npm - ghost - Versions diffs - 6.1.0 → 6.3.0 - Mend

ghost 6.1.0 → 6.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (69) hide show

package/core/server/services/stats/StatsService.js CHANGED Viewed

@@ -244,6 +244,23 @@ class StatsService {
         return this.referrers.getTopSourcesWithRange(options);
     }
+    /**
+     * Get UTM growth stats broken down by UTM field (fixture data)
+     * Can be filtered by post using post_id parameter
+     * @param {Object} options
+     * @param {string} [options.utm_type='utm_source'] - Which UTM field to group by ('utm_source', 'utm_medium', 'utm_campaign', 'utm_term', 'utm_content')
+     * @param {string} [options.order='free_members desc'] - Sort order
+     * @param {number} [options.limit=50] - Maximum number of results (ignored when filtering by post)
+     * @param {string} [options.date_from] - Start date in YYYY-MM-DD format (not yet implemented for fixtures)
+     * @param {string} [options.date_to] - End date in YYYY-MM-DD format (not yet implemented for fixtures)
+     * @param {string} [options.timezone] - Timezone to use for date interpretation (not yet implemented for fixtures)
+     * @param {string} [options.post_id] - Optional filter by post ID
+     * @returns {Promise<{data: import('./ReferrersStatsService').UtmGrowthStat[], meta: {}}>}
+     */
+    async getUtmGrowthStats(options = {}) {
+        return this.referrers.getUtmGrowthStats(options);
+    }
     /**
      * @param {object} deps
      *

package/core/server/services/stripe/StripeAPI.js CHANGED Viewed

@@ -526,13 +526,18 @@ module.exports = class StripeAPI {
             items: [{
                 plan: priceId
             }],
-            metadata: {
+            metadata: {
                 attribution_id: metadata?.attribution_id,
                 attribution_url: metadata?.attribution_url,
                 attribution_type: metadata?.attribution_type,
                 referrer_source: metadata?.referrer_source,
                 referrer_medium: metadata?.referrer_medium,
-                referrer_url: metadata?.referrer_url
+                referrer_url: metadata?.referrer_url,
+                utm_source: metadata?.utm_source,
+                utm_medium: metadata?.utm_medium,
+                utm_campaign: metadata?.utm_campaign,
+                utm_term: metadata?.utm_term,
+                utm_content: metadata?.utm_content
             }
         };

package/core/server/services/stripe/services/webhook/CheckoutSessionEventService.js CHANGED Viewed

@@ -75,7 +75,12 @@ module.exports = class CheckoutSessionEventService {
             attributionType: session.metadata?.attribution_type ?? null,
             referrerSource: session.metadata?.referrer_source ?? null,
             referrerMedium: session.metadata?.referrer_medium ?? null,
-            referrerUrl: session.metadata?.referrer_url ?? null
+            referrerUrl: session.metadata?.referrer_url ?? null,
+            utmSource: session.metadata?.utm_source ?? null,
+            utmMedium: session.metadata?.utm_medium ?? null,
+            utmCampaign: session.metadata?.utm_campaign ?? null,
+            utmTerm: session.metadata?.utm_term ?? null,
+            utmContent: session.metadata?.utm_content ?? null
         });
         const donationRepository = this.deps.donationRepository;

package/core/server/web/api/endpoints/admin/routes.js CHANGED Viewed

@@ -165,6 +165,7 @@ module.exports = function apiRoutes() {
     router.get('/stats/posts/:id/top-referrers', mw.authAdminApi, http(api.stats.postReferrersAlpha));
     router.get('/stats/posts/:id/growth', mw.authAdminApi, http(api.stats.postGrowthStats));
     router.get('/stats/top-sources-growth', mw.authAdminApi, http(api.stats.topSourcesGrowth));
+    router.get('/stats/utm-growth', mw.authAdminApi, http(api.stats.utmGrowth));
     router.post('/stats/posts-visitor-counts', mw.authAdminApi, http(api.stats.postsVisitorCounts));
     router.post('/stats/posts-member-counts', mw.authAdminApi, http(api.stats.postsMemberCounts));

