ghost 5.80.1 → 5.80.3

package/core/server/services/auth/api-key/admin.js

@@ -17,6 +17,7 @@ const messages = {
 };
 
 let JWT_OPTIONS_DEFAULTS = {
+    /** @type import('jsonwebtoken').Algorithm[] */
     algorithms: ['HS256'],
     maxAge: '5m'
 };
@@ -60,7 +61,7 @@ const authenticate = function apiKeyAdminAuth(req, res, next) {
         }));
     }
 
-    return authenticateWithToken(req, res, next, {token, JWT_OPTIONS: JWT_OPTIONS_DEFAULTS});
+    return wrappedAuthenticateWithToken(req, res, next, {token});
 };
 
 const authenticateWithUrl = function apiKeyAuthenticateWithUrl(req, res, next) {
@@ -72,9 +73,20 @@ const authenticateWithUrl = function apiKeyAuthenticateWithUrl(req, res, next) {
         }));
     }
     // CASE: Scheduler publish URLs can have long maxAge but controllerd by expiry and neverBefore
-    return authenticateWithToken(req, res, next, {token, JWT_OPTIONS: _.omit(JWT_OPTIONS_DEFAULTS, 'maxAge')});
+    return wrappedAuthenticateWithToken(req, res, next, {token, ignoreMaxAge: true});
 };
 
+async function wrappedAuthenticateWithToken(req, res, next, options) {
+    try {
+        const {apiKey, user} = await authenticateWithToken(req.originalUrl, options.token, options.ignoreMaxAge);
+        req.api_key = apiKey;
+        req.user = user;
+        next();
+    } catch (err) {
+        next(err);
+    }
+}
+
 /**
  * Admin API key authentication flow:
  * 1. extract the JWT token from the `Authorization: Ghost xxxx` header or from URL(for schedules)
@@ -89,114 +101,104 @@ const authenticateWithUrl = function apiKeyAuthenticateWithUrl(req, res, next) {
  * - the "Audience" claim should match the requested API path
  *   https://tools.ietf.org/html/rfc7519#section-4.1.3
  */
-const authenticateWithToken = async function apiKeyAuthenticateWithToken(req, res, next, {token, JWT_OPTIONS}) {
+const authenticateWithToken = async function apiKeyAuthenticateWithToken(originalUrl, token, ignoreMaxAge) {
     const decoded = jwt.decode(token, {complete: true});
+    const jwtValidationOptions = ignoreMaxAge ? _.omit(JWT_OPTIONS_DEFAULTS, 'maxAge') : JWT_OPTIONS_DEFAULTS;
 
     if (!decoded || !decoded.header) {
-        return next(new errors.BadRequestError({
+        throw new errors.BadRequestError({
             message: tpl(messages.invalidToken),
             code: 'INVALID_JWT'
-        }));
+        });
     }
 
     const apiKeyId = decoded.header.kid;
 
     if (!apiKeyId) {
-        return next(new errors.BadRequestError({
+        throw new errors.BadRequestError({
             message: tpl(messages.adminApiKidMissing),
             code: 'MISSING_ADMIN_API_KID'
-        }));
+        });
     }
 
