npm - ghost - Versions diffs - 6.3.1 → 6.4.0 - Mend

ghost 6.3.1 → 6.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (28) hide show

package/core/server/api/endpoints/utils/serializers/output/utils/extra-attrs.js CHANGED Viewed

@@ -8,12 +8,18 @@ const readingMinutes = require('@tryghost/helpers').utils.readingMinutes;
  * @returns {void} - modifies attrs
  */
 module.exports.forPost = (options, model, attrs) => {
+    // requested via `columns`
     const columnsIncludesCustomExcerpt = options.columns?.includes('custom_excerpt');
     const columnsIncludesExcerpt = options.columns?.includes('excerpt');
     const columnsIncludesPlaintext = options.columns?.includes('plaintext');
     const columnsIncludesReadingTime = options.columns?.includes('reading_time');
+    // requested via `formats`
     const formatsIncludesPlaintext = options.formats?.includes('plaintext');
+    // no columns requested
+    const noColumnsRequested = !Object.prototype.hasOwnProperty.call(options, 'columns');
     // 1. Gets excerpt from post's plaintext. If custom_excerpt exists, it overrides the excerpt but the key remains excerpt.
     if (columnsIncludesExcerpt) {
         if (!attrs.custom_excerpt) {
@@ -32,7 +38,6 @@ module.exports.forPost = (options, model, attrs) => {
         }
     }
-    // 2. Displays plaintext if requested via `columns` or `formats`
     if (columnsIncludesPlaintext || formatsIncludesPlaintext) {
         let plaintext = model.get('plaintext');
         if (plaintext) {
@@ -43,7 +48,7 @@ module.exports.forPost = (options, model, attrs) => {
     }
     // 3. Displays excerpt if no columns was requested - specifically needed for the Admin Posts API
-    if (!Object.prototype.hasOwnProperty.call(options, 'columns')) {
+    if (noColumnsRequested) {
         let customExcerpt = model.get('custom_excerpt');
         if (customExcerpt !== null) {
@@ -59,7 +64,7 @@ module.exports.forPost = (options, model, attrs) => {
     }
     // 4. Add `reading_time` if no columns were requested, or if `reading_time` was requested via `columns`
-    if (!Object.prototype.hasOwnProperty.call(options, 'columns') || columnsIncludesReadingTime) {
+    if (noColumnsRequested || columnsIncludesReadingTime) {
         if (attrs.html) {
             let additionalImages = 0;

package/core/server/data/migrations/versions/6.4/2025-10-13-10-18-38-add-tokens-otc-used-count-column.js ADDED Viewed

@@ -0,0 +1,8 @@
+const {createAddColumnMigration} = require('../../utils');
+module.exports = createAddColumnMigration('tokens', 'otc_used_count', {
+    type: 'integer',
+    nullable: false,
+    unsigned: true,
+    defaultTo: 0
+});

package/core/server/data/schema/schema.js CHANGED Viewed

@@ -1,7 +1,7 @@
 /* String Column Sizes Information
  * (From: https://github.com/TryGhost/Ghost/pull/7932)
  * New/Updated column maxlengths should meet these guidlines
- *
+ *
  * Small strings = length 50
  * Medium strings = length 191
  * Large strings = length 2000 (use soft limits via validation for 191-2000)
@@ -925,7 +925,8 @@ module.exports = {
         created_at: {type: 'dateTime', nullable: false},
         updated_at: {type: 'dateTime', nullable: true},
         first_used_at: {type: 'dateTime', nullable: true},
-        used_count: {type: 'integer', nullable: false, unsigned: true, defaultTo: 0}
+        used_count: {type: 'integer', nullable: false, unsigned: true, defaultTo: 0},
+        otc_used_count: {type: 'integer', nullable: false, unsigned: true, defaultTo: 0}
     },
     snippets: {
         id: {type: 'string', maxlength: 24, nullable: false, primary: true},

package/core/server/models/single-use-token.js CHANGED Viewed

@@ -7,6 +7,7 @@ const SingleUseToken = ghostBookshelf.Model.extend({
     defaults() {
         return {
             used_count: 0,
+            otc_used_count: 0,
             uuid: crypto.randomUUID(),
             token: crypto
                 .randomBytes(192 / 8)

package/core/server/services/email-service/email-templates/template.hbs CHANGED Viewed

