ghost 6.0.6 → 6.0.7

package/core/server/services/members/members-api/members-api.js

@@ -235,12 +235,12 @@ module.exports = function MembersAPI({
         });
     }
 
-    async function getTokenDataFromMagicLinkToken(token) {
-        return await magicLinkService.getDataFromToken(token);
+    async function getTokenDataFromMagicLinkToken(token, otcVerification) {
+        return await magicLinkService.getDataFromToken(token, otcVerification);
     }
 
-    async function getMemberDataFromMagicLinkToken(token) {
-        const {email, labels = [], name = '', oldEmail, newsletters, attribution, reqIp, type} = await getTokenDataFromMagicLinkToken(token);
+    async function getMemberDataFromMagicLinkToken(token, otcVerification) {
+        const {email, labels = [], name = '', oldEmail, newsletters, attribution, reqIp, type} = await getTokenDataFromMagicLinkToken(token, otcVerification);
         if (!email) {
             return null;
         }
@@ -340,6 +340,10 @@ module.exports = function MembersAPI({
             body.json(),
             forwardError((req, res) => routerController.sendMagicLink(req, res))
         ),
+        verifyOTC: Router().use(
+            body.json(),
+            forwardError((req, res) => routerController.verifyOTC(req, res))
+        ),
         createCheckoutSession: Router().use(
             body.json(),
             forwardError((req, res) => routerController.createCheckoutSession(req, res))

package/core/server/services/members/members-ssr.js

@@ -156,12 +156,13 @@ class MembersSSR {
      * @method _getMemberDataFromToken
      *
      * @param {JWT} token
+     * @param {string} [otcVerification]
      *
      * @returns {Promise<Member>} member
      */
-    async _getMemberDataFromToken(token) {
+    async _getMemberDataFromToken(token, otcVerification) {
         const api = await this._getMembersApi();
-        return api.getMemberDataFromMagicLinkToken(token);
+        return api.getMemberDataFromMagicLinkToken(token, otcVerification);
     }
 
     /**
@@ -234,7 +235,8 @@ class MembersSSR {
         }
 
         const token = Array.isArray(query.token) ? query.token[0] : query.token;
-        const member = await this._getMemberDataFromToken(token);
+        const otcVerification = Array.isArray(query.otc_verification) ? query.otc_verification[0] : query.otc_verification;
+        const member = await this._getMemberDataFromToken(token, otcVerification);
 
         if (!member) {
             // The member doesn't exist any longer (could be a sign in token for a member that was deleted)

package/core/server/services/members/middleware.js

@@ -332,8 +332,8 @@ const createSessionFromMagicLink = async function createSessionFromMagicLink(req
     // req.query is a plain object, copy it to a URLSearchParams object so we can call toString()
     const searchParams = new URLSearchParams('');
     Object.keys(req.query).forEach((param) => {
-        // don't copy the "token" or "r" params
-        if (param !== 'token' && param !== 'r') {
+        // don't copy the "token", "r", or "otc_verification" params
+        if (param !== 'token' && param !== 'r' && param !== 'otc_verification') {
             searchParams.set(param, req.query[param]);
         }
     });

package/core/server/web/members/app.js

@@ -41,7 +41,7 @@ module.exports = function setupMembersApp() {
     // We don't want to add global bodyParser middleware as that interferes with stripe webhook requests on - `/webhooks`.
 
     // Manage newsletter subscription via unsubscribe link - these should be authenticated by uuid and hashed key
-    membersApp.get('/api/member/newsletters', 
+    membersApp.get('/api/member/newsletters',
         middleware.authMemberByUuid,
         middleware.getMemberNewsletters
     );
@@ -59,7 +59,7 @@ module.exports = function setupMembersApp() {
     } else {
         membersApp.get('/api/member', middleware.getMemberData);
     }
-    
+
     membersApp.put('/api/member', bodyParser.json({limit: '50mb'}), middleware.updateMemberData);
     membersApp.post('/api/member/email', bodyParser.json({limit: '50mb'}), (req, res, next) => membersService.api.middleware.updateEmailAddress(req, res, next));
 
@@ -72,7 +72,6 @@ module.exports = function setupMembersApp() {
 
     membersApp.get('/api/integrity-token', middleware.createIntegrityToken);
 
