Ghost/core/server/api/v3/settings.js

const Promise = require('bluebird');
const _ = require('lodash');
const models = require('../../models');
const routeSettings = require('../../services/route-settings');
const frontendSettings = require('../../../frontend/services/settings');
const i18n = require('../../../shared/i18n');
const {BadRequestError, NoPermissionError} = require('@tryghost/errors');
const settingsService = require('../../services/settings');
const settingsCache = require('../../../shared/settings-cache');
const membersService = require('../../services/members');

const settingsBREADService = settingsService.getSettingsBREADServiceInstance();

module.exports = {
    docName: 'settings',

    browse: {
        options: ['type', 'group'],
        permissions: true,
        query(frame) {
            let settings = settingsCache.getAll();

            // CASE: no context passed (functional call)
            if (!frame.options.context) {
                return Promise.resolve(settings.filter((setting) => {
                    return setting.group === 'site';
                }));
            }

            if (!frame.options.context.internal) {
                // CASE: omit core settings unless internal request
                settings = _.filter(settings, (setting) => {
                    const isCore = setting.group === 'core';
                    return !isCore;
                });
                // CASE: omit secret settings unless internal request
                settings = settings.map(settingsService.hideValueIfSecret);
            }

            return settings;
        }
    },

    read: {
        options: ['key'],
        validation: {
            options: {
                key: {
                    required: true
                }
            }
        },
        permissions: {
            identifier(frame) {
                return frame.options.key;
            }
        },
        query(frame) {
            return settingsBREADService.read(frame.options.key, frame.options.context);
        }
    },

    validateMembersEmailUpdate: {
        options: [
            'token',
            'action'
        ],
        permissions: false,
        validation: {
            options: {
                token: {
                    required: true
                },
                action: {
                    values: ['fromaddressupdate', 'supportaddressupdate']
                }
            }
        },
        async query(frame) {
            // This is something you have to do if you want to use the "framework" with access to the raw req/res
            frame.response = async function (req, res) {
                try {
                    const {token, action} = frame.options;
                    const updatedEmailAddress = await membersService.settings.getEmailFromToken({token});
                    const actionToKeyMapping = {
                        fromAddressUpdate: 'members_from_address',
                        supportAddressUpdate: 'members_support_address'
                    };
                    if (updatedEmailAddress) {
                        return models.Settings.edit({
                            key: actionToKeyMapping[action],
                            value: updatedEmailAddress
                        }).then(() => {
                            // Redirect to Ghost-Admin settings page
                            const adminLink = membersService.settings.getAdminRedirectLink({type: action});
                            res.redirect(adminLink);
                        });
                    } else {
                        return Promise.reject(new BadRequestError({
                            message: 'Invalid token!'
                        }));
                    }
                } catch (err) {
                    return Promise.reject(new BadRequestError({
                        err,
                        message: 'Invalid token!'
                    }));
                }
            };
        }
    },

    updateMembersEmail: {
        permissions: {
            method: 'edit'
        },
        data: [
            'email',
            'type'
        ],
        async query(frame) {
            const {email, type} = frame.data;

            try {
                // Send magic link to update fromAddress
                await membersService.settings.sendEmailAddressUpdateMagicLink({
                    email,
                    type
                });
            } catch (err) {
                throw new BadRequestError({
                    err,
                    message: i18n.t('errors.mail.failedSendingEmail.error')
                });
            }
        }
    },

    disconnectStripeConnectIntegration: {
        permissions: {
            method: 'edit'
        },
        async query(frame) {
            const hasActiveStripeSubscriptions = await membersService.api.hasActiveStripeSubscriptions();
            if (hasActiveStripeSubscriptions) {
                throw new BadRequestError({
                    message: 'Cannot disconnect Stripe whilst you have active subscriptions.'
                });
            }

            return models.Settings.edit([{
                key: 'stripe_connect_publishable_key',
                value: null
            }, {
                key: 'stripe_connect_secret_key',
                value: null
            }, {
                key: 'stripe_connect_livemode',
                value: null
            }, {
                key: 'stripe_connect_display_name',
                value: null
            }, {
                key: 'stripe_connect_account_id',
                value: null
            }], frame.options);
        }
    },