@@ -9,12 +9,10 @@
     </head>
     <body>
         <span class="preheader">{{preheader}}</span>
-        {{#hasFeature 'emailCustomization'}}
         <!-- SPACING TO AVOID BODY TEXT BEING DUPLICATED IN PREVIEW TEXT -->
         <div style="display:none; max-height:0; overflow:hidden; mso-hide: all;" aria-hidden="true" role="presentation">
             {{{preheaderSpacing}}}
         </div>
-        {{/hasFeature}}
         <!-- HEADER WITH FULL-WIDTH BACKGROUND -->
         {{#if hasHeaderContent}}

package/core/server/services/lib/MailgunClient.js CHANGED Viewed

@@ -68,7 +68,8 @@ module.exports = class MailgunClient {
                 html: messageContent.html,
                 text: messageContent.plaintext,
                 'recipient-variables': JSON.stringify(recipientData),
-                'h:Sender': message.from
+                'h:Sender': message.from,
+                'h:Auto-Submitted': 'auto-generated'
             };
             // Do we have a custom List-Unsubscribe header set?

package/core/server/services/lib/magic-link/MagicLink.js CHANGED Viewed

@@ -243,4 +243,3 @@ function defaultGetSubject(type, otc) {
 }
 module.exports = MagicLink;
-module.exports.JWTTokenProvider = require('./JWTTokenProvider');

package/core/server/services/mail/GhostMailer.js CHANGED Viewed

@@ -17,6 +17,7 @@ const messages = {
     messageSent: 'Message sent. Double check inbox and spam folder!'
 };
 const EmailAddressParser = require('../email-address/EmailAddressParser');
+const DEFAULT_TAGS = ['ghost-email', 'transactional-email'];
 function getDomain() {
     const domain = urlUtils.urlFor('home', true).match(new RegExp('^https?://([^/:?#]+)(?:[/:?#]|$)', 'i'));
@@ -129,6 +130,15 @@ module.exports = class GhostMailer {
         }
         const messageToSend = createMessage(message);
+        if (this.state.usingMailgun) {
+            const tags = this.getTags();
+            if (tags.length > 0) {
+                messageToSend['o:tag'] = tags;
+            }
+            if (settingsCache.get('emailTrackOpens')) {
+                messageToSend['o:tracking-opens'] = true;
+            }
+        }
         const response = await this.sendMail(messageToSend);
@@ -184,4 +194,15 @@ module.exports = class GhostMailer {
         return tpl(messages.messageSent);
     }
+    getTags() {
+        const tagList = [...DEFAULT_TAGS];
+        const siteId = config.get('hostSettings:siteId');
+        if (siteId) {
+            tagList.push(`blog-${siteId}`);
+        }
+        return tagList;
+    }
 };

