ghost 6.2.0 → 6.3.0

package/core/server/services/stats/ReferrersStatsService.js

@@ -1,4 +1,5 @@
 const moment = require('moment');
+const errors = require('@tryghost/errors');
 
 // Import centralized date utilities
 const {getDateBoundaries, applyDateFilter} = require('./utils/date-utils');
@@ -455,6 +456,138 @@ class ReferrersStatsService {
             meta: {}
         };
     }
+
+    /**
+     * Get UTM growth stats broken down by UTM parameter (fixture data for now)
+     * @param {Object} options
+     * @param {string} [options.utm_type='utm_source'] - Which UTM field to group by ('utm_source', 'utm_medium', 'utm_campaign', 'utm_term', 'utm_content')
+     * @param {string} [options.order='free_members desc'] - Sort order
+     * @param {number} [options.limit=50] - Maximum number of results
+     * @param {string} [options.post_id] - Optional filter by post ID
+     * @returns {Promise<{data: UtmGrowthStat[], meta: {}}>}
+     */
+    async getUtmGrowthStats(options = {}) {
+        const utmField = options.utm_type || 'utm_source';
+        const limit = options.limit || 50;
+        const postId = options.post_id;
+
+        // Validate utm_type is a valid UTM field
+        const validUtmFields = ['utm_source', 'utm_medium', 'utm_campaign', 'utm_term', 'utm_content'];
+        if (!validUtmFields.includes(utmField)) {
+            throw new errors.BadRequestError({
+                message: `Invalid utm_type: ${utmField}. Must be one of: ${validUtmFields.join(', ')}`
+            });
+        }
+
+        // Fixture data; will replace with real data once members service is wired up fully
+        let fixtureData = this._getUtmFixtureData(utmField);
+
+        // If filtering by post, scale down the data
+        if (postId) {
+            fixtureData = fixtureData.map(item => ({
+                ...item,
+                free_members: Math.floor(item.free_members * 0.3), // 30% of global
+                paid_members: Math.floor(item.paid_members * 0.25), // 25% of global
+                mrr: Math.floor(item.mrr * 0.25) // 25% of global
+            })).filter(item => item.free_members > 0 || item.paid_members > 0); // Only include items with data
+        }
+
+        const sortedData = this._sortUtmData(fixtureData, options.order);
+        const limitedData = postId ? sortedData : (limit > 0 ? sortedData.slice(0, limit) : sortedData);
+
+        return {
+            data: limitedData,
+            meta: {}
+        };
+    }
+
+    /**
+     * Generate fixture data for UTM parameters
+     * @private
+     * @param {string} utmField - The UTM field ('utm_source', 'utm_medium', 'utm_campaign', 'utm_term', 'utm_content')
+     * @returns {UtmGrowthStat[]}
+     */
+    _getUtmFixtureData(utmField) {
+        const fixtures = {
+            utm_source: [
+                {utm_value: 'google', utm_type: 'utm_source', free_members: 100, paid_members: 20, mrr: 10000},
+                {utm_value: 'facebook', utm_type: 'utm_source', free_members: 80, paid_members: 15, mrr: 7500},
+                {utm_value: 'twitter', utm_type: 'utm_source', free_members: 60, paid_members: 10, mrr: 5000},
+                {utm_value: 'newsletter', utm_type: 'utm_source', free_members: 40, paid_members: 25, mrr: 12500},
+                {utm_value: 'linkedin', utm_type: 'utm_source', free_members: 35, paid_members: 12, mrr: 6000},
+                {utm_value: 'reddit', utm_type: 'utm_source', free_members: 25, paid_members: 5, mrr: 2500},
+                {utm_value: 'youtube', utm_type: 'utm_source', free_members: 20, paid_members: 8, mrr: 4000},
+                {utm_value: 'instagram', utm_type: 'utm_source', free_members: 18, paid_members: 6, mrr: 3000}
+            ],
+            utm_medium: [
+                {utm_value: 'organic', utm_type: 'utm_medium', free_members: 150, paid_members: 30, mrr: 15000},
+                {utm_value: 'cpc', utm_type: 'utm_medium', free_members: 90, paid_members: 20, mrr: 10000},
