🔒 Fixed member email change vulnerability

refs https://github.com/TryGhost/Ghost/security/advisories/GHSA-65p7-pjj8-ggmr

This updates the signup/signin flow for members to no longer support the
email address change flow - which had missing authentication. It has
been replaced with a dedicated email change flow, and Portal has been
updated to use it.

core/server/web/members/app.js

@@ -34,6 +34,7 @@ module.exports = function setupMembersApp() {
     // We don't want to add global bodyParser middleware as that interfers with stripe webhook requests on - `/webhooks`.
     membersApp.get('/api/member', middleware.getMemberData);
     membersApp.put('/api/member', bodyParser.json({limit: '1mb'}), middleware.updateMemberData);
+    membersApp.post('/api/member/email', bodyParser.json({limit: '1mb'}), (req, res) => membersService.api.middleware.updateEmailAddress(req, res));
     membersApp.get('/api/session', middleware.getIdentityToken);
     membersApp.delete('/api/session', middleware.deleteSession);
     membersApp.get('/api/site', middleware.getMemberSiteData);

core/shared/config/defaults.json

@@ -121,7 +121,7 @@
         "emailAnalytics": true
     },
     "portal": {
-        "url": "https://unpkg.com/@tryghost/portal@~1.9.0/umd/portal.min.js",
-        "version": "1.9"
+        "url": "https://unpkg.com/@tryghost/portal@~1.10.0/umd/portal.min.js",
+        "version": "1.10"
     }
 }

package.json

@@ -74,7 +74,7 @@
     "@tryghost/limit-service": "0.6.1",
     "@tryghost/logging": "0.1.7",
     "@tryghost/magic-link": "1.0.11",
-    "@tryghost/members-api": "1.32.1",
+    "@tryghost/members-api": "1.32.3",
     "@tryghost/members-csv": "1.1.6",
     "@tryghost/members-importer": "0.3.2",
     "@tryghost/members-ssr": "1.0.12",

yarn.lock

@@ -1505,10 +1505,10 @@
     jsonwebtoken "^8.5.1"
     lodash "^4.17.15"
 
-"@tryghost/members-api@1.32.1":
-  version "1.32.1"
-  resolved "https://registry.yarnpkg.com/@tryghost/members-api/-/members-api-1.32.1.tgz#a890c8f2f2ae92d7d43437e52cb14dd6ae194732"
-  integrity sha512-1ox59JG6RCa+BZpuJQtfPjddIMQnodAfD2/nm8MvMsEVrUMtiu9BeH6yihJATroCwoqCvNJWGhG2/1t/FubGkw==
+"@tryghost/members-api@1.32.3":
+  version "1.32.3"
+  resolved "https://registry.yarnpkg.com/@tryghost/members-api/-/members-api-1.32.3.tgz#ecf0948db251edcbd5aa4efd5b12db25ceb87da4"
+  integrity sha512-p5rimYXj35fTQBtDuoSLDzuKEmofd4Ot3rokUDAmaa8Lj4Tsoh3TnrTESSUc7PkCwDYts4PDX5+cLPhkc3LpTg==
   dependencies:
     "@tryghost/debug" "^0.1.2"
     "@tryghost/errors" "^0.2.9"