Moved magiclink handling to /members/ + added redirect

- Magic link token handling doesn't need to be global, this couples the system to the frontend, which isn't necessary
- Instead, we create a session from the token, and redirect to the frontend
- Move res.locals.members setting into existing middleware function instead of having it separate

core/server/services/members/config.js

@@ -2,6 +2,7 @@ const {URL} = require('url');
 const settingsCache = require('../settings/cache');
 const ghostVersion = require('../../lib/ghost-version');
 const crypto = require('crypto');
+const path = require('path');
 const common = require('../../lib/common');
 const urlUtils = require('../../lib/url-utils');
 
@@ -155,6 +156,7 @@ function getTokenConfig() {
 
 function getSigninURL(token, type) {
     const signinURL = new URL(siteUrl);
+    signinURL.pathname = path.join(signinURL.pathname, '/members/');
     signinURL.searchParams.set('token', token);
     signinURL.searchParams.set('action', type);
     return signinURL.href;

core/server/services/members/middleware.js

@@ -1,6 +1,7 @@
 const common = require('../../lib/common');
 const labsService = require('../labs');
 const membersService = require('./index');
+const urlUtils = require('../../lib/url-utils');
 
 const getIdentityToken = async function (req, res) {
     try {
@@ -26,7 +27,7 @@ const deleteSession = async function (req, res) {
     }
 };
 
-const getMemberDataFromSession = async function (req, res, next) {
+const loadMemberSession = async function (req, res, next) {
     if (!labsService.isSet('members')) {
         req.member = null;
         return next();
@@ -34,6 +35,7 @@ const getMemberDataFromSession = async function (req, res, next) {
     try {
         const member = await membersService.ssr.getMemberDataFromSession(req, res);
         Object.assign(req, {member});
+        res.locals.member = req.member;
         next();
     } catch (err) {
         common.logging.warn(err.message);
@@ -68,7 +70,7 @@ const getMemberData = async function (req, res) {
     }
 };
 
-const exchangeTokenForSession = async function (req, res, next) {
+const createSessionFromMagicLink = async function (req, res, next) {
     if (!labsService.isSet('members')) {
         return next();
     }
@@ -76,8 +78,23 @@ const exchangeTokenForSession = async function (req, res, next) {
         return next();
     }
     try {
-        const member = await membersService.ssr.exchangeTokenForSession(req, res);
-        Object.assign(req, {member});
+        await membersService.ssr.exchangeTokenForSession(req, res);
+
+        // req.query is a plain object, copy it to a URLSearchParams object so we can call toString()
+        const searchParams = new URLSearchParams('');
+        Object.keys(req.query).forEach((param) => {
+            // don't copy the token param
+            if (param !== 'token') {
+                searchParams.set(param, req.query[param]);
+            }
+        });
+
+        // We need to include the subdirectory, but members is already removed from the path
+        let redirectPath = `${urlUtils.getSubdir()}${req.path}?${searchParams.toString()}`;
+
+        // Do a standard 302 redirect
+        res.redirect(redirectPath);
+
         next();
     } catch (err) {
         common.logging.warn(err.message);
@@ -85,25 +102,11 @@ const exchangeTokenForSession = async function (req, res, next) {
     }
 };
 
-const decorateResponse = function (req, res, next) {
-    if (!labsService.isSet('members')) {
-        return next();
-    }
-    res.locals.member = req.member;
-    next();
-};
-
 // @TODO only load this stuff if members is enabled
 // Set req.member & res.locals.member if a cookie is set
 module.exports = {
-    memberSession: [
-        getMemberDataFromSession,
-        decorateResponse
-    ],
-    createSessionFromMagicLink: [
-        exchangeTokenForSession,
-        decorateResponse
-    ],
+    loadMemberSession,
+    createSessionFromMagicLink,
     getIdentityToken,
     getMemberData,
     deleteSession,

core/server/web/site/app.js

@@ -138,10 +138,10 @@ module.exports = function setupSiteApp(options = {}) {
     siteApp.post('/members/webhooks/stripe', shared.middlewares.labs.members, membersMiddleware.stripeWebhooks);
 
     // Currently global handling for signing in with ?token= magiclinks
-    siteApp.use(membersMiddleware.createSessionFromMagicLink);
+    siteApp.use('/members/', membersMiddleware.createSessionFromMagicLink);
 
     // Global handling for member session, ensures a member is logged in to the frontend
-    siteApp.use(membersMiddleware.memberSession);
+    siteApp.use(membersMiddleware.loadMemberSession);
 
     // Theme middleware
     // This should happen AFTER any shared assets are served, as it only changes things to do with templates