ghost 5.97.3 → 5.98.1

package/core/built/admin/index.html

@@ -8,7 +8,7 @@
     <title>Ghost Admin</title>
 
     
-<meta name="ghost-admin/config/environment" content="%7B%22modulePrefix%22%3A%22ghost-admin%22%2C%22environment%22%3A%22production%22%2C%22cdnUrl%22%3A%22%22%2C%22editorUrl%22%3A%22%22%2C%22rootURL%22%3A%22%22%2C%22locationType%22%3A%22trailing-hash%22%2C%22EmberENV%22%3A%7B%22FEATURES%22%3A%7B%7D%2C%22EXTEND_PROTOTYPES%22%3A%7B%22Date%22%3Afalse%2C%22Array%22%3Atrue%2C%22String%22%3Atrue%2C%22Function%22%3Afalse%7D%2C%22_APPLICATION_TEMPLATE_WRAPPER%22%3Afalse%2C%22_JQUERY_INTEGRATION%22%3Atrue%2C%22_TEMPLATE_ONLY_GLIMMER_COMPONENTS%22%3Atrue%7D%2C%22APP%22%3A%7B%22version%22%3A%225.97%22%2C%22name%22%3A%22ghost-admin%22%7D%2C%22ember-simple-auth%22%3A%7B%7D%2C%22%40sentry%2Fember%22%3A%7B%22disablePerformance%22%3Atrue%2C%22sentry%22%3A%7B%7D%7D%2C%22ember-cli-mirage%22%3A%7B%22usingProxy%22%3Afalse%2C%22useDefaultPassthroughs%22%3Atrue%7D%2C%22exportApplicationGlobal%22%3Afalse%2C%22ember-load%22%3A%7B%22loadingIndicatorClass%22%3A%22ember-load-indicator%22%7D%2C%22editorFilename%22%3A%22koenig-lexical.umd.js%22%2C%22editorHash%22%3A%22ee37f0b9eb%22%2C%22adminXDemoFilename%22%3A%22admin-x-demo.js%22%2C%22adminXDemoHash%22%3A%2224d6ef8fbd%22%2C%22adminXSettingsFilename%22%3A%22admin-x-settings.js%22%2C%22adminXSettingsHash%22%3A%22b1e0cd5a92%22%2C%22adminXActivitypubFilename%22%3A%22admin-x-activitypub.js%22%2C%22adminXActivitypubHash%22%3A%229368ade858%22%2C%22adminXActivitypubCustomUrl%22%3A%22https%3A%2F%2Fcdn.jsdelivr.net%2Fghost%2Fadmin-x-activitypub%400%2Fdist%2Fadmin-x-activitypub.js%22%7D" />
+<meta name="ghost-admin/config/environment" content="%7B%22modulePrefix%22%3A%22ghost-admin%22%2C%22environment%22%3A%22production%22%2C%22cdnUrl%22%3A%22%22%2C%22editorUrl%22%3A%22%22%2C%22rootURL%22%3A%22%22%2C%22locationType%22%3A%22trailing-hash%22%2C%22EmberENV%22%3A%7B%22FEATURES%22%3A%7B%7D%2C%22EXTEND_PROTOTYPES%22%3A%7B%22Date%22%3Afalse%2C%22Array%22%3Atrue%2C%22String%22%3Atrue%2C%22Function%22%3Afalse%7D%2C%22_APPLICATION_TEMPLATE_WRAPPER%22%3Afalse%2C%22_JQUERY_INTEGRATION%22%3Atrue%2C%22_TEMPLATE_ONLY_GLIMMER_COMPONENTS%22%3Atrue%7D%2C%22APP%22%3A%7B%22version%22%3A%225.98%22%2C%22name%22%3A%22ghost-admin%22%7D%2C%22ember-simple-auth%22%3A%7B%7D%2C%22%40sentry%2Fember%22%3A%7B%22disablePerformance%22%3Atrue%2C%22sentry%22%3A%7B%7D%7D%2C%22ember-cli-mirage%22%3A%7B%22usingProxy%22%3Afalse%2C%22useDefaultPassthroughs%22%3Atrue%7D%2C%22exportApplicationGlobal%22%3Afalse%2C%22ember-load%22%3A%7B%22loadingIndicatorClass%22%3A%22ember-load-indicator%22%7D%2C%22editorFilename%22%3A%22koenig-lexical.umd.js%22%2C%22editorHash%22%3A%22ee37f0b9eb%22%2C%22adminXDemoFilename%22%3A%22admin-x-demo.js%22%2C%22adminXDemoHash%22%3A%221b17317b1f%22%2C%22adminXSettingsFilename%22%3A%22admin-x-settings.js%22%2C%22adminXSettingsHash%22%3A%22a887193dcd%22%2C%22adminXActivitypubFilename%22%3A%22admin-x-activitypub.js%22%2C%22adminXActivitypubHash%22%3A%22ad0a25d390%22%2C%22adminXActivitypubCustomUrl%22%3A%22https%3A%2F%2Fcdn.jsdelivr.net%2Fghost%2Fadmin-x-activitypub%400%2Fdist%2Fadmin-x-activitypub.js%22%7D" />
 
