npm - ghost - Versions diffs - 6.0.6 → 6.0.8 - Mend

ghost 6.0.6 → 6.0.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (53) hide show

package/core/server/services/members/members-api/controllers/RouterController.js CHANGED Viewed

@@ -25,9 +25,31 @@ const messages = {
     invalidType: 'Invalid checkout type.',
     notConfigured: 'This site is not accepting payments at the moment.',
     invalidNewsletters: 'Cannot subscribe to invalid newsletters {newsletters}',
-    archivedNewsletters: 'Cannot subscribe to archived newsletters {newsletters}'
+    archivedNewsletters: 'Cannot subscribe to archived newsletters {newsletters}',
+    otcNotSupported: 'OTC verification not supported.',
+    invalidCode: 'Invalid verification code.',
+    failedToVerifyCode: 'Failed to verify code, please try again.'
 };
+// helper utility for logic shared between sendMagicLink and verifyOTC
+function extractRefererOrRedirect(req) {
+    const {autoRedirect, redirect} = req.body;
+    if (autoRedirect === false) {
+        return null;
+    }
+    if (redirect) {
+        try {
+            return new URL(redirect).href;
+        } catch (e) {
+            logging.warn(e);
+        }
+    }
+    return req.get('referer') || null;
+}
 module.exports = class RouterController {
     /**
      * RouterController
@@ -558,21 +580,10 @@ module.exports = class RouterController {
     }
     async sendMagicLink(req, res) {
-        const {email, honeypot, autoRedirect} = req.body;
-        let {emailType, redirect} = req.body;
+        const {email, honeypot} = req.body;
+        let {emailType} = req.body;
-        let referrer = req.get('referer');
-        if (autoRedirect === false){
-            referrer = null;
-        }
-        if (redirect) {
-            try {
-                // Validate URL
-                referrer = new URL(redirect).href;
-            } catch (e) {
-                logging.warn(e);
-            }
-        }
+        const referrer = extractRefererOrRedirect(req);
         if (!email) {
             throw new errors.BadRequestError({
@@ -628,9 +639,9 @@ module.exports = class RouterController {
             } else {
                 const signIn = await this._handleSignin(req, normalizedEmail, referrer);
-                if (this.labsService.isSet('membersSigninOTC') && signIn.tokenId) {
+                if (this.labsService.isSet('membersSigninOTC') && signIn.otcRef) {
                     res.writeHead(201, {'Content-Type': 'application/json'});
-                    return res.end(JSON.stringify({otc_ref: signIn.tokenId}));
+                    return res.end(JSON.stringify({otc_ref: signIn.otcRef}));
                 }
             }
@@ -649,6 +660,71 @@ module.exports = class RouterController {
         }
     }
+    async verifyOTC(req, res) {
+        const {otc, otcRef} = req.body;
+        if (!otc || !otcRef) {
+            throw new errors.BadRequestError({
+                message: tpl(messages.badRequest),
+                context: 'otc and otcRef are required',
+                code: 'OTC_VERIFICATION_MISSING_PARAMS'
+            });
+        }
+        const tokenProvider = this._magicLinkService.tokenProvider;
+        if (!tokenProvider || typeof tokenProvider.verifyOTC !== 'function') {
+            throw new errors.BadRequestError({
+                message: tpl(messages.otcNotSupported),
+                code: 'OTC_NOT_SUPPORTED'
+            });
+        }
+        const isValidOTC = await tokenProvider.verifyOTC(otcRef, otc);
+        if (!isValidOTC) {
+            throw new errors.BadRequestError({
+                message: tpl(messages.invalidCode),
+                code: 'INVALID_OTC'
+            });
+        }
+        const tokenValue = await tokenProvider.getTokenByRef(otcRef);
+        if (!tokenValue) {
+            throw new errors.BadRequestError({
+                message: tpl(messages.invalidCode),
+                code: 'INVALID_OTC_REF'
+            });
+        }
+        const otcVerificationHash = await this._createHashFromOTCAndToken(otc, tokenValue);
+        if (!otcVerificationHash) {
+            throw new errors.BadRequestError({
+                message: tpl(messages.failedToVerifyCode),
+                code: 'OTC_VERIFICATION_FAILED'
+            });
+        }
+        const referrer = extractRefererOrRedirect(req);
+        const redirectUrl = this._magicLinkService.getSigninURL(tokenValue, 'signin', referrer, otcVerificationHash);
+        if (!redirectUrl) {
+            throw new errors.BadRequestError({
+                message: tpl(messages.failedToVerifyCode),
+                code: 'OTC_VERIFICATION_FAILED'
+            });
+        }
+        return res.json({redirectUrl});
+    }
+    async _createHashFromOTCAndToken(otc, token) {
+        // timestamp for anti-replay protection (5 minute window)
+        const timestamp = Math.floor(Date.now() / 1000);
+        const hash = this._magicLinkService.tokenProvider.createOTCVerificationHash(otc, token, timestamp);
+        return `${timestamp}:${hash}`;
+    }
     async _handleSignup(req, normalizedEmail, referrer = null) {
         if (!this._allowSelfSignup()) {
             if (this._settingsCache.get('members_signup_access') === 'paid') {
@@ -684,11 +760,11 @@ module.exports = class RouterController {
     }
     async _handleSignin(req, normalizedEmail, referrer = null) {
-        const {emailType, otc} = req.body;
+        const {emailType, includeOTC: reqIncludeOTC} = req.body;
         let includeOTC = false;
-        if (this.labsService.isSet('membersSigninOTC') && (otc === true || otc === 'true')) {
+        if (this.labsService.isSet('membersSigninOTC') && (reqIncludeOTC === true || reqIncludeOTC === 'true')) {
             includeOTC = true;
         }