-    try {
-        const apiKey = await models.ApiKey.findOne({id: apiKeyId}, {withRelated: ['integration']});
-
-        if (!apiKey) {
-            return next(new errors.UnauthorizedError({
-                message: tpl(messages.unknownAdminApiKey),
-                code: 'UNKNOWN_ADMIN_API_KEY'
-            }));
-        }
-
-        if (apiKey.get('type') !== 'admin') {
-            return next(new errors.UnauthorizedError({
-                message: tpl(messages.invalidApiKeyType),
-                code: 'INVALID_API_KEY_TYPE'
-            }));
-        }
-
-        // CASE: blocking all non-internal: "custom" and "builtin" integration requests when the limit is reached
-        if (limitService.isLimited('customIntegrations')
+    const apiKey = await models.ApiKey.findOne({id: apiKeyId}, {withRelated: ['integration']});
+
+    if (!apiKey) {
+        throw new errors.UnauthorizedError({
+            message: tpl(messages.unknownAdminApiKey),
+            code: 'UNKNOWN_ADMIN_API_KEY'
+        });
+    }
+
+    if (apiKey.get('type') !== 'admin') {
+        throw new errors.UnauthorizedError({
+            message: tpl(messages.invalidApiKeyType),
+            code: 'INVALID_API_KEY_TYPE'
+        });
+    }
+
+    // CASE: blocking all non-internal: "custom" and "builtin" integration requests when the limit is reached
+    if (limitService.isLimited('customIntegrations')
             && (apiKey.relations.integration && !['internal', 'core'].includes(apiKey.relations.integration.get('type')))) {
-            // NOTE: using "checkWouldGoOverLimit" instead of "checkIsOverLimit" here because flag limits don't have
-            //       a concept of measuring if the limit has been surpassed
-            await limitService.errorIfWouldGoOverLimit('customIntegrations');
-        }
-
-        // Decoding from hex and transforming into bytes is here to
-        // keep comparison of the bytes that are stored in the secret.
-        // Useful context:
-        // https://github.com/auth0/node-jsonwebtoken/issues/208#issuecomment-231861138
-        const secret = Buffer.from(apiKey.get('secret'), 'hex');
-
-        // Using req.originalUrl means we get the right url even if version-rewrites have happened
-        const {version, api} = legacyApiPathMatch(req.originalUrl);
-
-        // ensure the token was meant for this api
-        let options;
-
-        if (version) {
-            // CASE: legacy versioned api request
-            options = Object.assign({
-                audience: new RegExp(`/?${version}/${api}/?$`)
-            }, JWT_OPTIONS);
-        } else {
-            options = Object.assign({
-                audience: new RegExp(`/?${api}/?$`)
-            }, JWT_OPTIONS);
-        }
-
-        try {
-            jwt.verify(token, secret, options);
-        } catch (err) {
-            if (err.name === 'TokenExpiredError' || err.name === 'JsonWebTokenError') {
-                return next(new errors.UnauthorizedError({
-                    message: tpl(messages.invalidTokenWithMessage, {message: err.message}),
-                    code: 'INVALID_JWT',
-                    err
-                }));
-            }
-
-            // unknown error
-            return next(new errors.InternalServerError({err}));
-        }
-
-        // authenticated OK
-
-        if (apiKey.get('user_id')) {
-            // fetch the user and store it on the request for later checks and logging
-            const user = await models.User.findOne(
-                {id: apiKey.get('user_id'), status: 'active'},
-                {require: true}
-            );
-
-            req.user = user;
-        }
-
-        // store the api key on the request for later checks and logging
-        req.api_key = apiKey;
+        // NOTE: using "checkWouldGoOverLimit" instead of "checkIsOverLimit" here because flag limits don't have
+        //       a concept of measuring if the limit has been surpassed
+        await limitService.errorIfWouldGoOverLimit('customIntegrations');
+    }
 
-        next();
+    // Decoding from hex and transforming into bytes is here to
+    // keep comparison of the bytes that are stored in the secret.
+    // Useful context:
+    // https://github.com/auth0/node-jsonwebtoken/issues/208#issuecomment-231861138
+    const secret = Buffer.from(apiKey.get('secret'), 'hex');
+
+    // Using req.originalUrl means we get the right url even if version-rewrites have happened
+    const {version, api} = legacyApiPathMatch(originalUrl);
+
+    // ensure the token was meant for this api
+    let options;
+
+    if (version) {
+        // CASE: legacy versioned api request
+        options = Object.assign({
+            audience: new RegExp(`/?${version}/${api}/?$`)
+        }, jwtValidationOptions);
+    } else {
+        options = Object.assign({
+            audience: new RegExp(`/?${api}/?$`)
+        }, jwtValidationOptions);
+    }
+
+    try {
+        jwt.verify(token, secret, options);
     } catch (err) {
-        if (err instanceof errors.HostLimitError) {
-            next(err);
-        } else {
-            next(new errors.InternalServerError({err}));
-        }
+        throw new errors.UnauthorizedError({
+            message: tpl(messages.invalidTokenWithMessage, {message: err.message}),
+            code: 'INVALID_JWT',
+            err
+        });
+    }
+
+    // authenticated OK
+    let result = {
+        user: null,
+        apiKey: apiKey
+    };
+
+    if (apiKey.get('user_id')) {
+        // fetch the user and store it on the request for later checks and logging
+        const user = await models.User.findOne(
+            {id: apiKey.get('user_id'), status: 'active'},
+            {require: true}
+        );
+
+        result.user = user;
     }
+
+    return result;
 };
 
 module.exports = {
     authenticate,
-    authenticateWithUrl
+    authenticateWithUrl,
+    authenticateWithToken
 };

package/core/server/services/members/service.js

@@ -55,7 +55,9 @@ const initMembersCSVImporter = ({stripeAPIService}) => {
         },
         getTierByName: async (name) => {
             const tiers = await tiersService.api.browse({
-                filter: `name:'${name}'`
+                filter: {
+                    name
+                }
             });
 
