ghost 6.0.5 → 6.0.7

package/core/server/services/members/members-ssr.js

@@ -156,12 +156,13 @@ class MembersSSR {
      * @method _getMemberDataFromToken
      *
      * @param {JWT} token
+     * @param {string} [otcVerification]
      *
      * @returns {Promise<Member>} member
      */
-    async _getMemberDataFromToken(token) {
+    async _getMemberDataFromToken(token, otcVerification) {
         const api = await this._getMembersApi();
-        return api.getMemberDataFromMagicLinkToken(token);
+        return api.getMemberDataFromMagicLinkToken(token, otcVerification);
     }
 
     /**
@@ -234,7 +235,8 @@ class MembersSSR {
         }
 
         const token = Array.isArray(query.token) ? query.token[0] : query.token;
-        const member = await this._getMemberDataFromToken(token);
+        const otcVerification = Array.isArray(query.otc_verification) ? query.otc_verification[0] : query.otc_verification;
+        const member = await this._getMemberDataFromToken(token, otcVerification);
 
         if (!member) {
             // The member doesn't exist any longer (could be a sign in token for a member that was deleted)

package/core/server/services/members/middleware.js

@@ -332,8 +332,8 @@ const createSessionFromMagicLink = async function createSessionFromMagicLink(req
     // req.query is a plain object, copy it to a URLSearchParams object so we can call toString()
     const searchParams = new URLSearchParams('');
     Object.keys(req.query).forEach((param) => {
-        // don't copy the "token" or "r" params
-        if (param !== 'token' && param !== 'r') {
+        // don't copy the "token", "r", or "otc_verification" params
+        if (param !== 'token' && param !== 'r' && param !== 'otc_verification') {
             searchParams.set(param, req.query[param]);
         }
     });

package/core/server/services/stats/PostsStatsService.js

@@ -74,7 +74,7 @@ const {getDateBoundaries, applyDateFilter} = require('./utils/date-utils');
 /**
  * @typedef {Object} NewsletterSubscriberStats
  * @property {number} total - Total current subscriber count
- * @property {Array<{date: string, value: number}>} deltas - Daily subscription deltas
+ * @property {Array<{date: string, value: number}>} values - Daily subscription cumulative values
  */
 
 class PostsStatsService {
@@ -932,7 +932,7 @@ class PostsStatsService {
      * @param {string} [options.date_from] - Optional start date filter (YYYY-MM-DD)
      * @param {string} [options.date_to] - Optional end date filter (YYYY-MM-DD)
      * @param {string} [options.timezone] - Timezone to use for date interpretation
-     * @returns {Promise<{data: Array<{total: number, deltas: Array<{date: string, value: number}>}>}>} The newsletter subscriber stats
+     * @returns {Promise<{data: Array<{total: number, values: Array<{date: string, value: number}>}>}>} The newsletter subscriber stats with cumulative values
      */
     async getNewsletterSubscriberStats(newsletterId, options = {}) {
         try {
@@ -956,25 +956,42 @@ class PostsStatsService {
             const totalValue = totalResult[0] ? totalResult[0].total : 0;
             const total = parseInt(String(totalValue), 10);
 
-            // Transform raw database results to properly typed objects
-            const deltas = [];
+            // Transform raw database results (daily changes) to cumulative values
+            const values = [];
+            let cumulativeTotal = 0;
+            
+            // First pass: collect all daily changes from database
+            const dailyChanges = [];
             for (const row of rawDeltas) {
                 if (row) {
                     // @ts-ignore
                     const dateValue = row.date || '';
                     // @ts-ignore
-                    const deltaValue = row.value || 0;
-                    deltas.push({
+                    const changeValue = row.value || 0;
+                    dailyChanges.push({
                         date: String(dateValue),
-                        value: parseInt(String(deltaValue), 10)
+                        change: parseInt(String(changeValue), 10)
                     });
                 }
             }
+            
+            // Calculate the starting point by working backwards from the current total
+            const totalChange = dailyChanges.reduce((sum, item) => sum + item.change, 0);
+            cumulativeTotal = total - totalChange;
+            
+            // Second pass: build cumulative values from daily changes
+            for (const dayData of dailyChanges) {
+                cumulativeTotal += dayData.change;
+                values.push({
+                    date: dayData.date,
+                    value: cumulativeTotal
+                });
+            }
 
             return {
                 data: [{
                     total,
-                    deltas
+                    values
                 }]
             };
         } catch (error) {
@@ -982,7 +999,7 @@ class PostsStatsService {
             return {
                 data: [{
                     total: 0,
-                    deltas: []
+                    values: []
                 }]
             };
         }

package/core/server/services/stats/StatsService.js

@@ -156,7 +156,7 @@ class StatsService {
         
         // If no newsletterId is provided, we can't get specific stats
         if (!newsletterId) {
-            return {data: [{total: 0, deltas: []}]};
+            return {data: [{total: 0, values: []}]};
         }
         
         const result = await this.posts.getNewsletterSubscriberStats(newsletterId, otherOptions);

package/core/server/web/members/app.js

@@ -41,7 +41,7 @@ module.exports = function setupMembersApp() {
     // We don't want to add global bodyParser middleware as that interferes with stripe webhook requests on - `/webhooks`.
 
