ghost 5.33.8 → 5.34.1

package/core/server/services/mentions/BookshelfMentionRepository.js

@@ -54,7 +54,7 @@ module.exports = class BookshelfMentionRepository {
             sourceAuthor: model.get('source_author'),
             sourceExcerpt: model.get('source_excerpt'),
             sourceFavicon: model.get('source_favicon'),
-            sourceFeaturedImaged: model.get('source_featured_image')
+            sourceFeaturedImage: model.get('source_featured_image')
         });
     }
 
@@ -106,7 +106,8 @@ module.exports = class BookshelfMentionRepository {
             target: mention.target.href,
             resource_id: mention.resourceId?.toHexString(),
             resource_type: mention.resourceId ? 'post' : null,
-            payload: mention.payload ? JSON.stringify(mention.payload) : null
+            payload: mention.payload ? JSON.stringify(mention.payload) : null,
+            deleted: Mention.isDeleted(mention)
         };
 
         const existing = await this.#MentionModel.findOne({id: data.id}, {require: false});

package/core/server/services/mentions/MentionController.js

@@ -10,17 +10,53 @@ const logging = require('@tryghost/logging');
  * @typedef {import('@tryghost/webmentions/lib/MentionsAPI').Page} Page<Model>
  */
 
+/**
+ * @typedef {object} MentionResource
+ * @prop {ObjectID} id
+ * @prop {string} type
+ * @prop {string} name
+ */
+
+/**
+ * @typedef {Mention} MentionDTO
+ * @prop {Resource} resource
+ */
+
+/**
+ * @typedef {object} IJobService
+ * @prop {(name: string, fn: Function) => void} addJob
+ */
+
+/**
+ * @typedef {object} IMentionResourceService
+ * @prop {(id: ObjectID)  => Promise<MentionResource>} getByID
+ */
+
 module.exports = class MentionController {
     /** @type {import('@tryghost/webmentions/lib/MentionsAPI')} */
     #api;
 
+    /** @type {IJobService} */
+    #jobService;
+
+    /** @type {IMentionResourceService} */
+    #mentionResourceService;
+
+    /**
+     * @param {object} deps
+     * @param {import('@tryghost/webmentions/lib/MentionsAPI')} deps.api
+     * @param {IJobService} deps.jobService
+     * @param {IMentionResourceService} deps.mentionResourceService
+     */
     async init(deps) {
         this.#api = deps.api;
+        this.#jobService = deps.jobService;
+        this.#mentionResourceService = deps.mentionResourceService;
     }
 
     /**
      * @param {import('@tryghost/api-framework').Frame} frame
-     * @returns {Promise<Page<Mention>>}
+     * @returns {Promise<Page<MentionDTO>>}
      */
     async browse(frame) {
         let limit;
@@ -37,13 +73,41 @@ module.exports = class MentionController {
             page = 1;
         }
 
-        const results = await this.#api.listMentions({
+        let order;
+        if (frame.options.order && frame.options.order === 'created_at desc') {
+            order = 'created_at desc';
+        } else {
+            order = 'created_at asc';
+        }
+
+        const mentions = await this.#api.listMentions({
             filter: frame.options.filter,
+            order,
             limit,
             page
         });
 
-        return results;
+        const resources = await Promise.all(mentions.data.map((mention) => {
+            return this.#mentionResourceService.getByID(mention.resourceId);
+        }));
+
+        /** @type {Page<MentionDTO>} */
+        const result = {
+            data: mentions.data.map((mention, index) => {
+                const mentionDTO = {
+                    ...mention.toJSON(),
+                    resource: resources[index],
+                    toJSON() {
+                        return mentionDTO;
+                    }
+                };
+                delete mentionDTO.resourceId;
+                return mentionDTO;
+            }),
+            meta: mentions.meta
+        };
+
+        return result;
     }
 
     /**
@@ -52,15 +116,17 @@ module.exports = class MentionController {
      */
     async receive(frame) {
         logging.info('[Webmention] ' + JSON.stringify(frame.data));
-        const {source, target, ...payload} = frame.data;
-        const result = this.#api.processWebmention({
-            source: new URL(source),
-            target: new URL(target),
-            payload
-        });
-
-        result.catch(function rejected(err) {
-            logging.error(err);
+        this.#jobService.addJob('processWebmention', async () => {
+            const {source, target, ...payload} = frame.data;
+            try {
+                await this.#api.processWebmention({
+                    source: new URL(source),
+                    target: new URL(target),
+                    payload
+                });
+            } catch (err) {
+                logging.error(err);
+            }
         });
     }
 };

package/core/server/services/mentions/service.js

@@ -13,9 +13,10 @@ const events = require('../../lib/common/events');
 const externalRequest = require('../../../server/lib/request-external.js');
 const urlUtils = require('../../../shared/url-utils');
 const outputSerializerUrlUtil = require('../../../server/api/endpoints/utils/serializers/output/utils/url');
-const labs = require('../../../shared/labs');
 const urlService = require('../url');
+const settingsCache = require('../../../shared/settings-cache');
 const DomainEvents = require('@tryghost/domain-events');
+const jobsService = require('../jobs');
 
 function getPostUrl(post) {
     const jsonModel = {};
@@ -50,14 +51,53 @@ module.exports = {
             routingService
         });
 
