Commit Graph

59 Commits

Author SHA1 Message Date
Steve Larson
f577aafa52
🐛 Fixed malformed unsubscribe_url in members api response (#21437)
no ref
2024-10-28 09:58:09 -05:00
Steve Larson
63f25ece6d
Added unsubscribe_url to member api response (#21207)
ref https://linear.app/tryghost/issue/ONC-387/

With some recent changes, we added validation to unsubscribe URLs to verify the source, allowing us to cut down on spam and improve security, as the underlying key could be re-generated should the need arise. This had the side effect of making unsubscribe URLs difficult to reconstruct when using third-party/downstream integrations, such as ActiveCampaign, which fills a gap in the current Ghost feature set.

Now any authenticated query to `/api/members` will return an `unsubscribe_url` field that can be used directly.
2024-10-16 14:00:31 -05:00
Sam Lord
56a9fa34af Fixed names of tests for Portal honeypot field
ref KTLO-1
2024-08-22 22:32:04 +01:00
Sam Lord
0a9d2fadba Added honeypot field to prevent bot signup/signin
ref KTLO-1
Should prevent untargeted attacks using headless browser bots.
2024-08-22 22:32:04 +01:00
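As an added illustration of the honeypot technique the two commits above introduce (example code, not Ghost Portal's implementation): a form field that is hidden from people but present in the DOM, and a server-side check that silently discards any submission that fills it in. The field name `website`, the form action and the response shape are assumptions.

```javascript
// Added example (not Ghost Portal code): a honeypot field on a signup form and
// the server-side check that silently drops submissions that fill it in.

// Assumed field name. Pick something a naive autofill bot will populate;
// never call it "honeypot".
const HONEYPOT_FIELD = 'website';

// The field is moved off-screen and hidden from assistive tech, so humans
// never see or tab into it, but a headless browser filling every <input>
// it finds in the DOM will write into it.
function renderSignupForm(action = '/members/api/send-magic-link/') {
  return [
    `<form method="post" action="${action}" autocomplete="off">`,
    '  <label>Email <input type="email" name="email" required></label>',
    '  <div style="position:absolute;left:-10000px" aria-hidden="true">',
    `    <input type="text" name="${HONEYPOT_FIELD}" tabindex="-1" autocomplete="off">`,
    '  </div>',
    '  <button type="submit">Subscribe</button>',
    '</form>',
  ].join('\n');
}

// A non-empty honeypot value (or an unexpected type) is treated as a bot.
function isHoneypotTriggered(body) {
  const v = body?.[HONEYPOT_FIELD];
  return v !== undefined && v !== null && String(v).trim() !== '';
}

// Handler: bots get the same success status as humans so the response leaks
// nothing, but no magic link is sent and nothing is stored.
function handleSignup(body, sendMagicLink) {
  if (isHoneypotTriggered(body)) {
    return { status: 201, sent: false, reason: 'honeypot' };
  }
  if (typeof body?.email !== 'string' || !body.email.includes('@')) {
    return { status: 400, sent: false, reason: 'invalid-email' };
  }
  sendMagicLink(body.email);
  return { status: 201, sent: true };
}
```

This only defends against untargeted bots, as the commit message says: an attacker who inspects the form can simply leave the field empty, so the honeypot complements, rather than replaces, rate limiting on the signup endpoint.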
Chris Raible
bf895e6e99
🐛 Fixed offer redemptions for free members redeeming an offer (#20571)
ref
https://linear.app/tryghost/issue/ENG-1251/support-escalation-re-offers-not-tracking

- Offer Redemptions were not being persisted in the database for
existing free members who upgrade to a paid plan with an offer, which
resulted in inaccurate offer redemption counts. This made it difficult
to assess the performance of an offer.
- Previously, Ghost recorded an offer redemption in the DB in response
to the `SubscriptionCreatedEvent`, under the assumption that the offer
details would be included in this event. This assumption was valid for
brand new members starting a subscription with an offer, but not for
existing free members upgrading to a paid plan with an offer.
- For existing free members, the subscription is first stored in Ghost
in response to the `customer.subscription.created` Stripe webhook. At
this point, the offer/discount is not attached to the subscription, so
the `SubscriptionCreatedEvent` triggers without the offer information,
and the offer redemption is not recorded. After the
`checkout.session.completed` webhook is received (which _does_ include
the offer details), the subscription is updated in Ghost, but the Offer
Redemption is not stored.
- For brand new members, the `customer.subscription.created` webhook
no-ops, because the member and Stripe Customer don't exist yet.
Therefore, the subscription is first created in Ghost in response to the
`checkout.session.completed` webhook, which _does_ include the offer
information, so the offer information is included in the
`SubscriptionCreatedEvent` and the offer redemption is recorded as
expected.
- This change adds a new `OfferRedemptionEvent`, which triggers
either: (1) when a new subscription is created with an offer (as in the
case of a brand new member), or (2) when an existing subscription is
first updated to include an offer (as in the case of an existing free
member upgrading with an offer). The Offer Redemption is then persisted
in the DB in response to the `OfferRedemptionEvent` rather than the
`SubscriptionCreatedEvent`.
2024-07-09 16:05:26 -07:00
Sag
725ebc3e9f
Fixed invalid tierId handling during member paid checkout (#20455)
- fixes https://linear.app/tryghost/issue/SLO-90
2024-06-24 15:33:39 +00:00
Sag
d751d648c7
Fixed offer not found case during Stripe checkout (#20322)
fixes https://linear.app/tryghost/issue/SLO-135

- handles edge cases when an invalid `offerId` is provided during Stripe
checkout
2024-06-04 10:27:45 +00:00
Sag
cb8213e7d3
Fixed validation when tierId is missing during Stripe checkout (#20195)
refs https://linear.app/tryghost/issue/SLO-90
refs
https://www.notion.so/ghost/Decoupling-Members-from-Stripe-13b644d4dccb43ea83f683473c690b82

- the members API has not supported passing a Stripe Price ID directly
during checkout since the end of 2022. However, we did not update the param
validation accordingly
2024-05-13 14:47:39 +02:00
Daniel Lockyer
31bdef94cd Handled invalid filters in members event repository
fix https://linear.app/tryghost/issue/SLO-82/query-error-unexpected-character-in-filter-at-char-1

- previously, we weren't handling a parsing error, and just bubbling it
  back up the chain
- this would result in an InternalServerError somewhere, which caused
  500s
- we can handle this, because it's just a bad filter
- this adds handling so we return a 422 upon receiving an invalid filter
2024-05-01 11:58:09 +02:00
Ronald Langeveld
58c156001c
Added Newsletter Events Test to Members (#19653)
refs
https://linear.app/tryghost/issue/ENG-604/🐛-members-events-show-member-subscribed-to-archived-newsletter

- added tests to avoid a potential regression
2024-02-05 13:54:10 +00:00
Simon Backx
eb063f7a40
Fixed clearing invalid sender_email when changing newsletter sender_reply_to (#19555)
fixes PROD-102

When a newsletter has a sender_email stored in the database that Ghost
is not allowed to send from, we no longer return it as sender_email in
the API. Instead we return it as the sender_reply_to. That way the
expected behaviour is shown correctly in the frontend and the API result
also makes more sense.

In addition to that, when a change is made to a newsletter's reply_to
address, we'll clear any invalid sender_email values in that newsletter.
That makes sure we can clear the sender_reply_to value instead of
keeping the current fallback to sender_email if that one is stored.

On top of that, this change correctly updates the browse endpoint to use
the newsletter service instead of directly using the model.
2024-01-23 16:10:11 +01:00
Simon Backx
370c6b465b
Filter members by email disabled (#18884)
fixes https://github.com/TryGhost/Product/issues/4108

- Updates filters behind a new alpha feature flag so you can also filter
on members who have email disabled (because the email had a permanent
bounce, they reported spam or the email address is invalid)
- When returning members, we now also use the email_disabled flag to set
email_suppression.suppressed correctly (in case they are out of sync,
which should normally never happen).
2023-11-14 14:37:01 +01:00
Princi Vershwal
f243083bfa
Name for custom newsletters (#18124)
refs https://github.com/TryGhost/Product/issues/3862 &
https://github.com/TryGhost/Product/issues/3863
2023-09-15 16:15:09 +05:30
Michael Barrett
a1f056ee86
🐛 Fixed portal showing incorrect expiry date for comped subscription (#18120)
refs https://github.com/TryGhost/Product/issues/3875

When a member had a comped subscription, the portal was showing an
incorrect expiry date. This was because the `expiry_date` was being set
to the `created_at` date of the subscription, rather than the
`expiry_date` of the comped subscription
2023-09-14 08:46:23 +01:00
Michael Barrett
72cc285184
Refactor validating specified newsletters in custom sign-up form (#18032)
refs https://github.com/TryGhost/Product/issues/3837

Moved the logic for validating specified newsletters to controller so
that the request can be failed
2023-09-08 13:55:02 +01:00
Princi Vershwal
f663774cf9
Added support for multiple newsletters in custom signup form (#18023)
refs https://github.com/TryGhost/Product/issues/3514

---------

Co-authored-by: Michael Barrett <mike182uk@gmail.com>
2023-09-08 11:09:44 +01:00
Princi Vershwal
83282ca4cd
Added checks for subscription to multiple newsletter through custom sign up form (#17994)
refs https://github.com/TryGhost/Product/issues/3810

---------

Co-authored-by: Michael Barrett <mike@ghost.org>
2023-09-07 18:27:32 +01:00
Simon Backx
a011151e24
🐛 Fixed handling multiple Stripe subscriptions for same member (#17773)
fixes https://github.com/TryGhost/Product/issues/3752

- Added some extra tests for edge cases
- Updated handling of multiple subscriptions so they are handled better
- Canceling a subscription when the member still has other subscriptions will now get handled correctly where the status and products of the member stay intact
2023-08-22 13:27:21 +02:00
Hannah Wolfe
6161f94910
Updated to use assert/strict everywhere (#17047)
refs: https://github.com/TryGhost/Toolbox/issues/595

We're rolling out new rules around the node assert library, the first of which is enforcing the use of assert/strict. This means we don't need to use the strict version of methods, as the standard version will work that way by default.

This caught some gotchas in our existing usage of assert where the lack of strict mode had unexpected results:
- Url matching needs to be done on `url.href` see aa58b354a4
- Null and undefined are not the same thing, there were a few cases of this being confused
- Particularly questionable changes in [PostExporter tests](c1a468744b) tracked [here](https://github.com/TryGhost/Team/issues/3505).
- A typo see eaac9c293a

Moving forward, using assert strict should help us to catch unexpected behaviour, particularly around nulls and undefineds during implementation.
2023-06-21 09:56:59 +01:00
Fabien "egg" O'Carroll
104f84f252 Added eslint rule for file naming convention
As discussed with the product team we want to enforce kebab-case file names for
all files, with the exception of files which export a single class, in which
case they should be PascalCase and reflect the class which they export.

This will help find classes faster, and should push better naming for them too.

Some files and packages have been excluded from this linting, specifically when
a library or framework depends on the naming of a file for the functionality
e.g. Ember, knex-migrator, adapter-manager
2023-05-09 12:34:34 -04:00
Steve Larson
6402d89e08 removed require should
2023-03-08 16:50:03 -06:00
Steve Larson
cb05fae5a3
🐛 Fixed maintaining archived newsletter subscriptions for members (#16375)
refs #16355
- archived newsletters will no longer be unsubscribed when saving member
- fixed bug with initialMember load
- fixed errors in unit tests
2023-03-08 16:39:28 -06:00
Rishabh Garg
8bdad78377
🐛 Fixed broken redemption count for offers (#15954)
refs https://github.com/TryGhost/Team/issues/2369

- offer id was not getting attached to stripe checkout metadata, causing the checkout event to not store any offer information for a subscription. This got changed in a prev refactor [here](25d8d694a0 (diff-b7dfcd660902a2a20dff7da5e886d8e10234bda4ba78228255afc8d4a8e78cf6L206))
- cleans up offer id handling for checkout session event
2022-12-07 14:30:11 +05:30
Fabien "egg" O'Carroll
65a4eb5eb6 🐛 Fixed upgrading Subscriptions to new Tiers
refs https://github.com/TryGhost/Team/issues/2204

This was found during Tiers flows testing, the logic for fetching
price information from Tiers had not been updated to use the new Tiers
package and Payments service. This only affects Tiers created since 5.22.x
2022-11-07 17:42:32 +07:00
Rishabh Garg
007637973e
🐛 Fixed comped member creation via Admin API (#15714)
closes https://github.com/TryGhost/Team/issues/2184

- when using the old legacy method of `comped:true` to add complimentary subs to a member along with a label, the API call failed with `Internal Server error` and the member was added as free on the site.
- patches the options sent for fetching default product to only pick the relevant keys, as it was picking up the `withRelated` for `labels` that caused the API failure
2022-10-28 01:59:05 +05:30
Simon Backx
b911208b41
Improved filter support in activity API to allow pagination (#15684)
fixes https://github.com/TryGhost/Team/issues/2129

- This changes how the activity feed API parses the filter.
- We now parse the filter early to a MongoDB filter, and split it in two. One of the filters is applied to the pageActions, and the other one is used individually for every event type. We now allow grouping and ORs inside the filters because of this change. As long as we don't combine filters on 'type' with other filters inside grouped filters or ORs, it is allowed.
- We make use of mongoTransformer to manually inject a mongo filter without needing to parse it from a string value again (that would make it a lot harder because we would have to convert the split filter back to a string and we currently don't have methods for that).
- Added sorting by id for events with the same timestamp (required for reliable pagination)
- Added id to each event (required for pagination)
- Added more tests for filters
- Added test for pagination
- Removed unused getSubscriptions and getVolume methods

Used new mongo utility methods introduced here: https://github.com/TryGhost/NQL/pull/49
2022-10-27 12:13:24 +02:00
Naz
0e094b371b
Reused getDefaultProduct where possible
refs 82ed10473b
refs https://github.com/TryGhost/Team/issues/1869

- getDefaultProduct has unified logic across different places (see refed commit). It is recommended to use instead of writing custom queries prone to mistakes.
- Also added more readable name to the possible error message thrown by setComplimentarySubscription
2022-10-20 17:23:59 +08:00
Naz
82ed10473b
Added 'getDefaultProduct' convenience method to product repo
refs https://github.com/TryGhost/Team/issues/1869

- There are multiple places in the codebase fetching "default product". The code is slightly divergent in each one of them and has been a source of bugs (like the one referenced). Having the logic captured in one place will allow reducing the code duplication, making code less bug prone, and making testing the modules dependent on the "setDefaultProduct" method easier
2022-10-20 17:19:52 +08:00
Naz
03e0962889
Removed garbage test
no issue

- This test does nothing but occupy disk space
2022-10-20 14:34:23 +08:00
Rishabh
054833992e Wired events for triggering email alerts for subscription creation/cancellation
refs https://github.com/TryGhost/Team/issues/1865

- refactors subscription creation/cancellation to dispatch proper events which are used for email alerts
- cleanup
2022-09-10 11:06:34 +05:30
Rishabh Garg
c4041e46c8
🐛 Fixed email alerts for paid members on import (#15347)
closes https://github.com/TryGhost/Team/issues/1868

- email alerts should not be sent out when paid subscriptions are created via our importer
2022-09-01 20:00:37 +05:30
Naz
02a0fd5a32 Fixed source attribution for staff token API requests
closes https://github.com/TryGhost/Toolbox/issues/386

- When the API request was made using a staff token the source attribution was "user" instead of "api". Misattribution caused ripple effects in the limit service.
- The fix also adds a new combination of data available on the `req` object - both `user` and `api_key` can be present when the request is done using a staff (user) token. Having both pieces of data on the request object gives more context for business logic; did not find a good reason to keep it "pure" with either `api_key` or `user` property.
2022-08-23 14:38:46 +08:00
Naz
32343a7adb Extracted context to source mapping logic
refs https://github.com/TryGhost/Toolbox/issues/386

- Before changing the mapping logic it needs to become testable!
2022-08-23 14:38:46 +08:00
Daniel Lockyer
6dde5e40e3
Updated Eslint ECMAScript compatibility to 2022
refs https://github.com/TryGhost/Toolbox/issues/345

- this commit bumps `eslint-plugin-ghost`, which bumps compatibility to
  2022
- this also removes a lot of the manually-added
  `parserOptions.ecmaVersion` that we had in imported packages, in favor
  of the value set in `eslint-plugin-ghost`
2022-08-09 15:51:40 +02:00
Naz
900f7951b7 Added test coverage for JWKS token verification
refs https://github.com/TryGhost/Team/issues/1640

- Adds coverage for token verification based on public key exposed through the `/.well-known/jwks.json` endpoint
2022-05-23 17:59:33 +08:00
Naz
9e96916a6d Added basic test coverage for the token service
refs https://github.com/TryGhost/Team/issues/1640

- This is groundwork before fixing the referenced bug
2022-05-23 15:59:18 +08:00
Simon Backx
f8f4841d2b Updated tests for getNewsletterSubscriptionEvents
2022-04-26 14:21:50 +02:00
Kevin Ansfield
e8b8fef985 🐛 Fixed member responses not including complimentary subs when canceled subs exist
refs https://github.com/TryGhost/Team/issues/1141

- when a member had canceled subscriptions the check we have to match products to subscriptions to determine whether to insert the hardcoded complimentary subscription was incorrectly matching against the canceled subscriptions
- updated to match only active subscriptions
2022-03-18 10:47:24 +00:00
Fabien "egg" O'Carroll
a576326d0e Added test for isComplimentarySubscription
refs https://github.com/TryGhost/Members/commit/d7d7806d
2022-02-09 11:34:09 +02:00
Thibaut Patel
13a9962ade 🐛 Fixed the order of events returned by getEventTimeline
refs https://github.com/TryGhost/Team/issues/1299

- Convert `created_at` to the right column in each function query
- Renamed the misspelled `getEmailDeliveredEvents` function
- Updated existing unit tests to cover the order
2022-02-01 15:47:15 +01:00
Thibaut Patel
d7673bb1ef Moved the event filtering to the database queries
refs https://github.com/TryGhost/Team/issues/1277

- In `getEventTimeline` we filter to only perform the relevant queries, passing to each query function the filters (subset of NQL)
- In each query function, we rewrite the filters to adapt them to the internal data shape.
- We need to do this rewrite to allow API consumers to create filters based on the output of the API instead of the internal data structure.
- Added partial unit tests as there is a lot of repetition between the query functions.
2022-01-25 12:20:34 +01:00
Thibaut Patel
1370682a60 Added a function to parse a NQL subset
refs https://github.com/TryGhost/Team/issues/1277

- This will allow to filter events within `getEventTimeline`
- The subset of NQL has the following rules:
  - Only one level of filters, no parentheses allowed
  - Only three filter keys allowed
  - No `or` allowed outside of the bracket notation (this is allowed: `type:-[email_opened_event,email_failed_event]` but this isn't: `type:1,data.created_at:1`)
- The return is an object with a NQL filter by allowed filter key
2022-01-24 18:53:14 +01:00
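The rules listed in the commit above define a small, checkable subset of NQL, and the later commit 31bdef94cd (`Handled invalid filters in members event repository`) describes where a filter that breaks such rules should end up: a 422 rather than a 500. The block below is an added example serving both (example code, not Ghost's parser): it splits a filter on top-level `+` (NQL AND), rejects parentheses, unknown keys and any `,` (OR) outside `[...]`, returns one filter string per key, and maps a rejected filter to a 422 response. The page does not list the three permitted keys, so `ALLOWED_KEYS`, `BadFilterError` and `filterToResponse` are assumptions.

```javascript
// Added example (not Ghost's parser): split a restricted NQL filter into one
// filter string per allowed key, rejecting parentheses, unknown keys and any
// OR (`,`) outside bracket notation; a rejected filter maps to HTTP 422.

class BadFilterError extends Error {
  constructor(message) {
    super(message);
    this.name = 'BadFilterError';
    this.statusCode = 422; // client error: the filter, not the server, is wrong
  }
}

// Assumed allowed keys; the commit does not name the three keys it restricts to.
const ALLOWED_KEYS = ['type', 'data.created_at', 'data.member_id'];

// Split on top-level `+` (NQL AND) while keeping `[a,b]` groups intact.
function splitTopLevel(filter) {
  const parts = [];
  let depth = 0;
  let cur = '';
  for (const ch of filter) {
    if (ch === '(' || ch === ')') throw new BadFilterError('parentheses are not allowed');
    if (ch === '[') depth += 1;
    if (ch === ']') depth -= 1;
    if (depth < 0) throw new BadFilterError('unbalanced brackets');
    if (ch === ',' && depth === 0) throw new BadFilterError('OR is only allowed inside [...]');
    if (ch === '+' && depth === 0) {
      parts.push(cur);
      cur = '';
    } else {
      cur += ch;
    }
  }
  if (depth !== 0) throw new BadFilterError('unbalanced brackets');
  parts.push(cur);
  return parts.map((p) => p.trim()).filter(Boolean);
}

// Returns an object keyed by filter key whose values are NQL fragments that
// can be handed to the query for that key, e.g.
// { type: 'type:-[email_opened_event,email_failed_event]' }.
function parseNqlSubset(filter, allowedKeys = ALLOWED_KEYS) {
  const result = {};
  if (!filter) return result;
  for (const clause of splitTopLevel(filter)) {
    const match = /^([a-z_][\w.]*):(.+)$/i.exec(clause);
    if (!match) throw new BadFilterError(`cannot parse clause "${clause}"`);
    const key = match[1];
    if (!allowedKeys.includes(key)) throw new BadFilterError(`filter key "${key}" is not allowed`);
    result[key] = result[key] ? `${result[key]}+${clause}` : clause;
  }
  return result;
}

// Controller-level mapping: a bad filter is the client's mistake and gets a
// 422; anything else is still an unexpected error and is rethrown.
function filterToResponse(filter) {
  try {
    return { status: 200, filters: parseNqlSubset(filter) };
  } catch (err) {
    if (err instanceof BadFilterError) return { status: 422, error: err.message };
    throw err;
  }
}
```

Keeping the parse error as a typed, client-attributable error is what lets the controller answer 422 without swallowing genuine server faults, which is the distinction the later commit draws.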
Fabien "egg" O'Carroll
5a9cb1ab83 Restricted changing Subscription to archived Tier
refs https://github.com/TryGhost/Team/issues/1252
2022-01-21 14:08:31 +02:00
Fabien "egg" O'Carroll
74225779a2 Moved webhook handling into Stripe service
no-issue

Handling Stripe webhooks is a Stripe concern and so we're moving it into
the Stripe module.
2022-01-18 10:37:47 +02:00
Rishabh Garg
dec16bd27c 🐛 Fixed 500 webhook errors for subscription with multiple prices (#350)
closes https://github.com/TryGhost/Team/issues/1238

- previously returned 500 errors when a subscription had multiple prices due to external tampering on Stripe directly
- instead now returns a 400 Bad Request error when subscriptions don't have the right number of prices
2021-12-01 20:09:55 +05:30
Rishabh
fe4fb78830 Cleaned up stripe-service package usage
no refs

- updates all usages of `stripe-service` package to new correct `members-stripe-service` package
2021-09-22 18:12:40 +05:30
Rishabh
c21a77cd01 Removed tests temporarily to publish new stripe package
no refs
2021-09-22 18:08:30 +05:30
Rishabh
3e54819469 Revert "Updated usage of stripe-service package to members-stripe-service package"
This reverts commit 7363f0769d.
2021-09-22 18:05:41 +05:30
Rishabh
7363f0769d Updated usage of stripe-service package to members-stripe-service package
refs 8b90c93a79
2021-09-22 18:02:50 +05:30
Fabien O'Carroll
7a401e5253 Used @tryghost/stripe-service in @tryghost/members-api
no-issue

This finalises the extraction of the StripeAPIService to a separate
package!
2021-09-13 14:38:40 +02:00