     <meta name="HandheldFriendly" content="True" />
     <meta name="MobileOptimized" content="320" />
@@ -58,7 +58,7 @@
 
     <script src="assets/vendor-88cd9f5cf5eba65221e2d2a636531eaa.js"></script>
 <script src="assets/chunk.874.5eb920d19e75683234c2.js"></script>
-<script src="assets/chunk.524.b095de8463657e362a7a.js"></script>
-    <script src="assets/ghost-b7702081322ac2a966ad205b1d07416c.js"></script>
+<script src="assets/chunk.524.61222a4a218eee1d5708.js"></script>
+    <script src="assets/ghost-7a6db87f125f7ea41beb7a88d500e8dc.js"></script>
 </body>
 </html>

package/core/frontend/apps/amp/lib/views/amp.hbs

@@ -1,5 +1,5 @@
 <!DOCTYPE html>
-<html ⚡>
+<html ⚡ lang="{{@site.locale}}">
 <head>
     <meta charset="utf-8">
     <meta name="viewport" content="width=device-width,minimum-scale=1,initial-scale=1">

package/core/frontend/helpers/body_class.js

@@ -2,8 +2,14 @@
 // Usage: `{{body_class}}`
 //
 // Output classes for the body element
+const {labs, settingsCache} = require('../services/proxy');
+const {generateCustomFontBodyClass, isValidCustomFont, isValidCustomHeadingFont} = require('@tryghost/custom-fonts');
 const {SafeString} = require('../services/handlebars');
 
+/**
+ * @typedef {import('@tryghost/custom-fonts').FontSelection} FontSelection
+ */
+
 // We use the name body_class to match the helper for consistency
 module.exports = function body_class(options) { // eslint-disable-line camelcase
     let classes = [];
@@ -39,6 +45,32 @@ module.exports = function body_class(options) { // eslint-disable-line camelcase
         classes.push('paged');
     }
 
+    if (labs.isSet('customFonts')) {
+        // Check if if the request is for a site preview, in which case we **always** use the custom font values
+        // from the passed in data, even when they're empty strings or settings cache has values.
+        const isSitePreview = options.data.site._preview;
+        // Taking the fonts straight from the passed in data, as they can't be used from the
+        // settings cache for the theme preview until the settings are saved. Once saved,
+        // we need to use the settings cache to provide the correct CSS injection.
+        const headingFont = isSitePreview ? options.data.site.heading_font : settingsCache.get('heading_font');
+        const bodyFont = isSitePreview ? options.data.site.body_font : settingsCache.get('body_font');
+
+        if ((typeof headingFont === 'string' && isValidCustomHeadingFont(headingFont)) ||
+            (typeof bodyFont === 'string' && isValidCustomFont(bodyFont))) {
+            /** @type FontSelection */
+            const fontSelection = {};
+
+            if (headingFont) {
+                fontSelection.heading = headingFont;
+            }
+            if (bodyFont) {
+                fontSelection.body = bodyFont;
+            }
+            const customBodyClasses = generateCustomFontBodyClass(fontSelection);
+            classes.push(new SafeString(customBodyClasses));
+        }
+    }
+
     classes = classes.join(' ').trim();
 