             if (tiers.data.length > 0) {

package/core/server/services/slack-notifications/service.js

@@ -12,10 +12,11 @@ class SlackNotificationsServiceWrapper {
      * @param {string} deps.siteUrl
      * @param {boolean} deps.isEnabled
      * @param {URL} deps.webhookUrl
+     * @param {number} deps.minThreshold
      *
      * @returns {import('@tryghost/slack-notifications/lib/SlackNotificationsService')}
      */
-    static create({siteUrl, isEnabled, webhookUrl}) {
+    static create({siteUrl, isEnabled, webhookUrl, minThreshold}) {
         const {
             SlackNotificationsService,
             SlackNotifications
@@ -32,7 +33,8 @@ class SlackNotificationsServiceWrapper {
             logging,
             config: {
                 isEnabled,
-                webhookUrl
+                webhookUrl,
+                minThreshold
             },
             slackNotifications
         });
@@ -49,8 +51,9 @@ class SlackNotificationsServiceWrapper {
         const siteUrl = urlUtils.getSiteUrl();
         const isEnabled = !!(hostSettings?.milestones?.enabled && hostSettings?.milestones?.url);
         const webhookUrl = hostSettings?.milestones?.url;
+        const minThreshold = hostSettings?.milestones?.minThreshold ? parseInt(hostSettings.milestones.minThreshold) : 0;
 
-        this.#api = SlackNotificationsServiceWrapper.create({siteUrl, isEnabled, webhookUrl});
+        this.#api = SlackNotificationsServiceWrapper.create({siteUrl, isEnabled, webhookUrl, minThreshold});
 
         this.#api.subscribeEvents();
     }

package/core/server/services/themes/installer.js

@@ -3,7 +3,7 @@ const os = require('os');
 const path = require('path');
 const security = require('@tryghost/security');
 const request = require('@tryghost/request');
-const errors = require('@tryghost/errors/lib/errors');
+const errors = require('@tryghost/errors');
 const limitService = require('../../services/limits');
 const {setFromZip} = require('./storage');
 

package/core/server/services/tiers/TierRepository.js

@@ -86,7 +86,8 @@ module.exports = class TierRepository {
      * @returns {Promise<import('@tryghost/tiers/lib/Tier')[]>}
      */
     async getAll(options = {}) {
-        const filter = nql(options.filter, {});
+        const filter = nql();
+        filter.filter = options.filter || {};
         return Promise.all(this.#store.slice().filter((item) => {
             return filter.queryJSON(this.toPrimitive(item));
         }).map((tier) => {

package/core/server/web/admin/app.js

@@ -30,7 +30,24 @@ module.exports = function setupAdminApp() {
         }
     ));
 
-    adminApp.use('/auth-frame', serveStatic(
+    // Auth Frame renders a HTML page that loads some JS which then makes an API
+    // request to the Admin API /users/me/ endpoint to check if the user is logged in.
+    //
+    // Used by comments-ui to add moderation options to front-end comments when logged in.
+    adminApp.use('/auth-frame', (req, res, next) => {
+        // only render content when we have an Admin session cookie,
+        // otherwise return a 204 to avoid JS and API requests being made unnecessarily
+        try {
+            if (req.headers.cookie?.includes('ghost-admin-api-session')) {
+                next();
+            } else {
+                res.setHeader('Cache-Control', 'public, max-age=0');
+                res.sendStatus(204);
+            }
+        } catch (err) {
+            next(err);
+        }
+    }, serveStatic(
         path.join(config.getContentPath('public'), 'admin-auth')
     ));
 

package/core/server/web/api/endpoints/admin/app.js

@@ -4,11 +4,13 @@ const bodyParser = require('body-parser');
 const errorHandler = require('@tryghost/mw-error-handler');
 const versionMatch = require('@tryghost/mw-version-match');
 
+const labs = require('../../../../../shared/labs');
 const shared = require('../../../shared');
 const express = require('../../../../../shared/express');
 const sentry = require('../../../../../shared/sentry');
 const routes = require('./routes');
 const APIVersionCompatibilityService = require('../../../../services/api-version-compatibility');
+const GhostNestApp = require('@tryghost/ghost');
 
 module.exports = function setupApiApp() {
     debug('Admin API setup start');
@@ -33,6 +35,14 @@ module.exports = function setupApiApp() {
     // Routing
     apiApp.use(routes());
 
+    apiApp.use(async (req, res, next) => {
+        if (!labs.isSet('NestPlayground')) {
+            return next();
+        }
+        const app = await GhostNestApp.getApp();
+        app.getHttpAdapter().getInstance()(req, res, next);
+    });
+
     // API error handling
     apiApp.use(errorHandler.resourceNotFound);
     apiApp.use(APIVersionCompatibilityService.errorHandler);

package/core/shared/labs.js

@@ -36,6 +36,7 @@ const BETA_FEATURES = [
 ];
 
 const ALPHA_FEATURES = [
+    'NestPlayground',
     'urlCache',
     'lexicalMultiplayer',
     'websockets',