package/core/server/services/members/members-api/members-api.js CHANGED Viewed

@@ -235,12 +235,12 @@ module.exports = function MembersAPI({
         });
     }
-    async function getTokenDataFromMagicLinkToken(token) {
-        return await magicLinkService.getDataFromToken(token);
+    async function getTokenDataFromMagicLinkToken(token, otcVerification) {
+        return await magicLinkService.getDataFromToken(token, otcVerification);
     }
-    async function getMemberDataFromMagicLinkToken(token) {
-        const {email, labels = [], name = '', oldEmail, newsletters, attribution, reqIp, type} = await getTokenDataFromMagicLinkToken(token);
+    async function getMemberDataFromMagicLinkToken(token, otcVerification) {
+        const {email, labels = [], name = '', oldEmail, newsletters, attribution, reqIp, type} = await getTokenDataFromMagicLinkToken(token, otcVerification);
         if (!email) {
             return null;
         }
@@ -340,6 +340,10 @@ module.exports = function MembersAPI({
             body.json(),
             forwardError((req, res) => routerController.sendMagicLink(req, res))
         ),
+        verifyOTC: Router().use(
+            body.json(),
+            forwardError((req, res) => routerController.verifyOTC(req, res))
+        ),
         createCheckoutSession: Router().use(
             body.json(),
             forwardError((req, res) => routerController.createCheckoutSession(req, res))

package/core/server/services/members/members-ssr.js CHANGED Viewed

@@ -156,12 +156,13 @@ class MembersSSR {
      * @method _getMemberDataFromToken
      *
      * @param {JWT} token
+     * @param {string} [otcVerification]
      *
      * @returns {Promise<Member>} member
      */
-    async _getMemberDataFromToken(token) {
+    async _getMemberDataFromToken(token, otcVerification) {
         const api = await this._getMembersApi();
-        return api.getMemberDataFromMagicLinkToken(token);
+        return api.getMemberDataFromMagicLinkToken(token, otcVerification);
     }
     /**
@@ -234,7 +235,8 @@ class MembersSSR {
         }
         const token = Array.isArray(query.token) ? query.token[0] : query.token;
-        const member = await this._getMemberDataFromToken(token);
+        const otcVerification = Array.isArray(query.otc_verification) ? query.otc_verification[0] : query.otc_verification;
+        const member = await this._getMemberDataFromToken(token, otcVerification);
         if (!member) {
             // The member doesn't exist any longer (could be a sign in token for a member that was deleted)