    edit: {
        headers: {
            cacheInvalidate: true
        },
        permissions: {
            unsafeAttrsObject(frame) {
                return _.find(frame.data.settings, {key: 'labs'});
            },
            async before(frame) {
                if (frame.options.context && frame.options.context.internal) {
                    return;
                }

                const firstCoreSetting = frame.data.settings.find(setting => setting.group === 'core');
                if (firstCoreSetting) {
                    throw new NoPermissionError({
                        message: i18n.t('errors.api.settings.accessCoreSettingFromExtReq')
                    });
                }
            }
        },
        async query(frame) {
            let stripeConnectData;
            const stripeConnectIntegrationToken = frame.data.settings.find(setting => setting.key === 'stripe_connect_integration_token');

            if (stripeConnectIntegrationToken && stripeConnectIntegrationToken.value) {
                const getSessionProp = prop => frame.original.session[prop];

                stripeConnectData = await settingsBREADService.getStripeConnectData(
                    stripeConnectIntegrationToken,
                    getSessionProp,
                    membersService.stripeConnect.getStripeConnectTokenData
                );
            }

            return await settingsBREADService.edit(frame.data.settings, frame.options, stripeConnectData);
        }
    },

    upload: {
        headers: {
            cacheInvalidate: true
        },
        permissions: {
            method: 'edit'
        },
        async query(frame) {
            await routeSettings.setFromFilePath(frame.file.path);
            const getRoutesHash = () => frontendSettings.getCurrentHash('routes');
            await settingsService.syncRoutesHash(getRoutesHash);
        }
    },

    download: {
        headers: {
            disposition: {
                type: 'yaml',
                value: 'routes.yaml'
            }
        },
        response: {
            format: 'plain'
        },
        permissions: {
            method: 'browse'
        },
        query() {
            return routeSettings.get();
        }
    }
};
💡 Split the v3 endpoint from the canary endpoint refs https://github.com/TryGhost/Team/issues/221 2021-01-21 11:57:52 +03:00			`const Promise = require('bluebird');`
			`const _ = require('lodash');`
			`const models = require('../../models');`
Moved route settings to new server service - The main goal here is getting this settings related code out of the routing service as it really doesn't belong there - This settings file is used purely by the API to get and set files - its not really anything to do with actual routing - This file calls out to the bridge to do a reload, which helps decouple slightly - More refactoring is needed to get rid of the urlService dependency - Note this file is really similar to the redirects one, it would be good to merge them 2021-06-28 14:09:02 +03:00			`const routeSettings = require('../../services/route-settings');`
💡 Split the v3 endpoint from the canary endpoint refs https://github.com/TryGhost/Team/issues/221 2021-01-21 11:57:52 +03:00			`const frontendSettings = require('../../../frontend/services/settings');`
Moved i18n to shared refs https://github.com/TryGhost/Ghost/commit/829e8ed010adf5d0856cdc840c53a447e6b8ac2e - i18n is used everywhere but only requires shared or external packages, therefore it's a good candidate for living in shared - this reduces invalid requires across frontend and server, and lets us use it everywhere until we come up with a better option 2021-05-03 19:29:44 +03:00			`const i18n = require('../../../shared/i18n');`
Removed method complexity in settings API v3 controller refs https://github.com/TryGhost/Team/issues/694 refs https://linear.app/tryghost/issue/CORE-13 - The controller code is not meant to contain complex business logic. Removed complexity in settings.edit method - Have brought up to sync v3 controller code to the changes that were done in v4. Didn't touch v2 controller as it had slight API differences, so avoided going on another trip into the unknown - Migrating v3 controller was pretty straigh forward as it's an exact copy of the v4 one (at least for the methods that were extracted) 2021-09-21 12:55:17 +03:00			`const {BadRequestError, NoPermissionError} = require('@tryghost/errors');`
💡 Split the v3 endpoint from the canary endpoint refs https://github.com/TryGhost/Team/issues/221 2021-01-21 11:57:52 +03:00			`const settingsService = require('../../services/settings');`
Moved settings/cache to shared/settings-cache - This is part of the quest to separate the frontend and server & get rid of all the places where there are cross-requires - At the moment the settings cache is one big shared cache used by the frontend and server liberally - This change doesn't really solve the fundamental problems, as we still depend on events, and requires from inside frontend - However it allows us to control the misuse slightly better by getting rid of restricted requires and turning on that eslint ruleset 2021-06-30 16:56:57 +03:00			`const settingsCache = require('../../../shared/settings-cache');`
💡 Split the v3 endpoint from the canary endpoint refs https://github.com/TryGhost/Team/issues/221 2021-01-21 11:57:52 +03:00			`const membersService = require('../../services/members');`

