npm - ghost - Versions diffs - 5.82.10 → 5.82.12 - Mend

ghost 5.82.10 → 5.82.12

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (149) hide show

package/core/frontend/web/site.js CHANGED Viewed

@@ -22,6 +22,7 @@ const shared = require('../../server/web/shared');
 const errorHandler = require('@tryghost/mw-error-handler');
 const mw = require('./middleware');
 const labs = require('../../shared/labs');
+const bodyParser = require('body-parser');
 const STATIC_IMAGE_URL_PREFIX = `/${urlUtils.STATIC_IMAGE_URL_PREFIX}`;
 const STATIC_MEDIA_URL_PREFIX = `/${constants.STATIC_MEDIA_URL_PREFIX}`;
@@ -50,6 +51,21 @@ module.exports = function setupSiteApp(routerConfig) {
     // enable CORS headers (allows admin client to hit front-end when configured on separate URLs)
     siteApp.use(mw.cors);
+    const jsonParser = bodyParser.json({
+        type: ['application/activity+json', 'application/ld+json', 'application/ld+json; profile="https://www.w3.org/ns/activitystreams"'],
+        // TODO: The @RawBody decorator in nest isn't working without this atm...
+        verify: function (req, res, buf) {
+            req.rawBody = buf;
+        }
+    });
+    siteApp.use(async function nestBodyParser(req, res, next) {
+        if (labs.isSet('NestPlayground') || labs.isSet('ActivityPub')) {
+            jsonParser(req, res, next);
+            return;
+        }
+        return next();
+    });
     siteApp.use(async function nestApp(req, res, next) {
         if (labs.isSet('NestPlayground') || labs.isSet('ActivityPub')) {
             const originalExpressApp = req.app;
@@ -105,9 +121,6 @@ module.exports = function setupSiteApp(routerConfig) {
     // Serve site files using the storage adapter
     siteApp.use(STATIC_FILES_URL_PREFIX, storage.getStorage('files').serve());
-    // Global handling for member session, ensures a member is logged in to the frontend
-    siteApp.use(membersService.middleware.loadMemberSession);
     // /member/.well-known/* serves files (e.g. jwks.json) so it needs to be mounted before the prettyUrl mw to avoid trailing slashes
     siteApp.use(
         '/members/.well-known',
@@ -132,18 +145,23 @@ module.exports = function setupSiteApp(routerConfig) {
     // Theme static assets/files
     siteApp.use(mw.staticTheme());
+    // Serve robots.txt if not found in theme
+    siteApp.use(mw.servePublicFile('static', 'robots.txt', 'text/plain', config.get('caching:robotstxt:maxAge')));
     debug('Static content done');
+    // site map - this should probably be refactored to be an internal app
+    sitemapHandler(siteApp);
+    // Global handling for member session, ensures a member is logged in to the frontend
+    siteApp.use(membersService.middleware.loadMemberSession);
     // Theme middleware
     // This should happen AFTER any shared assets are served, as it only changes things to do with templates
     siteApp.use(themeMiddleware);
     debug('Themes done');
-    // Serve robots.txt if not found in theme
-    siteApp.use(mw.servePublicFile('static', 'robots.txt', 'text/plain', config.get('caching:robotstxt:maxAge')));
-    // site map - this should probably be refactored to be an internal app
-    sitemapHandler(siteApp);
     debug('Internal apps done');
     // Add in all trailing slashes & remove uppercase
@@ -151,12 +169,12 @@ module.exports = function setupSiteApp(routerConfig) {
     siteApp.use(shared.middleware.prettyUrls);
     // ### Caching
-    siteApp.use(function frontendCaching(req, res, next) {
-        // Site frontend is cacheable UNLESS request made by a member or site is in private mode
-        if (req.member || res.isPrivateBlog) {
-            return shared.middleware.cacheControl('private')(req, res, next);
-        } else {
-            return shared.middleware.cacheControl('public', {maxAge: config.get('caching:frontend:maxAge')})(req, res, next);
+    siteApp.use(async function frontendCaching(req, res, next) {
+        try {
+            const middleware = await mw.frontendCaching.getMiddleware();
+            return middleware(req, res, next);
+        } catch {
+            return next();
         }
     });

package/core/server/api/endpoints/utils/serializers/input/posts.js CHANGED Viewed

