ghost 6.2.0 → 6.3.1

package/core/server/services/stats/ReferrersStatsService.js

@@ -1,4 +1,5 @@
 const moment = require('moment');
+const errors = require('@tryghost/errors');
 
 // Import centralized date utilities
 const {getDateBoundaries, applyDateFilter} = require('./utils/date-utils');
@@ -261,7 +262,7 @@ class ReferrersStatsService {
     async fetchMrrSourcesWithRange(options) {
         const knex = this.knex;
         const {dateFrom: startDateTime, dateTo: endDateTime} = getDateBoundaries(options);
-        
+
         // Join subscription created events with paid subscription events to get MRR changes
         let query = knex('members_subscription_created_events as msce')
             .join('members_paid_subscription_events as mpse', function () {
@@ -275,10 +276,10 @@ class ReferrersStatsService {
             .whereNotNull('msce.referrer_source') // Only entries with attribution
             .groupBy('date', 'msce.referrer_source')
             .orderBy('date');
-            
+
         // Apply centralized date filtering
         applyDateFilter(query, startDateTime, endDateTime, 'msce.created_at');
-        
+
         const rows = await query;
 
         return rows;
@@ -293,7 +294,7 @@ class ReferrersStatsService {
     async fetchMemberCountsBySource(options) {
         const knex = this.knex;
         const {dateFrom: startDateTime, dateTo: endDateTime} = getDateBoundaries(options);
-        
+
         // Query 1: Free members who haven't converted to paid within the same time window
         const freeSignupsQuery = knex('members_created_events as mce')
             .select('mce.referrer_source as source')
@@ -306,7 +307,7 @@ class ReferrersStatsService {
             })
             .whereNull('msce.id')
             .groupBy('mce.referrer_source');
-            
+
         // Apply date filtering to the main query
         applyDateFilter(freeSignupsQuery, startDateTime, endDateTime, 'mce.created_at');
 
@@ -315,7 +316,7 @@ class ReferrersStatsService {
             .select('msce.referrer_source as source')
             .select(knex.raw('COUNT(DISTINCT msce.member_id) as paid_conversions'))
             .groupBy('msce.referrer_source');
-            
+
         // Apply date filtering to the paid conversions query
         applyDateFilter(paidConversionsQuery, startDateTime, endDateTime, 'msce.created_at');
 
@@ -327,7 +328,7 @@ class ReferrersStatsService {
 
         // Combine results by source
         const sourceMap = new Map();
-        
+
         // Add free signups
         freeResults.forEach((row) => {
             sourceMap.set(row.source, {
@@ -336,7 +337,7 @@ class ReferrersStatsService {
                 paid_conversions: 0
             });
         });
-        
+
         // Add paid conversions
         paidResults.forEach((row) => {
             const existing = sourceMap.get(row.source);
@@ -367,11 +368,11 @@ class ReferrersStatsService {
      */
     async getTopSourcesWithRange(options = {}) {
         const {orderBy = 'signups desc', limit = 50} = options;
-        
+
         // Get deduplicated member counts and MRR data in parallel
         const [memberCounts, mrrEntries] = await Promise.all([
             this.fetchMemberCountsBySource(options),
-            this.fetchMrrSourcesWithRange(options) 
+            this.fetchMrrSourcesWithRange(options)
         ]);
 
         // Aggregate by source (not by date + source)
@@ -416,10 +417,10 @@ class ReferrersStatsService {
 
