Commit Graph

74 Commits

Author SHA1 Message Date
Kevin Ansfield
2947db0e6b
Added API endpoint for browsing custom theme settings (#13362)
refs https://github.com/TryGhost/Team/issues/1070

- bumped `@tryghost/custom-theme-settings-service` to get access to `.listSettings()` method
- added GET `/api/canary/admin/theme_settings/` route behind `'customThemeSettings'` feature flag that uses the custom theme settings service to return settings resources that are a combination of the theme-provided definition and the saved value
2021-09-27 11:31:47 +01:00
Fabien O'Carroll
e71114bb8f Added Members bulk actions endpoint
refs https://github.com/TryGhost/Team/issues/946

This adds the initial bulk actions endpoint used for the members
filtering feature. The idea is to eventually move bulk destroy into this
endpoint to and provide a consistent interface for applying bulk actions
to members.

The @tryghost/members-api package has been bumped to include the new
bulkEdit method.

The sinon.restore in tests was moved to an afterEach so that stubs did
not effect other tests.
2021-08-23 16:38:21 +02:00
Naz
11f37a9363 Refactor imports in API's routes files
refs https://github.com/TryGhost/Team/issues/856

- There were two problems with routes.js files defining API routes:
- First, the module requires wen too deep into the "api" module and used specific api modules directly. We have an "index.js" file which defines an API for whole API, it should be used as an entry point to anything to do with the API.
- Second, The naming was inconsistent between the routes.js files for "api", "apiV2", "apiCanary" - it is an extra maintenance burden to go on and change each "api" name when the new version is introduced. The only thing that should be changed within these files is a single line on very top that "requires" a specific API version like so: "const api = require('../../../../api').canary;" - way less maintenance to change that canary to v5 instead of doing an extra rename for all "apiCanary" to "apiV5"
2021-07-07 18:33:25 +04:00
Thibaut Patel
f12f64e87b
🔒 Added a "reset all passwords" feature (#13005)
issue https://github.com/TryGhost/Team/issues/750

- Only accessible by admins
- Resets all staff users' passwords and prevents them to log-in
- Sends them a reset email password to give them back access to their account
- Closes all existing staff user sessions
2021-06-23 14:54:28 +02:00
Sam Lord
35e51e364b Switch to @tryghost/debug, remove ghost-ignition
no issue
The only pieces of Ghost-Ignition used in Ghost were debug and
logging. Both of these modules have been superceded by the Framework
monorepo, and all usages of Ignition have now been removed, replaced
with @tryghost/debug and @tryghost/logging.
2021-06-15 17:24:22 +01:00
Fabien O'Carroll
83a9a1d0a5 Supported monthly & yearly price in Products API
refs https://github.com/TryGhost/Team/issues/712

- Adds a Content API for products, which can be used by the theme-engine
  middleware to populate the products data.
- Removes Stripe ids from Content API so they cannot be used to
  initiate checkout sessions directly
- The monthly_price and yearly_price are used to create new prices, and
  to set them to the default monthly & yearly price for the product.
2021-06-03 17:08:02 +01:00
Hannah Wolfe
273e220327 Moved i18n to shared
refs 829e8ed010

- i18n is used everywhere but only requires shared or external packages, therefore it's a good candidate for living in shared
- this reduces invalid requires across frontend and server, and lets us use it everywhere until we come up with a better option
2021-05-04 13:03:38 +01:00
Hannah Wolfe
829e8ed010 Expanded requires of lib/common i18n and events
- Having these as destructured from the same package is hindering refactoring now
- Events should really only ever be used server-side
- i18n should be a shared module for now so it can be used everywhere until we figure out something better
- Having them seperate also allows us to lint them properly
2021-05-03 17:14:52 +01:00
Fabien 'egg' O'Carroll
33f26fbf32
Updated subscriptions for Members Admin API
refs https://github.com/TryGhost/Team/issues/616

We need a way to assign Products to Members via a Subscription, and we've
followed the same pattern as the editSubscription method for the Members API
controller, which acts upon Subscriptions as a nested resource.

Subscriptions now are linked to products, and we've included those links by
default in the Member Admin API as we already include subscriptions by
default, and Products are now a core part of the Members feature-set.
2021-04-26 17:14:34 +01:00
Fabien O'Carroll
d7b6a48226 Added Products API to Admin API
refs https://github.com/TryGhost/Team/issues/616

This is a basic scaffold of the API to get things moving.

The input serializer is so that the controller logic does not need to
know about the json-api shape of the input data.

The output serializer is an adaptation of the members one.
2021-04-20 13:04:51 +01:00
Kevin Ansfield
bb19eddeae
Added DELETE /members/ to the Admin API for bulk member deletion (#12082)
refs https://github.com/TryGhost/Team/issues/585

- adds `DELETE /members/` route to the Admin API
- supports `?filter`, and `?search` query params to limit the members that are deleted
- `?all=true` is required if no other filter or query is provided
- uses `models.Member.bulkDestroy` which _will not_ cancel any Stripe subscriptions if members have them but _will_ clean up the Stripe relationship data in Ghost's database
2021-04-08 12:03:45 +01:00
Rishabh Garg
72e8894eac
Cleaned old members stats endpoint (#12821)
no refs

- Removes old `/members/stats` endpoint in favor of new `/members/stats/count` in canary/v4 which captures members counts using new events table
- Removes tests for old `/members/stats` endpoint
- Added test for new `/members/stats/count` endpoint
2021-03-29 13:07:01 +05:30
Thibaut Patel
63d55570a3 💥 Removed the /redirects/json route alias
no issue

