ghost 6.0.6 → 6.0.7

package/core/server/data/tinybird/tests/api_top_utm_terms.yaml

@@ -0,0 +1,108 @@
+
+- name: Date range
+  description: All fixture data
+  parameters: site_uuid=mock_site_uuid&date_from=2100-01-01&date_to=2100-01-07&timezone=Etc/UTC
+  expected_result: |
+    {"utm_term":"ghost cms","visits":6}
+    {"utm_term":"blog software","visits":3}
+    {"utm_term":"content management","visits":3}
+    {"utm_term":"newsletter platform","visits":3}
+    {"utm_term":"membership site","visits":1}
+
+- name: Filtered by browser - Chrome
+  description: Filtered by browser - Chrome
+  parameters: site_uuid=mock_site_uuid&date_from=2100-01-01&date_to=2100-01-07&timezone=Etc/UTC&browser=chrome
+  expected_result: |
+    {"utm_term":"ghost cms","visits":4}
+    {"utm_term":"blog software","visits":1}
+    {"utm_term":"content management","visits":1}
+    {"utm_term":"newsletter platform","visits":1}
+
+- name: Filtered by device - desktop
+  description: Filtered by device - desktop
+  parameters: site_uuid=mock_site_uuid&date_from=2100-01-01&date_to=2100-01-07&timezone=Etc/UTC&device=desktop
+  expected_result: |
+    {"utm_term":"ghost cms","visits":6}
+    {"utm_term":"blog software","visits":3}
+    {"utm_term":"content management","visits":3}
+    {"utm_term":"newsletter platform","visits":2}
+    {"utm_term":"membership site","visits":1}
+
+- name: Filtered by location - UK
+  description: Filtered by location - UK
+  parameters: site_uuid=mock_site_uuid&date_from=2100-01-01&date_to=2100-01-07&timezone=Etc/UTC&location=GB
+  expected_result: |
+    {"utm_term":"ghost cms","visits":3}
+    {"utm_term":"blog software","visits":2}
+    {"utm_term":"newsletter platform","visits":2}
+    {"utm_term":"content management","visits":1}
+
+- name: Filtered by OS - Windows
+  description: Filtered by OS - Windows
+  parameters: site_uuid=mock_site_uuid&date_from=2100-01-01&date_to=2100-01-07&timezone=Etc/UTC&os=windows
+  expected_result: |
+    {"utm_term":"ghost cms","visits":5}
+    {"utm_term":"blog software","visits":3}
+    {"utm_term":"content management","visits":3}
+    {"utm_term":"newsletter platform","visits":2}
+    {"utm_term":"membership site","visits":1}
+
+- name: Filtered by pathname - /about/
+  description: Filtered by pathname - /about/
+  parameters: site_uuid=mock_site_uuid&date_from=2100-01-01&date_to=2100-01-07&timezone=Etc/UTC&pathname=%2Fabout%2F
+  expected_result: |
+    {"utm_term":"ghost cms","visits":4}
+    {"utm_term":"content management","visits":2}
+    {"utm_term":"blog software","visits":1}
+    {"utm_term":"newsletter platform","visits":1}
+
+- name: Filtered by post_uuid - 06b1b0c9-fb53-4a15-a060-3db3fde7b1fc (/about/)
+  description: Filtered by post_uuid - 06b1b0c9-fb53-4a15-a060-3db3fde7b1fc (/about/)
+  parameters: site_uuid=mock_site_uuid&date_from=2100-01-01&date_to=2100-01-07&timezone=Etc/UTC&post_uuid=06b1b0c9-fb53-4a15-a060-3db3fde7b1fc
+  expected_result: |
+    {"utm_term":"ghost cms","visits":4}
+    {"utm_term":"content management","visits":2}
+    {"utm_term":"blog software","visits":1}
+    {"utm_term":"newsletter platform","visits":1}
+
+- name: Filtered by source - bing.com
+  description: Filtered by source - bing.com
+  parameters: site_uuid=mock_site_uuid&date_from=2100-01-01&date_to=2100-01-07&timezone=Etc/UTC&source=bing.com
+  expected_result: |
+    {"utm_term":"content management","visits":2}
+
+- name: Filtered by member status - paid
+  description: Filtered by member status - paid
+  parameters: site_uuid=mock_site_uuid&date_from=2100-01-01&date_to=2100-01-07&timezone=Etc/UTC&member_status=paid
+  expected_result: |
+    {"utm_term":"blog software","visits":2}
+    {"utm_term":"ghost cms","visits":2}
+    {"utm_term":"content management","visits":1}
+
+- name: Filtered by member status - undefined
+  description: Filtered by member status - undefined
+  parameters: site_uuid=mock_site_uuid&date_from=2100-01-01&date_to=2100-01-07&timezone=Etc/UTC&member_status=undefined
+  expected_result: |
+    {"utm_term":"newsletter platform","visits":3}
+    {"utm_term":"blog software","visits":1}
+    {"utm_term":"membership site","visits":1}
+    {"utm_term":"ghost cms","visits":1}
+
+- name: Filtered by timezone - America/Los_Angeles
+  description: Filtered by timezone - America/Los_Angeles
+  parameters: site_uuid=mock_site_uuid&date_from=2100-01-01&date_to=2100-01-07&timezone=America/Los_Angeles
+  expected_result: |
+    {"utm_term":"ghost cms","visits":5}
+    {"utm_term":"blog software","visits":3}
+    {"utm_term":"content management","visits":2}
+    {"utm_term":"newsletter platform","visits":2}
+    {"utm_term":"membership site","visits":1}
+
+- name: Test with multiple filters combined
+  description: Test with multiple filters combined
+  parameters: site_uuid=mock_site_uuid&date_from=2100-01-01&date_to=2100-01-07&timezone=Etc/UTC&device=desktop&browser=firefox
+  expected_result: |
+    {"utm_term":"blog software","visits":2}
+    {"utm_term":"membership site","visits":1}
+    {"utm_term":"content management","visits":1}
+    {"utm_term":"newsletter platform","visits":1}