         // Apply sorting - only allow descending sorts for sources
         const [field] = orderBy.split(' ');
-        
+
         results.sort((a, b) => {
             let valueA; let valueB;
-            
+
             switch (field) {
             case 'signups':
                 valueA = a.signups;
@@ -455,6 +456,264 @@ class ReferrersStatsService {
             meta: {}
         };
     }
+
+    /**
+     * Fetch free member counts by UTM parameter with date range
+     * Returns members who haven't converted to paid within the same time window
+     * @param {string} utmField - The UTM field to group by
+     * @param {Object} options - Query options
+     * @returns {Promise<{utm_value: string, signups: number}[]>}
+     **/
+    async fetchMemberCountsByUtm(utmField, options) {
+        // Validate utm_field for defense-in-depth (even though caller validates)
+        const validUtmFields = ['utm_source', 'utm_medium', 'utm_campaign', 'utm_term', 'utm_content'];
+        if (!validUtmFields.includes(utmField)) {
+            throw new errors.BadRequestError({
+                message: `Invalid UTM field: ${utmField}. Must be one of: ${validUtmFields.join(', ')}`
+            });
+        }
+
+        const knex = this.knex;
+        const {dateFrom: startDateTime, dateTo: endDateTime} = getDateBoundaries(options);
+        const {post_id: postId} = options;
+
+        // Query: Free members who haven't converted to paid within the same time window
+        const freeSignupsQuery = knex('members_created_events as mce')
+            .select(knex.raw(`mce.${utmField} as utm_value`))
+            .select(knex.raw('COUNT(DISTINCT mce.member_id) as signups'))
+            .leftJoin('members_subscription_created_events as msce', function () {
+                this.on('mce.member_id', '=', 'msce.member_id')
+                    // Filter msce.created_at: only count conversions within the same time window
+                    // This ensures we don't count conversions that happened outside our date range
+                    .andOn('msce.created_at', '>=', knex.raw('?', [startDateTime]))
+                    .andOn('msce.created_at', '<=', knex.raw('?', [endDateTime]));
+            })
+            .whereNull('msce.id')
+            .whereNotNull(`mce.${utmField}`)
+            .groupBy(`mce.${utmField}`);
+
+        // Filter mce.created_at: only include members created within the date range
+        applyDateFilter(freeSignupsQuery, startDateTime, endDateTime, 'mce.created_at');
+
+        // Apply post filtering if post_id is provided
+        if (postId) {
+            freeSignupsQuery
+                .where('mce.attribution_id', postId)
+                .where('mce.attribution_type', 'post');
+        }
+
+        const results = await freeSignupsQuery;
+        return results.map(row => ({
+            utm_value: row.utm_value,
+            signups: parseInt(row.signups) || 0
+        }));
+    }
+
+    /**
+     * Fetch paid conversion counts by UTM parameter with date range
+     * @param {string} utmField - The UTM field to group by
+     * @param {Object} options - Query options
+     * @returns {Promise<{utm_value: string, paid_conversions: number}[]>}
+     **/
+    async fetchPaidConversionsByUtm(utmField, options) {
+        // Validate utm_field for defense-in-depth (even though caller validates)
+        const validUtmFields = ['utm_source', 'utm_medium', 'utm_campaign', 'utm_term', 'utm_content'];
+        if (!validUtmFields.includes(utmField)) {
+            throw new errors.BadRequestError({
+                message: `Invalid UTM field: ${utmField}. Must be one of: ${validUtmFields.join(', ')}`
+            });
+        }
+
+        const knex = this.knex;
