.get('status'))) {
+        if (!model.get('status') || activeStates.includes(model.get('status'))) {
             model.emitChange('activated', options);
         }
     },
@@ -151,7 +151,7 @@ User = ghostBookshelf.Model.extend({
         ghostBookshelf.Model.prototype.onUpdated.apply(this, arguments);
 
         model.statusChanging = model.get('status') !== model.previous('status');
-        model.isActive = _.includes(activeStates, model.get('status'));
+        model.isActive = activeStates.includes(model.get('status'));
 
         if (model.statusChanging) {
             model.emitChange(model.isActive ? 'activated' : 'deactivated', options);
@@ -455,18 +455,16 @@ User = ghostBookshelf.Model.extend({
         const options = this.filterOptions(unfilteredOptions, 'findOne');
         let query;
         let status;
-        let data = _.cloneDeep(dataToClone);
+        let data = JSON.parse(JSON.stringify(dataToClone));
         const lookupRole = data.role;
 
         // Ensure only valid fields/columns are added to query
         if (options.columns) {
-            options.columns = _.intersection(options.columns, this.prototype.permittedAttributes());
+            options.columns = options.columns.filter(col => this.prototype.permittedAttributes().includes(col));
         }
 
         delete data.role;
-        data = _.defaults(data || {}, {
-            status: 'all'
-        });
+        data = Object.assign({}, {status: 'all'}, data || {});
 
         status = data.status;
         delete data.status;
@@ -475,7 +473,7 @@ User = ghostBookshelf.Model.extend({
 
         // Support finding by role
         if (lookupRole) {
-            options.withRelated = _.union(options.withRelated, ['roles']);
+            options.withRelated = [...new Set([...(options.withRelated || []), 'roles'])];
             query = this.forge(data);
 
             query.query('join', 'roles_users', 'users.id', '=', 'roles_users.user_id');
@@ -519,7 +517,7 @@ User = ghostBookshelf.Model.extend({
         } else if (type === 'recommendation-received') {
             filter += '+recommendation_notifications:true';
         }
-        const updatedOptions = _.merge({}, options, {filter, withRelated: ['roles']});
+        const updatedOptions = Object.assign({}, options, {filter, withRelated: ['roles']});
         return this.findAll(updatedOptions).then((users) => {
             return users.toJSON().filter((user) => {
                 return user?.roles?.some((role) => {
@@ -640,7 +638,7 @@ User = ghostBookshelf.Model.extend({
     add: function add(dataToClone, unfilteredOptions) {
         const options = this.filterOptions(unfilteredOptions, 'add');
         const self = this;
-        const data = _.cloneDeep(dataToClone);
+        const data = JSON.parse(JSON.stringify(dataToClone));
         let userData = this.filterData(data);
         let roles;
 
@@ -652,7 +650,7 @@ User = ghostBookshelf.Model.extend({
         }
 
         function getAuthorRole() {
-            return ghostBookshelf.model('Role').findOne({name: 'Author'}, _.pick(options, 'transacting'))
+            return ghostBookshelf.model('Role').findOne({name: 'Author'}, {transacting: options.transacting})
                 .then(function then(authorRole) {
                     return [authorRole.get('id')];
                 });
@@ -683,7 +681,7 @@ User = ghostBookshelf.Model.extend({
                 roles = _roles;
 
                 // CASE: it is possible to add roles by name, by id or by object
-                if (_.isString(roles[0]) && !ObjectId.isValid(roles[0])) {
+                if (typeof roles[0] === 'string' && !ObjectId.isValid(roles[0])) {
                     const rolePromises = roles.map((roleName) => {
                         return ghostBookshelf.model('Role').findOne({
                             name: roleName
@@ -780,19 +778,37 @@ User = ghostBookshelf.Model.extend({
         });
     },
 