package/core/server/services/lib/magic-link/MagicLink.js

@@ -12,14 +12,19 @@ const messages = {
  * @typedef { string } URL
  */
 
+/**
+ * @typedef {Object} TokenValidateOptions
+ * @prop {string} [otcVerification] - "timestamp:hash" string used to verify an OTC-bound token
+ */
+
 /**
  * @template T
  * @template D
  * @typedef {Object} TokenProvider<T, D>
  * @prop {(data: D) => Promise<T>} create
- * @prop {(token: T) => Promise<D>} validate
+ * @prop {(token: T, options?: TokenValidateOptions) => Promise<D>} validate
  * @prop {(token: T) => Promise<string | null>} [getIdByToken]
- * @prop {(tokenId: string, tokenValue: T) => string} [deriveOTC]
+ * @prop {(otcRef: string, tokenValue: T) => string} [deriveOTC]
  */
 
 /**
@@ -32,7 +37,7 @@ class MagicLink {
      * @param {object} options
      * @param {MailTransporter} options.transporter
      * @param {TokenProvider<Token, TokenData>} options.tokenProvider
-     * @param {(token: Token, type: string, referrer?: string) => URL} options.getSigninURL
+     * @param {(token: Token, type: string, referrer?: string, otcVerification?: string) => URL} options.getSigninURL
      * @param {typeof defaultGetText} [options.getText]
      * @param {typeof defaultGetHTML} [options.getHTML]
      * @param {typeof defaultGetSubject} [options.getSubject]
@@ -62,7 +67,7 @@ class MagicLink {
      * @param {string} [options.type='signin'] - The type to be passed to the url and content generator functions
      * @param {string} [options.referrer=null] - The referrer of the request, if exists. The member will be redirected back to this URL after signin.
      * @param {boolean} [options.includeOTC=false] - Whether to send a one-time-code in the email.
-     * @returns {Promise<{token: Token, tokenId: string | null, info: SentMessageInfo}>}
+     * @returns {Promise<{token: Token, otcRef: string | null, info: SentMessageInfo}>}
      */
     async sendMagicLink(options) {
         this.sentry?.captureMessage?.(`[Magic Link] Generating magic link`, {extra: options});
@@ -96,21 +101,21 @@ class MagicLink {
             html: this.getHTML(url, type, options.email, otc)
         });
 
-        // return tokenId so we can pass it as a reference to the client so it
+        // return otcRef so we can pass it as a reference to the client so it
         // can pass it back as a reference when verifying the OTC. We only do
         // this if we've successfully generated an OTC to avoid clients showing
         // a token input field when the email doesn't contain an OTC
-        let tokenId = null;
+        let otcRef = null;
         if (this.labsService?.isSet('membersSigninOTC') && otc) {
             try {
-                tokenId = await this.getIdFromToken(token);
+                otcRef = await this.getIdFromToken(token);
             } catch (err) {
                 this.sentry?.captureException?.(err);
-                tokenId = null;
+                otcRef = null;
             }
         }
 