package/core/server/web/members/app.js CHANGED Viewed

@@ -89,6 +89,8 @@ module.exports = function setupMembersApp() {
         '/api/verify-otc',
         bodyParser.json(),
         middleware.verifyIntegrityToken,
+        shared.middleware.brute.otcVerificationEnumeration,
+        shared.middleware.brute.otcVerification,
         // NOTE: this is wrapped in a function to ensure we always go via the getter
         function lazyVerifyOTCMw(req, res, next) {
             return membersService.api.middleware.verifyOTC(req, res, next);

package/core/server/web/shared/middleware/api/spam-prevention.js CHANGED Viewed

@@ -21,6 +21,10 @@ const messages = {
         context: 'Too many login attempts.'
     },
     tooManyAttempts: 'Too many attempts.',
+    tooManyOTCVerificationAttempts: {
+        error: 'Too many attempts for this verification code.',
+        context: 'Too many verification code attempts.'
+    },
     webmentionsBlock: 'Too many mention attempts',
     emailPreviewBlock: 'Only 10 test emails can be sent per hour'
 };
@@ -35,6 +39,8 @@ let spamMemberLogin = spam.member_login || {};
 let spamContentApiKey = spam.content_api_key || {};
 let spamWebmentionsBlock = spam.webmentions_block || {};
 let spamEmailPreviewBlock = spam.email_preview_block || {};
+let spamOtcVerificationEnumeration = spam.otc_verification_enumeration || {};
+let spamOtcVerification = spam.otc_verification || {};
 let store;
 let memoryStore;
@@ -50,6 +56,8 @@ let sendVerificationCodeInstance;
 let userVerificationInstance;
 let contentApiKeyInstance;
 let emailPreviewBlockInstance;
+let otcVerificationEnumerationInstance;
+let otcVerificationInstance;
 const spamConfigKeys = ['freeRetries', 'minWait', 'maxWait', 'lifetime'];
@@ -248,6 +256,68 @@ const membersAuthEnumeration = () => {
     return membersAuthEnumerationInstance;
 };
+const otcVerificationEnumeration = () => {
+    const ExpressBrute = require('express-brute');
+    const BruteKnex = require('brute-knex');
+    const db = require('../../../../data/db');
+    store = store || new BruteKnex({
+        tablename: 'brute',
+        createTable: false,
+        knex: db.knex
+    });
+    if (!otcVerificationEnumerationInstance) {
+        otcVerificationEnumerationInstance = new ExpressBrute(store,
+            extend({
+                attachResetToRequest: false,
+                failCallback(req, res, next, nextValidRequestDate) {
+                    return next(new errors.TooManyRequestsError({
+                        message: `Too many verification attempts across multiple codes, try again in ${moment(nextValidRequestDate).fromNow(true)}`,
+                        context: tpl(messages.tooManyOTCVerificationAttempts.context),
+                        help: tpl(messages.tooManyOTCVerificationAttempts.context),
+                        code: 'OTC_TOTAL_ATTEMPTS_RATE_LIMITED'
+                    }));
+                },
+                handleStoreError: handleStoreError
+            }, pick(spamOtcVerificationEnumeration, spamConfigKeys))
+        );
+    }
+    return otcVerificationEnumerationInstance;
+};
+const otcVerification = () => {
+    const ExpressBrute = require('express-brute');
+    const BruteKnex = require('brute-knex');
+    const db = require('../../../../data/db');
+    store = store || new BruteKnex({
+        tablename: 'brute',
+        createTable: false,
+        knex: db.knex
+    });
+    if (!otcVerificationInstance) {
+        otcVerificationInstance = new ExpressBrute(store,
+            extend({
+                attachResetToRequest: false,
+                failCallback(req, res, next, nextValidRequestDate) {
+                    return next(new errors.TooManyRequestsError({
+                        message: `Too many attempts for this verification code, try again in ${moment(nextValidRequestDate).fromNow(true)}`,
+                        context: tpl(messages.tooManyOTCVerificationAttempts.context),
+                        help: tpl(messages.tooManyOTCVerificationAttempts.context),
+                        code: 'OTC_CODE_ATTEMPTS_RATE_LIMITED'
+                    }));
+                },
+                handleStoreError: handleStoreError
+            }, pick(spamOtcVerification, spamConfigKeys))
+        );
+    }
+    return otcVerificationInstance;
+};
 // Stops login attempts for a user+IP pair with an increasing time period starting from 10 minutes
 // and rising to a week in a fibonnaci sequence
 // The user+IP count is reset when on successful login
@@ -432,6 +502,8 @@ module.exports = {
     userVerification: userVerification,
     membersAuth: membersAuth,
     membersAuthEnumeration: membersAuthEnumeration,
+    otcVerification: otcVerification,
+    otcVerificationEnumeration: otcVerificationEnumeration,
     userReset: userReset,
     privateBlog: privateBlog,
     contentApiKey: contentApiKey,
@@ -450,6 +522,8 @@ module.exports = {
         sendVerificationCodeInstance = undefined;
         userVerificationInstance = undefined;
         contentApiKeyInstance = undefined;
+        otcVerificationEnumerationInstance = undefined;
+        otcVerificationInstance = undefined;
         spam = config.get('spam') || {};
         spamPrivateBlock = spam.private_block || {};
@@ -461,5 +535,7 @@ module.exports = {
         spamUserVerification = spam.user_verification || {};
         spamMemberLogin = spam.member_login || {};
         spamContentApiKey = spam.content_api_key || {};
+        spamOtcVerificationEnumeration = spam.otc_verification_enumeration || {};
+        spamOtcVerification = spam.otc_verification || {};
     }
 };