     return new SafeString(classes);

package/core/frontend/helpers/content_api_url.js

@@ -0,0 +1,28 @@
+const {SafeString} = require('../services/handlebars');
+const logging = require('@tryghost/logging');
+const {urlUtils} = require('../services/proxy');
+
+module.exports = function content_api_url(options) { // eslint-disable-line camelcase
+    let result;
+    const absoluteUrlRequested = getAbsoluteOption(options);
+
+    try {
+        let path = urlUtils.urlFor('api', {type: 'content'}, absoluteUrlRequested);
+        result = new SafeString(path);
+    } catch (error) {
+        logging.error(error);
+        result = '';
+    }
+
+    return result;
+};
+
+function getAbsoluteOption(options) {
+    const absoluteOption = options && options.hash && options.hash.absolute;
+    if (absoluteOption === undefined || absoluteOption === 'true' || absoluteOption === true || absoluteOption === null) {
+        return true;
+    } else {
+        return false;
+    }
+}
+

package/core/frontend/helpers/ghost_head.js

@@ -4,7 +4,7 @@
 // Outputs scripts and other assets at the top of a Ghost theme
 const {labs, metaData, settingsCache, config, blogIcon, urlUtils, getFrontendKey} = require('../services/proxy');
 const {escapeExpression, SafeString} = require('../services/handlebars');
-
+const {generateCustomFontCss, isValidCustomFont, isValidCustomHeadingFont} = require('@tryghost/custom-fonts');
 // BAD REQUIRE
 // @TODO fix this require
 const {cardAssets} = require('../services/assets-minification');
@@ -15,6 +15,10 @@ const debug = require('@tryghost/debug')('ghost_head');
 const templateStyles = require('./tpl/styles');
 const {getFrontendAppConfig, getDataAttributes} = require('../utils/frontend-apps');
 
+/**
+ * @typedef {import('@tryghost/custom-fonts').FontSelection} FontSelection
+ */
+
 const {get: getMetaData, getAssetUrl} = metaData;
 
 function writeMetaTag(property, content, type) {
@@ -45,8 +49,8 @@ function finaliseStructuredData(meta) {
 }
 
 function getMembersHelper(data, frontendKey) {
-    // Do not load Portal if both Memberships and Tips & Donations are disabled
-    if (!settingsCache.get('members_enabled') && !settingsCache.get('donations_enabled')) {
+    // Do not load Portal if both Memberships and Tips & Donations and Recommendations are disabled
+    if (!settingsCache.get('members_enabled') && !settingsCache.get('donations_enabled') && !settingsCache.get('recommendations_enabled')) {
         return '';
     }
 
@@ -339,6 +343,31 @@ module.exports = async function ghost_head(options) { // eslint-disable-line cam
             if (config.get('tinybird') && config.get('tinybird:tracker') && config.get('tinybird:tracker:scriptUrl')) {
                 head.push(getTinybirdTrackerScript(dataRoot));
             }
+
+            if (labs.isSet('customFonts')) {
+                // Check if if the request is for a site preview, in which case we **always** use the custom font values
+                // from the passed in data, even when they're empty strings or settings cache has values.
+                const isSitePreview = options.data.site._preview;
+                // Taking the fonts straight from the passed in data, as they can't be used from the
+                // settings cache for the theme preview until the settings are saved. Once saved,
+                // we need to use the settings cache to provide the correct CSS injection.
+                const headingFont = isSitePreview ? options.data.site.heading_font : settingsCache.get('heading_font');
+                const bodyFont = isSitePreview ? options.data.site.body_font : settingsCache.get('body_font');
+                if ((typeof headingFont === 'string' && isValidCustomHeadingFont(headingFont)) ||
+                    (typeof bodyFont === 'string' && isValidCustomFont(bodyFont))) {
+                    /** @type FontSelection */
+                    const fontSelection = {};
+
+                    if (headingFont) {
+                        fontSelection.heading = headingFont;
+                    }
+                    if (bodyFont) {
+                        fontSelection.body = bodyFont;
+                    }
+                    const customCSS = generateCustomFontCss(fontSelection);
+                    head.push(new SafeString(customCSS));
+                }
+            }
         }
 
