Ghost/core/server/web/members/app.js

const debug = require('@tryghost/debug')('members');
const {URL} = require('url');
const cors = require('cors');
const bodyParser = require('body-parser');
const express = require('../../../shared/express');
const urlUtils = require('../../../shared/url-utils');
const membersService = require('../../services/members');
const middleware = membersService.middleware;
const shared = require('../shared');
const labs = require('../../../shared/labs');

module.exports = function setupMembersApp() {
    debug('Members App setup start');
    const membersApp = express('members');

    // Members API shouldn't be cached
    membersApp.use(shared.middleware.cacheControl('private'));

    // Support CORS for requests from the frontend
    const siteUrl = new URL(urlUtils.getSiteUrl());
    membersApp.use(cors(siteUrl.origin));

    // Currently global handling for signing in with ?token= magiclinks
    membersApp.use(middleware.createSessionFromMagicLink);

    // Routing

    // Webhooks
    membersApp.post('/webhooks/stripe', middleware.stripeWebhooks);

    // Initializes members specific routes as well as assigns members specific data to the req/res objects
    // We don't want to add global bodyParser middleware as that interfers with stripe webhook requests on - `/webhooks`.
    membersApp.get('/api/member', middleware.getMemberData);
    membersApp.put('/api/member', bodyParser.json({limit: '1mb'}), middleware.updateMemberData);
    membersApp.post('/api/member/email', bodyParser.json({limit: '1mb'}), (req, res) => membersService.api.middleware.updateEmailAddress(req, res));
    membersApp.get('/api/session', middleware.getIdentityToken);
    membersApp.get('/api/offers/:id', middleware.getOfferData);
    membersApp.delete('/api/session', middleware.deleteSession);
    membersApp.get('/api/site', middleware.getMemberSiteData);

    // NOTE: this is wrapped in a function to ensure we always go via the getter
    membersApp.post('/api/send-magic-link', bodyParser.json(), shared.middleware.brute.membersAuth, (req, res, next) => membersService.api.middleware.sendMagicLink(req, res, next));
    membersApp.post('/api/create-stripe-checkout-session', (req, res, next) => membersService.api.middleware.createCheckoutSession(req, res, next));
    membersApp.post('/api/create-stripe-update-session', (req, res, next) => membersService.api.middleware.createCheckoutSetupSession(req, res, next));
    membersApp.put('/api/subscriptions/:id', (req, res, next) => membersService.api.middleware.updateSubscription(req, res, next));
    membersApp.post('/api/events', labs.enabledMiddleware('membersActivity'), middleware.loadMemberSession, (req, res, next) => membersService.api.middleware.createEvents(req, res, next));

    // API error handling
    membersApp.use('/api', shared.middleware.errorHandler.resourceNotFound);
    membersApp.use('/api', shared.middleware.errorHandler.handleJSONResponseV2);

    // Webhook error handling
    membersApp.use('/webhooks', shared.middleware.errorHandler.resourceNotFound);
    membersApp.use('/webhooks', shared.middleware.errorHandler.handleJSONResponseV2);

    debug('Members App setup end');