package/core/server/services/members/SingleUseTokenProvider.js CHANGED Viewed

@@ -9,6 +9,7 @@ const messages = {
     INVALID_OTC_VERIFICATION_HASH: 'Invalid OTC verification hash',
     INVALID_TOKEN: 'Invalid token provided',
     TOKEN_EXPIRED: 'Token expired',
+    OTC_EXPIRED: 'One-time code expired',
     DERIVE_OTC_MISSING_INPUT: 'tokenId and tokenValue are required'
 };
@@ -56,7 +57,7 @@ class SingleUseTokenProvider {
      * @param {Object} [options.transacting] - Database transaction object
      * @param {string} [options.otcVerification] - OTC verification hash for additional validation
      *
-     * @returns {Promise<Object<string, any>>}
+     * @returns {Promise<Object<string, unknown>>}
      */
     async validate(token, options = {}) {
         if (!options.transacting) {
@@ -68,66 +69,13 @@ class SingleUseTokenProvider {
             });
         }
-        if (options.otcVerification) {
-            const isValidOTCVerification = await this._validateOTCVerificationHash(options.otcVerification, token);
-            if (!isValidOTCVerification) {
-                throw new ValidationError({
-                    message: tpl(messages.INVALID_OTC_VERIFICATION_HASH),
-                    code: 'INVALID_OTC_VERIFICATION_HASH'
-                });
-            }
-        }
-        const model = await this.model.findOne({token}, {transacting: options.transacting, forUpdate: true});
-        if (!model) {
-            throw new ValidationError({
-                message: tpl(messages.INVALID_TOKEN),
-                code: 'INVALID_TOKEN'
-            });
-        }
-        if (model.get('used_count') >= this.maxUsageCount) {
-            throw new ValidationError({
-                message: tpl(messages.TOKEN_EXPIRED),
-                code: 'TOKEN_EXPIRED'
-            });
-        }
-        const createdAtEpoch = model.get('created_at').getTime();
-        const firstUsedAtEpoch = model.get('first_used_at')?.getTime() ?? createdAtEpoch;
-        // Is this token already used?
-        if (model.get('used_count') > 0) {
-            const timeSinceFirstUsage = Date.now() - firstUsedAtEpoch;
-            if (timeSinceFirstUsage > this.validityPeriodAfterUsage) {
-                throw new ValidationError({
-                    message: tpl(messages.TOKEN_EXPIRED),
-                    code: 'TOKEN_EXPIRED'
-                });
-            }
-        }
-        const tokenLifetimeMilliseconds = Date.now() - createdAtEpoch;
-        if (tokenLifetimeMilliseconds > this.validityPeriod) {
-            throw new ValidationError({
-                message: tpl(messages.TOKEN_EXPIRED),
-                code: 'TOKEN_EXPIRED'
-            });
-        }
+        const model = await this._findAndLockTokenModel(token, options.transacting);
-        if (!model.get('first_used_at')) {
-            await model.save({
-                first_used_at: new Date(),
-                updated_at: new Date(),
-                used_count: model.get('used_count') + 1
-            }, {autoRefresh: false, patch: true, transacting: options.transacting});
+        if (options.otcVerification) {
+            await this._validateOTCVerificationHash(options.otcVerification, model.get('token'));
+            await this._validateOTCUsageLimit(model, options.transacting);
         } else {
-            await model.save({
-                used_count: model.get('used_count') + 1,
-                updated_at: new Date()
-            }, {autoRefresh: false, patch: true, transacting: options.transacting});
+            await this._validateUsageLimit(model, options.transacting);
         }
         try {
@@ -137,6 +85,40 @@ class SingleUseTokenProvider {
         }
     }
+    /**
+     * @private
+     * @method _validateOTCUsageLimit
+     * Validates a token model is within it's usage limits after additional OTC verification..
+     * OTC bypasses the non-OTC usage count and time-since-first-usage validation but is true single-use.
+     *
+     * @param {Object} model - Token model instance
+     * @param {Object} transaction - Database transaction object
+     *
+     * @returns {Promise<void>}
+     */
+    async _validateOTCUsageLimit(model, transaction) {
+        this._validateOTCUsageCount(model);
+        this._validateTotalTokenLifetime(model);
+        await this._incrementOTCUsageCount(model, transaction);
+    }
+    /**
+     * @private
+     * @method _validateUsageLimit
+     * Validates a token model is within it's usage limits
+     *
+     * @param {Object} model - Token model instance
+     * @param {Object} transaction - Database transaction object
+     *
+     * @returns {Promise<void>}
+     */
+    async _validateUsageLimit(model, transaction) {
+        this._validateUsageCount(model);
+        this._validateTimeSinceFirstUsage(model);
+        this._validateTotalTokenLifetime(model);
+        await this._incrementUsageCount(model, transaction);
+    }
     /**
      * @private
      * @method deriveCounter
@@ -268,17 +250,59 @@ class SingleUseTokenProvider {
         return hmac.digest('hex');
     }
+    /**
+     * @private
+     * @method _findAndLockTokenModel
+     * Finds token in database and locks it for update
+     *
+     * @param {string} token
+     * @param {Object} transacting
+     * @returns {Promise<Object>}
+     */
+    async _findAndLockTokenModel(token, transacting) {
+        const model = await this.model.findOne({token}, {transacting, forUpdate: true});
+        if (!model) {
+            throw new ValidationError({
+                message: tpl(messages.INVALID_TOKEN),
+                code: 'INVALID_TOKEN'
+            });
+        }
+        return model;
+    }
     /**
      * @private
      * @method _validateOTCVerificationHash
-     * Validates OTC verification hash by recreating and comparing the hash.