     // Manage newsletter subscription via unsubscribe link - these should be authenticated by uuid and hashed key
-    membersApp.get('/api/member/newsletters', 
+    membersApp.get('/api/member/newsletters',
         middleware.authMemberByUuid,
         middleware.getMemberNewsletters
     );
@@ -59,7 +59,7 @@ module.exports = function setupMembersApp() {
     } else {
         membersApp.get('/api/member', middleware.getMemberData);
     }
-    
+
     membersApp.put('/api/member', bodyParser.json({limit: '50mb'}), middleware.updateMemberData);
     membersApp.post('/api/member/email', bodyParser.json({limit: '50mb'}), (req, res, next) => membersService.api.middleware.updateEmailAddress(req, res, next));
 
@@ -72,7 +72,6 @@ module.exports = function setupMembersApp() {
 
     membersApp.get('/api/integrity-token', middleware.createIntegrityToken);
 
-    // NOTE: this is wrapped in a function to ensure we always go via the getter
     membersApp.post(
         '/api/send-magic-link',
         bodyParser.json(),
@@ -81,10 +80,20 @@ module.exports = function setupMembersApp() {
         shared.middleware.brute.membersAuthEnumeration,
         // Prevent brute forcing passwords for the same email address
         shared.middleware.brute.membersAuth,
+        // NOTE: this is wrapped in a function to ensure we always go via the getter
         function lazySendMagicLinkMw(req, res, next) {
             return membersService.api.middleware.sendMagicLink(req, res, next);
         }
     );
+    membersApp.post(
+        '/api/verify-otc',
+        bodyParser.json(),
+        middleware.verifyIntegrityToken,
+        // NOTE: this is wrapped in a function to ensure we always go via the getter
+        function lazyVerifyOTCMw(req, res, next) {
+            return membersService.api.middleware.verifyOTC(req, res, next);
+        }
+    );
     membersApp.post('/api/create-stripe-checkout-session', function lazyCreateCheckoutSessionMw(req, res, next) {
         return membersService.api.middleware.createCheckoutSession(req, res, next);
     });

package/core/shared/config/defaults.json

@@ -212,7 +212,7 @@
     },
     "portal": {
         "url": "https://cdn.jsdelivr.net/ghost/portal@~{version}/umd/portal.min.js",
-        "version": "2.52"
+        "version": "2.53"
     },
     "sodoSearch": {
         "url": "https://cdn.jsdelivr.net/ghost/sodo-search@~{version}/umd/sodo-search.min.js",

package/core/shared/labs.js

@@ -47,7 +47,9 @@ const PRIVATE_FEATURES = [
     'lexicalIndicators',
     'contentVisibilityAlpha',
     'emailCustomization',
-    'membersSigninOTC'
+    'membersSigninOTC',
+    'tagsX',
+    'utmTracking'
 ];
 
 module.exports.GA_KEYS = [...GA_FEATURES];

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ghost",
-  "version": "6.0.5",
+  "version": "6.0.7",
   "description": "The professional publishing platform",
   "author": "Ghost Foundation",
   "homepage": "https://ghost.org",
@@ -86,7 +86,7 @@
     "@tryghost/helpers": "1.1.97",
     "@tryghost/html-to-plaintext": "1.0.4",
     "@tryghost/http-cache-utils": "0.1.20",
-    "@tryghost/i18n": "file:components/tryghost-i18n-6.0.5.tgz",
+    "@tryghost/i18n": "file:components/tryghost-i18n-6.0.7.tgz",
     "@tryghost/image-transform": "1.4.6",
     "@tryghost/job-manager": "1.0.3",
     "@tryghost/kg-card-factory": "5.1.2",
@@ -181,7 +181,7 @@
     "knex-migrator": "5.3.2",
     "leaky-bucket": "2.2.0",
     "lodash": "4.17.21",
-    "luxon": "3.7.1",
+    "luxon": "3.7.2",
     "mailgun.js": "10.4.0",
     "metascraper": "5.45.15",
     "metascraper-author": "5.45.10",
@@ -232,14 +232,14 @@
     "@types/bookshelf": "1.2.9",
     "@types/common-tags": "1.8.4",
     "@types/jsonwebtoken": "9.0.10",
-    "@types/node": "22.17.2",
+    "@types/node": "22.18.1",
     "@types/node-jose": "1.1.13",
     "@types/nodemailer": "6.4.19",
     "@types/sinon": "17.0.4",
     "@types/supertest": "6.0.3",
     "c8": "10.1.3",
     "cli-progress": "3.12.0",
-    "cssnano": "7.1.0",
+    "cssnano": "7.1.1",
     "detect-indent": "6.1.0",
     "detect-newline": "3.1.0",
     "expect": "29.7.0",
@@ -250,7 +250,7 @@
     "inquirer": "8.2.7",
     "jwk-to-pem": "2.0.7",
     "jwks-rsa": "3.2.0",
-    "mocha": "11.7.1",
+    "mocha": "11.7.2",
     "mocha-slow-test-reporter": "0.1.2",
     "mock-knex": "TryGhost/mock-knex#68948e11b0ea4fe63456098dfdc169bea7f62009",
     "nock": "13.5.6",
@@ -258,13 +258,13 @@
     "parse-prometheus-text-format": "1.1.1",
     "postcss": "8.5.6",
     "postcss-cli": "11.0.1",
-    "rewire": "6.0.0",
+    "rewire": "8.0.0",
     "should": "13.2.3",
     "sinon": "18.0.1",
     "supertest": "6.3.4",
     "tmp": "0.2.3",
     "toml": "3.0.0",
-    "tsx": "4.20.4",
+    "tsx": "4.20.5",
     "typescript": "5.8.3"
   },
   "resolutions": {
@@ -273,7 +273,7 @@
     "jackspeak": "2.3.6",
     "moment": "2.24.0",
     "moment-timezone": "0.5.45",
-    "@tryghost/i18n": "file:components/tryghost-i18n-6.0.5.tgz"
+    "@tryghost/i18n": "file:components/tryghost-i18n-6.0.7.tgz"
   },
   "nx": {
     "targets": {