    return membersApp;
};
Simplified + unified debug naming conventions - Reduced the number of levels in our debug naming in the frontend - Unified components like "themes" and "routing" under one name - Should help to make debug slightly more useful again 2021-07-06 13:02:37 +03:00			`const debug = require('@tryghost/debug')('members');`
Moved members API out of backend 2020-04-30 19:29:51 +03:00			`const {URL} = require('url');`
			`const cors = require('cors');`
Added member update endpoint with session auth (#11824) - Allows member logged in with valid session to update their profile info - name, email, subscribed(newsletter subscription status) - Adds new util method for formatted member response on the endpoints - Adds common middlewares for body/bool parser and maintenance - Adds `subscribed` status to member response 2020-05-20 12:07:58 +03:00			`const bodyParser = require('body-parser');`
Moved members routing+mw into its own app - create a new app for the /members/ endpoint - moved all /members/ routes and middleware onto this app - helps to separate members and frontend/site logic so we can start to decouple things more 2020-04-30 09:52:22 +03:00			`const express = require('../../../shared/express');`
Moved core/server/lib/url-utils to core/shared/url-utils (#11856) * moved url-utils from server to shared * updated imports of url-utils 2020-05-28 13:57:02 +03:00			`const urlUtils = require('../../../shared/url-utils');`
Moved members API out of backend 2020-04-30 19:29:51 +03:00			`const membersService = require('../../services/members');`
			`const middleware = membersService.middleware;`
Moved members routing+mw into its own app - create a new app for the /members/ endpoint - moved all /members/ routes and middleware onto this app - helps to separate members and frontend/site logic so we can start to decouple things more 2020-04-30 09:52:22 +03:00			`const shared = require('../shared');`
Added new ingress endpoint for client-side events res https://github.com/TryGhost/Team/issues/1064 - adds new events endpoint on members app to capture client side events for member analytics behind the `membersActivity` flag 2021-09-21 10:25:42 +03:00			`const labs = require('../../../shared/labs');`
Moved members routing+mw into its own app - create a new app for the /members/ endpoint - moved all /members/ routes and middleware onto this app - helps to separate members and frontend/site logic so we can start to decouple things more 2020-04-30 09:52:22 +03:00
			`module.exports = function setupMembersApp() {`
Moved members API out of backend 2020-04-30 19:29:51 +03:00			`debug('Members App setup start');`
Added Router etc to shared/express + use everywhere - Added a wrapper around express.Router to our shared/express util - Also export static and _express - Use this shared util everywhre, meaning express is only used directly in this one file - ATM this file is mostly an experiment / debug helper, it might be removed again later - The aim is to have a minimal framework wrapping express that allows us to: - reduce our usage of express() in favour of Router() - unify some of our duplicated logic - fix some structural issues e.g. Sentry - make it easier to understand the codebase 2020-05-01 21:29:42 +03:00			`const membersApp = express('members');`
Moved members routing+mw into its own app - create a new app for the /members/ endpoint - moved all /members/ routes and middleware onto this app - helps to separate members and frontend/site logic so we can start to decouple things more 2020-04-30 09:52:22 +03:00
Added cache control headers to members api closes https://github.com/TryGhost/Team/issues/846 - members api was missing cacheControl middleware to declare its cache control headers 2021-07-06 17:47:59 +03:00			`// Members API shouldn't be cached`
Renamed middlewares to middleware consistently - This is a minor bugbare, but it will affect some configuration I'm about to do for c8 - I've been wanting to do it for ages, middleware is plural all on it's own so it's an odd affectation in our codebase - This also only exists in 2 places, everywhere else we use "middleware" - Sadly it did result in a lot of churn as I did a full find and replace, but consistency is king! 2021-11-16 18:42:02 +03:00			`membersApp.use(shared.middleware.cacheControl('private'));`
Added cache control headers to members api closes https://github.com/TryGhost/Team/issues/846 - members api was missing cacheControl middleware to declare its cache control headers 2021-07-06 17:47:59 +03:00
Moved members API out of backend 2020-04-30 19:29:51 +03:00			`// Support CORS for requests from the frontend`
			`const siteUrl = new URL(urlUtils.getSiteUrl());`
			`membersApp.use(cors(siteUrl.origin));`

Moved members routing+mw into its own app - create a new app for the /members/ endpoint - moved all /members/ routes and middleware onto this app - helps to separate members and frontend/site logic so we can start to decouple things more 2020-04-30 09:52:22 +03:00			`// Currently global handling for signing in with ?token= magiclinks`
			`membersApp.use(middleware.createSessionFromMagicLink);`