+    /**
+     * Checks if a user has permission to perform an action on another user
+     * 
+     * @param {Object|string|number} userModelOrId - The user model or ID being acted upon
+     * @param {'edit'|'destroy'} action - The action being performed:
+     *                                     - 'edit': Edit user details, status, or role
+     *                                     - 'destroy': Delete a user (Owner cannot be deleted)
+     * @param {Object} context - The context of the request, containing the current user's ID
+     * @param {Object} unsafeAttrs - The attributes being modified in the action
+     * @param {Object} loadedPermissions - The permissions of the user making the request
+     * @param {boolean} hasUserPermission - Whether the user has permission based on user roles
+     * @param {boolean} hasApiKeyPermission - Whether the user has permission based on API key
+     * @returns {Promise<boolean>} Resolves if the action is permitted, rejects with NoPermissionError if not
+     * @throws {errors.NotFoundError} When the target user is not found
+     * @throws {errors.NoPermissionError} When the action is not permitted
+     * @throws {errors.ValidationError} When role changes are invalid
+     */
     permissible: async function permissible(userModelOrId, action, context, unsafeAttrs, loadedPermissions, hasUserPermission, hasApiKeyPermission) {
         const self = this;
         const userModel = userModelOrId;
         let origArgs;
+        const {isOwner, isEitherEditor} = setIsRoles(loadedPermissions);
 
         // If we passed in a model without its related roles, we need to fetch it again
-        if (_.isObject(userModelOrId) && !_.isObject(userModelOrId.related('roles'))) {
+        if (typeof userModelOrId === 'object' && !(typeof userModelOrId.related('roles') === 'object')) {
             userModelOrId = userModelOrId.id;
         }
         // If we passed in an id instead of a model get the model first
-        if (_.isNumber(userModelOrId) || _.isString(userModelOrId)) {
+        if (typeof userModelOrId === 'number' || typeof userModelOrId === 'string') {
             // Grab the original args without the first one
-            origArgs = _.toArray(arguments).slice(1);
+            origArgs = Array.from(arguments).slice(1);
 
             // Get the actual user model
             return this.findOne({
@@ -820,16 +836,13 @@ User = ghostBookshelf.Model.extend({
         }
 
         if (action === 'edit') {
-            // Users with the role 'Editor', 'Author', and 'Contributor' have complex permissions when the action === 'edit'
-            // We now have all the info we need to construct the permissions
-
             if (context.user === userModel.get('id')) {
                 // If this is the same user that requests the operation allow it.
                 hasUserPermission = true;
             } else if (loadedPermissions.user && userModel.hasRole('Owner')) {
                 // Owner can only be edited by owner
-                hasUserPermission = loadedPermissions.user && _.some(loadedPermissions.user.roles, {name: 'Owner'});
-            } else if (loadedPermissions.user && _.some(loadedPermissions.user.roles, {name: 'Editor'})) {
+                hasUserPermission = isOwner;
+            } else if (isEitherEditor) {
                 // If the user we are trying to edit is an Author or Contributor, allow it
                 hasUserPermission = userModel.hasRole('Author') || userModel.hasRole('Contributor');
             }
@@ -844,7 +857,7 @@ User = ghostBookshelf.Model.extend({
             }
 
             // Users with the role 'Editor' have complex permissions when the action === 'destroy'
-            if (loadedPermissions.user && _.some(loadedPermissions.user.roles, {name: 'Editor'})) {
+            if (isEitherEditor) {
                 // Alternatively, if the user we are trying to edit is an Author, allow it
                 hasUserPermission = context.user === userModel.get('id') || userModel.hasRole('Author') || userModel.hasRole('Contributor');
             }
@@ -1056,7 +1069,7 @@ User = ghostBookshelf.Model.extend({
 
                 // check if user has the owner role
                 const currentRoles = contextUser.toJSON(options).roles;
-                if (!_.some(currentRoles, {id: ownerRole.id})) {
+                if (!currentRoles.some(role => role.id === ownerRole.id)) {
                     return Promise.reject(new errors.NoPermissionError({
                         message: tpl(messages.onlyOwnerCanTransferOwnerRole)
                     }));
@@ -1079,7 +1092,7 @@ User = ghostBookshelf.Model.extend({
 
                 const {roles: currentRoles, status} = user.toJSON(options);
 