-        this.controller.init({api});
+        this.controller.init({
+            api,
+            jobService: {
+                async addJob(name, fn) {
+                    jobsService.addJob({
+                        name,
+                        job: fn,
+                        offloaded: false
+                    });
+                }
+            },
+            mentionResourceService: {
+                async getByID(id) {
+                    if (!id) {
+                        return null;
+                    }
+
+                    const post = await models.Post.findOne({id: id.toHexString()});
+
+                    if (!post) {
+                        return null;
+                    }
+
+                    return {
+                        id: id,
+                        name: post.get('title'),
+                        type: 'post'
+                    };
+                }
+            }
+        });
 
         const sendingService = new MentionSendingService({
             discoveryService,
             externalRequest,
             getSiteUrl: () => urlUtils.urlFor('home', true),
             getPostUrl: post => getPostUrl(post),
-            isEnabled: () => labs.isSet('webmentions')
+            isEnabled: () => !settingsCache.get('is_private'),
+            jobService: {
+                async addJob(name, fn) {
+                    jobsService.addJob({
+                        name,
+                        job: fn,
+                        offloaded: false
+                    });
+                }
+            }
         });
         sendingService.listen(events);
     }

package/core/server/services/milestone-emails/MilestoneQueries.js

@@ -0,0 +1,58 @@
+const MIN_DAYS_SINCE_IMPORTED = 7;
+
+module.exports = class MilestoneQueries {
+    #db;
+
+    constructor(deps) {
+        this.#db = deps.db;
+    }
+
+    /**
+     * @returns {Promise<number>}
+     */
+    async getMembersCount() {
+        const [membersCount] = await this.#db.knex('members').count('id as count');
+
+        return membersCount?.count || 0;
+    }
+
+    /**
+     * @returns {Promise<Array>}
+     */
+    async getARR() {
+        const currentARR = await this.#db.knex('members_paid_subscription_events as stripe')
+            .select(this.#db.knex.raw('ROUND(SUM(stripe.mrr_delta) * 12) / 100 AS arr, stripe.currency as currency'))
+            .groupBy('stripe.currency');
+
+        return currentARR;
+    }
+
+    /**
+     * @returns {Promise<boolean>}
+     */
+    async hasImportedMembersInPeriod() {
+        const [hasImportedMembers] = await this.#db.knex('members_subscribe_events')
+            .count('id as count')
+            .where('source', '=', 'import')
+            .where('created_at', '>=', MIN_DAYS_SINCE_IMPORTED);
+
+        return hasImportedMembers?.count > 0;
+    }
+
+    /**
+     * @returns {Promise<string>}
+     */
+    async getDefaultCurrency() {
+        const currentARR = await this.getARR();
+
+        // Set the default currency as the one with the highest value
+        if (currentARR.length > 1) {
+            const highestValues = currentARR.sort((a, b) => b.arr - a.arr);
+            return highestValues?.[0]?.currency;
+        } else if (currentARR?.[0]?.currency) {
+            return currentARR[0].currency;
+        } else {
+            return 'usd';
+        }
+    }
+};

package/core/server/services/milestone-emails/index.js

@@ -0,0 +1 @@
+module.exports = require('./service');