-        return {token, tokenId, info};
+        return {token, otcRef, info};
     }
 
     /**
@@ -165,10 +170,11 @@ class MagicLink {
      * getDataFromToken
      *
      * @param {Token} token - The token to decode
+     * @param {string} [otcVerification] - Optional "timestamp:hash" to bind token usage to an OTC verification window
      * @returns {Promise<TokenData>} data - The data object associated with the magic link
      */
-    async getDataFromToken(token) {
-        const tokenData = await this.tokenProvider.validate(token);
+    async getDataFromToken(token, otcVerification) {
+        const tokenData = await this.tokenProvider.validate(token, {otcVerification});
         return tokenData;
     }
 }

package/core/server/services/members/MembersConfigProvider.js

@@ -82,7 +82,14 @@ class MembersConfigProvider {
         };
     }
 
-    getSigninURL(token, type, referrer) {
+    /**
+     * @param {string} token
+     * @param {string} type - also known as "action", e.g. "signin" or "signup"
+     * @param {string} [referrer] - optional URL for redirecting to after signin
+     * @param {string} [otcVerification] - optional for verifying an OTC signin redirect
+     * @returns {string}
+     */
+    getSigninURL(token, type, referrer, otcVerification) {
         const siteUrl = this._urlUtils.urlFor({relativeUrl: '/members/'}, true);
         const signinURL = new URL(siteUrl);
         signinURL.searchParams.set('token', token);
@@ -90,6 +97,9 @@ class MembersConfigProvider {
         if (referrer) {
             signinURL.searchParams.set('r', referrer);
         }
+        if (otcVerification) {
+            signinURL.searchParams.set('otc_verification', otcVerification);
+        }
         return signinURL.toString();
     }
 }

package/core/server/services/members/SingleUseTokenProvider.js

@@ -1,8 +1,17 @@
 // @ts-check
 const {ValidationError} = require('@tryghost/errors');
+const tpl = require('@tryghost/tpl');
 const crypto = require('node:crypto');
 const {hotp} = require('otplib');
 
+const messages = {
+    OTC_SECRET_NOT_CONFIGURED: 'OTC secret not configured',
+    INVALID_OTC_VERIFICATION_HASH: 'Invalid OTC verification hash',
+    INVALID_TOKEN: 'Invalid token provided',
+    TOKEN_EXPIRED: 'Token expired',
+    DERIVE_OTC_MISSING_INPUT: 'tokenId and tokenValue are required'
+};
+
 class SingleUseTokenProvider {
     /**
      * @param {Object} dependencies
@@ -43,6 +52,9 @@ class SingleUseTokenProvider {
      * If the token is invalid the returned Promise will reject.
      *
      * @param {string} token
+     * @param {Object} [options] - Optional configuration object
+     * @param {Object} [options.transacting] - Database transaction object
+     * @param {string} [options.otcVerification] - OTC verification hash for additional validation
      *
      * @returns {Promise<Object<string, any>>}
      */
@@ -56,17 +68,29 @@ class SingleUseTokenProvider {
             });
         }
 
+        if (options.otcVerification) {
+            const isValidOTCVerification = await this._validateOTCVerificationHash(options.otcVerification, token);
+            if (!isValidOTCVerification) {
+                throw new ValidationError({
+                    message: tpl(messages.INVALID_OTC_VERIFICATION_HASH),
+                    code: 'INVALID_OTC_VERIFICATION_HASH'
+                });
+            }
+        }
+
         const model = await this.model.findOne({token}, {transacting: options.transacting, forUpdate: true});
 
         if (!model) {
             throw new ValidationError({
-                message: 'Invalid token provided'
+                message: tpl(messages.INVALID_TOKEN),
+                code: 'INVALID_TOKEN'
             });
         }
 
         if (model.get('used_count') >= this.maxUsageCount) {
             throw new ValidationError({
-                message: 'Token expired'
+                message: tpl(messages.TOKEN_EXPIRED),
+                code: 'TOKEN_EXPIRED'
             });
         }
 