			`// Routing`
Renamed members ssr + api endpoints 2020-04-30 21:00:37 +03:00
			`// Webhooks`
Removed dupe use of labs.members & leftover file - Meant to cleanup the old api/canary/members earlier, removed now as it's unused - Also removed all the duplicate references to labs.members in various places 2020-04-30 21:33:09 +03:00			`membersApp.post('/webhooks/stripe', middleware.stripeWebhooks);`
Moved members routing+mw into its own app - create a new app for the /members/ endpoint - moved all /members/ routes and middleware onto this app - helps to separate members and frontend/site logic so we can start to decouple things more 2020-04-30 09:52:22 +03:00
Renamed members ssr + api endpoints 2020-04-30 21:00:37 +03:00			`// Initializes members specific routes as well as assigns members specific data to the req/res objects`
Removed global bodyParser middleware for members app no issue - Removes global bodyParser middleware for membersApp and adds it to specific endpoints - Removes global boolParser middleware for membersApp We added bodayParser middleware to memebrsApp in [this](https://github.com/TryGhost/Ghost/commit/fe3eab18364f13114b6cd02af82f8b2c4d9ba14b) commit to read json requests for members update endpoint, but that had issues with stripe webhook parsing for `/webhooks` endpoint as stripe expects raw data to be passed down. 2020-05-22 11:55:13 +03:00			// We don't want to add global bodyParser middleware as that interfers with stripe webhook requests on - `/webhooks`.
Removed dupe use of labs.members & leftover file - Meant to cleanup the old api/canary/members earlier, removed now as it's unused - Also removed all the duplicate references to labs.members in various places 2020-04-30 21:33:09 +03:00			`membersApp.get('/api/member', middleware.getMemberData);`
Removed global bodyParser middleware for members app no issue - Removes global bodyParser middleware for membersApp and adds it to specific endpoints - Removes global boolParser middleware for membersApp We added bodayParser middleware to memebrsApp in [this](https://github.com/TryGhost/Ghost/commit/fe3eab18364f13114b6cd02af82f8b2c4d9ba14b) commit to read json requests for members update endpoint, but that had issues with stripe webhook parsing for `/webhooks` endpoint as stripe expects raw data to be passed down. 2020-05-22 11:55:13 +03:00			`membersApp.put('/api/member', bodyParser.json({limit: '1mb'}), middleware.updateMemberData);`
🔒 Fixed member email change vulnerability refs https://github.com/TryGhost/Ghost/security/advisories/GHSA-65p7-pjj8-ggmr This updates the signup/signin flow for members to no longer support the email address change flow - which had missing authentication. It has been replaced with a dedicated email change flow, and Portal has been updated to use it. 2021-09-22 15:11:31 +03:00			`membersApp.post('/api/member/email', bodyParser.json({limit: '1mb'}), (req, res) => membersService.api.middleware.updateEmailAddress(req, res));`
Removed dupe use of labs.members & leftover file - Meant to cleanup the old api/canary/members earlier, removed now as it's unused - Also removed all the duplicate references to labs.members in various places 2020-04-30 21:33:09 +03:00			`membersApp.get('/api/session', middleware.getIdentityToken);`
Removed references to Offers labs flag (#13709) refs https://github.com/TryGhost/Team/issues/1115 This feature is now GA, and the flag has been hardcoded to `true`, here we clean up the remaining references as they're no longer needed. 2021-11-03 18:11:48 +03:00			`membersApp.get('/api/offers/:id', middleware.getOfferData);`
Removed dupe use of labs.members & leftover file - Meant to cleanup the old api/canary/members earlier, removed now as it's unused - Also removed all the duplicate references to labs.members in various places 2020-04-30 21:33:09 +03:00			`membersApp.delete('/api/session', middleware.deleteSession);`
Added new members/api/site endpoint - easy way to access public settings needed for building members clients - no auth means this is for public info only 2020-04-30 21:50:40 +03:00			`membersApp.get('/api/site', middleware.getMemberSiteData);`
Renamed members ssr + api endpoints 2020-04-30 21:00:37 +03:00
Moved members API out of backend 2020-04-30 19:29:51 +03:00			`// NOTE: this is wrapped in a function to ensure we always go via the getter`
Renamed middlewares to middleware consistently - This is a minor bugbare, but it will affect some configuration I'm about to do for c8 - I've been wanting to do it for ages, middleware is plural all on it's own so it's an odd affectation in our codebase - This also only exists in 2 places, everywhere else we use "middleware" - Sadly it did result in a lot of churn as I did a full find and replace, but consistency is king! 2021-11-16 18:42:02 +03:00			`membersApp.post('/api/send-magic-link', bodyParser.json(), shared.middleware.brute.membersAuth, (req, res, next) => membersService.api.middleware.sendMagicLink(req, res, next));`
Moved members API out of backend 2020-04-30 19:29:51 +03:00			`membersApp.post('/api/create-stripe-checkout-session', (req, res, next) => membersService.api.middleware.createCheckoutSession(req, res, next));`
Renamed members ssr + api endpoints 2020-04-30 21:00:37 +03:00			`membersApp.post('/api/create-stripe-update-session', (req, res, next) => membersService.api.middleware.createCheckoutSetupSession(req, res, next));`
Moved members API out of backend 2020-04-30 19:29:51 +03:00			`membersApp.put('/api/subscriptions/:id', (req, res, next) => membersService.api.middleware.updateSubscription(req, res, next));`
Added new ingress endpoint for client-side events res https://github.com/TryGhost/Team/issues/1064 - adds new events endpoint on members app to capture client side events for member analytics behind the `membersActivity` flag 2021-09-21 10:25:42 +03:00			`membersApp.post('/api/events', labs.enabledMiddleware('membersActivity'), middleware.loadMemberSession, (req, res, next) => membersService.api.middleware.createEvents(req, res, next));`
Moved members API out of backend 2020-04-30 19:29:51 +03:00
			`// API error handling`
Renamed middlewares to middleware consistently - This is a minor bugbare, but it will affect some configuration I'm about to do for c8 - I've been wanting to do it for ages, middleware is plural all on it's own so it's an odd affectation in our codebase - This also only exists in 2 places, everywhere else we use "middleware" - Sadly it did result in a lot of churn as I did a full find and replace, but consistency is king! 2021-11-16 18:42:02 +03:00			`membersApp.use('/api', shared.middleware.errorHandler.resourceNotFound);`
			`membersApp.use('/api', shared.middleware.errorHandler.handleJSONResponseV2);`
Increased route specificity for API error handling (#11795) no-issue This ensures that errors that are not part of the members frontend API will be handled by the theme and not with JSON 2020-05-07 23:38:58 +03:00
			`// Webhook error handling`
Renamed middlewares to middleware consistently - This is a minor bugbare, but it will affect some configuration I'm about to do for c8 - I've been wanting to do it for ages, middleware is plural all on it's own so it's an odd affectation in our codebase - This also only exists in 2 places, everywhere else we use "middleware" - Sadly it did result in a lot of churn as I did a full find and replace, but consistency is king! 2021-11-16 18:42:02 +03:00			`membersApp.use('/webhooks', shared.middleware.errorHandler.resourceNotFound);`
			`membersApp.use('/webhooks', shared.middleware.errorHandler.handleJSONResponseV2);`
Moved members API out of backend 2020-04-30 19:29:51 +03:00
			`debug('Members App setup end');`

Moved members routing+mw into its own app - create a new app for the /members/ endpoint - moved all /members/ routes and middleware onto this app - helps to separate members and frontend/site logic so we can start to decouple things more 2020-04-30 09:52:22 +03:00			`return membersApp;`
			`};`