-                if (!_.some(currentRoles, {id: adminRole.id})) {
+                if (!currentRoles.some(role => role.id === adminRole.id)) {
                     return Promise.reject(new errors.ValidationError({
                         message: tpl(messages.onlyAdmCanBeAssignedOwnerRole)
                     }));
@@ -1137,4 +1150,4 @@ Users = ghostBookshelf.Collection.extend({
 module.exports = {
     User: ghostBookshelf.model('User', User),
     Users: ghostBookshelf.collection('Users', Users)
-};
+};

package/core/server/services/activitypub/ActivityPubService.js

@@ -0,0 +1,116 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ActivityPubService = void 0;
+const bson_objectid_1 = __importDefault(require("bson-objectid"));
+const node_fetch_1 = __importDefault(require("node-fetch"));
+class ActivityPubService {
+    knex;
+    siteUrl;
+    logging;
+    identityTokenService;
+    constructor(knex, siteUrl, logging, identityTokenService) {
+        this.knex = knex;
+        this.siteUrl = siteUrl;
+        this.logging = logging;
+        this.identityTokenService = identityTokenService;
+    }
+    getExpectedWebhooks(secret) {
+        return [{
+                event: 'post.published',
+                target_url: new URL('.ghost/activitypub/webhooks/post/published', this.siteUrl),
+                api_version: 'v5.100.0',
+                secret
+            }, {
+                event: 'site.changed',
+                target_url: new URL('.ghost/activitypub/webhooks/site/changed', this.siteUrl),
+                api_version: 'v5.100.0',
+                secret
+            }];
+    }
+    async checkWebhookState(expectedWebhooks, integration) {
+        this.logging.info(`Checking ActivityPub Webhook state`);
+        const webhooks = await this.knex
+            .select('*')
+            .from('webhooks')
+            .where('integration_id', '=', integration.id);
+        if (webhooks.length !== expectedWebhooks.length) {
+            this.logging.warn(`Expected ${expectedWebhooks.length} webhooks for ActivityPub`);
+            return false;
+        }
+        for (const expectedWebhook of expectedWebhooks) {
+            const foundWebhook = webhooks.find((webhook) => {
+                return webhook.event === expectedWebhook.event && webhook.target_url === expectedWebhook.target_url.href && webhook.secret === expectedWebhook.secret;
+            });
+            if (!foundWebhook) {
+                this.logging.error(`Could not find webhook for ${expectedWebhook.event} ${expectedWebhook.target_url}`);
+                return false;
+            }
+        }
+        return true;
+    }
+    async getWebhookSecret() {
+        try {
+            const ownerUser = await this.knex.select('*').from('users').where('id', '=', '1').first();
+            const token = await this.identityTokenService.getTokenForUser(ownerUser.email, 'Owner');
+            const res = await (0, node_fetch_1.default)(new URL('.ghost/activitypub/site', this.siteUrl), {
+                headers: {
+                    Authorization: `Bearer ${token}`
+                }
+            });
+            const body = await res.json();
+            return body.webhook_secret;
+        }
+        catch (err) {
+            this.logging.error(`Could not get webhook secret for ActivityPub ${err}`);
+            return null;
+        }
+    }
+    async initialiseWebhooks() {
+        const integration = await this.knex
+            .select('*')
+            .from('integrations')
+            .where('slug', '=', 'ghost-activitypub')
+            .andWhere('type', '=', 'internal')
+            .first();
+        if (!integration) {
+            this.logging.error('No ActivityPub integration found - cannot initialise');
+            return;
+        }
+        const secret = await this.getWebhookSecret();
+        if (!secret) {
+            this.logging.error('No webhook secret found - cannot initialise');
+            return;
+        }
+        const expectedWebhooks = this.getExpectedWebhooks(secret);
+        const isInCorrectState = await this.checkWebhookState(expectedWebhooks, integration);
+        if (isInCorrectState) {
+            this.logging.info(`ActivityPub webhooks in correct state`);
+            return;
+        }
+        this.logging.info(`ActivityPub webhooks in incorrect state, deleting all of them and starting fresh`);
+        await this.knex
+            .del()
+            .from('webhooks')
+            .where('integration_id', '=', integration.id);
+        const webhooksToInsert = expectedWebhooks.map((expectedWebhook) => {
+            return {
+                id: (new bson_objectid_1.default).toHexString(),
+                event: expectedWebhook.event,
+                target_url: expectedWebhook.target_url.href,
+                api_version: expectedWebhook.api_version,
+                name: `ActivityPub ${expectedWebhook.event} Webhook`,
+                secret: secret,
+                integration_id: integration.id,
+                created_at: this.knex.raw('current_timestamp'),
+                created_by: '1'
+            };
+        });
+        await this.knex
+            .insert(webhooksToInsert)
+            .into('webhooks');
+    }
+}
+exports.ActivityPubService = ActivityPubService;