+        const {dateFrom: startDateTime, dateTo: endDateTime} = getDateBoundaries(options);
+        const {post_id: postId} = options;
+
+        const paidConversionsQuery = knex('members_subscription_created_events as msce')
+            .select(knex.raw(`msce.${utmField} as utm_value`))
+            .select(knex.raw('COUNT(DISTINCT msce.member_id) as paid_conversions'))
+            .whereNotNull(`msce.${utmField}`)
+            .groupBy(`msce.${utmField}`);
+
+        // Apply date filtering
+        applyDateFilter(paidConversionsQuery, startDateTime, endDateTime, 'msce.created_at');
+
+        // Apply post filtering if post_id is provided
+        if (postId) {
+            paidConversionsQuery
+                .where('msce.attribution_id', postId)
+                .where('msce.attribution_type', 'post');
+        }
+
+        const results = await paidConversionsQuery;
+        return results.map(row => ({
+            utm_value: row.utm_value,
+            paid_conversions: parseInt(row.paid_conversions) || 0
+        }));
+    }
+
+    /**
+     * Fetch MRR by UTM parameter with date range
+     * @param {string} utmField - The UTM field to group by
+     * @param {Object} options - Query options
+     * @returns {Promise<{utm_value: string, mrr: number}[]>}
+     **/
+    async fetchMrrByUtm(utmField, options) {
+        // Validate utm_field for defense-in-depth (even though caller validates)
+        const validUtmFields = ['utm_source', 'utm_medium', 'utm_campaign', 'utm_term', 'utm_content'];
+        if (!validUtmFields.includes(utmField)) {
+            throw new errors.BadRequestError({
+                message: `Invalid UTM field: ${utmField}. Must be one of: ${validUtmFields.join(', ')}`
+            });
+        }
+
+        const knex = this.knex;
+        const {dateFrom: startDateTime, dateTo: endDateTime} = getDateBoundaries(options);
+        const {post_id: postId} = options;
+
+        // Join subscription created events with paid subscription events to get MRR changes
+        let query = knex('members_subscription_created_events as msce')
+            .join('members_paid_subscription_events as mpse', function () {
+                this.on('msce.member_id', '=', 'mpse.member_id')
+                    .andOn('msce.subscription_id', '=', 'mpse.subscription_id');
+            })
+            .select(knex.raw(`msce.${utmField} as utm_value`))
+            .select(knex.raw(`SUM(mpse.mrr_delta) as mrr`))
+            .where('mpse.mrr_delta', '>', 0) // Only positive MRR changes (new subscriptions)
+            .whereNotNull(`msce.${utmField}`)
+            .groupBy(`msce.${utmField}`);
+
+        // Apply date filtering
+        applyDateFilter(query, startDateTime, endDateTime, 'msce.created_at');
+
+        // Apply post filtering if post_id is provided
+        if (postId) {
+            query
+                .where('msce.attribution_id', postId)
+                .where('msce.attribution_type', 'post');
+        }
+
+        const results = await query;
+        return results.map(row => ({
+            utm_value: row.utm_value,
+            mrr: parseInt(row.mrr) || 0
+        }));
+    }
+
+    /**
+     * Get UTM growth stats broken down by UTM parameter
+     * @param {Object} options
+     * @param {string} [options.utm_type='utm_source'] - Which UTM field to group by ('utm_source', 'utm_medium', 'utm_campaign', 'utm_term', 'utm_content')
+     * @param {string} [options.order='free_members desc'] - Sort order
+     * @param {number} [options.limit=50] - Maximum number of results
+     * @param {string} [options.date_from] - Start date in YYYY-MM-DD format
+     * @param {string} [options.date_to] - End date in YYYY-MM-DD format
+     * @param {string} [options.timezone] - Timezone to use for date interpretation