@@ -7,6 +7,7 @@ const slugFilterOrder = require('./utils/slug-filter-order');
 const localUtils = require('../../index');
 const mobiledoc = require('../../../../../lib/mobiledoc');
 const postsMetaSchema = require('../../../../../data/schema').tables.posts_meta;
+const postsSchema = require('../../../../../data/schema').tables.posts;
 const clean = require('./utils/clean');
 const lexical = require('../../../../../lib/lexical');
 const sentry = require('../../../../../../shared/sentry');
@@ -16,6 +17,16 @@ const messages = {
     failedHtmlToLexical: 'Failed to convert HTML to Lexical'
 };
+/**
+ * Selects all allowed columns for the given frame.
+ *
+ * NOTE: This doesn't stop them from being FETCHED, just returned in the response. This causes
+ *   the output serializer to remove them from the data object before returning.
+ *
+ * NOTE: This is only intended for the Content API. We need these fields within Admin API responses.
+ *
+ * @param {Object} frame - The frame object.
+ */
 function removeSourceFormats(frame) {
     if (frame.options.formats?.includes('mobiledoc') || frame.options.formats?.includes('lexical')) {
         frame.options.formats = frame.options.formats.filter((format) => {
@@ -24,6 +35,33 @@ function removeSourceFormats(frame) {
     }
 }
+/**
+ * Selects all allowed columns for the given frame.
+ *
+ * This removes the lexical and mobiledoc columns from the query. This is a performance improvement as we never intend
+ *  to expose those columns in the content API and they are very large datasets to be passing around and de/serializing.
+ *
+ * NOTE: This is only intended for the Content API. We need these fields within Admin API responses.
+ *
+ * @param {Object} frame - The frame object.
+ */
+function selectAllAllowedColumns(frame) {
+    if (!frame.options.columns && !frame.options.selectRaw) {
+        // Because we're returning columns directly from the table we need to remove info columns like @@UNIQUE_CONSTRAINTS@@
+        frame.options.selectRaw = _.keys(_.omit(postsSchema, ['lexical','mobiledoc','@@UNIQUE_CONSTRAINTS@@'])).join(',');
+    } else if (frame.options.columns) {
+        frame.options.columns = frame.options.columns.filter((column) => {
+            return !['mobiledoc', 'lexical'].includes(column);
+        });
+    } else if (frame.options.selectRaw) {
+        frame.options.selectRaw = frame.options.selectRaw.split(',').map((column) => {
+            return column.trim();
+        }).filter((column) => {
+            return !['mobiledoc', 'lexical'].includes(column);
+        }).join(',');
+    }
+}
 /**
  * Map names of relations to the internal names
  */
@@ -128,7 +166,8 @@ module.exports = {
          */
         if (localUtils.isContentAPI(frame)) {
             // CASE: the content api endpoint for posts should not return mobiledoc or lexical
-            removeSourceFormats(frame);
+            removeSourceFormats(frame); // remove from the format field
+            selectAllAllowedColumns(frame); // remove from any specified column or selectRaw options
             setDefaultOrder(frame);
             forceVisibilityColumn(frame);