package/core/server/services/activitypub/ActivityPubService.ts

@@ -0,0 +1,139 @@
+import ObjectID from 'bson-objectid';
+import {Knex} from 'knex';
+import {IdentityTokenService} from '@tryghost/identity-token-service';
+import fetch from 'node-fetch';
+
+type ExpectedWebhook = {
+    event: string;
+    target_url: URL;
+    api_version: string;
+    secret: string;
+};
+
+interface Logger {
+    info(message: string): void
+    warn(message: string): void
+    error(message: string): void
+}
+
+export class ActivityPubService {
+    constructor(
+        private knex: Knex,
+        private siteUrl: URL,
+        private logging: Logger,
+        private identityTokenService: IdentityTokenService
+    ) {}
+
+    getExpectedWebhooks(secret: string): ExpectedWebhook[] {
+        return [{
+            event: 'post.published',
+            target_url: new URL('.ghost/activitypub/webhooks/post/published', this.siteUrl),
+            api_version: 'v5.100.0',
+            secret
+        }, {
+            event: 'site.changed',
+            target_url: new URL('.ghost/activitypub/webhooks/site/changed', this.siteUrl),
+            api_version: 'v5.100.0',
+            secret
+        }];
+    }
+
+    async checkWebhookState(expectedWebhooks: ExpectedWebhook[], integration: {id: string}) {
+        this.logging.info(`Checking ActivityPub Webhook state`);
+
+        const webhooks = await this.knex
+            .select('*')
+            .from('webhooks')
+            .where('integration_id', '=', integration.id);
+
+        if (webhooks.length !== expectedWebhooks.length) {
+            this.logging.warn(`Expected ${expectedWebhooks.length} webhooks for ActivityPub`);
+            return false;
+        }
+
+        for (const expectedWebhook of expectedWebhooks) {
+            const foundWebhook = webhooks.find((webhook) => {
+                return webhook.event === expectedWebhook.event && webhook.target_url === expectedWebhook.target_url.href && webhook.secret === expectedWebhook.secret;
+            });
+            if (!foundWebhook) {
+                this.logging.error(`Could not find webhook for ${expectedWebhook.event} ${expectedWebhook.target_url}`);
+                return false;
+            }
+        }
+
+        return true;
+    }
+
+    async getWebhookSecret(): Promise<string | null> {
+        try {
+            const ownerUser = await this.knex.select('*').from('users').where('id', '=', '1').first();
+            const token = await this.identityTokenService.getTokenForUser(ownerUser.email, 'Owner');
+
+            const res = await fetch(new URL('.ghost/activitypub/site', this.siteUrl), {
+                headers: {
+                    Authorization: `Bearer ${token}`
+                }
+            });
+
+            const body = await res.json();
+
+            return body.webhook_secret;
+        } catch (err: unknown) {
+            this.logging.error(`Could not get webhook secret for ActivityPub ${err}`);
+            return null;
+        }
+    }
+
+    async initialiseWebhooks() {
+        const integration = await this.knex
+            .select('*')
+            .from('integrations')
+            .where('slug', '=', 'ghost-activitypub')
+            .andWhere('type', '=', 'internal')
+            .first();
+
+        if (!integration) {
+            this.logging.error('No ActivityPub integration found - cannot initialise');
+            return;
+        }
+
+        const secret = await this.getWebhookSecret();
+
+        if (!secret) {
+            this.logging.error('No webhook secret found - cannot initialise');
+            return;
+        }
+
+        const expectedWebhooks = this.getExpectedWebhooks(secret);
+        const isInCorrectState = await this.checkWebhookState(expectedWebhooks, integration);
+
+        if (isInCorrectState) {
+            this.logging.info(`ActivityPub webhooks in correct state`);
+            return;
+        }
+
+        this.logging.info(`ActivityPub webhooks in incorrect state, deleting all of them and starting fresh`);
+        await this.knex
+            .del()
+            .from('webhooks')
+            .where('integration_id', '=', integration.id);
+
+        const webhooksToInsert = expectedWebhooks.map((expectedWebhook) => {
+            return {
+                id: (new ObjectID).toHexString(),
+                event: expectedWebhook.event,
+                target_url: expectedWebhook.target_url.href,
+                api_version: expectedWebhook.api_version,
+                name: `ActivityPub ${expectedWebhook.event} Webhook`,
+                secret: secret,
+                integration_id: integration.id,
+                created_at: this.knex.raw('current_timestamp'),
+                created_by: '1'
+            };
+        });
+
+        await this.knex
+            .insert(webhooksToInsert)
+            .into('webhooks');
+    }
+}

