Ghost/core/server/models/single-use-token.js

const ghostBookshelf = require('./base');
const crypto = require('crypto');
const logging = require('@tryghost/logging');

const SingleUseToken = ghostBookshelf.Model.extend({
    tableName: 'tokens',

    defaults() {
        return {
            token: crypto
                .randomBytes(192 / 8)
                .toString('base64')
                // base64url encoding means the tokens are URL safe
                .replace(/\+/g, '-')
                .replace(/\//g, '_')
        };
    }
}, {
    async findOne(data, unfilteredOptions = {}) {
        const model = await ghostBookshelf.Model.findOne.call(this, data, unfilteredOptions);

        if (model) {
            setTimeout(async () => {
                try {
                    await this.destroy(Object.assign({
                        destroyBy: {
                            id: model.id
                        }
                    }, {
                        ...unfilteredOptions,
                        transacting: null
                    }));
                } catch (err) {
                    logging.error(err);
                }
            }, 10 * 60 * 1000);
        }

        return model;
    }
});

const SingleUseTokens = ghostBookshelf.Collection.extend({
    model: SingleUseToken
});

module.exports = {
    SingleUseToken: ghostBookshelf.model('SingleUseToken', SingleUseToken),
    SingleUseTokens: ghostBookshelf.collection('SingleUseTokens', SingleUseTokens)
};
Added SingleUseToken model (#12215) no-issue This is a model for the tokens table, which handles the single use aspect by customising the `findOne` method to automatically destroy the model after reading from it 2020-09-18 17:05:56 +03:00			`const ghostBookshelf = require('./base');`
			`const crypto = require('crypto');`
Change to use @tryghost/logging no issue Logging is now controlled by a logginrc.js file in the root of the project - and now we can just import @tryghost/logging everywhere 2021-06-15 17:36:27 +03:00			`const logging = require('@tryghost/logging');`
Added SingleUseToken model (#12215) no-issue This is a model for the tokens table, which handles the single use aspect by customising the `findOne` method to automatically destroy the model after reading from it 2020-09-18 17:05:56 +03:00
			`const SingleUseToken = ghostBookshelf.Model.extend({`
			`tableName: 'tokens',`

			`defaults() {`
			`return {`
			`token: crypto`
			`.randomBytes(192 / 8)`
			`.toString('base64')`
			`// base64url encoding means the tokens are URL safe`
🐛 Fixed special chars in single use token (#12290) no refs - The token generation logic for single use token was replacing only the first instance of + or / to make the token URL safe, instead of replacing all instances which caused a bug where token was not validated properly in case it included multiple + or / in it. - The fix ensures replacing all the + or / in the token with URL safe _ or - so it can be properly validated via magic link 2020-10-20 09:19:20 +03:00			`.replace(/\+/g, '-')`
			`.replace(/\//g, '_')`
Added SingleUseToken model (#12215) no-issue This is a model for the tokens table, which handles the single use aspect by customising the `findOne` method to automatically destroy the model after reading from it 2020-09-18 17:05:56 +03:00			`};`
			`}`
			`}, {`
			`async findOne(data, unfilteredOptions = {}) {`
			`const model = await ghostBookshelf.Model.findOne.call(this, data, unfilteredOptions);`

			`if (model) {`
🐛 Added multiple use grace period to tokens (#12519) closes https://github.com/TryGhost/Ghost/issues/12347 This change allows a token to be used multiple times for the first 10 seconds after its initial use, this will stop dynamic link checking software from invaliding magic links. 2021-01-18 20:03:41 +03:00			`setTimeout(async () => {`
			`try {`
			`await this.destroy(Object.assign({`
			`destroyBy: {`
			`id: model.id`
			`}`
			`}, {`
			`...unfilteredOptions,`
			`transacting: null`
			`}));`
			`} catch (err) {`
			`logging.error(err);`
Added SingleUseToken model (#12215) no-issue This is a model for the tokens table, which handles the single use aspect by customising the `findOne` method to automatically destroy the model after reading from it 2020-09-18 17:05:56 +03:00			`}`
Updated SingleUseToken grace period to 10 minutes (#13926) refs https://github.com/TryGhost/Team/issues/1216 Some email security clients are scanning links at delivery, rather than at the point the user clicks on them. This is causing magic links to expire. To get around this we're increasing the grace period in which a link can be used multiple times to 10 minutes. 2022-01-03 18:55:53 +03:00			`}, 10 * 60 * 1000);`
Added SingleUseToken model (#12215) no-issue This is a model for the tokens table, which handles the single use aspect by customising the `findOne` method to automatically destroy the model after reading from it 2020-09-18 17:05:56 +03:00			`}`

			`return model;`
			`}`
			`});`

			`const SingleUseTokens = ghostBookshelf.Collection.extend({`
			`model: SingleUseToken`
			`});`

			`module.exports = {`
			`SingleUseToken: ghostBookshelf.model('SingleUseToken', SingleUseToken),`
			`SingleUseTokens: ghostBookshelf.collection('SingleUseTokens', SingleUseTokens)`
			`};`