@@ -79,7 +103,8 @@ class SingleUseTokenProvider {
 
             if (timeSinceFirstUsage > this.validityPeriodAfterUsage) {
                 throw new ValidationError({
-                    message: 'Token expired'
+                    message: tpl(messages.TOKEN_EXPIRED),
+                    code: 'TOKEN_EXPIRED'
                 });
             }
         }
@@ -87,7 +112,8 @@ class SingleUseTokenProvider {
 
         if (tokenLifetimeMilliseconds > this.validityPeriod) {
             throw new ValidationError({
-                message: 'Token expired'
+                message: tpl(messages.TOKEN_EXPIRED),
+                code: 'TOKEN_EXPIRED'
             });
         }
 
@@ -137,13 +163,15 @@ class SingleUseTokenProvider {
     deriveOTC(tokenId, tokenValue) {
         if (!this.secret) {
             throw new ValidationError({
-                message: 'Cannot derive OTC: secret not configured'
+                message: tpl(messages.OTC_SECRET_NOT_CONFIGURED),
+                code: 'OTC_SECRET_NOT_CONFIGURED'
             });
         }
 
         if (!tokenId || !tokenValue) {
             throw new ValidationError({
-                message: 'Cannot derive OTC: tokenId and tokenValue are required'
+                message: tpl(messages.DERIVE_OTC_MISSING_INPUT),
+                code: 'DERIVE_OTC_MISSING_INPUT'
             });
         }
 
@@ -151,6 +179,34 @@ class SingleUseTokenProvider {
         return hotp.generate(this.secret, counter);
     }
 
+    /**
+     * @method verifyOTC
+     * Verifies an OTC (one-time code) by looking up the token and performing HOTP verification
+     *
+     * @param {string} otcRef - Reference for the one-time code
+     * @param {string} otc - The one-time code to verify
+     * @returns {Promise<boolean>} Returns true if the OTC is valid, false otherwise
+     */
+    async verifyOTC(otcRef, otc) {
+        if (!this.secret || !otcRef || !otc) {
+            return false;
+        }
+
+        try {
+            const model = await this.model.findOne({id: otcRef});
+
+            if (!model) {
+                return false;
+            }
+
+            const tokenValue = model.get('token');
+            const counter = this.deriveCounter(otcRef, tokenValue);
+            return hotp.verify({token: otc, secret: this.secret, counter});
+        } catch (err) {
+            return false;
+        }
+    }
+
     /**
      * @method getIdByToken
      * Retrieves the ID associated with a given token.
@@ -166,6 +222,103 @@ class SingleUseTokenProvider {
             return null;
         }
     }
+
+    /**
+     * @method getTokenByRef
+     * Retrieves the token associated with a given reference.
+     *
+     * @param {string} ref - The reference to look up.
+     * @returns {Promise<string|null>} The token if found, or null if not found or on error.
+     */
+    async getTokenByRef(ref) {
+        try {
+            const model = await this.model.findOne({id: ref});
+            return model ? model.get('token') : null;
+        } catch (err) {
+            return null;
+        }
+    }
+
+    /**
+     * @method createOTCVerificationHash
+     * Creates an OTC verification hash for a given token and one-time code.
+     *
+     * @param {string} otc - The one-time code
+     * @param {string} token - The token value
+     * @param {number} [timestamp] - Optional timestamp to use for the hash, defaults to current time
+     * @returns {string} The OTC verification hash
+     */
+    createOTCVerificationHash(otc, token, timestamp) {
+        if (!this.secret) {
+            throw new ValidationError({
+                message: tpl(messages.OTC_SECRET_NOT_CONFIGURED),
+                code: 'OTC_SECRET_NOT_CONFIGURED'
+            });
+        }
+
+        // timestamp allows us to restrict the hash's lifetime window
+        timestamp ??= Math.floor(Date.now() / 1000);
+
+        const dataToHash = `${otc}:${token}:${timestamp}`;
+
+        const secret = Buffer.from(this.secret, 'hex');
+        const hmac = crypto.createHmac('sha256', secret);
+        hmac.update(dataToHash);
+
+        return hmac.digest('hex');
+    }
+
+    /**
+     * @private
+     * @method _validateOTCVerificationHash
+     * Validates OTC verification hash by recreating and comparing the hash.
+     * Private because it's only used internally by the public validate method.
+     *
+     * @param {string} otcVerificationHash - The hash to validate (timestamp:hash format)
+     * @param {string} token - The token value
+     * @returns {Promise<boolean>} - True if hash is valid, false otherwise
+     */
+    async _validateOTCVerificationHash(otcVerificationHash, token) {
+        try {
+            if (!this.secret || !otcVerificationHash || !token) {
+                return false;
+            }
+
+            // Parse timestamp:hash format
+            const parts = otcVerificationHash.split(':');
+            if (parts.length !== 2) {
+                return false;
+            }
+
+            const timestamp = parseInt(parts[0]);
+            const providedHash = parts[1];
+
+            // Check if hash is expired (5 minute window)
+            const now = Math.floor(Date.now() / 1000);
+            const maxAge = 5 * 60; // 5 minutes in seconds
+            if (now - timestamp > maxAge) {
+                return false;
+            }
+
+            const tokenId = await this.getIdByToken(token);
+            if (!tokenId) {
+                return false;
+            }
+
+            // Derive the original OTC that was used to create this hash
+            const otc = this.deriveOTC(tokenId, token);
+
+            const expectedHash = this.createOTCVerificationHash(otc, token, timestamp);
+
+            // Compare the hashes using constant-time comparison to prevent timing attacks
+            return crypto.timingSafeEqual(
+                Buffer.from(providedHash, 'hex'),
+                Buffer.from(expectedHash, 'hex')
+            );
+        } catch (err) {
+            return false;
+        }
+    }
 }
 