+     * @param {string} [options.post_id] - Optional filter by post ID
+     * @returns {Promise<{data: UtmGrowthStat[], meta: {}}>}
+     */
+    async getUtmGrowthStats(options = {}) {
+        const utmField = options.utm_type || 'utm_source';
+        const limit = options.limit || 50;
+        const postId = options.post_id;
+        const orderBy = options.order || 'free_members desc';
+
+        // Validate utm_type is a valid UTM field
+        const validUtmFields = ['utm_source', 'utm_medium', 'utm_campaign', 'utm_term', 'utm_content'];
+        if (!validUtmFields.includes(utmField)) {
+            throw new errors.BadRequestError({
+                message: `Invalid utm_type: ${utmField}. Must be one of: ${validUtmFields.join(', ')}`
+            });
+        }
+
+        // Fetch data from database in parallel
+        const [freeMembers, paidConversions, mrrData] = await Promise.all([
+            this.fetchMemberCountsByUtm(utmField, options),
+            this.fetchPaidConversionsByUtm(utmField, options),
+            this.fetchMrrByUtm(utmField, options)
+        ]);
+
+        // Combine results by utm_value
+        const utmMap = new Map();
+
+        // Add free members
+        freeMembers.forEach((row) => {
+            utmMap.set(row.utm_value, {
+                utm_value: row.utm_value,
+                utm_type: utmField,
+                free_members: row.signups,
+                paid_members: 0,
+                mrr: 0
+            });
+        });
+
+        // Add paid conversions
+        paidConversions.forEach((row) => {
+            const existing = utmMap.get(row.utm_value);
+            if (existing) {
+                existing.paid_members = row.paid_conversions;
+            } else {
+                utmMap.set(row.utm_value, {
+                    utm_value: row.utm_value,
+                    utm_type: utmField,
+                    free_members: 0,
+                    paid_members: row.paid_conversions,
+                    mrr: 0
+                });
+            }
+        });
+
+        // Add MRR data
+        mrrData.forEach((row) => {
+            const existing = utmMap.get(row.utm_value);
+            if (existing) {
+                existing.mrr = row.mrr;
+            } else {
+                utmMap.set(row.utm_value, {
+                    utm_value: row.utm_value,
+                    utm_type: utmField,
+                    free_members: 0,
+                    paid_members: 0,
+                    mrr: row.mrr
+                });
+            }
+        });
+
+        // Convert to array
+        let results = Array.from(utmMap.values());
+
+        // Apply sorting
+        const [field, direction] = orderBy.split(' ');
+        const validFields = ['free_members', 'paid_members', 'mrr', 'utm_value'];
+
+        if (validFields.includes(field)) {
+            results.sort((a, b) => {
+                let valueA = a[field];
+                let valueB = b[field];
+
+                // Handle string sorting for utm_value
+                if (field === 'utm_value') {
+                    valueA = String(valueA).toLowerCase();
+                    valueB = String(valueB).toLowerCase();
+                }
+
+                if (direction === 'asc') {
+                    return valueA < valueB ? -1 : valueA > valueB ? 1 : 0;
+                }
+                // Default to desc
+                return valueA < valueB ? 1 : valueA > valueB ? -1 : 0;
+            });
+        }
+
+        // Apply limit (but not when filtering by post as per original implementation)
+        if (!postId && limit && limit > 0) {
+            results = results.slice(0, limit);
+        }
+
+        return {
+            data: results,
+            meta: {}
+        };
+    }
 }
 
