no issue
- v0.1 is ☠️ so the access/refresh token based auth is no longer used
- removed all code related to the `accesstokens` and `refreshtokens` tables
- removed all `passport` related dependencies as it's no longer used
no-issue
* Installed @tryghost/members-ssr@0.4.0
This now supports caching of the data returned by the members-api
* Renamed cookies set by members-ssr
As discussed with @ErisDS I have prefixed these cookies with `ghost`
no-issue
When installing new packages yarn sorts them alphabetically, this meant
that installing/updating packages would have extra changes which would
be noisy either to developers or the git history.
no-issue
* Installed members-api@0.5.0 members-ssr@0.3.1
* Supported multiple members-forms
* Used members canary api
* Added GET handler to /members/ssr for id token
The identity token will be used to ensure that a payment is linked to the correct member
* Added stripe.js to ghost_head when members enabled
* Added basic support for linking to stripe checkout
* Removed listener to title and icon settings changes
* Added stripe subscription config
requires https://github.com/TryGhost/Ghost-Admin/pull/1293
- updates `oembed` endpoint behaviour
- if an oembed provider is not found then we use `metascraper` to populate a metadata object
- when metadata is returned rather than an oembed response the payload will look like this:
```json
{
"url": "...",
"type": "bookmark",
"metadata": {
"url": "...",
"title": "...",
"description": "...",
"author": "...",
"publisher": "...",
"thumbnail": "...",
"icon": "..."
}
}
```
- adds a `bookmark` card which generates output for the bookmark card:
```html
<figure class="kg-card kg-bookmark-card">
<a href="[URL]" class="kg-bookmark-container">
<div class="kg-bookmark-content">
<div class="kg-bookmark-title">[TITLE]</div>
<div class="kg-bookmark-description">[DESCRIPTION]</div>
<div class="kg-bookmark-metadata">
<img src="[ICON]" class="kg-bookmark-icon">
<span class="kg-bookmark-author">[AUTHOR]</span>
<span class="kg-bookmark-publisher">[PUBLISHER]</span>
</div>
</div>
<div class="kg-bookmark-thumbnail">
<img src="[THUMBNAIL]">
</div>
</a>
</figure>
```
- if a particular bit of data does not exist then the associated html element will not be present
no issue
- bump eslint-plugin-ghost to v0.5.0
- update core/test eslint config to use "ghost:test" in place of custom ruleset
- apply automated eslint fixes
no-issue
This module was being shared between multiple parts of the codebase, the
core/shared directory is a stopgap before we move it out to mongo-utils.
no issue
- updates `@tryghost/url-utils` following an internal refactor of the package
- renames `makeAbsoluteUrls` to `htmlRelativeToAbsolute` to better reflect what the function is doing
- renames `getBlogUrl` to `getSiteUrl`
- updates UrlUtils test stubbing util to work with a class
- fixes use of invalid port numbers in tests (max port number is 65535, any higher is an invalid URL that will error with some parsers)
refs #10870
- `moment-timezone` was bumped to `0.5.26` inadvertently as a result of bump to `url-utils` in 6cb0f800c8
- Added resolution makes sure we use `0.5.23` for `moment-timezone` till tests are updated to work with latest version
* Installed @tryghost/members-ssr@0.2.1
refs https://github.com/TryGhost/Members/issues/38
This updates allows for dynamic access of the membersApi, which will be
used in future when replacing the membersApi instance with a newly
configured one.
* Set the membersApiInstance logger to use common.logging
refs https://github.com/TryGhost/Members/issues/38
Passes the Ghost logger to the members api, so that we can keep an eye
on errors produced by the api.
* Refactored memberService use to always use getter
refs https://github.com/TryGhost/Members/issues/38
This will allow us to switch out the membersApi and the consumers of it
to have the updated reference by going through a getter.