 module.exports = SingleUseTokenProvider;

package/core/server/services/members/api.js

@@ -90,7 +90,7 @@ function createApiInstance(config) {
                 case 'signin':
                 default:
                     if (otc) {
-                        return `🔑 ${t('Your verification code for {siteTitle}', {siteTitle, interpolation: {escapeValue: false}})}`;
+                        return `🔑 ${t('Sign in to {siteTitle} with code {otc}', {siteTitle, otc, interpolation: {escapeValue: false}})}`;
                     } else {
                         return `🔑 ${t(`Secure sign in link for {siteTitle}`, {siteTitle, interpolation: {escapeValue: false}})}`;
                     }

package/core/server/services/members/emails/signin.js

@@ -6,7 +6,7 @@ module.exports = ({t, siteTitle, email, url, otc, accentColor = '#15212A', siteD
     <meta name="viewport" content="width=device-width">
     <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
     ${otc
-        ? `<title>🔑 ${t('Your verification code for {siteTitle}', {siteTitle, interpolation: {escapeValue: false}})}</title>`
+        ? `<title>🔑 ${t('Sign in to {siteTitle} with code {otc}', {siteTitle, otc, interpolation: {escapeValue: false}})}</title>`
         : `<title>🔑 ${t('Secure sign in link for {siteTitle}', {siteTitle, interpolation: {escapeValue: false}})}</title>`
     }
     <style>
@@ -111,7 +111,10 @@ module.exports = ({t, siteTitle, email, url, otc, accentColor = '#15212A', siteD
           <div class="content" style="box-sizing: border-box; display: block; Margin: 0 auto; max-width: 600px; padding: 30px 20px;">
 
             <!-- START CENTERED CONTAINER -->
-            <span class="preheader" style="color: transparent; display: none; height: 0; max-height: 0; max-width: 0; opacity: 0; overflow: hidden; mso-hide: all; visibility: hidden; width: 0;">${t('Welcome back to {siteTitle}!', {siteTitle, interpolation: {escapeValue: false}})}</span>
+            <span class="preheader" style="color: transparent; display: none; height: 0; max-height: 0; max-width: 0; opacity: 0; overflow: hidden; mso-hide: all; visibility: hidden; width: 0;">${otc ? t('Welcome back to {siteTitle}! Your verification code is {otc}.', {siteTitle, otc, interpolation: {escapeValue: false}}) : t('Welcome back to {siteTitle}!', {siteTitle, interpolation: {escapeValue: false}})}</span>
+            <div style="display:none; max-height:0; overflow:hidden; mso-hide: all;" aria-hidden="true" role="presentation">
+              &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+            </div>
             <table class="main" style="border-collapse: separate; mso-table-lspace: 0pt; mso-table-rspace: 0pt; width: 100%; background: #ffffff; border-radius: 8px;">
 