 module.exports = ReferrersStatsService;
@@ -507,3 +766,13 @@ module.exports.normalizeSource = normalizeSource;
  * @property {number} mrr Total MRR from this source (in cents)
  * @property {string} date The date (YYYY-MM-DD) on which these counts were recorded
  **/
+
+/**
+ * @typedef {object} UtmGrowthStat
+ * @type {Object}
+ * @property {string} utm_value - The UTM parameter value (e.g., 'google', 'facebook')
+ * @property {string} utm_type - The UTM parameter type ('utm_source', 'utm_medium', 'utm_campaign', 'utm_term', 'utm_content')
+ * @property {number} free_members - Count of free member signups
+ * @property {number} paid_members - Count of paid member conversions
+ * @property {number} mrr - Total MRR from this UTM parameter (in cents)
+ **/

package/core/server/services/stats/StatsService.js

@@ -244,6 +244,23 @@ class StatsService {
         return this.referrers.getTopSourcesWithRange(options);
     }
 
+    /**
+     * Get UTM growth stats broken down by UTM field
+     * Can be filtered by post using post_id parameter
+     * @param {Object} options
+     * @param {string} [options.utm_type='utm_source'] - Which UTM field to group by ('utm_source', 'utm_medium', 'utm_campaign', 'utm_term', 'utm_content')
+     * @param {string} [options.order='free_members desc'] - Sort order
+     * @param {number} [options.limit=50] - Maximum number of results (ignored when filtering by post)
+     * @param {string} [options.date_from] - Start date in YYYY-MM-DD format
+     * @param {string} [options.date_to] - End date in YYYY-MM-DD format
+     * @param {string} [options.timezone] - Timezone to use for date interpretation
+     * @param {string} [options.post_id] - Optional filter by post ID
+     * @returns {Promise<{data: import('./ReferrersStatsService').UtmGrowthStat[], meta: {}}>}
+     */
+    async getUtmGrowthStats(options = {}) {
+        return this.referrers.getUtmGrowthStats(options);
+    }
+
     /**
      * @param {object} deps
      *

package/core/server/services/stripe/StripeAPI.js

@@ -526,13 +526,18 @@ module.exports = class StripeAPI {
             items: [{
                 plan: priceId
             }],
-            metadata: { 
+            metadata: {
                 attribution_id: metadata?.attribution_id,
                 attribution_url: metadata?.attribution_url,
                 attribution_type: metadata?.attribution_type,
                 referrer_source: metadata?.referrer_source,
                 referrer_medium: metadata?.referrer_medium,
-                referrer_url: metadata?.referrer_url
+                referrer_url: metadata?.referrer_url,
+                utm_source: metadata?.utm_source,
+                utm_medium: metadata?.utm_medium,
+                utm_campaign: metadata?.utm_campaign,
+                utm_term: metadata?.utm_term,
+                utm_content: metadata?.utm_content
             }
         };
 

package/core/server/services/stripe/services/webhook/CheckoutSessionEventService.js

@@ -75,7 +75,12 @@ module.exports = class CheckoutSessionEventService {
             attributionType: session.metadata?.attribution_type ?? null,
             referrerSource: session.metadata?.referrer_source ?? null,
             referrerMedium: session.metadata?.referrer_medium ?? null,
-            referrerUrl: session.metadata?.referrer_url ?? null
+            referrerUrl: session.metadata?.referrer_url ?? null,
+            utmSource: session.metadata?.utm_source ?? null,
+            utmMedium: session.metadata?.utm_medium ?? null,
+            utmCampaign: session.metadata?.utm_campaign ?? null,
+            utmTerm: session.metadata?.utm_term ?? null,
+            utmContent: session.metadata?.utm_content ?? null
         });
 
         const donationRepository = this.deps.donationRepository;

package/core/server/web/api/endpoints/admin/routes.js

@@ -165,6 +165,7 @@ module.exports = function apiRoutes() {
     router.get('/stats/posts/:id/top-referrers', mw.authAdminApi, http(api.stats.postReferrersAlpha));
     router.get('/stats/posts/:id/growth', mw.authAdminApi, http(api.stats.postGrowthStats));
     router.get('/stats/top-sources-growth', mw.authAdminApi, http(api.stats.topSourcesGrowth));
+    router.get('/stats/utm-growth', mw.authAdminApi, http(api.stats.utmGrowth));
     router.post('/stats/posts-visitor-counts', mw.authAdminApi, http(api.stats.postsVisitorCounts));
     router.post('/stats/posts-member-counts', mw.authAdminApi, http(api.stats.postsMemberCounts));
 

package/core/server/web/members/app.js

@@ -89,6 +89,8 @@ module.exports = function setupMembersApp() {
         '/api/verify-otc',
         bodyParser.json(),
         middleware.verifyIntegrityToken,
+        shared.middleware.brute.otcVerificationEnumeration,
+        shared.middleware.brute.otcVerification,
         // NOTE: this is wrapped in a function to ensure we always go via the getter
         function lazyVerifyOTCMw(req, res, next) {
             return membersService.api.middleware.verifyOTC(req, res, next);