* Installed @tryghost/members-api@0.3.0
refs https://github.com/TryGhost/Members/issues/38
Adds support for setting the logger
* Uninstalled stripe@7.0.0
refs https://github.com/TryGhost/Members/issues/38
The stripe module is now a dep of members-api, as it should be
* Updated members service to reconfigure settings
refs https://github.com/TryGhost/Members/issues/38
Previously we were unable to stop an invalidly configured members api
instance, now that we create a new instance, we can wait for the ready
or error event and only switch it out then.
* Installed @tryghost/members-api@0.2.0
refs #10886
This will allow us to mount one router rather than having a static and
api router.
* Added members v2 api directory
refs #10886
This brings the members api more inline with how the rest of the apis
work within Ghost.
* Mounted the members api app to the api route
closes#10886
This successfully mounts the api and the static pages to the
/api/v2/members/ URL.
* Installed @tryghost/members-auth-pages@1.0.0
refs #10886
This updates the auth pages to work correctly with the new mount point.
* Changed membersUrl in members.js to use members api
refs #10886
This keeps the membersUrl lined up with the path for the static
members pages.
* Removed old members static mount point
refs #10886
These are no longer used, nor desired.
* Remove superfluous code from members service
refs #10886
This remove the gateway getter which is no longer used, and the fallback
for members not enabled - which is handled within the members app.
* Updated ssoOrigin to use admin url
refs #10886
This ensures that sites running on a separate admin domain have the
correct ssoOrigin, which is used to ensure only the designated auth
pages are used to hit the authentication endpoints.
Since the auth pages are now hosted under the `/ghost` url, they will be
on the admin origin and not the site origin
no issue
- Updated Test & linting packages
- Updated use of hasOwnProperty
- Using Object.prototype.hasOwnProperty instead (ref. eslint.org/docs/rules/no-prototype-builtins)
- Removed already defined built-in global variable Intl
- Applied `--fix` with lint command on `core/test` folder
- The rules were broken because some of them were made stricter for `eslint: recommended` ruleset (ref. https://eslint.org/docs/user-guide/migrating-to-6.0.0#eslint-recommended-changes)
- Removed redundant global variable declarations to pass linting
no issue
- The underlying issue is the change in retry behavior in 'got' (a3e77de287)
- Now 500 responses trigger 2 default retries
- Renamed retries -> retry. As mentioned in https://github.com/sindresorhus/got/releases/v9.0.0
- Added response body error check
This reverts commit 64735693be.
- `rsa-keypair` is a binary dependency that was failing to install for a lot of users, reverting for now so we can look at alternative options for speeding up boot time
no-issue
This updates Ghost to inject the exact urls we want to use for both the
static members pages and the ssr endpoints we've configured for the
frontend. This allows us to changes these without having to update the
members repository, and gives a cleaner split between the two.
closes#10773
- The refactoring is a substitute for `urlService.utils` used previously throughout the codebase and now extracted into the separate module in Ghost-SDK
- Added url-utils stubbing utility for test suites
- Some tests had to be refactored to avoid double mocks (when url's are being reset inside of rested 'describe' groups)
* Installed `@tryghost/members-{api,auth-pages}`
no-issue
* Used @tryghost/members-auth-pages in member service
no-issue
* Used @tryghost/members-api in members service
no-issue
* Deleted core/server/lib/members
no-issue
* Fixed parent app tests
no-issue
Requiring the members api (via the `gateway` getter) was throwing an
error, so we stub out the members service getters
no-issue
This bump to members-ssr includes an update which no longer consumes the
request stream when calling getMemberDataFromSession. Previously, this
method was called on every request to the theme layer, and the
private-blogging middleware was unable to parse the body as the request
stream had already been consumed.
no issue
- when sending `html` with `?source=html` to the v2 Admin API it's now possible to include blocks of HTML that will be extracted to html cards rather than going through the normal lossy html-to-mobiledoc conversion
Example usage would be sending HTML in the following format:
```html
<p>Some standard content...</p>
<!--kg-card-begin: html-->
<div class="my-custom-html">...</div>
<!--kg-card-end: html-->
<p>Some more content...</p>
```
In this case an html card will be created in the mobiledoc with the content `<div class="my-custom-html">...</div>`.
no-issue
The previous postinstall script used the unix specific `cp` command,
which caused installing on Windows to break. This replaces it with an
npm module which handles copying files agnostic to platform.