-    // NOTE: this is wrapped in a function to ensure we always go via the getter
     membersApp.post(
         '/api/send-magic-link',
         bodyParser.json(),
@@ -81,10 +80,20 @@ module.exports = function setupMembersApp() {
         shared.middleware.brute.membersAuthEnumeration,
         // Prevent brute forcing passwords for the same email address
         shared.middleware.brute.membersAuth,
+        // NOTE: this is wrapped in a function to ensure we always go via the getter
         function lazySendMagicLinkMw(req, res, next) {
             return membersService.api.middleware.sendMagicLink(req, res, next);
         }
     );
+    membersApp.post(
+        '/api/verify-otc',
+        bodyParser.json(),
+        middleware.verifyIntegrityToken,
+        // NOTE: this is wrapped in a function to ensure we always go via the getter
+        function lazyVerifyOTCMw(req, res, next) {
+            return membersService.api.middleware.verifyOTC(req, res, next);
+        }
+    );
     membersApp.post('/api/create-stripe-checkout-session', function lazyCreateCheckoutSessionMw(req, res, next) {
         return membersService.api.middleware.createCheckoutSession(req, res, next);
     });

package/core/shared/config/defaults.json

@@ -212,7 +212,7 @@
     },
     "portal": {
         "url": "https://cdn.jsdelivr.net/ghost/portal@~{version}/umd/portal.min.js",
-        "version": "2.52"
+        "version": "2.53"
     },
     "sodoSearch": {
         "url": "https://cdn.jsdelivr.net/ghost/sodo-search@~{version}/umd/sodo-search.min.js",

package/core/shared/labs.js

@@ -47,7 +47,9 @@ const PRIVATE_FEATURES = [
     'lexicalIndicators',
     'contentVisibilityAlpha',
     'emailCustomization',
-    'membersSigninOTC'
+    'membersSigninOTC',
+    'tagsX',
+    'utmTracking'
 ];
 
 module.exports.GA_KEYS = [...GA_FEATURES];

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ghost",
-  "version": "6.0.6",
+  "version": "6.0.7",
   "description": "The professional publishing platform",
   "author": "Ghost Foundation",
   "homepage": "https://ghost.org",
@@ -86,7 +86,7 @@
     "@tryghost/helpers": "1.1.97",
     "@tryghost/html-to-plaintext": "1.0.4",
     "@tryghost/http-cache-utils": "0.1.20",
-    "@tryghost/i18n": "file:components/tryghost-i18n-6.0.6.tgz",
+    "@tryghost/i18n": "file:components/tryghost-i18n-6.0.7.tgz",
     "@tryghost/image-transform": "1.4.6",
     "@tryghost/job-manager": "1.0.3",
     "@tryghost/kg-card-factory": "5.1.2",
@@ -181,7 +181,7 @@
     "knex-migrator": "5.3.2",
     "leaky-bucket": "2.2.0",
     "lodash": "4.17.21",
-    "luxon": "3.7.1",
+    "luxon": "3.7.2",
     "mailgun.js": "10.4.0",
     "metascraper": "5.45.15",
     "metascraper-author": "5.45.10",
@@ -232,7 +232,7 @@
     "@types/bookshelf": "1.2.9",
     "@types/common-tags": "1.8.4",
     "@types/jsonwebtoken": "9.0.10",
-    "@types/node": "22.18.0",
+    "@types/node": "22.18.1",
     "@types/node-jose": "1.1.13",
     "@types/nodemailer": "6.4.19",
     "@types/sinon": "17.0.4",
@@ -250,7 +250,7 @@
     "inquirer": "8.2.7",
     "jwk-to-pem": "2.0.7",
     "jwks-rsa": "3.2.0",
-    "mocha": "11.7.1",
+    "mocha": "11.7.2",
     "mocha-slow-test-reporter": "0.1.2",
     "mock-knex": "TryGhost/mock-knex#68948e11b0ea4fe63456098dfdc169bea7f62009",
     "nock": "13.5.6",
@@ -273,7 +273,7 @@
     "jackspeak": "2.3.6",
     "moment": "2.24.0",
     "moment-timezone": "0.5.45",
-    "@tryghost/i18n": "file:components/tryghost-i18n-6.0.6.tgz"
+    "@tryghost/i18n": "file:components/tryghost-i18n-6.0.7.tgz"
   },
   "nx": {
     "targets": {