+                {utm_value: 'email', utm_type: 'utm_medium', free_members: 70, paid_members: 20, mrr: 10000},
+                {utm_value: 'social', utm_type: 'utm_medium', free_members: 30, paid_members: 10, mrr: 5000},
+                {utm_value: 'referral', utm_type: 'utm_medium', free_members: 25, paid_members: 8, mrr: 4000},
+                {utm_value: 'display', utm_type: 'utm_medium', free_members: 15, paid_members: 3, mrr: 1500}
+            ],
+            utm_campaign: [
+                {utm_value: 'spring-sale', utm_type: 'utm_campaign', free_members: 120, paid_members: 35, mrr: 17500},
+                {utm_value: 'product-launch', utm_type: 'utm_campaign', free_members: 80, paid_members: 20, mrr: 10000},
+                {utm_value: 'webinar-series', utm_type: 'utm_campaign', free_members: 60, paid_members: 15, mrr: 7500},
+                {utm_value: 'holiday-promo', utm_type: 'utm_campaign', free_members: 45, paid_members: 18, mrr: 9000},
+                {utm_value: 'content-upgrade', utm_type: 'utm_campaign', free_members: 30, paid_members: 8, mrr: 4000},
+                {utm_value: 'partner-collab', utm_type: 'utm_campaign', free_members: 25, paid_members: 12, mrr: 6000}
+            ],
+            utm_term: [
+                {utm_value: 'best-email-marketing', utm_type: 'utm_term', free_members: 85, paid_members: 22, mrr: 11000},
+                {utm_value: 'ghost-cms', utm_type: 'utm_term', free_members: 70, paid_members: 18, mrr: 9000},
+                {utm_value: 'newsletter-platform', utm_type: 'utm_term', free_members: 55, paid_members: 15, mrr: 7500},
+                {utm_value: 'content-management', utm_type: 'utm_term', free_members: 40, paid_members: 10, mrr: 5000},
+                {utm_value: 'publishing-platform', utm_type: 'utm_term', free_members: 30, paid_members: 8, mrr: 4000},
+                {utm_value: 'membership-software', utm_type: 'utm_term', free_members: 20, paid_members: 5, mrr: 2500}
+            ],
+            utm_content: [
+                {utm_value: 'hero-cta', utm_type: 'utm_content', free_members: 95, paid_members: 25, mrr: 12500},
+                {utm_value: 'sidebar-banner', utm_type: 'utm_content', free_members: 75, paid_members: 18, mrr: 9000},
+                {utm_value: 'footer-link', utm_type: 'utm_content', free_members: 50, paid_members: 12, mrr: 6000},
+                {utm_value: 'email-button', utm_type: 'utm_content', free_members: 45, paid_members: 15, mrr: 7500},
+                {utm_value: 'popup-form', utm_type: 'utm_content', free_members: 35, paid_members: 8, mrr: 4000},
+                {utm_value: 'text-link', utm_type: 'utm_content', free_members: 25, paid_members: 6, mrr: 3000}
+            ]
+        };
+
+        return fixtures[utmField] || fixtures.utm_source;
+    }
+
+    /**
+     * Sort UTM data by the specified order
+     * @private
+     * @param {UtmGrowthStat[]} data
+     * @param {string} [order='free_members desc']
+     * @returns {UtmGrowthStat[]}
+     */
+    _sortUtmData(data, order = 'free_members desc') {
+        const [field, direction] = order.split(' ');
+        const validFields = ['free_members', 'paid_members', 'mrr', 'utm_value'];
+
+        if (!validFields.includes(field)) {
+            return data;
+        }
+
+        return [...data].sort((a, b) => {
+            let valueA = a[field];
+            let valueB = b[field];
+
+            // Handle string sorting for utm_value
+            if (field === 'utm_value') {
+                valueA = String(valueA).toLowerCase();
+                valueB = String(valueB).toLowerCase();
+            }
+
+            if (direction === 'asc') {
+                return valueA < valueB ? -1 : valueA > valueB ? 1 : 0;
+            }
+            // Default to desc
+            return valueA < valueB ? 1 : valueA > valueB ? -1 : 0;
+        });
+    }
 }
 