Removed method complexity in settings API v3 controller refs https://github.com/TryGhost/Team/issues/694 refs https://linear.app/tryghost/issue/CORE-13 - The controller code is not meant to contain complex business logic. Removed complexity in settings.edit method - Have brought up to sync v3 controller code to the changes that were done in v4. Didn't touch v2 controller as it had slight API differences, so avoided going on another trip into the unknown - Migrating v3 controller was pretty straigh forward as it's an exact copy of the v4 one (at least for the methods that were extracted) 2021-09-21 12:55:17 +03:00			`const settingsBREADService = settingsService.getSettingsBREADServiceInstance();`

💡 Split the v3 endpoint from the canary endpoint refs https://github.com/TryGhost/Team/issues/221 2021-01-21 11:57:52 +03:00			`module.exports = {`
			`docName: 'settings',`

			`browse: {`
			`options: ['type', 'group'],`
			`permissions: true,`
			`query(frame) {`
			`let settings = settingsCache.getAll();`

			`// CASE: no context passed (functional call)`
			`if (!frame.options.context) {`
			`return Promise.resolve(settings.filter((setting) => {`
			`return setting.group === 'site';`
			`}));`
			`}`

			`if (!frame.options.context.internal) {`
🔒 Added a way to hide the secret settings once they are set issue https://github.com/TryGhost/Team/issues/621 2021-04-16 18:05:16 +03:00			`// CASE: omit core settings unless internal request`
💡 Split the v3 endpoint from the canary endpoint refs https://github.com/TryGhost/Team/issues/221 2021-01-21 11:57:52 +03:00			`settings = _.filter(settings, (setting) => {`
			`const isCore = setting.group === 'core';`
			`return !isCore;`
			`});`
🔒 Added a way to hide the secret settings once they are set issue https://github.com/TryGhost/Team/issues/621 2021-04-16 18:05:16 +03:00			`// CASE: omit secret settings unless internal request`
			`settings = settings.map(settingsService.hideValueIfSecret);`
💡 Split the v3 endpoint from the canary endpoint refs https://github.com/TryGhost/Team/issues/221 2021-01-21 11:57:52 +03:00			`}`

			`return settings;`
			`}`
			`},`

			`read: {`
			`options: ['key'],`
			`validation: {`
			`options: {`
			`key: {`
			`required: true`
			`}`
			`}`
			`},`
			`permissions: {`
			`identifier(frame) {`
			`return frame.options.key;`
			`}`
			`},`
			`query(frame) {`
Removed method complexity in settings API v3 controller refs https://github.com/TryGhost/Team/issues/694 refs https://linear.app/tryghost/issue/CORE-13 - The controller code is not meant to contain complex business logic. Removed complexity in settings.edit method - Have brought up to sync v3 controller code to the changes that were done in v4. Didn't touch v2 controller as it had slight API differences, so avoided going on another trip into the unknown - Migrating v3 controller was pretty straigh forward as it's an exact copy of the v4 one (at least for the methods that were extracted) 2021-09-21 12:55:17 +03:00			`return settingsBREADService.read(frame.options.key, frame.options.context);`
💡 Split the v3 endpoint from the canary endpoint refs https://github.com/TryGhost/Team/issues/221 2021-01-21 11:57:52 +03:00			`}`
			`},`