package/core/server/web/shared/middleware/brute.js CHANGED Viewed

@@ -128,6 +128,29 @@ module.exports = {
         return spamPrevention.membersAuthEnumeration().prevent(req, res, next);
     },
+    /**
+     * Block too many OTC verification attempts from same IP (blocks user enumeration)
+     */
+    otcVerificationEnumeration(req, res, next) {
+        return spamPrevention.otcVerificationEnumeration().prevent(req, res, next);
+    },
+    /**
+     * Block too many attempts for the same otcRef
+     */
+    otcVerification(req, res, next) {
+        return spamPrevention.otcVerification().getMiddleware({
+            // ignoring IP here blocks rotating ip attacks, only one IP should receive an otcRef so it shouldn't cause false positives
+            ignoreIP: true,
+            key(_req, _res, _next) {
+                if (_req.body.otcRef) {
+                    return _next(`${_req.body.otcRef}otc_verification`);
+                }
+                return _next();
+            }
+        })(req, res, next);
+    },
     /**
      * Blocks webmention spam
      */

package/core/shared/config/defaults.json CHANGED Viewed

@@ -130,6 +130,18 @@
             "lifetime": 3600,
             "freeRetries": 10
         },
+        "otc_verification_enumeration": {
+            "minWait": 600000,
+            "maxWait": 43200000,
+            "lifetime": 43200,
+            "freeRetries": 8
+        },
+        "otc_verification": {
+            "minWait": 3600000,
+            "maxWait": 3600000,
+            "lifetime": 3600,
+            "freeRetries": 4
+        },
         "blocked_email_domains": []
     },
     "caching": {
@@ -212,7 +224,7 @@
     },
     "portal": {
         "url": "https://cdn.jsdelivr.net/ghost/portal@~{version}/umd/portal.min.js",
-        "version": "2.53"
+        "version": "2.55"
     },
     "sodoSearch": {
         "url": "https://cdn.jsdelivr.net/ghost/sodo-search@~{version}/umd/sodo-search.min.js",

package/core/shared/config/env/config.testing-browser.json CHANGED Viewed

@@ -70,6 +70,18 @@
             "maxWait": 360000,
             "lifetime": 3600,
             "freeRetries": 10
+        },
+        "otc_verification_enumeration": {
+            "minWait": 600000,
+            "maxWait": 43200000,
+            "lifetime": 43200,
+            "freeRetries": 8
+        },
+        "otc_verification": {
+            "minWait": 300000,
+            "maxWait": 3600000,
+            "lifetime": 3600,
+            "freeRetries": 4
         }
     },
     "privacy": {