* Removed support for cookies in members auth middleware
no-issue
The members middleware will no longer be supporting cookies, the cookie
will be handled by a new middleware specific for serverside rendering,
more informations can be found here:
https://paper.dropbox.com/doc/Members-Auth-II-4WP4vF6coMqDYbSMIajo5
* Removed members auth middleware from site app
no-issue
The site app no longer needs the members auth middleware as it doesn't
support cookies, and will be replaced by ssr specific middleware.
https://paper.dropbox.com/doc/Members-Auth-II-4WP4vF6coMqDYbSMIajo5
* Added comment for session_secret setting
no-issue
We are going to have multiple concepts of sessions, so adding a comment
here to be specific that this is for the Ghost Admin client
* Added theme_session_secret setting dynamic default
no-issue
Sessions for the theme layer will be signed, so we generate a random hex
string to use as a signing key
* Added getPublicConfig method
* Replaced export of httpHandler with POJO apiInstance
no-issue
This is mainly to reduce the public api, so it's easier to document.
* Renamed memberUserObject -> members
no-issue
Simplifies the interface, and is more inline with what we would want to export as an api library.
* Removed use of require options inside members
no-issue
This was too tight of a coupling between Ghost and Members
* Simplified apiInstance definition
no-issue
* Added getMember method to members api
* Added MembersSSR instance to members service
* Wired up routes for members ssr
* Updated members auth middleware to use getPublicConfig
* Removed publicKey static export from members service
* Used real session secret
no-issue
* Added DELETE /members/ssr handler
no-issue
This allows users to log out of the theme layer
* Fixed missing code property
no-issue
Ignition uses the statusCode property to forward status codes to call sites
* Removed superfluous error middleware
no-issue
Before we used generic JWT middleware which would reject, now the
middleware catches it's own error and doesn't error, thus this
middleware is unecessary.
* Removed console.logs
no-issue
* Updated token expirty to hardcoded 20 minutes
no-issue
This returns to our previous state of using short lived tokens, both for
security and simplicity.
* Removed hardcoded default member settings
no-issue
This is no longer needed, as defaults are in default-settings.json
* Removed stripe from default payment processor
no-issue
* Exported `getSiteUrl` method from url utils
no-issue
This keeps inline with newer naming conventions
* Updated how audience access control works
no-issue
Rather than being passed a function, members api now receives an object
which describes which origins have access to which audiences, and how
long those tokens should be allowed to work for. It also allows syntax
for default tokens where audience === origin requesting it. This can be
set to undefined or null to disable this functionality.
{
"http://site.com": {
"http://site.com": {
tokenLength: '5m'
},
"http://othersite.com": {
tokenLength: '1h'
}
},
"*": {
tokenLength: '30m'
}
}
* Updated members service to use access control feature
no-issue
This also cleans up a lot of unecessary variable definitions, and some
other minor cleanups.
* Added status code to auth pages html response
no-issue
This was missing, probably default but better to be explicit
* Updated gateway to have membersApiUrl from config
no-issue
Previously we were parsing the url, this was not very safe as we can
have Ghost hosted on a subdomain, and this would have failed.
* Added issuer to public config for members
no-issue
This can be used to request SSR tokens in the client
* Fixed path for gateway bundle
no-issue
* Updated settings model tests
no-issue
* Revert "Removed stripe from default payment processor"
This reverts commit 1d88d9b6d73a10091070bcc1b7f5779d071c7845.
* Revert "Removed hardcoded default member settings"
This reverts commit 9d899048ba7d4b272b9ac65a95a52af66b30914a.