         debug('end');

package/core/frontend/meta/schema.js

@@ -119,6 +119,7 @@ function getHomeSchema(metaData) {
         '@type': 'WebSite',
         publisher: schemaPublisherObject(metaData),
         url: metaData.url,
+        name: metaData.site.title,
         image: schemaImageObject(metaData.coverImage),
         mainEntityOfPage: metaData.url,
         description: metaData.metaDescription ?

package/core/frontend/services/theme-engine/preview.js

@@ -22,7 +22,9 @@ function getPreviewData(previewHeader, customThemeSettingKeys = []) {
         logo: 'logo',
         cover: 'cover_image',
         custom: 'custom',
-        d: 'description'
+        d: 'description',
+        bf: 'body_font',
+        hf: 'heading_font'
     };
 
     let opts = new URLSearchParams(previewHeader);

package/core/server/api/endpoints/session.js

@@ -61,8 +61,18 @@ const controller = {
         });
     },
     delete() {
-        return Promise.resolve(function destroySessionMw(req, res, next) {
-            auth.session.destroySession(req, res, next);
+        return Promise.resolve(function logoutSessionMw(req, res, next) {
+            auth.session.logout(req, res, next);
+        });
+    },
+    sendVerification() {
+        return Promise.resolve(function sendAuthCodeMw(req, res, next) {
+            auth.session.sendAuthCode(req, res, next);
+        });
+    },
+    verify() {
+        return Promise.resolve(function verifyAuthCodeMw(req, res, next) {
+            auth.session.verifyAuthCode(req, res, next);
         });
     }
 };

package/core/server/data/migrations/versions/5.97/2024-10-09-14-04-10-add-session-verification-field.js

@@ -0,0 +1,25 @@
+const logging = require('@tryghost/logging');
+
+const {createTransactionalMigration} = require('../../utils');
+
+module.exports = createTransactionalMigration(
+    async function up(knex) {
+        logging.info('Adding verified property to sessions');
+
+        await knex.raw(`
+            UPDATE sessions
+            SET session_data = JSON_SET(session_data, '$.verified', 'true')
+            WHERE JSON_VALID(session_data);
+        `);
+    },
+
+    async function down(knex) {
+        logging.info('Removing verified property from sessions');
+
+        await knex.raw(`
+            UPDATE sessions
+            SET session_data = JSON_REMOVE(session_data, '$.verified')
+            WHERE JSON_VALID(session_data);
+        `);
+    }
+);

package/core/server/models/comment.js

@@ -202,6 +202,21 @@ const Comment = ghostBookshelf.Model.extend({
         return options;
     },
 
+    async findMostLikedComment(options = {}) {
+        let query = ghostBookshelf.knex('comments')
+            .select('comments.*')
+            .count('comment_likes.id as count__likes') // Counting likes for sorting
+            .leftJoin('comment_likes', 'comments.id', 'comment_likes.comment_id')
+            .groupBy('comments.id') // Group by comment ID to aggregate likes count
+            .orderBy('count__likes', 'desc') // Order by likes in descending order (most likes first)
+            .limit(1); // Limit to just 1 result
+        // Execute the query and get the result
+        const result = await query.first(); // Fetch the single top comment
+        const id = result && result.id;
+        // Fetch the comment model by ID
+        return this.findOne({id}, options);
+    },
+
     async findPage(options) {
         const {withRelated} = this.defaultRelations('findPage', options);
 
@@ -218,6 +233,16 @@ const Comment = ghostBookshelf.Model.extend({
             await model.load(relationsToLoadIndividually, _.omit(options, 'withRelated'));
         }
 