 module.exports = ReferrersStatsService;
@@ -507,3 +640,13 @@ module.exports.normalizeSource = normalizeSource;
  * @property {number} mrr Total MRR from this source (in cents)
  * @property {string} date The date (YYYY-MM-DD) on which these counts were recorded
  **/
+
+/**
+ * @typedef {object} UtmGrowthStat
+ * @type {Object}
+ * @property {string} utm_value - The UTM parameter value (e.g., 'google', 'facebook')
+ * @property {string} utm_type - The UTM parameter type ('utm_source', 'utm_medium', 'utm_campaign', 'utm_term', 'utm_content')
+ * @property {number} free_members - Count of free member signups
+ * @property {number} paid_members - Count of paid member conversions
+ * @property {number} mrr - Total MRR from this UTM parameter (in cents)
+ **/

package/core/server/services/stats/StatsService.js

@@ -244,6 +244,23 @@ class StatsService {
         return this.referrers.getTopSourcesWithRange(options);
     }
 
+    /**
+     * Get UTM growth stats broken down by UTM field (fixture data)
+     * Can be filtered by post using post_id parameter
+     * @param {Object} options
+     * @param {string} [options.utm_type='utm_source'] - Which UTM field to group by ('utm_source', 'utm_medium', 'utm_campaign', 'utm_term', 'utm_content')
+     * @param {string} [options.order='free_members desc'] - Sort order
+     * @param {number} [options.limit=50] - Maximum number of results (ignored when filtering by post)
+     * @param {string} [options.date_from] - Start date in YYYY-MM-DD format (not yet implemented for fixtures)
+     * @param {string} [options.date_to] - End date in YYYY-MM-DD format (not yet implemented for fixtures)
+     * @param {string} [options.timezone] - Timezone to use for date interpretation (not yet implemented for fixtures)
+     * @param {string} [options.post_id] - Optional filter by post ID
+     * @returns {Promise<{data: import('./ReferrersStatsService').UtmGrowthStat[], meta: {}}>}
+     */
+    async getUtmGrowthStats(options = {}) {
+        return this.referrers.getUtmGrowthStats(options);
+    }
+
     /**
      * @param {object} deps
      *

package/core/server/services/stripe/StripeAPI.js

@@ -526,13 +526,18 @@ module.exports = class StripeAPI {
             items: [{
                 plan: priceId
             }],
-            metadata: { 
+            metadata: {
                 attribution_id: metadata?.attribution_id,
                 attribution_url: metadata?.attribution_url,
                 attribution_type: metadata?.attribution_type,
                 referrer_source: metadata?.referrer_source,
                 referrer_medium: metadata?.referrer_medium,
-                referrer_url: metadata?.referrer_url
+                referrer_url: metadata?.referrer_url,
+                utm_source: metadata?.utm_source,
+                utm_medium: metadata?.utm_medium,
+                utm_campaign: metadata?.utm_campaign,
+                utm_term: metadata?.utm_term,
+                utm_content: metadata?.utm_content
             }
         };
 

package/core/server/services/stripe/services/webhook/CheckoutSessionEventService.js

@@ -75,7 +75,12 @@ module.exports = class CheckoutSessionEventService {
             attributionType: session.metadata?.attribution_type ?? null,
             referrerSource: session.metadata?.referrer_source ?? null,
             referrerMedium: session.metadata?.referrer_medium ?? null,
-            referrerUrl: session.metadata?.referrer_url ?? null
+            referrerUrl: session.metadata?.referrer_url ?? null,
+            utmSource: session.metadata?.utm_source ?? null,
+            utmMedium: session.metadata?.utm_medium ?? null,
+            utmCampaign: session.metadata?.utm_campaign ?? null,
+            utmTerm: session.metadata?.utm_term ?? null,
+            utmContent: session.metadata?.utm_content ?? null
         });
 
         const donationRepository = this.deps.donationRepository;