package/core/server/services/members/middleware.js CHANGED Viewed

@@ -332,8 +332,8 @@ const createSessionFromMagicLink = async function createSessionFromMagicLink(req
     // req.query is a plain object, copy it to a URLSearchParams object so we can call toString()
     const searchParams = new URLSearchParams('');
     Object.keys(req.query).forEach((param) => {
-        // don't copy the "token" or "r" params
-        if (param !== 'token' && param !== 'r') {
+        // don't copy the "token", "r", or "otc_verification" params
+        if (param !== 'token' && param !== 'r' && param !== 'otc_verification') {
             searchParams.set(param, req.query[param]);
         }
     });

package/core/server/services/tinybird/TinybirdService.js CHANGED Viewed

@@ -53,7 +53,12 @@ const TINYBIRD_PIPES = [
     'api_top_locations',
     'api_top_os',
     'api_top_pages',
-    'api_top_sources'
+    'api_top_sources',
+    'api_top_utm_sources',
+    'api_top_utm_mediums',
+    'api_top_utm_campaigns',
+    'api_top_utm_contents',
+    'api_top_utm_terms'
 ];
 /**

package/core/server/services/update-check/UpdateCheckService.js CHANGED Viewed

@@ -189,7 +189,7 @@ class UpdateCheckService {
         try {
             const response = await this.request(checkEndpoint, reqObj);
-            return response.body;
+            return JSON.parse(response.body);
         } catch (err) {
             // CASE: no notifications available, ignore
             if (err.statusCode === 404) {

package/core/server/web/members/app.js CHANGED Viewed

@@ -41,7 +41,7 @@ module.exports = function setupMembersApp() {
     // We don't want to add global bodyParser middleware as that interferes with stripe webhook requests on - `/webhooks`.
     // Manage newsletter subscription via unsubscribe link - these should be authenticated by uuid and hashed key
-    membersApp.get('/api/member/newsletters',
+    membersApp.get('/api/member/newsletters',
         middleware.authMemberByUuid,
         middleware.getMemberNewsletters
     );
@@ -59,7 +59,7 @@ module.exports = function setupMembersApp() {
     } else {
         membersApp.get('/api/member', middleware.getMemberData);
     }
     membersApp.put('/api/member', bodyParser.json({limit: '50mb'}), middleware.updateMemberData);
     membersApp.post('/api/member/email', bodyParser.json({limit: '50mb'}), (req, res, next) => membersService.api.middleware.updateEmailAddress(req, res, next));
@@ -72,7 +72,6 @@ module.exports = function setupMembersApp() {
     membersApp.get('/api/integrity-token', middleware.createIntegrityToken);
-    // NOTE: this is wrapped in a function to ensure we always go via the getter
     membersApp.post(
         '/api/send-magic-link',
         bodyParser.json(),
@@ -81,10 +80,20 @@ module.exports = function setupMembersApp() {
         shared.middleware.brute.membersAuthEnumeration,
         // Prevent brute forcing passwords for the same email address
         shared.middleware.brute.membersAuth,
+        // NOTE: this is wrapped in a function to ensure we always go via the getter
         function lazySendMagicLinkMw(req, res, next) {
             return membersService.api.middleware.sendMagicLink(req, res, next);
         }
     );
+    membersApp.post(
+        '/api/verify-otc',
+        bodyParser.json(),
+        middleware.verifyIntegrityToken,
+        // NOTE: this is wrapped in a function to ensure we always go via the getter
+        function lazyVerifyOTCMw(req, res, next) {
+            return membersService.api.middleware.verifyOTC(req, res, next);
+        }
+    );
     membersApp.post('/api/create-stripe-checkout-session', function lazyCreateCheckoutSessionMw(req, res, next) {
         return membersService.api.middleware.createCheckoutSession(req, res, next);
     });