               <!-- START MAIN CONTENT AREA -->
@@ -122,7 +125,7 @@ module.exports = ({t, siteTitle, email, url, otc, accentColor = '#15212A', siteD
                       <td style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol'; font-size: 14px; vertical-align: top;">
                         <p style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol'; font-size: 20px; color: #15212A; font-weight: bold; line-height: 24px; margin: 0; margin-bottom: 15px;">${t('Hey there,')}</p>
                         ${otc ?
-                        `<p style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol'; font-size: 16px; color: #3A464C; font-weight: normal; margin: 0; line-height: 24px; margin-bottom: 24px;">${t(`Welcome back! Here's your code to sign in to {siteTitle}. For your security, it's valid for 24 hours`, {siteTitle, interpolation: {escapeValue: false}})}:</p>
+                        `<p style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol'; font-size: 16px; color: #3A464C; font-weight: normal; margin: 0; line-height: 24px; margin-bottom: 24px;">${t(`Welcome back! Here's your code to sign in to {siteTitle}. For your security, it's only valid for 24 hours`, {siteTitle, interpolation: {escapeValue: false}})}:</p>
                         <table border="0" cellpadding="0" cellspacing="0" class="btn btn-primary" style="border-collapse: separate; mso-table-lspace: 0pt; mso-table-rspace: 0pt; width: 100%; box-sizing: border-box; margin-bottom: 32px;">
                           <tbody>
                             <tr>
@@ -132,7 +135,7 @@ module.exports = ({t, siteTitle, email, url, otc, accentColor = '#15212A', siteD
                             </tr>
                           </tbody>
                         </table>
-                        <p style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol'; font-size: 16px; color: #3A464C; font-weight: normal; margin: 0; line-height: 24px; margin-bottom: 24px;">${t('Or, skip the code and log in directly')}:</p>
+                        <p style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol'; font-size: 16px; color: #3A464C; font-weight: normal; margin: 0; line-height: 24px; margin-bottom: 24px;">${t('Or, skip the code and sign in directly')}:</p>
                         <table border="0" cellpadding="0" cellspacing="0" class="btn btn-primary" style="border-collapse: separate; mso-table-lspace: 0pt; mso-table-rspace: 0pt; width: 100%; box-sizing: border-box;">
                           <tbody>
                             <tr>
@@ -148,7 +151,7 @@ module.exports = ({t, siteTitle, email, url, otc, accentColor = '#15212A', siteD
                             </tr>
                           </tbody>
                         </table>
-                        <p style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol'; font-size: 15px; color: #3A464C; font-weight: normal; margin: 0; line-height: 24px;">${t('Alternatively you can copy and paste this URL to your browser')}:</p>`
+                        <p style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol'; font-size: 15px; color: #3A464C; font-weight: normal; margin: 0; line-height: 24px;">${t('You can also copy & paste this URL into your browser:')}:</p>`
                         :
                         `<p style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol'; font-size: 16px; color: #3A464C; font-weight: normal; margin: 0; line-height: 24px; margin-bottom: 32px;">${t('Welcome back! Use this link to securely sign in to your {siteTitle} account:', {siteTitle, interpolation: {escapeValue: false}})}</p>
                         <table border="0" cellpadding="0" cellspacing="0" class="btn btn-primary" style="border-collapse: separate; mso-table-lspace: 0pt; mso-table-rspace: 0pt; width: 100%; box-sizing: border-box;">

package/core/server/services/members/members-api/controllers/RouterController.js

@@ -25,9 +25,31 @@ const messages = {
     invalidType: 'Invalid checkout type.',
     notConfigured: 'This site is not accepting payments at the moment.',
     invalidNewsletters: 'Cannot subscribe to invalid newsletters {newsletters}',
-    archivedNewsletters: 'Cannot subscribe to archived newsletters {newsletters}'
+    archivedNewsletters: 'Cannot subscribe to archived newsletters {newsletters}',
+    otcNotSupported: 'OTC verification not supported.',
+    invalidCode: 'Invalid verification code.',
+    failedToVerifyCode: 'Failed to verify code, please try again.'
 };
 
+// helper utility for logic shared between sendMagicLink and verifyOTC
+function extractRefererOrRedirect(req) {
+    const {autoRedirect, redirect} = req.body;
+
+    if (autoRedirect === false) {
+        return null;
+    }
+
+    if (redirect) {
+        try {
+            return new URL(redirect).href;
+        } catch (e) {
+            logging.warn(e);
+        }
+    }
+
+    return req.get('referer') || null;
+}
+
 module.exports = class RouterController {
     /**
      * RouterController
@@ -558,21 +580,10 @@ module.exports = class RouterController {
     }
 
     async sendMagicLink(req, res) {
-        const {email, honeypot, autoRedirect} = req.body;
-        let {emailType, redirect} = req.body;
+        const {email, honeypot} = req.body;
+        let {emailType} = req.body;
 