package/core/server/web/shared/middleware/api/spam-prevention.js

@@ -21,6 +21,10 @@ const messages = {
         context: 'Too many login attempts.'
     },
     tooManyAttempts: 'Too many attempts.',
+    tooManyOTCVerificationAttempts: {
+        error: 'Too many attempts for this verification code.',
+        context: 'Too many verification code attempts.'
+    },
     webmentionsBlock: 'Too many mention attempts',
     emailPreviewBlock: 'Only 10 test emails can be sent per hour'
 };
@@ -35,6 +39,8 @@ let spamMemberLogin = spam.member_login || {};
 let spamContentApiKey = spam.content_api_key || {};
 let spamWebmentionsBlock = spam.webmentions_block || {};
 let spamEmailPreviewBlock = spam.email_preview_block || {};
+let spamOtcVerificationEnumeration = spam.otc_verification_enumeration || {};
+let spamOtcVerification = spam.otc_verification || {};
 
 let store;
 let memoryStore;
@@ -50,6 +56,8 @@ let sendVerificationCodeInstance;
 let userVerificationInstance;
 let contentApiKeyInstance;
 let emailPreviewBlockInstance;
+let otcVerificationEnumerationInstance;
+let otcVerificationInstance;
 
 const spamConfigKeys = ['freeRetries', 'minWait', 'maxWait', 'lifetime'];
 
@@ -248,6 +256,68 @@ const membersAuthEnumeration = () => {
     return membersAuthEnumerationInstance;
 };
 
+const otcVerificationEnumeration = () => {
+    const ExpressBrute = require('express-brute');
+    const BruteKnex = require('brute-knex');
+    const db = require('../../../../data/db');
+
+    store = store || new BruteKnex({
+        tablename: 'brute',
+        createTable: false,
+        knex: db.knex
+    });
+
+    if (!otcVerificationEnumerationInstance) {
+        otcVerificationEnumerationInstance = new ExpressBrute(store,
+            extend({
+                attachResetToRequest: false,
+                failCallback(req, res, next, nextValidRequestDate) {
+                    return next(new errors.TooManyRequestsError({
+                        message: `Too many verification attempts across multiple codes, try again in ${moment(nextValidRequestDate).fromNow(true)}`,
+                        context: tpl(messages.tooManyOTCVerificationAttempts.context),
+                        help: tpl(messages.tooManyOTCVerificationAttempts.context),
+                        code: 'OTC_TOTAL_ATTEMPTS_RATE_LIMITED'
+                    }));
+                },
+                handleStoreError: handleStoreError
+            }, pick(spamOtcVerificationEnumeration, spamConfigKeys))
+        );
+    }
+
+    return otcVerificationEnumerationInstance;
+};
+
+const otcVerification = () => {
+    const ExpressBrute = require('express-brute');
+    const BruteKnex = require('brute-knex');
+    const db = require('../../../../data/db');
+
+    store = store || new BruteKnex({
+        tablename: 'brute',
+        createTable: false,
+        knex: db.knex
+    });
+
+    if (!otcVerificationInstance) {
+        otcVerificationInstance = new ExpressBrute(store,
+            extend({
+                attachResetToRequest: false,
+                failCallback(req, res, next, nextValidRequestDate) {
+                    return next(new errors.TooManyRequestsError({
+                        message: `Too many attempts for this verification code, try again in ${moment(nextValidRequestDate).fromNow(true)}`,
+                        context: tpl(messages.tooManyOTCVerificationAttempts.context),
+                        help: tpl(messages.tooManyOTCVerificationAttempts.context),
+                        code: 'OTC_CODE_ATTEMPTS_RATE_LIMITED'
+                    }));
+                },
+                handleStoreError: handleStoreError
+            }, pick(spamOtcVerification, spamConfigKeys))
+        );
+    }
+
+    return otcVerificationInstance;
+};
+
 // Stops login attempts for a user+IP pair with an increasing time period starting from 10 minutes
 // and rising to a week in a fibonnaci sequence
 // The user+IP count is reset when on successful login
@@ -432,6 +502,8 @@ module.exports = {
     userVerification: userVerification,
     membersAuth: membersAuth,
     membersAuthEnumeration: membersAuthEnumeration,
+    otcVerification: otcVerification,
+    otcVerificationEnumeration: otcVerificationEnumeration,
     userReset: userReset,
     privateBlog: privateBlog,
     contentApiKey: contentApiKey,
@@ -450,6 +522,8 @@ module.exports = {
         sendVerificationCodeInstance = undefined;
         userVerificationInstance = undefined;
         contentApiKeyInstance = undefined;
+        otcVerificationEnumerationInstance = undefined;
+        otcVerificationInstance = undefined;
 