package/core/shared/config/defaults.json CHANGED Viewed

@@ -212,7 +212,7 @@
     },
     "portal": {
         "url": "https://cdn.jsdelivr.net/ghost/portal@~{version}/umd/portal.min.js",
-        "version": "2.52"
+        "version": "2.53"
     },
     "sodoSearch": {
         "url": "https://cdn.jsdelivr.net/ghost/sodo-search@~{version}/umd/sodo-search.min.js",

package/core/shared/labs.js CHANGED Viewed

@@ -47,7 +47,9 @@ const PRIVATE_FEATURES = [
     'lexicalIndicators',
     'contentVisibilityAlpha',
     'emailCustomization',
-    'membersSigninOTC'
+    'membersSigninOTC',
+    'tagsX',
+    'utmTracking'
 ];
 module.exports.GA_KEYS = [...GA_FEATURES];

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "ghost",
-  "version": "6.0.6",
+  "version": "6.0.8",
   "description": "The professional publishing platform",
   "author": "Ghost Foundation",
   "homepage": "https://ghost.org",
@@ -86,7 +86,7 @@
     "@tryghost/helpers": "1.1.97",
     "@tryghost/html-to-plaintext": "1.0.4",
     "@tryghost/http-cache-utils": "0.1.20",
-    "@tryghost/i18n": "file:components/tryghost-i18n-6.0.6.tgz",
+    "@tryghost/i18n": "file:components/tryghost-i18n-6.0.8.tgz",
     "@tryghost/image-transform": "1.4.6",
     "@tryghost/job-manager": "1.0.3",
     "@tryghost/kg-card-factory": "5.1.2",
@@ -166,7 +166,7 @@
     "heic-convert": "2.1.0",
     "html-to-text": "5.1.1",
     "html5parser": "2.0.2",
-    "human-number": "2.0.5",
+    "human-number": "2.0.6",
     "iconv-lite": "0.6.3",
     "image-size": "1.2.1",
     "intl": "1.2.5",
@@ -181,7 +181,7 @@
     "knex-migrator": "5.3.2",
     "leaky-bucket": "2.2.0",
     "lodash": "4.17.21",
-    "luxon": "3.7.1",
+    "luxon": "3.7.2",
     "mailgun.js": "10.4.0",
     "metascraper": "5.45.15",
     "metascraper-author": "5.45.10",
@@ -232,7 +232,7 @@
     "@types/bookshelf": "1.2.9",
     "@types/common-tags": "1.8.4",
     "@types/jsonwebtoken": "9.0.10",
-    "@types/node": "22.18.0",
+    "@types/node": "22.18.3",
     "@types/node-jose": "1.1.13",
     "@types/nodemailer": "6.4.19",
     "@types/sinon": "17.0.4",
@@ -250,7 +250,7 @@
     "inquirer": "8.2.7",
     "jwk-to-pem": "2.0.7",
     "jwks-rsa": "3.2.0",
-    "mocha": "11.7.1",
+    "mocha": "11.7.2",
     "mocha-slow-test-reporter": "0.1.2",
     "mock-knex": "TryGhost/mock-knex#68948e11b0ea4fe63456098dfdc169bea7f62009",
     "nock": "13.5.6",
@@ -273,7 +273,7 @@
     "jackspeak": "2.3.6",
     "moment": "2.24.0",
     "moment-timezone": "0.5.45",
-    "@tryghost/i18n": "file:components/tryghost-i18n-6.0.6.tgz"
+    "@tryghost/i18n": "file:components/tryghost-i18n-6.0.8.tgz"
   },
   "nx": {
     "targets": {