diff --git a/ghost/core/core/server/services/members/middleware.js b/ghost/core/core/server/services/members/middleware.js index 697514e0f2..bd64a14396 100644 --- a/ghost/core/core/server/services/members/middleware.js +++ b/ghost/core/core/server/services/members/middleware.js @@ -1,3 +1,4 @@ +const crypto = require('crypto'); const _ = require('lodash'); const logging = require('@tryghost/logging'); const membersService = require('./service'); @@ -20,16 +21,27 @@ const messages = { const accessInfoSession = async function accessInfoSession(req, res, next) { onHeaders(res, function () { - let activeSubscription; - if (req.member) { - activeSubscription = req.member.subscriptions?.find(sub => sub.status === 'active'); + if (!req.member) { + const accessCookie = `ghost-access=null; Max-Age=0; Path=/; HttpOnly; SameSite=Strict;`; + const hmacCookie = `ghost-access-hmac=null; Max-Age=0; Path=/; HttpOnly; SameSite=Strict;`; + const existingCookies = res.getHeader('Set-Cookie') || []; + const cookiesToSet = [accessCookie, hmacCookie].concat(existingCookies); + + res.setHeader('Set-Cookie', cookiesToSet); + return; } - const maxAge = req.member ? 3600 : 0; + + const activeSubscription = req.member.subscriptions?.find(sub => sub.status === 'active'); + const memberTier = activeSubscription && activeSubscription.tier.slug || 'free'; + const memberTierHmac = crypto.createHmac('sha256', '53CR37').update(memberTier).digest('hex'); + + const maxAge = 3600; const accessCookie = `ghost-access=${memberTier}; Max-Age=${maxAge}; Path=/; HttpOnly; SameSite=Strict;`; + const hmacCookie = `ghost-access-hmac=${memberTierHmac}; Max-Age=${maxAge}; Path=/; HttpOnly; SameSite=Strict;`; const existingCookies = res.getHeader('Set-Cookie') || []; - const cookiesToSet = [accessCookie].concat(existingCookies); + const cookiesToSet = [accessCookie, hmacCookie].concat(existingCookies); res.setHeader('Set-Cookie', cookiesToSet); });