-     * Private because it's only used internally by the public validate method.
+     * Validates OTC verification hash, throwing on invalid hash.
      *
      * @param {string} otcVerificationHash - The hash to validate (timestamp:hash format)
      * @param {string} token - The token value
-     * @returns {Promise<boolean>} - True if hash is valid, false otherwise
+     * @returns {Promise<void>}
      */
     async _validateOTCVerificationHash(otcVerificationHash, token) {
+        const isValid = await this._isValidOTCVerificationHash(otcVerificationHash, token);
+        if (!isValid) {
+            throw new ValidationError({
+                message: tpl(messages.INVALID_OTC_VERIFICATION_HASH),
+                code: 'INVALID_OTC_VERIFICATION_HASH'
+            });
+        }
+    }
+    /**
+     * @private
+     * @method _isValidOTCVerificationHash
+     * Validates OTC verification hash by recreating and comparing the hash.
+     * Returns true if the hash is valid, false otherwise.
+     *
+     * @param {string} otcVerificationHash - The hash to validate (timestamp:hash format)
+     * @param {string} token - The token value
+     * @returns {Promise<boolean>}
+     */
+    async _isValidOTCVerificationHash(otcVerificationHash, token) {
         try {
             if (!this.secret || !otcVerificationHash || !token) {
                 return false;
@@ -319,6 +343,138 @@ class SingleUseTokenProvider {
             return false;
         }
     }
+    /**
+     * @private
+     * @method _validateUsageCount
+     * Validates that token has not exceeded usage limits, throws on over-used token
+     *
+     * @param {Object} model - The token model
+     * @returns {void}
+     */
+    _validateUsageCount(model) {
+        // Magic links are invalid if OTC has been used
+        const otcUsedCount = model.get('otc_used_count') || 0;
+        if (otcUsedCount > 0) {
+            throw new ValidationError({
+                message: tpl(messages.TOKEN_EXPIRED),
+                code: 'TOKEN_EXPIRED'
+            });
+        }
+        if (model.get('used_count') >= this.maxUsageCount) {
+            throw new ValidationError({
+                message: tpl(messages.TOKEN_EXPIRED),
+                code: 'TOKEN_EXPIRED'
+            });
+        }
+    }
+    /**
+     * @private
+     * @method _validateOTCUsageCount
+     * Validates that OTC has not exceeded usage limits, throws on over-used token
+     *
+     * @param {Object} model - The token model
+     * @returns {void}
+     */
+    _validateOTCUsageCount(model) {
+        const otcUsedCount = model.get('otc_used_count') || 0;
+        if (otcUsedCount >= 1) {
+            throw new ValidationError({
+                message: tpl(messages.OTC_EXPIRED),
+                code: 'OTC_EXPIRED'
+            });
+        }
+    }
+    /**
+     * @private
+     * @method _validateTimeSinceFirstUsage
+     * Validates token has not exceeded its time since first usage, throws on expired token
+     *
+     * @param {Object} model - The token model
+     * @returns {void}
+     */
+    _validateTimeSinceFirstUsage(model) {
+        const createdAtEpoch = model.get('created_at').getTime();
+        const firstUsedAtEpoch = model.get('first_used_at')?.getTime() ?? createdAtEpoch;
+        const timeSinceFirstUsage = Date.now() - firstUsedAtEpoch;
+        if (timeSinceFirstUsage > this.validityPeriodAfterUsage) {
+            throw new ValidationError({
+                message: tpl(messages.TOKEN_EXPIRED),
+                code: 'TOKEN_EXPIRED'
+            });
+        }
+    }
+    /**
+     * @private
+     * @method _validateTotalTokenLifetime
+     * Validates token has not exceeded its total lifetime, throws on expired token
+     *
+     * @param {Object} model - The token model
+     * @returns {void}
+     */
+    _validateTotalTokenLifetime(model) {
+        const createdAtEpoch = model.get('created_at').getTime();
+        const tokenLifetimeMilliseconds = Date.now() - createdAtEpoch;
+        if (tokenLifetimeMilliseconds > this.validityPeriod) {
+            throw new ValidationError({
+                message: tpl(messages.TOKEN_EXPIRED),
+                code: 'TOKEN_EXPIRED'
+            });
+        }
+    }
+    /**
+     * @private
+     * @method _incrementUsageCount
+     * Increments the usage count for a token
+     *
+     * @param {Object} model - The token model
+     * @param {Object} transacting - Database transaction object
+     * @returns {Promise<void>}
+     */
+    async _incrementUsageCount(model, transacting) {
+        const updateData = {used_count: model.get('used_count') + 1};
+        await this._saveUsageData(updateData, model, transacting);
+    }
+    /**
+     * @private
+     * @method _incrementOTCUsageCount
+     * Increments the OTC usage count for a token
+     *
+     * @param {Object} model - The token model
+     * @param transacting - Database transaction object
+     * @returns {Promise<void>}
+     */
+    async _incrementOTCUsageCount(model, transacting) {
+        const updateData = {otc_used_count: model.get('otc_used_count') + 1};
+        await this._saveUsageData(updateData, model, transacting);
+    }
+    /**
+     * @private
+     * @method _saveUsageData
+     * Saves the usage data for a token
+     *
+     * @param {Object} updateData - The data to save
+     * @param {Object} model - The token model
+     * @param {Object} transacting - Database transaction object
+     * @returns {Promise<void>}
+     */
+    async _saveUsageData(updateData, model, transacting) {
+        updateData.updated_at = new Date();
+        if (!model.get('first_used_at')) {
+            updateData.first_used_at = new Date();
+        }
+        await model.save(updateData, {autoRefresh: false, patch: true, transacting});
+    }
 }
 module.exports = SingleUseTokenProvider;