-        let referrer = req.get('referer');
-        if (autoRedirect === false){
-            referrer = null;
-        }
-        if (redirect) {
-            try {
-                // Validate URL
-                referrer = new URL(redirect).href;
-            } catch (e) {
-                logging.warn(e);
-            }
-        }
+        const referrer = extractRefererOrRedirect(req);
 
         if (!email) {
             throw new errors.BadRequestError({
@@ -628,9 +639,9 @@ module.exports = class RouterController {
             } else {
                 const signIn = await this._handleSignin(req, normalizedEmail, referrer);
 
-                if (this.labsService.isSet('membersSigninOTC') && signIn.tokenId) {
+                if (this.labsService.isSet('membersSigninOTC') && signIn.otcRef) {
                     res.writeHead(201, {'Content-Type': 'application/json'});
-                    return res.end(JSON.stringify({otc_ref: signIn.tokenId}));
+                    return res.end(JSON.stringify({otc_ref: signIn.otcRef}));
                 }
             }
 
@@ -649,6 +660,71 @@ module.exports = class RouterController {
         }
     }
 
+    async verifyOTC(req, res) {
+        const {otc, otcRef} = req.body;
+
+        if (!otc || !otcRef) {
+            throw new errors.BadRequestError({
+                message: tpl(messages.badRequest),
+                context: 'otc and otcRef are required',
+                code: 'OTC_VERIFICATION_MISSING_PARAMS'
+            });
+        }
+
+        const tokenProvider = this._magicLinkService.tokenProvider;
+        if (!tokenProvider || typeof tokenProvider.verifyOTC !== 'function') {
+            throw new errors.BadRequestError({
+                message: tpl(messages.otcNotSupported),
+                code: 'OTC_NOT_SUPPORTED'
+            });
+        }
+
+        const isValidOTC = await tokenProvider.verifyOTC(otcRef, otc);
+        if (!isValidOTC) {
+            throw new errors.BadRequestError({
+                message: tpl(messages.invalidCode),
+                code: 'INVALID_OTC'
+            });
+        }
+
+        const tokenValue = await tokenProvider.getTokenByRef(otcRef);
+        if (!tokenValue) {
+            throw new errors.BadRequestError({
+                message: tpl(messages.invalidCode),
+                code: 'INVALID_OTC_REF'
+            });
+        }
+
+        const otcVerificationHash = await this._createHashFromOTCAndToken(otc, tokenValue);
+        if (!otcVerificationHash) {
+            throw new errors.BadRequestError({
+                message: tpl(messages.failedToVerifyCode),
+                code: 'OTC_VERIFICATION_FAILED'
+            });
+        }
+
+        const referrer = extractRefererOrRedirect(req);
+
+        const redirectUrl = this._magicLinkService.getSigninURL(tokenValue, 'signin', referrer, otcVerificationHash);
+        if (!redirectUrl) {
+            throw new errors.BadRequestError({
+                message: tpl(messages.failedToVerifyCode),
+                code: 'OTC_VERIFICATION_FAILED'
+            });
+        }
+
+        return res.json({redirectUrl});
+    }
+
+    async _createHashFromOTCAndToken(otc, token) {
+        // timestamp for anti-replay protection (5 minute window)
+        const timestamp = Math.floor(Date.now() / 1000);
+
+        const hash = this._magicLinkService.tokenProvider.createOTCVerificationHash(otc, token, timestamp);
+
+        return `${timestamp}:${hash}`;
+    }
+
     async _handleSignup(req, normalizedEmail, referrer = null) {
         if (!this._allowSelfSignup()) {
             if (this._settingsCache.get('members_signup_access') === 'paid') {
@@ -684,11 +760,11 @@ module.exports = class RouterController {
     }
 
     async _handleSignin(req, normalizedEmail, referrer = null) {
-        const {emailType, otc} = req.body;
+        const {emailType, includeOTC: reqIncludeOTC} = req.body;
 
         let includeOTC = false;
 
-        if (this.labsService.isSet('membersSigninOTC') && (otc === true || otc === 'true')) {
+        if (this.labsService.isSet('membersSigninOTC') && (reqIncludeOTC === true || reqIncludeOTC === 'true')) {
             includeOTC = true;
         }