package/core/server/web/api/endpoints/admin/routes.js

@@ -165,6 +165,7 @@ module.exports = function apiRoutes() {
     router.get('/stats/posts/:id/top-referrers', mw.authAdminApi, http(api.stats.postReferrersAlpha));
     router.get('/stats/posts/:id/growth', mw.authAdminApi, http(api.stats.postGrowthStats));
     router.get('/stats/top-sources-growth', mw.authAdminApi, http(api.stats.topSourcesGrowth));
+    router.get('/stats/utm-growth', mw.authAdminApi, http(api.stats.utmGrowth));
     router.post('/stats/posts-visitor-counts', mw.authAdminApi, http(api.stats.postsVisitorCounts));
     router.post('/stats/posts-member-counts', mw.authAdminApi, http(api.stats.postsMemberCounts));
 

package/core/server/web/members/app.js

@@ -89,6 +89,8 @@ module.exports = function setupMembersApp() {
         '/api/verify-otc',
         bodyParser.json(),
         middleware.verifyIntegrityToken,
+        shared.middleware.brute.otcVerificationEnumeration,
+        shared.middleware.brute.otcVerification,
         // NOTE: this is wrapped in a function to ensure we always go via the getter
         function lazyVerifyOTCMw(req, res, next) {
             return membersService.api.middleware.verifyOTC(req, res, next);

package/core/server/web/shared/middleware/api/spam-prevention.js

@@ -21,6 +21,10 @@ const messages = {
         context: 'Too many login attempts.'
     },
     tooManyAttempts: 'Too many attempts.',
+    tooManyOTCVerificationAttempts: {
+        error: 'Too many attempts for this verification code.',
+        context: 'Too many verification code attempts.'
+    },
     webmentionsBlock: 'Too many mention attempts',
     emailPreviewBlock: 'Only 10 test emails can be sent per hour'
 };
@@ -35,6 +39,8 @@ let spamMemberLogin = spam.member_login || {};
 let spamContentApiKey = spam.content_api_key || {};
 let spamWebmentionsBlock = spam.webmentions_block || {};
 let spamEmailPreviewBlock = spam.email_preview_block || {};
+let spamOtcVerificationEnumeration = spam.otc_verification_enumeration || {};
+let spamOtcVerification = spam.otc_verification || {};
 
 let store;
 let memoryStore;
@@ -50,6 +56,8 @@ let sendVerificationCodeInstance;
 let userVerificationInstance;
 let contentApiKeyInstance;
 let emailPreviewBlockInstance;
+let otcVerificationEnumerationInstance;
+let otcVerificationInstance;
 
 const spamConfigKeys = ['freeRetries', 'minWait', 'maxWait', 'lifetime'];
 
@@ -248,6 +256,68 @@ const membersAuthEnumeration = () => {
     return membersAuthEnumerationInstance;
 };
 