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "ghost",
-  "version": "6.3.1",
+  "version": "6.4.0",
   "description": "The professional publishing platform",
   "author": "Ghost Foundation",
   "homepage": "https://ghost.org",
@@ -86,7 +86,7 @@
     "@tryghost/helpers": "1.1.97",
     "@tryghost/html-to-plaintext": "1.0.4",
     "@tryghost/http-cache-utils": "0.1.20",
-    "@tryghost/i18n": "file:components/tryghost-i18n-6.3.1.tgz",
+    "@tryghost/i18n": "file:components/tryghost-i18n-6.4.0.tgz",
     "@tryghost/image-transform": "1.4.6",
     "@tryghost/job-manager": "1.0.3",
     "@tryghost/kg-card-factory": "5.1.2",
@@ -144,7 +144,7 @@
     "csso": "5.0.5",
     "csv-writer": "1.6.0",
     "date-fns": "2.30.0",
-    "dompurify": "3.2.7",
+    "dompurify": "3.3.0",
     "downsize": "0.0.8",
     "entities": "4.5.0",
     "express": "4.21.2",
@@ -166,7 +166,7 @@
     "heic-convert": "2.1.0",
     "html-to-text": "5.1.1",
     "html5parser": "2.0.2",
-    "human-number": "2.0.6",
+    "human-number": "2.0.7",
     "iconv-lite": "0.6.3",
     "image-size": "1.2.1",
     "intl": "1.2.5",
@@ -232,7 +232,7 @@
     "@types/bookshelf": "1.2.9",
     "@types/common-tags": "1.8.4",
     "@types/jsonwebtoken": "9.0.10",
-    "@types/node": "22.18.9",
+    "@types/node": "22.18.10",
     "@types/node-jose": "1.1.13",
     "@types/nodemailer": "6.4.20",
     "@types/sinon": "17.0.4",
@@ -273,7 +273,7 @@
     "jackspeak": "2.3.6",
     "moment": "2.24.0",
     "moment-timezone": "0.5.45",
-    "@tryghost/i18n": "file:components/tryghost-i18n-6.3.1.tgz"
+    "@tryghost/i18n": "file:components/tryghost-i18n-6.4.0.tgz"
   },
   "nx": {
     "targets": {