+        // if options.order === 'best', we findMostLikedComment
+        // then we remove it from the result set and add it as the first element
+        if (options.order === 'best' && options.page === '1') {
+            const mostLikedComment = await this.findMostLikedComment(options);
+            if (mostLikedComment) {
+                result.data = result.data.filter(comment => comment.id !== mostLikedComment.id);
+                result.data.unshift(mostLikedComment);
+            }
+        }
+
         return result;
     },
 

package/core/server/services/auth/session/SessionStore.js

@@ -1,5 +1,4 @@
 const {Store} = require('express-session');
-const {InternalServerError} = require('@tryghost/errors');
 
 module.exports = class SessionStore extends Store {
     constructor(SessionModel) {
@@ -29,11 +28,6 @@ module.exports = class SessionStore extends Store {
     }
 
     set(sid, sessionData, callback) {
-        if (!sessionData.user_id) {
-            return callback(new InternalServerError({
-                message: 'Cannot create a session with no user_id'
-            }));
-        }
         this.SessionModel
             .upsert({session_data: sessionData}, {session_id: sid})
             .then(() => {

package/core/server/services/auth/session/index.js

@@ -2,13 +2,21 @@ const adapterManager = require('../../adapter-manager');
 const createSessionService = require('@tryghost/session-service');
 const sessionFromToken = require('@tryghost/mw-session-from-token');
 const createSessionMiddleware = require('./middleware');
+const settingsCache = require('../../../../shared/settings-cache');
+const {GhostMailer} = require('../../mail');
+const {t} = require('../../i18n');
+const labs = require('../../../../shared/labs');
 
 const expressSession = require('./express-session');
 
 const models = require('../../../models');
 const urlUtils = require('../../../../shared/url-utils');
+const {blogIcon} = require('../../../lib/image');
 const url = require('url');
 
+// TODO: We have too many lines here, should move functions out into a utils module
+/* eslint-disable max-lines */
+
 function getOriginOfRequest(req) {
     const origin = req.get('origin');
     const referrer = req.get('referrer') || urlUtils.getAdminUrl() || urlUtils.getSiteUrl();
@@ -28,12 +36,25 @@ function getOriginOfRequest(req) {
     return null;
 }
 
+const mailer = new GhostMailer();
+
 const sessionService = createSessionService({
     getOriginOfRequest,
     getSession: expressSession.getSession,
     findUserById({id}) {
         return models.User.findOne({id, status: 'active'});
-    }
+    },
+    getSettingsCache(key) {
+        return settingsCache.get(key);
+    },
+    getBlogLogo() {
+        return blogIcon.getIconUrl({absolute: true, fallbackToDefault: false})
+            || 'https://static.ghost.org/v4.0.0/images/ghost-orb-1.png';
+    },
+    mailer,
+    urlUtils,
+    labs,
+    t
 });
 
 module.exports = createSessionMiddleware({sessionService});

package/core/server/services/auth/session/middleware.js

@@ -1,19 +1,36 @@
+const errors = require('@tryghost/errors');
+
 function SessionMiddleware({sessionService}) {
     async function createSession(req, res, next) {
         try {
             await sessionService.createSessionForUser(req, res, req.user);
-            res.sendStatus(201);
+
+            const isVerified = await sessionService.isVerifiedSession(req, res);
+            if (isVerified) {
+                res.sendStatus(201);
+            } else {
+                await sessionService.sendAuthCodeToUser(req, res);
+                throw new errors.NoPermissionError({
+                    code: '2FA_TOKEN_REQUIRED',
+                    errorType: 'Needs2FAError',
+                    message: 'User must verify session to login.'
+                });
+            }
         } catch (err) {
             next(err);
         }
     }
 
-    async function destroySession(req, res, next) {
+    async function logout(req, res, next) {
         try {
-            await sessionService.destroyCurrentSession(req);
+            await sessionService.removeUserForSession(req, res);
             res.sendStatus(204);
         } catch (err) {
-            next(err);
+            if (errors.utils.isGhostError(err)) {
+                next(err);
+            } else {
+                next(new errors.InternalServerError({err}));
+            }
         }
     }
 