+const otcVerificationEnumeration = () => {
+    const ExpressBrute = require('express-brute');
+    const BruteKnex = require('brute-knex');
+    const db = require('../../../../data/db');
+
+    store = store || new BruteKnex({
+        tablename: 'brute',
+        createTable: false,
+        knex: db.knex
+    });
+
+    if (!otcVerificationEnumerationInstance) {
+        otcVerificationEnumerationInstance = new ExpressBrute(store,
+            extend({
+                attachResetToRequest: false,
+                failCallback(req, res, next, nextValidRequestDate) {
+                    return next(new errors.TooManyRequestsError({
+                        message: `Too many verification attempts across multiple codes, try again in ${moment(nextValidRequestDate).fromNow(true)}`,
+                        context: tpl(messages.tooManyOTCVerificationAttempts.context),
+                        help: tpl(messages.tooManyOTCVerificationAttempts.context),
+                        code: 'OTC_TOTAL_ATTEMPTS_RATE_LIMITED'
+                    }));
+                },
+                handleStoreError: handleStoreError
+            }, pick(spamOtcVerificationEnumeration, spamConfigKeys))
+        );
+    }
+
+    return otcVerificationEnumerationInstance;
+};
+
+const otcVerification = () => {
+    const ExpressBrute = require('express-brute');
+    const BruteKnex = require('brute-knex');
+    const db = require('../../../../data/db');
+
+    store = store || new BruteKnex({
+        tablename: 'brute',
+        createTable: false,
+        knex: db.knex
+    });
+
+    if (!otcVerificationInstance) {
+        otcVerificationInstance = new ExpressBrute(store,
+            extend({
+                attachResetToRequest: false,
+                failCallback(req, res, next, nextValidRequestDate) {
+                    return next(new errors.TooManyRequestsError({
+                        message: `Too many attempts for this verification code, try again in ${moment(nextValidRequestDate).fromNow(true)}`,
+                        context: tpl(messages.tooManyOTCVerificationAttempts.context),
+                        help: tpl(messages.tooManyOTCVerificationAttempts.context),
+                        code: 'OTC_CODE_ATTEMPTS_RATE_LIMITED'
+                    }));
+                },
+                handleStoreError: handleStoreError
+            }, pick(spamOtcVerification, spamConfigKeys))
+        );
+    }
+
+    return otcVerificationInstance;
+};
+
 // Stops login attempts for a user+IP pair with an increasing time period starting from 10 minutes
 // and rising to a week in a fibonnaci sequence
 // The user+IP count is reset when on successful login
@@ -432,6 +502,8 @@ module.exports = {
     userVerification: userVerification,
     membersAuth: membersAuth,
     membersAuthEnumeration: membersAuthEnumeration,
+    otcVerification: otcVerification,
+    otcVerificationEnumeration: otcVerificationEnumeration,
     userReset: userReset,
     privateBlog: privateBlog,
     contentApiKey: contentApiKey,
@@ -450,6 +522,8 @@ module.exports = {
         sendVerificationCodeInstance = undefined;
         userVerificationInstance = undefined;
         contentApiKeyInstance = undefined;
+        otcVerificationEnumerationInstance = undefined;
+        otcVerificationInstance = undefined;
 
         spam = config.get('spam') || {};
         spamPrivateBlock = spam.private_block || {};
@@ -461,5 +535,7 @@ module.exports = {
         spamUserVerification = spam.user_verification || {};
         spamMemberLogin = spam.member_login || {};
         spamContentApiKey = spam.content_api_key || {};
+        spamOtcVerificationEnumeration = spam.otc_verification_enumeration || {};
+        spamOtcVerification = spam.otc_verification || {};
     }
 };

package/core/server/web/shared/middleware/brute.js

@@ -128,6 +128,29 @@ module.exports = {
         return spamPrevention.membersAuthEnumeration().prevent(req, res, next);
     },
 
+    /**
+     * Block too many OTC verification attempts from same IP (blocks user enumeration)
+     */
+    otcVerificationEnumeration(req, res, next) {
+        return spamPrevention.otcVerificationEnumeration().prevent(req, res, next);
+    },
+
+    /**
+     * Block too many attempts for the same otcRef
+     */
+    otcVerification(req, res, next) {
+        return spamPrevention.otcVerification().getMiddleware({
+            // ignoring IP here blocks rotating ip attacks, only one IP should receive an otcRef so it shouldn't cause false positives
+            ignoreIP: true,
+            key(_req, _res, _next) {
+                if (_req.body.otcRef) {
+                    return _next(`${_req.body.otcRef}otc_verification`);
+                }
+                return _next();
+            }
+        })(req, res, next);
+    },
+
     /**
      * Blocks webmention spam
      */

package/core/shared/config/defaults.json

@@ -130,6 +130,18 @@
             "lifetime": 3600,
             "freeRetries": 10
         },
+        "otc_verification_enumeration": {
+            "minWait": 600000,
+            "maxWait": 43200000,
+            "lifetime": 43200,
+            "freeRetries": 8
+        },
+        "otc_verification": {
+            "minWait": 3600000,
+            "maxWait": 3600000,
+            "lifetime": 3600,
+            "freeRetries": 4
+        },
         "blocked_email_domains": []
     },
     "caching": {
@@ -212,7 +224,7 @@
     },
     "portal": {
         "url": "https://cdn.jsdelivr.net/ghost/portal@~{version}/umd/portal.min.js",
-        "version": "2.54"
+        "version": "2.55"
     },
     "sodoSearch": {
         "url": "https://cdn.jsdelivr.net/ghost/sodo-search@~{version}/umd/sodo-search.min.js",