			`validateMembersEmailUpdate: {`
			`options: [`
			`'token',`
			`'action'`
			`],`
			`permissions: false,`
			`validation: {`
			`options: {`
			`token: {`
			`required: true`
			`},`
			`action: {`
			`values: ['fromaddressupdate', 'supportaddressupdate']`
			`}`
			`}`
			`},`
			`async query(frame) {`
			`// This is something you have to do if you want to use the "framework" with access to the raw req/res`
			`frame.response = async function (req, res) {`
			`try {`
			`const {token, action} = frame.options;`
			`const updatedEmailAddress = await membersService.settings.getEmailFromToken({token});`
			`const actionToKeyMapping = {`
			`fromAddressUpdate: 'members_from_address',`
			`supportAddressUpdate: 'members_support_address'`
			`};`
			`if (updatedEmailAddress) {`
			`return models.Settings.edit({`
			`key: actionToKeyMapping[action],`
			`value: updatedEmailAddress`
			`}).then(() => {`
			`// Redirect to Ghost-Admin settings page`
			`const adminLink = membersService.settings.getAdminRedirectLink({type: action});`
			`res.redirect(adminLink);`
			`});`
			`} else {`
			`return Promise.reject(new BadRequestError({`
			`message: 'Invalid token!'`
			`}));`
			`}`
			`} catch (err) {`
			`return Promise.reject(new BadRequestError({`
			`err,`
			`message: 'Invalid token!'`
			`}));`
			`}`
			`};`
			`}`
			`},`

			`updateMembersEmail: {`
			`permissions: {`
			`method: 'edit'`
			`},`
			`data: [`
			`'email',`
			`'type'`
			`],`
			`async query(frame) {`
			`const {email, type} = frame.data;`

			`try {`
			`// Send magic link to update fromAddress`
			`await membersService.settings.sendEmailAddressUpdateMagicLink({`
			`email,`
			`type`
			`});`
			`} catch (err) {`
			`throw new BadRequestError({`
			`err,`
			`message: i18n.t('errors.mail.failedSendingEmail.error')`
			`});`
			`}`
			`}`
			`},`

			`disconnectStripeConnectIntegration: {`
			`permissions: {`
			`method: 'edit'`
			`},`
			`async query(frame) {`
			`const hasActiveStripeSubscriptions = await membersService.api.hasActiveStripeSubscriptions();`
			`if (hasActiveStripeSubscriptions) {`
			`throw new BadRequestError({`
			`message: 'Cannot disconnect Stripe whilst you have active subscriptions.'`
			`});`
			`}`

			`return models.Settings.edit([{`
			`key: 'stripe_connect_publishable_key',`
			`value: null`
			`}, {`
			`key: 'stripe_connect_secret_key',`
			`value: null`
			`}, {`
			`key: 'stripe_connect_livemode',`
			`value: null`
			`}, {`
			`key: 'stripe_connect_display_name',`
			`value: null`
			`}, {`
			`key: 'stripe_connect_account_id',`
			`value: null`
			`}], frame.options);`
			`}`
			`},`

			`edit: {`
			`headers: {`
			`cacheInvalidate: true`
			`},`
			`permissions: {`
			`unsafeAttrsObject(frame) {`
			`return _.find(frame.data.settings, {key: 'labs'});`
			`},`
			`async before(frame) {`
			`if (frame.options.context && frame.options.context.internal) {`
			`return;`
			`}`

			`const firstCoreSetting = frame.data.settings.find(setting => setting.group === 'core');`
			`if (firstCoreSetting) {`
			`throw new NoPermissionError({`
			`message: i18n.t('errors.api.settings.accessCoreSettingFromExtReq')`
			`});`
			`}`
			`}`
			`},`
			`async query(frame) {`
Removed method complexity in settings API v3 controller refs https://github.com/TryGhost/Team/issues/694 refs https://linear.app/tryghost/issue/CORE-13 - The controller code is not meant to contain complex business logic. Removed complexity in settings.edit method - Have brought up to sync v3 controller code to the changes that were done in v4. Didn't touch v2 controller as it had slight API differences, so avoided going on another trip into the unknown - Migrating v3 controller was pretty straigh forward as it's an exact copy of the v4 one (at least for the methods that were extracted) 2021-09-21 12:55:17 +03:00			`let stripeConnectData;`
💡 Split the v3 endpoint from the canary endpoint refs https://github.com/TryGhost/Team/issues/221 2021-01-21 11:57:52 +03:00			`const stripeConnectIntegrationToken = frame.data.settings.find(setting => setting.key === 'stripe_connect_integration_token');`