* Installed @tryghost/members-ssr
* Fixed tests for settings model
no issue
- Updated theme fixtures to be in line with new deprecation rules
for {{lang}} and {{@blog.*}} helpers introduced with https://github.com/TryGhost/gscan/pull/180
no issue
- Migrated default scheduling adapter to use Got via the request proxy
- SchedulingDefault is the only module that was using superagent so removed it as a dependency
refs #9441
* Updated top-level ids to use const
* Removed one layer of indentation
* Added .eslintignore files for server and test tasks
* Added npm scripts for eslint
* Fixed lint command in w/ grunt
* Uninstalled grunt-eslint
* Added eslint config
no issue
- switch away from forked version of `oembed-parser` - our changes are merged upstream
- latest `oembed-parser` has a newer version of the providers list
no issue
- sometimes the Ghost-Admin build will succeed but show a `module is not defined` error. The only fix we've found so far is a computer restart (most reliable) or to clean the yarn cache and re-install the admin dependencies
- adds `yarn fixmodulenotdefined` that:
1. runs `yarn cache clean`
2. changes to `{ghost}/core/client` then deletes `node_modules`, `tmp`, and `dist`, before re-installing dependencies with `yarn`
3. changes back to `{ghost}/`
- after running the command you'll need to run `grunt dev` or similar again
refs #10438
- Added validation helper based on JSON schema
- Added schema validation for POST/PUT in /posts endpoints
- Refactored existing authors validation test suite
- Extended test coverage with a minimally required structure of post.add validator
no issue
- express-hbs has been updated to depend on handlebars@4.0.13 which protects against a potential RCE
- Ghost itself was not vulnerable to the RCE due to protection by gscan which does not allow themes using unknown helpers to be installed/activated
These changes introduce a new "service" to the members api, which handles getting and creating subscriptions.
This is wired up to get subscription information when creating tokens, and attaching information to the token, so that the Content API can allow/deny access.
Behind the subscription service we have a Stripe "payment processor", this holds the logic for creating subscriptions etc... in Stripe.
The logic for getting items out of stripe uses a hash of the relevant data as the id to search for, this allows us to forgo keeping stripe data in a db, so that this feature can get out quicker.
refs #9248
- Bookshelf gives access to ".changed" before the update
- Discussion: https://github.com/bookshelf/bookshelf/issues/1943
- We also need to know what has changed after the update to be able to decide if we should trigger events
- Furthermore: Bookshelf cannot handle relation updates, it always marks relations as changed even though they did not change
- Bumped bookshelf-relations to be able to
- know if relations were updated
- ensure we unset relations on bookshelf's ".changed"
closes#10421
refs #10181
This bumbs the ghost-ignition dep, so that the code passed to errors
takes priority over any code the error is inheriting from.
closes#10420
- bumped brute-knex
> error eslint@5.12.1: The engine “node” is incompatible with this module. Expected version “^6.14.0 || ^8.10.0 || >=9.10.0”. Got “8.9.1”
refs #9178
`yarn test` only runs acceptance and unit tests.
We will setup a cronjob in Travis and run the regression tests once per day.
You can manually run them with `yarn test:regression`
This separation is just a first step into the right direction.
Travis will no longer run for 10-13minutes.
The goal is to run common API use cases and unit tests in Travis and locally by default.
## After this separation we still need to:
- re-work our test utility
- remove some tests
- define which tests are our common API use cases
- rewrite some tests
- make testing easier (starting/stopping Ghost, fixtures and resetting services or event listeners, it's a pain and takes sometimes ages to fix tests)
---
**Acceptance:**
- common/basic API use cases against the current **stable** API
**Unit:**
- all unit tests (no database access)
- proper mocking
**Regression:**
- packages we don't want to run for each PR or commit
- tests which protect Ghost from breaking components and behaviour
- it is wishful that regression tests are using Ghost's API's (frontend, apps, core)
---
**This PR requires an update to our docs.**