package/core/shared/config/env/config.testing-browser.json

@@ -70,6 +70,18 @@
             "maxWait": 360000,
             "lifetime": 3600,
             "freeRetries": 10
+        },
+        "otc_verification_enumeration": {
+            "minWait": 600000,
+            "maxWait": 43200000,
+            "lifetime": 43200,
+            "freeRetries": 8
+        },
+        "otc_verification": {
+            "minWait": 300000,
+            "maxWait": 3600000,
+            "lifetime": 3600,
+            "freeRetries": 4
         }
     },
     "privacy": {

package/core/shared/config/env/config.testing-mysql.json

@@ -74,6 +74,18 @@
             "maxWait": 360000,
             "lifetime": 3600,
             "freeRetries": 10
+        },
+        "otc_verification_enumeration": {
+            "minWait": 600000,
+            "maxWait": 43200000,
+            "lifetime": 43200,
+            "freeRetries": 8
+        },
+        "otc_verification": {
+            "minWait": 300000,
+            "maxWait": 3600000,
+            "lifetime": 3600,
+            "freeRetries": 4
         }
     },
     "privacy": {

package/core/shared/config/env/config.testing.json

@@ -70,6 +70,18 @@
             "maxWait": 360000,
             "lifetime": 3600,
             "freeRetries": 10
+        },
+        "otc_verification_enumeration": {
+            "minWait": 600000,
+            "maxWait": 43200000,
+            "lifetime": 43200,
+            "freeRetries": 8
+        },
+        "otc_verification": {
+            "minWait": 300000,
+            "maxWait": 3600000,
+            "lifetime": 3600,
+            "freeRetries": 4
         }
     },
     "privacy": {

package/core/shared/labs.js

@@ -48,6 +48,7 @@ const PRIVATE_FEATURES = [
     'contentVisibilityAlpha',
     'emailCustomization',
     'membersSigninOTC',
+    'membersSigninOTCAlpha',
     'tagsX',
     'utmTracking',
     'emailUniqueid'

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ghost",
-  "version": "6.2.0",
+  "version": "6.3.0",
   "description": "The professional publishing platform",
   "author": "Ghost Foundation",
   "homepage": "https://ghost.org",
@@ -86,7 +86,7 @@
     "@tryghost/helpers": "1.1.97",
     "@tryghost/html-to-plaintext": "1.0.4",
     "@tryghost/http-cache-utils": "0.1.20",
-    "@tryghost/i18n": "file:components/tryghost-i18n-6.2.0.tgz",
+    "@tryghost/i18n": "file:components/tryghost-i18n-6.3.0.tgz",
     "@tryghost/image-transform": "1.4.6",
     "@tryghost/job-manager": "1.0.3",
     "@tryghost/kg-card-factory": "5.1.2",
@@ -196,7 +196,7 @@
     "moment": "2.24.0",
     "moment-timezone": "0.5.45",
     "multer": "2.0.2",
-    "mysql2": "3.15.1",
+    "mysql2": "3.15.2",
     "nconf": "0.13.0",
     "node-fetch": "2.7.0",
     "node-jose": "2.2.0",
@@ -208,7 +208,7 @@
     "probe-image-size": "7.2.3",
     "rss": "1.2.2",
     "sanitize-html": "2.17.0",
-    "semver": "7.7.2",
+    "semver": "7.7.3",
     "simple-dom": "1.4.0",
     "stoppable": "1.1.0",
     "stripe": "8.222.0",
@@ -273,7 +273,7 @@
     "jackspeak": "2.3.6",
     "moment": "2.24.0",
     "moment-timezone": "0.5.45",
-    "@tryghost/i18n": "file:components/tryghost-i18n-6.2.0.tgz"
+    "@tryghost/i18n": "file:components/tryghost-i18n-6.3.0.tgz"
   },
   "nx": {
     "targets": {