package/core/server/services/milestone-emails/service.js

@@ -0,0 +1,58 @@
+// Stubbing stripe in test was causing issues. Moved it
+// into this function to be able to rewire and stub the
+// expected return value.
+const getStripeLiveEnabled = () => {
+    const stripeService = require('../stripe');
+    // This seems to be the only true way to check if Stripe is configured in live mode
+    // settingsCache only cares if Stripe is enabled
+    return stripeService.api.configured && stripeService.api.mode === 'live';
+};
+
+/**
+ *
+ * @returns {Promise<any>}
+ */
+module.exports = {
+    async initAndRun() {
+        const labs = require('../../../shared/labs');
+
+        if (labs.isSet('milestoneEmails')) {
+            const db = require('../../data/db');
+            const MilestoneQueries = require('./MilestoneQueries');
+
+            const {
+                MilestonesEmailService,
+                InMemoryMilestoneRepository
+            } = require('@tryghost/milestone-emails');
+            const config = require('../../../shared/config');
+            const milestonesConfig = config.get('milestones');
+            const {GhostMailer} = require('../mail');
+
+            const mailer = new GhostMailer();
+            const repository = new InMemoryMilestoneRepository();
+            const queries = new MilestoneQueries({db});
+
+            const milestonesEmailService = new MilestonesEmailService({
+                mailer,
+                repository,
+                milestonesConfig, // avoid using getters and pass as JSON
+                queries
+            });
+
+            let arrResult;
+
+            // @TODO: schedule recurring jobs instead
+            const membersResult = await milestonesEmailService.checkMilestones('members');
+            const stripeLiveEnabled = getStripeLiveEnabled();
+
+            if (stripeLiveEnabled) {
+                arrResult = await milestonesEmailService.checkMilestones('arr');
+            }
+
+            return {
+                members: membersResult,
+                arr: arrResult
+            };
+        }
+    }
+};

package/core/server/services/tags-public/index.js

@@ -0,0 +1 @@
+module.exports = require('./service');

package/core/server/services/tags-public/service.js

@@ -0,0 +1,31 @@
+class TagsPublicServiceWrapper {
+    async init() {
+        if (this.api) {
+            // Already done
+            return;
+        }
+
+        // Wire up all the dependencies
+        const models = require('../../models');
+        const adapterManager = require('../adapter-manager');
+        const config = require('../../../shared/config');
+
+        let tagsCache;
+        if (config.get('hostSettings:tagsPublicCache:enabled')) {
+            tagsCache = adapterManager.getAdapter('cache:tagsPublic');
+        }
+
+        const {TagsPublicRepository} = require('@tryghost/tags-public');
+
+        this.linkRedirectRepository = new TagsPublicRepository({
+            Tag: models.TagPublic,
+            cache: tagsCache
+        });
+
+        this.api = {
+            browse: this.linkRedirectRepository.getAll.bind(this.linkRedirectRepository)
+        };
+    }
+}
+
+module.exports = new TagsPublicServiceWrapper();

package/core/server/web/api/endpoints/admin/routes.js

@@ -240,7 +240,6 @@ module.exports = function apiRoutes() {
         mw.authAdminApi,
         apiMw.upload.single('file'),
         apiMw.upload.validation({type: 'images'}),
-        apiMw.normalizeImage,
         http(api.images.upload)
     );
 

package/core/server/web/api/middleware/index.js

@@ -1,6 +1,5 @@
 module.exports = {
     cors: require('./cors'),
-    normalizeImage: require('./normalize-image'),
     updateUserLastSeen: require('./update-user-last-seen'),
     upload: require('./upload'),
     versionMatch: require('./version-match')

package/core/server/web/shared/middleware/api/spam-prevention.js

@@ -20,7 +20,8 @@ const messages = {
         error: 'Only {rateSigninAttempts} tries per IP address every {rateSigninPeriod} seconds.',
         context: 'Too many login attempts.'
     },
-    tooManyAttempts: 'Too many attempts.'
+    tooManyAttempts: 'Too many attempts.',
+    webmentionsBlock: 'Too many mention attempts'
 };
 let spamPrivateBlock = spam.private_block || {};
 let spamGlobalBlock = spam.global_block || {};
@@ -29,12 +30,14 @@ let spamUserReset = spam.user_reset || {};
 let spamUserLogin = spam.user_login || {};
 let spamMemberLogin = spam.member_login || {};
 let spamContentApiKey = spam.content_api_key || {};
+let spamWebmentionsBlock = spam.webmentions_block || {};
 
 let store;
 let memoryStore;
 let privateBlogInstance;
 let globalResetInstance;
 let globalBlockInstance;
+let webmentionsBlockInstance;
 let userLoginInstance;
 let membersAuthInstance;
 let membersAuthEnumerationInstance;
@@ -123,6 +126,32 @@ const globalReset = () => {
     return globalResetInstance;
 };
 