package/core/shared/config/env/config.testing-mysql.json CHANGED Viewed

@@ -74,6 +74,18 @@
             "maxWait": 360000,
             "lifetime": 3600,
             "freeRetries": 10
+        },
+        "otc_verification_enumeration": {
+            "minWait": 600000,
+            "maxWait": 43200000,
+            "lifetime": 43200,
+            "freeRetries": 8
+        },
+        "otc_verification": {
+            "minWait": 300000,
+            "maxWait": 3600000,
+            "lifetime": 3600,
+            "freeRetries": 4
         }
     },
     "privacy": {

package/core/shared/config/env/config.testing.json CHANGED Viewed

@@ -70,6 +70,18 @@
             "maxWait": 360000,
             "lifetime": 3600,
             "freeRetries": 10
+        },
+        "otc_verification_enumeration": {
+            "minWait": 600000,
+            "maxWait": 43200000,
+            "lifetime": 43200,
+            "freeRetries": 8
+        },
+        "otc_verification": {
+            "minWait": 300000,
+            "maxWait": 3600000,
+            "lifetime": 3600,
+            "freeRetries": 4
         }
     },
     "privacy": {

package/core/shared/labs.js CHANGED Viewed

@@ -48,6 +48,7 @@ const PRIVATE_FEATURES = [
     'contentVisibilityAlpha',
     'emailCustomization',
     'membersSigninOTC',
+    'membersSigninOTCAlpha',
     'tagsX',
     'utmTracking',
     'emailUniqueid'

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "ghost",
-  "version": "6.1.0",
+  "version": "6.3.0",
   "description": "The professional publishing platform",
   "author": "Ghost Foundation",
   "homepage": "https://ghost.org",
@@ -86,7 +86,7 @@
     "@tryghost/helpers": "1.1.97",
     "@tryghost/html-to-plaintext": "1.0.4",
     "@tryghost/http-cache-utils": "0.1.20",
-    "@tryghost/i18n": "file:components/tryghost-i18n-6.1.0.tgz",
+    "@tryghost/i18n": "file:components/tryghost-i18n-6.3.0.tgz",
     "@tryghost/image-transform": "1.4.6",
     "@tryghost/job-manager": "1.0.3",
     "@tryghost/kg-card-factory": "5.1.2",
@@ -196,7 +196,7 @@
     "moment": "2.24.0",
     "moment-timezone": "0.5.45",
     "multer": "2.0.2",
-    "mysql2": "3.15.1",
+    "mysql2": "3.15.2",
     "nconf": "0.13.0",
     "node-fetch": "2.7.0",
     "node-jose": "2.2.0",
@@ -208,7 +208,7 @@
     "probe-image-size": "7.2.3",
     "rss": "1.2.2",
     "sanitize-html": "2.17.0",
-    "semver": "7.7.2",
+    "semver": "7.7.3",
     "simple-dom": "1.4.0",
     "stoppable": "1.1.0",
     "stripe": "8.222.0",
@@ -232,9 +232,9 @@
     "@types/bookshelf": "1.2.9",
     "@types/common-tags": "1.8.4",
     "@types/jsonwebtoken": "9.0.10",
-    "@types/node": "22.18.6",
+    "@types/node": "22.18.8",
     "@types/node-jose": "1.1.13",
-    "@types/nodemailer": "6.4.19",
+    "@types/nodemailer": "6.4.20",
     "@types/sinon": "17.0.4",
     "@types/supertest": "6.0.3",
     "c8": "10.1.3",
@@ -250,7 +250,7 @@
     "inquirer": "8.2.7",
     "jwk-to-pem": "2.0.7",
     "jwks-rsa": "3.2.0",
-    "mocha": "11.7.2",
+    "mocha": "11.7.3",
     "mocha-slow-test-reporter": "0.1.2",
     "mock-knex": "TryGhost/mock-knex#68948e11b0ea4fe63456098dfdc169bea7f62009",
     "nock": "13.5.6",
@@ -273,7 +273,7 @@
     "jackspeak": "2.3.6",
     "moment": "2.24.0",
     "moment-timezone": "0.5.45",
-    "@tryghost/i18n": "file:components/tryghost-i18n-6.1.0.tgz"
+    "@tryghost/i18n": "file:components/tryghost-i18n-6.3.0.tgz"
   },
   "nx": {
     "targets": {