Moved magiclink handling to /members/ + added redirect

- Magic link token handling doesn't need to be global, this couples the system to the frontend, which isn't necessary - Instead, we create a session from the token, and redirect to the frontend - Move res.locals.members setting into existing middleware function instead of having it separate
2024-12-28 21:33:24 +03:00 · 2020-04-29 18:23:55 +01:00 · 2020-04-29 18:23:55 +01:00 · d8d5d6b7d0
commit d8d5d6b7d0
parent 0e1ae7c2af
3 changed files with 27 additions and 22 deletions
--- a/core/server/services/members/config.js
+++ b/core/server/services/members/config.js
@ -2,6 +2,7 @@ const {URL} = require('url');
 const settingsCache = require('../settings/cache');
 const ghostVersion = require('../../lib/ghost-version');
 const crypto = require('crypto');
 const path = require('path');
 const common = require('../../lib/common');
 const urlUtils = require('../../lib/url-utils');
@ -155,6 +156,7 @@ function getTokenConfig() {
 function getSigninURL(token, type) {
    const signinURL = new URL(siteUrl);
    signinURL.pathname = path.join(signinURL.pathname, '/members/');
    signinURL.searchParams.set('token', token);
    signinURL.searchParams.set('action', type);
    return signinURL.href;
--- a/core/server/services/members/middleware.js
+++ b/core/server/services/members/middleware.js
@ -1,6 +1,7 @@
 const common = require('../../lib/common');
 const labsService = require('../labs');
 const membersService = require('./index');
 const urlUtils = require('../../lib/url-utils');
 const getIdentityToken = async function (req, res) {
    try {
@ -26,7 +27,7 @@ const deleteSession = async function (req, res) {
    }
 };
-const getMemberDataFromSession = async function (req, res, next) {
+const loadMemberSession = async function (req, res, next) {
    if (!labsService.isSet('members')) {
        req.member = null;
        return next();
@ -34,6 +35,7 @@ const getMemberDataFromSession = async function (req, res, next) {
    try {
        const member = await membersService.ssr.getMemberDataFromSession(req, res);
        Object.assign(req, {member});
        res.locals.member = req.member;
        next();
    } catch (err) {
        common.logging.warn(err.message);
@ -68,7 +70,7 @@ const getMemberData = async function (req, res) {
    }
 };
-const exchangeTokenForSession = async function (req, res, next) {
+const createSessionFromMagicLink = async function (req, res, next) {
    if (!labsService.isSet('members')) {
        return next();
    }
@ -76,8 +78,23 @@ const exchangeTokenForSession = async function (req, res, next) {
        return next();
    }
    try {
-        const member = await membersService.ssr.exchangeTokenForSession(req, res);
+        await membersService.ssr.exchangeTokenForSession(req, res);
-        Object.assign(req, {member});
+
        // req.query is a plain object, copy it to a URLSearchParams object so we can call toString()
        const searchParams = new URLSearchParams('');
        Object.keys(req.query).forEach((param) => {
            // don't copy the token param
            if (param !== 'token') {
                searchParams.set(param, req.query[param]);
            }
        });
        // We need to include the subdirectory, but members is already removed from the path
        let redirectPath = `${urlUtils.getSubdir()}${req.path}?${searchParams.toString()}`;
        // Do a standard 302 redirect
        res.redirect(redirectPath);
        next();
    } catch (err) {
        common.logging.warn(err.message);
@ -85,25 +102,11 @@ const exchangeTokenForSession = async function (req, res, next) {
    }
 };
 const decorateResponse = function (req, res, next) {
    if (!labsService.isSet('members')) {
        return next();
    }
    res.locals.member = req.member;
    next();
 };
 // @TODO only load this stuff if members is enabled
 // Set req.member & res.locals.member if a cookie is set
 module.exports = {
-    memberSession: [
+    loadMemberSession,
-        getMemberDataFromSession,
+    createSessionFromMagicLink,
        decorateResponse
    ],
    createSessionFromMagicLink: [
        exchangeTokenForSession,
        decorateResponse
    ],
    getIdentityToken,
    getMemberData,
    deleteSession,
--- a/core/server/web/site/app.js
+++ b/core/server/web/site/app.js
@ -138,10 +138,10 @@ module.exports = function setupSiteApp(options = {}) {
    siteApp.post('/members/webhooks/stripe', shared.middlewares.labs.members, membersMiddleware.stripeWebhooks);
    // Currently global handling for signing in with ?token= magiclinks
-    siteApp.use(membersMiddleware.createSessionFromMagicLink);
+    siteApp.use('/members/', membersMiddleware.createSessionFromMagicLink);
    // Global handling for member session, ensures a member is logged in to the frontend
-    siteApp.use(membersMiddleware.memberSession);
+    siteApp.use(membersMiddleware.loadMemberSession);
    // Theme middleware
    // This should happen AFTER any shared assets are served, as it only changes things to do with templates