package/core/server/services/members/middleware.js CHANGED Viewed

@@ -1,3 +1,4 @@
+const crypto = require('crypto');
 const _ = require('lodash');
 const logging = require('@tryghost/logging');
 const membersService = require('./service');
@@ -11,12 +12,65 @@ const {
 } = require('./utils');
 const errors = require('@tryghost/errors');
 const tpl = require('@tryghost/tpl');
+const onHeaders = require('on-headers');
+const tiersService = require('../tiers/service');
+const config = require('../../../shared/config');
 const messages = {
     missingUuid: 'Missing uuid.',
     invalidUuid: 'Invalid uuid.'
 };
+const getFreeTier = async function getFreeTier() {
+    const response = await tiersService.api.browse();
+    const freeTier = response.data.find(tier => tier.type === 'free');
+    return freeTier;
+};
+/**
+ * Sets the ghost-access and ghost-access-hmac cookies on the response object
+ * @param {object} member - The member object
+ * @param {import('express').Response} res - The express response object to set the cookies on
+ * @returns
+ */
+const setAccessCookies = function setAccessCookies(member = undefined, res, freeTier) {
+    if (!member) {
+        const accessCookie = `ghost-access=null; Max-Age=0; Path=/; HttpOnly; SameSite=Strict;`;
+        const hmacCookie = `ghost-access-hmac=null; Max-Age=0; Path=/; HttpOnly; SameSite=Strict;`;
+        const existingCookies = res.getHeader('Set-Cookie') || [];
+        const cookiesToSet = [accessCookie, hmacCookie].concat(existingCookies);
+        res.setHeader('Set-Cookie', cookiesToSet);
+        return;
+    }
+    const hmacSecret = config.get('cacheMembersContent:hmacSecret');
+    if (!hmacSecret) {
+        return;
+    }
+    const activeSubscription = member.subscriptions?.find(sub => sub.status === 'active');
+    const cookieTimestamp = Math.floor(Date.now() / 1000); // to mitigate a cookie replay attack
+    const memberTier = activeSubscription && activeSubscription.tier.id || freeTier.id;
+    const memberTierAndTimestamp = `${memberTier}:${cookieTimestamp}`;
+    const memberTierHmac = crypto.createHmac('sha256', hmacSecret).update(memberTierAndTimestamp).digest('hex');
+    const maxAge = 3600;
+    const accessCookie = `ghost-access=${memberTierAndTimestamp}; Max-Age=${maxAge}; Path=/; HttpOnly; SameSite=Strict;`;
+    const hmacCookie = `ghost-access-hmac=${memberTierHmac}; Max-Age=${maxAge}; Path=/; HttpOnly; SameSite=Strict;`;
+    const existingCookies = res.getHeader('Set-Cookie') || [];
+    const cookiesToSet = [accessCookie, hmacCookie].concat(existingCookies);
+    res.setHeader('Set-Cookie', cookiesToSet);
+};
+const accessInfoSession = async function accessInfoSession(req, res, next) {
+    const freeTier = await getFreeTier();
+    onHeaders(res, function () {
+        setAccessCookies(req.member, res, freeTier);
+    });
+    next();
+};
 // @TODO: This piece of middleware actually belongs to the frontend, not to the member app
 // Need to figure a way to separate these things (e.g. frontend actually talks to members API)
 const loadMemberSession = async function loadMemberSession(req, res, next) {
@@ -242,6 +296,16 @@ const createSessionFromMagicLink = async function createSessionFromMagicLink(req
         // Note: don't reset 'member_login', or that would give an easy way around user enumeration by logging in to a manually created account
         const subscriptions = member && member.subscriptions || [];
+        if (config.get('cacheMembersContent:enabled')) {
+            // Set the ghost-access cookies to enable tier-based caching
+            try {
+                const freeTier = await getFreeTier();
+                setAccessCookies(member, res, freeTier);
+            } catch {
+                // This is a non-critical operation, so we can safely ignore any errors
+            }
+        }
         const action = req.query.action;
         if (action === 'signup' || action === 'signup-paid' || action === 'subscribe') {
@@ -322,5 +386,6 @@ module.exports = {
     updateMemberData,
     updateMemberNewsletters,
     deleteSession,
+    accessInfoSession,
     deleteSuppression
 };

package/core/server/services/offers/OfferBookshelfRepository.js CHANGED Viewed

@@ -33,12 +33,12 @@ const mongoTransformer = flowRight(statusTransformer, rejectNonStatusTransformer
 /**
  * @typedef {object} BaseOptions
- * @prop {import('knex').Transaction} transacting
+ * @prop {import('knex').Knex.Transaction} transacting
  */
 /**
  * @typedef {object} ListOptions
- * @prop {import('knex').Transaction} transacting
+ * @prop {import('knex').Knex.Transaction} transacting
  * @prop {string} filter
  */
@@ -56,7 +56,7 @@ class OfferBookshelfRepository {
     /**
      * @template T
-     * @param {(t: import('knex').Transaction) => Promise<T>} cb
+     * @param {(t: import('knex').Knex.Transaction) => Promise<T>} cb
      * @returns {Promise<T>}
      */
     async createTransaction(cb) {

package/core/server/views/maintenance.html CHANGED Viewed

@@ -1,4 +1,5 @@
 <!DOCTYPE html>
+<html>
 <head>
 <meta charset="utf-8">
 <meta http-equiv="X-UA-Compatible" content="IE=edge">

package/core/server/web/members/app.js CHANGED Viewed

@@ -45,7 +45,14 @@ module.exports = function setupMembersApp() {
     membersApp.put('/api/member/newsletters', bodyParser.json({limit: '50mb'}), middleware.updateMemberNewsletters);
     // Get and update member data
-    membersApp.get('/api/member', middleware.getMemberData);
+    // Caching members content is an experimental feature
+    const shouldCacheMembersContent = config.get('cacheMembersContent:enabled');
+    if (shouldCacheMembersContent) {
+        membersApp.get('/api/member', middleware.loadMemberSession, middleware.accessInfoSession, middleware.getMemberData);
+    } else {
+        membersApp.get('/api/member', middleware.getMemberData);
+    }
     membersApp.put('/api/member', bodyParser.json({limit: '50mb'}), middleware.updateMemberData);
     membersApp.post('/api/member/email', bodyParser.json({limit: '50mb'}), (req, res) => membersService.api.middleware.updateEmailAddress(req, res));

package/core/shared/sentry.js CHANGED Viewed

@@ -115,7 +115,6 @@ if (sentryConfig && !sentryConfig.disabled) {
         release: 'ghost@' + version,
         environment: environment,
         maxValueLength: 1000,
-        includeLocalVariables: true,
         integrations: [
             Sentry.extraErrorDataIntegration()
         ],