package/core/server/services/activitypub/ActivityPubServiceWrapper.js

@@ -1,4 +1,4 @@
-const {ActivityPubService} = require('@tryghost/activitypub');
+const {ActivityPubService} = require('./ActivityPubService');
 
 module.exports = class ActivityPubServiceWrapper {
     /** @type ActivityPubService */

package/core/server/services/email-analytics/jobs/update-member-email-analytics/index.js

@@ -0,0 +1,13 @@
+const queries = require('../../lib/queries');
+ 
+/**
+ * Updates email analytics for a specific member
+ * 
+ * @param {Object} options - The options object
+ * @param {string} options.memberId - The ID of the member to update analytics for
+ * @returns {Promise<Object>} The result of the aggregation query (1/0)
+ */
+module.exports = async function updateMemberEmailAnalytics({memberId}) {
+    const result = await queries.aggregateMemberStats(memberId);
+    return result;
+};

package/core/server/services/email-analytics/lib/queries.js

@@ -99,7 +99,7 @@ module.exports = {
     /**
      * Sets the timestamp of the last seen event for the specified email analytics events.
      * @param {EmailAnalyticsJobName} jobName - The name of the job to update.
-     * @param {'completed'|'started'} field - The field to update.
+     * @param {'finished'|'started'} field - The field to update.
      * @param {Date} date - The timestamp of the last seen event.
      * @returns {Promise<void>}
      * @description
@@ -110,8 +110,8 @@ module.exports = {
         // Convert string dates to Date objects for SQLite compatibility
         try {
             debug(`Setting ${field} timestamp for job ${jobName} to ${date}`);
-            const updateField = field === 'completed' ? 'finished_at' : 'started_at';
-            const status = field === 'completed' ? 'finished' : 'started';
+            const updateField = field === 'finished' ? 'finished_at' : 'started_at';
+            const status = field === 'finished' ? 'finished' : 'started';
             const result = await db.knex('jobs').update({[updateField]: date, updated_at: new Date(), status: status}).where('name', jobName);
             if (result === 0) {
                 await db.knex('jobs').insert({