@@ -21,6 +38,11 @@ function SessionMiddleware({sessionService}) {
         try {
             const user = await sessionService.getUserForSession(req, res);
             if (user) {
+                const isVerified = await sessionService.isVerifiedSession(req, res);
+                if (!isVerified) {
+                    return next();
+                }
+
                 // Do not nullify `req.user` as it might have been already set
                 // in a previous middleware (authorize middleware).
                 req.user = user;
@@ -31,10 +53,37 @@ function SessionMiddleware({sessionService}) {
         }
     }
 
+    async function sendAuthCode(req, res, next) {
+        try {
+            await sessionService.sendAuthCodeToUser(req, res);
+
+            res.sendStatus(200);
+        } catch (err) {
+            next(err);
+        }
+    }
+
+    async function verifyAuthCode(req, res, next) {
+        try {
+            const verified = await sessionService.verifyAuthCodeForUser(req, res);
+
+            if (verified) {
+                await sessionService.verifySession(req, res);
+                res.sendStatus(200);
+            } else {
+                res.sendStatus(401);
+            }
+        } catch (err) {
+            next(err);
+        }
+    }
+
     return {
         createSession: createSession,
-        destroySession: destroySession,
-        authenticate: authenticate
+        logout: logout,
+        authenticate: authenticate,
+        sendAuthCode: sendAuthCode,
+        verifyAuthCode: verifyAuthCode
     };
 }
 

package/core/server/services/url/Queue.js

@@ -93,7 +93,7 @@ class Queue extends EventEmitter {
             };
         }
 
-        debug('add', options.event, options.tolerance);
+        debug('register', options.event, options.tolerance);
 
         this.queue[options.event].subscribers.push(fn);
     }
@@ -103,19 +103,20 @@ class Queue extends EventEmitter {
      * @param {Object} options
      */
     run(options) {
-        const event = options.event;
-        const action = options.action;
-        const eventData = options.eventData;
+        const {event, action, eventData} = options;
 
         clearTimeout(this.toNotify[action].timeout);
         this.toNotify[action].timeout = null;
 
-        debug('run', action, event, this.queue[event].subscribers.length, this.toNotify[action].notified.length);
+        const subscribers = this.queue[event].subscribers;
+        const notified = this.toNotify[action].notified;
 
-        if (this.queue[event].subscribers.length && this.queue[event].subscribers.length !== this.toNotify[action].notified.length) {
-            const fn = this.queue[event].subscribers[this.toNotify[action].notified.length];
+        debug('run', action, event, subscribers.length, notified.length);
 
-            debug('execute', action, event, this.toNotify[action].notified.length);
+        if (subscribers.length && subscribers.length !== notified.length) {
+            const fn = subscribers[notified.length];
+
+            debug('run.execute', action, event, notified.length);
 
             /**
              * @NOTE: Currently no async operations happen in the subscribers functions.
@@ -124,7 +125,7 @@ class Queue extends EventEmitter {
             try {
                 fn(eventData);
 
-                debug('executed', action, event, this.toNotify[action].notified.length);
+                debug('run.executed', action, event, notified.length);
                 this.toNotify[action].notified.push(fn);
                 this.run(options);
             } catch (err) {
@@ -144,15 +145,15 @@ class Queue extends EventEmitter {
             // CASE 3: wait for more subscribers, i am still tolerant
             if (this.queue[event].tolerance === 0) {
                 delete this.toNotify[action];
-                debug('ended (1)', event, action);
+                debug('run.ended (1)', event, action);
                 this.emit('ended', event);
-            } else if (this.queue[options.event].subscribers.length >= this.queue[options.event].requiredSubscriberCount &&
+            } else if (subscribers.length >= this.queue[event].requiredSubscriberCount &&
                 this.toNotify[action].timeoutInMS > this.queue[event].tolerance) {
                 delete this.toNotify[action];
-                debug('ended (2)', event, action);
+                debug('run.ended (2)', event, action);
                 this.emit('ended', event);
             } else {
-                debug('retry', event, action, this.toNotify[action].timeoutInMS);
+                debug('run.retry', event, action, this.toNotify[action].timeoutInMS);
 
                 this.toNotify[action].timeoutInMS = this.toNotify[action].timeoutInMS * 1.1;
 

package/core/server/services/url/Resources.js

@@ -128,12 +128,13 @@ class Resources {
             modelOptions.limit = options.limit;
         }
 