         spam = config.get('spam') || {};
         spamPrivateBlock = spam.private_block || {};
@@ -461,5 +535,7 @@ module.exports = {
         spamUserVerification = spam.user_verification || {};
         spamMemberLogin = spam.member_login || {};
         spamContentApiKey = spam.content_api_key || {};
+        spamOtcVerificationEnumeration = spam.otc_verification_enumeration || {};
+        spamOtcVerification = spam.otc_verification || {};
     }
 };

package/core/server/web/shared/middleware/brute.js

@@ -128,6 +128,29 @@ module.exports = {
         return spamPrevention.membersAuthEnumeration().prevent(req, res, next);
     },
 
+    /**
+     * Block too many OTC verification attempts from same IP (blocks user enumeration)
+     */
+    otcVerificationEnumeration(req, res, next) {
+        return spamPrevention.otcVerificationEnumeration().prevent(req, res, next);
+    },
+
+    /**
+     * Block too many attempts for the same otcRef
+     */
+    otcVerification(req, res, next) {
+        return spamPrevention.otcVerification().getMiddleware({
+            // ignoring IP here blocks rotating ip attacks, only one IP should receive an otcRef so it shouldn't cause false positives
+            ignoreIP: true,
+            key(_req, _res, _next) {
+                if (_req.body.otcRef) {
+                    return _next(`${_req.body.otcRef}otc_verification`);
+                }
+                return _next();
+            }
+        })(req, res, next);
+    },
+
     /**
      * Blocks webmention spam
      */

package/core/shared/config/defaults.json

@@ -130,6 +130,18 @@
             "lifetime": 3600,
             "freeRetries": 10
         },
+        "otc_verification_enumeration": {
+            "minWait": 600000,
+            "maxWait": 43200000,
+            "lifetime": 43200,
+            "freeRetries": 8
+        },
+        "otc_verification": {
+            "minWait": 3600000,
+            "maxWait": 3600000,
+            "lifetime": 3600,
+            "freeRetries": 4
+        },
         "blocked_email_domains": []
     },
     "caching": {
@@ -212,7 +224,7 @@
     },
     "portal": {
         "url": "https://cdn.jsdelivr.net/ghost/portal@~{version}/umd/portal.min.js",
-        "version": "2.54"
+        "version": "2.55"
     },
     "sodoSearch": {
         "url": "https://cdn.jsdelivr.net/ghost/sodo-search@~{version}/umd/sodo-search.min.js",

package/core/shared/config/env/config.testing-browser.json

@@ -70,6 +70,18 @@
             "maxWait": 360000,
             "lifetime": 3600,
             "freeRetries": 10
+        },
+        "otc_verification_enumeration": {
+            "minWait": 600000,
+            "maxWait": 43200000,
+            "lifetime": 43200,
+            "freeRetries": 8
+        },
+        "otc_verification": {
+            "minWait": 300000,
+            "maxWait": 3600000,
+            "lifetime": 3600,
+            "freeRetries": 4
         }
     },
     "privacy": {

package/core/shared/config/env/config.testing-mysql.json

@@ -74,6 +74,18 @@
             "maxWait": 360000,
             "lifetime": 3600,
             "freeRetries": 10
+        },
+        "otc_verification_enumeration": {
+            "minWait": 600000,
+            "maxWait": 43200000,
+            "lifetime": 43200,
+            "freeRetries": 8
+        },
+        "otc_verification": {
+            "minWait": 300000,
+            "maxWait": 3600000,
+            "lifetime": 3600,
+            "freeRetries": 4
         }
     },
     "privacy": {