+const webmentionsBlock = () => {
+    const ExpressBrute = require('express-brute');
+    const BruteKnex = require('brute-knex');
+    const db = require('../../../../data/db');
+
+    store = store || new BruteKnex({
+        tablename: 'brute',
+        createTable: false,
+        knex: db.knex
+    });
+
+    webmentionsBlockInstance = webmentionsBlockInstance || new ExpressBrute(store,
+        extend({
+            attachResetToRequest: false,
+            failCallback(req, res, next) {
+                return next(new errors.TooManyRequestsError({
+                    message: messages.webmentionsBlock
+                }));
+            },
+            handleStoreError: handleStoreError
+        }, pick(spamWebmentionsBlock, spamConfigKeys))
+    );
+
+    return webmentionsBlockInstance;
+};
+
 const membersAuth = () => {
     const ExpressBrute = require('express-brute');
     const BruteKnex = require('brute-knex');
@@ -319,6 +348,7 @@ module.exports = {
     userReset: userReset,
     privateBlog: privateBlog,
     contentApiKey: contentApiKey,
+    webmentionsBlock: webmentionsBlock,
     reset: () => {
         store = undefined;
         memoryStore = undefined;

package/core/server/web/shared/middleware/brute.js

@@ -104,5 +104,18 @@ module.exports = {
      */
     membersAuthEnumeration(req, res, next) {
         return spamPrevention.membersAuthEnumeration().prevent(req, res, next);
+    },
+
+    /**
+     * Blocks webmention spam
+     */
+
+    webmentionsLimiter(req, res, next) {
+        return spamPrevention.webmentionsBlock().getMiddleware({
+            ignoreIP: false,
+            key(_req, _res, _next) {
+                return _next('webmention_blocked');
+            }
+        })(req, res, next);
     }
 };

package/core/server/web/webmentions/routes.js

@@ -11,6 +11,9 @@ module.exports = function apiRoutes() {
     // shouldn't be cached
     router.use(shared.middleware.cacheControl('private'));
 
+    // rate limiter
+    router.use(shared.middleware.brute.webmentionsLimiter);
+
     // Webmentions
     router.post('/receive', bodyParser.urlencoded({extended: true, limit: '5mb'}), http(api.mentions.receive));
 

package/core/shared/config/defaults.json

@@ -102,6 +102,12 @@
             "maxWait": 43200000,
             "lifetime": 43200,
             "freeRetries": 8
+        },
+        "webmentions_block": {
+            "minWait": 10,
+            "maxWait": 100,
+            "lifetime": 1000,
+            "freeRetries": 100
         }
     },
     "caching": {
@@ -198,5 +204,15 @@
     },
     "gravatar": {
         "url": "https://www.gravatar.com/avatar/{hash}?s={size}&r={rating}&d={_default}"
-    }
+    },
+    "milestones":
+        {
+            "arr": [
+                {
+                    "currency": "usd",
+                    "values": [1000, 10000, 50000, 100000, 250000, 500000, 1000000]
+                }
+            ],
+            "members": [100, 1000, 10000, 50000, 100000, 250000, 500000, 1000000]
+        }
 }

package/core/shared/config/env/config.development.json

@@ -22,8 +22,5 @@
         "admin": {
             "maxAge": 0
         }
-    },
-    "editor": {
-        "url": "http://127.0.0.1:4173/koenig-lexical.umd.js"
     }
 }

package/core/shared/config/env/config.testing-browser.json

@@ -43,6 +43,12 @@
             "maxWait": 3600000,
             "lifetime": 3600,
             "freeRetries":99
+        },
+        "webmentions_block": {
+            "minWait": 100000,
+            "maxWait": 100000,
+            "lifetime": 3600,
+            "freeRetries": 3
         }
     },
     "privacy": {

package/core/shared/config/env/config.testing-mysql.json

@@ -44,7 +44,14 @@
             "maxWait": 3600000,
             "lifetime": 3600,
             "freeRetries":99
+        },
+        "webmentions_block": {
+            "minWait": 100000,
+            "maxWait": 100000,
+            "lifetime": 3600,
+            "freeRetries": 3
         }
+
     },
     "privacy": {
         "useTinfoil": true,

package/core/shared/config/env/config.testing.json

@@ -43,6 +43,12 @@
             "maxWait": 3600000,
             "lifetime": 3600,
             "freeRetries":99
+        },
+        "webmentions_block": {
+            "minWait": 100000,
+            "maxWait": 100000,
+            "lifetime": 3600,
+            "freeRetries": 3
         }
     },
     "privacy": {

package/core/shared/labs.js

@@ -27,6 +27,7 @@ const GA_FEATURES = [
 //       input for the "labs" setting value
 const BETA_FEATURES = [
     'activitypub',
+    'webmentions',
     'emailErrors'
 ];
 
@@ -34,9 +35,8 @@ const ALPHA_FEATURES = [
     'urlCache',
     'beforeAfterCard',
     'lexicalEditor',
-    'webmentions',
-    'webmentionEmail',
-    'outboundLinkTagging'
+    'outboundLinkTagging',
+    'milestoneEmails'
 ];
 
 module.exports.GA_KEYS = [...GA_FEATURES];