			`if (stripeConnectIntegrationToken && stripeConnectIntegrationToken.value) {`
			`const getSessionProp = prop => frame.original.session[prop];`
Removed method complexity in settings API v3 controller refs https://github.com/TryGhost/Team/issues/694 refs https://linear.app/tryghost/issue/CORE-13 - The controller code is not meant to contain complex business logic. Removed complexity in settings.edit method - Have brought up to sync v3 controller code to the changes that were done in v4. Didn't touch v2 controller as it had slight API differences, so avoided going on another trip into the unknown - Migrating v3 controller was pretty straigh forward as it's an exact copy of the v4 one (at least for the methods that were extracted) 2021-09-21 12:55:17 +03:00
			`stripeConnectData = await settingsBREADService.getStripeConnectData(`
			`stripeConnectIntegrationToken,`
			`getSessionProp,`
			`membersService.stripeConnect.getStripeConnectTokenData`
			`);`
💡 Split the v3 endpoint from the canary endpoint refs https://github.com/TryGhost/Team/issues/221 2021-01-21 11:57:52 +03:00			`}`

Removed method complexity in settings API v3 controller refs https://github.com/TryGhost/Team/issues/694 refs https://linear.app/tryghost/issue/CORE-13 - The controller code is not meant to contain complex business logic. Removed complexity in settings.edit method - Have brought up to sync v3 controller code to the changes that were done in v4. Didn't touch v2 controller as it had slight API differences, so avoided going on another trip into the unknown - Migrating v3 controller was pretty straigh forward as it's an exact copy of the v4 one (at least for the methods that were extracted) 2021-09-21 12:55:17 +03:00			`return await settingsBREADService.edit(frame.data.settings, frame.options, stripeConnectData);`
💡 Split the v3 endpoint from the canary endpoint refs https://github.com/TryGhost/Team/issues/221 2021-01-21 11:57:52 +03:00			`}`
			`},`

			`upload: {`
			`headers: {`
			`cacheInvalidate: true`
			`},`
			`permissions: {`
			`method: 'edit'`
			`},`
			`async query(frame) {`
Fixed route settings ref in api v3 refs: https://github.com/TryGhost/Ghost/commit/8612f3aaeb1543cc240eed89f203a28b8c52cc94 - this change was missing a git commit --amend 🙈 - note to self: our acceptance tests all use the v3 API... 2021-06-30 13:49:30 +03:00			`await routeSettings.setFromFilePath(frame.file.path);`
💡 Split the v3 endpoint from the canary endpoint refs https://github.com/TryGhost/Team/issues/221 2021-01-21 11:57:52 +03:00			`const getRoutesHash = () => frontendSettings.getCurrentHash('routes');`
			`await settingsService.syncRoutesHash(getRoutesHash);`
			`}`
			`},`

			`download: {`
			`headers: {`
			`disposition: {`
			`type: 'yaml',`
			`value: 'routes.yaml'`
			`}`
			`},`
			`response: {`
			`format: 'plain'`
			`},`
			`permissions: {`
			`method: 'browse'`
			`},`
			`query() {`
Fixed route settings ref in api v3 refs: https://github.com/TryGhost/Ghost/commit/8612f3aaeb1543cc240eed89f203a28b8c52cc94 - this change was missing a git commit --amend 🙈 - note to self: our acceptance tests all use the v3 API... 2021-06-30 13:49:30 +03:00			`return routeSettings.get();`
💡 Split the v3 endpoint from the canary endpoint refs https://github.com/TryGhost/Team/issues/221 2021-01-21 11:57:52 +03:00			`}`
			`}`
			`};`