+        const now = Date.now();
         const objects = await models.Base.Model.raw_knex.fetchAll(modelOptions);
-        debug('fetched', resourceConfig.type, objects.length);
+        debug('_fetch.fetched', resourceConfig.type, objects.length, `${Date.now() - now}ms`);
 
-        _.each(objects, (object) => {
+        for (const object of objects) {
             this.data[resourceConfig.type].push(new Resource(resourceConfig.type, object));
-        });
+        }
 
         if (objects.length && isSQLite) {
             options.offset = options.offset + options.limit;

package/core/server/services/url/UrlGenerator.js

@@ -1,4 +1,3 @@
-const _ = require('lodash');
 const nql = require('@tryghost/nql');
 const debug = require('@tryghost/debug')('services:url:generator');
 const localUtils = require('../../../shared/url-utils');
@@ -121,16 +120,14 @@ class UrlGenerator {
      * @private
      */
     _onInit() {
-        debug('_onInit', this.resourceType);
-
         // @NOTE: get the resources of my type e.g. posts.
         const resources = this.resources.getAllByType(this.resourceType);
 
-        debug(resources.length);
+        debug('_onInit', this.resourceType, resources.length);
 
-        _.each(resources, (resource) => {
+        for (const resource of resources) {
             this._try(resource);
-        });
+        }
     }
 
     /**
@@ -141,7 +138,7 @@ class UrlGenerator {
      * @private
      */
     _onAdded(event) {
-        debug('onAdded', this.toString());
+        debug('_onAdded', this.toString());
 
         // CASE: you are type "pages", but the incoming type is "users"
         if (event.type !== this.resourceType) {
@@ -149,7 +146,6 @@ class UrlGenerator {
         }
 
         const resource = this.resources.getByIdAndType(event.type, event.id);
-
         this._try(resource);
     }
 

package/core/server/services/url/UrlService.js

@@ -1,5 +1,4 @@
-const _debug = require('@tryghost/debug')._base;
-const debug = _debug('ghost:services:url:service');
+const debug = require('@tryghost/debug')('services:url:service');
 const _ = require('lodash');
 const errors = require('@tryghost/errors');
 const labs = require('../../../shared/labs');
@@ -92,7 +91,7 @@ class UrlService {
      * @param {String} permalink
      */
     onRouterAddedType(identifier, filter, resourceType, permalink) {
-        debug('Registering route: ', filter, resourceType, permalink);
+        debug('Registering route:', filter, resourceType, permalink);
 
         let urlGenerator = new UrlGenerator({
             identifier,

package/core/server/services/url/Urls.js

@@ -37,11 +37,8 @@ class Urls {
      * @param {string} options.url
      */
     add(options) {
-        const url = options.url;
-        const generatorId = options.generatorId;
-        const resource = options.resource;
-
-        debug('cache', url);
+        const {url, generatorId, resource} = options;
+        debug('add', resource.data.id, url);
 
         if (this.urls[resource.data.id]) {
             const error = new errors.InternalServerError({
@@ -131,7 +128,7 @@ class Urls {
             return;
         }
 
-        debug('removed', this.urls[id].url, this.urls[id].generatorId);
+        debug('removeResourceId', this.urls[id].url, this.urls[id].generatorId);
 
         events.emit('url.removed', {
             url: this.urls[id].url,

package/core/server/web/api/endpoints/admin/routes.js

@@ -243,6 +243,8 @@ module.exports = function apiRoutes() {
         http(api.session.add)
     );
     router.del('/session', mw.authAdminApi, http(api.session.delete));
+    router.post('/session/verify', shared.middleware.brute.sendVerificationCode, http(api.session.sendVerification));
+    router.put('/session/verify', shared.middleware.brute.userVerification, http(api.session.verify));
 
     // ## Identity
     router.get('/identities', mw.authAdminApi, http(api.identities.read));