This route had been deprecated and wasn't used anymore. You should switch to `GET /redirects/download` and `POST /redirects/upload` instead.
2021-03-17 15:58:28 +01:00
Rish
0620ff6ae0 Added new browse email endpoint
refs https://github.com/TryGhost/Ghost/issues/12633

Adds new `browse` endpoint for emails that allows Admin to check performance of newsletters over time and show stats on dashboard as primary usecase
2021-02-22 13:55:20 +05:30
Fabien 'egg' O'Carroll
7abc6ac705
Added initial member events timeline API (#12661)
refs https://github.com/TryGhost/Ghost/issues/12633

Allows us to show a list of recent member events for the site dashboard
2021-02-18 11:52:18 +00:00
Rish
0719b0618c Added new members stats endpoints
refs https://github.com/TryGhost/Ghost/issues/12633

Adds new stats endpoints for showing member dashboard, which fetches aggregate date over member events tables to form relevant datasets -

- Adds new endpoint for tracking MRR of site over time - `/members/stats/mrr`
- Adds new endpoint for tracking subscribers on site over time - `/members/stats/subscribers`
- Adds new endpoint for tracking gross volume of site over time - `/members/stats/gross_volume`
- Adds new endpoint for tracking member count on site over time - `/members/stats/count`
2021-02-16 11:18:58 +05:30
Kevin Ansfield
3e228072ba
Added ability to install themes directly from GitHub (#12635)
refs https://github.com/TryGhost/Ghost/issues/12608

- adds `admin/canary/themes/install` endpoint to the Admin API
  - requires two query params. `source` must be set to "github". `ref` should refer to a GitHub repo in the format "{org}/{repo}"
  - downloads zip archive for the repo from github
  - runs downloaded zip through the same process as uploaded zips
2021-02-12 09:19:17 +00:00
Fabien 'egg' O'Carroll
73f6fd8c51
Enabled Members for all sites (#12582)
no-issue

This removes all references to the members labs setting, any code that was run conditionally behind this flag now runs unconditionally. 

* Removed usage of Members labs flag
* Removed tests for Members disabled
* Added dynamic keypair generation for when setting is missing
2021-02-02 16:12:53 +00:00
Fabien O'Carroll
73dc19e498 Removed Members CSV import validation endpoint
no-issue

The new import flow does not use prevalidation of the CSV file, so we
have no use for this anymore.
2020-12-09 19:25:57 +00:00
Thibaut Patel
4edccfd2f7 Added the Admin API and tests for Personal Tokens.
no issue
2020-11-20 09:53:18 +01:00
Kukhyeon Heo
5715aa2155
Added .yaml format support in redirects configuration (#12187)
closes #11085

- Ghost has been using YAML format for other configurations (e.g. routes). The plan is to move to this format for all user-edited settings files. By default JSON format is still used in Ghost Admin API v2/v3, but will be changed to YAML in API v4. Check referenced issue for more context.
- New format supports all the features available before. The main noticeable change is the structure of config file. It is now grouped by redirect HTTP code instead of specifying `"permanent": true | false` attribute for each config property. Example format for YAML config:
```
302:
  /from-url/: /to-url/

301:
  /category/([a-z0-9\-]+)/i: /tag/$1/
  /v([0-9\.]+)/docs/([a-z0-9\-]+)/i: /docs/$2/
```
- Added 2 new endpoints: `POST redirects/upload` and `GET redirects/download`. These serve as an alias to current GET/POST `/redirects/json. "upload/download" naming pattern is introduced to match the convention with other resources that can be uploaded and downloaded (images, themes etc.). `/redirects/json`  endpoints will be removed in Admin API v4
- The parsing code from `custom-redirects.js` has been moved to `frontend/services/redirects/settings.js`. This location is more appropriate for this logic and eventually `custom-redirects.js` middlewear might be moved into "frontend" as this middlewear plays a role mostly effecting that area.
2020-11-04 12:08:32 +13:00
Kevin Ansfield
16bfb3fa41 Added basic CRUD admin API for snippets
no issue

- standard browse/read/add/edit/destroy API endpoints for snippets resource
- updates `@tryghost/admin-api-schema` dependency to version that includes snippet definition and schemas
2020-10-16 18:02:58 +01:00
Rish
cbb3664bdd Added handling for new members support/reply email addresses
no issue

- Updated magic link generation and validation methods for email update API to handle new support address
- Updated importer to ignore the new support address as it can only be updated via verification
- Updated members service to listen on settings edit for new support/reply address fields as well
- Updated tests to include the new settings
2020-08-31 18:09:38 +05:30
Rishabh Garg
c7f3837c54
Added admin endpoint for editing member subscription (#12145)
refs #12127

- Adds new `editSubscription` endpoint for members admin API which allows updating individual subscription for a member - `PUT /members/:id/subscriptions/:subscription_id/`
- `editSubscription` has same permissions as member's `edit` endpoint
- Currently allows toggling of cancellation at period end for an active subscription
2020-08-20 17:28:11 +05:30
Nazar Gargol
067d2eb614 Moved canary/v3 webhooks API to "stable" group
no issue

- Webhooks API has been stabilized with latest changes and there are no breaking changes planned for v3. The change has strictly "informative" purpose
- Changed variable naming from "whitelisted" to "allowlisted" to follow updated naming convention (refs. https://mysqlhighavailability.com/mysql-terminology-updates/)
2020-08-03 23:40:15 +12:00
Nazar Gargol
173e3292fa Fixed integration_id handling in Webhooks Admin API
no issue

- Changes introduced to both API v3 and v2
- Makes sure to use the same integration_id as authenticated integration for the webhook's data.
-  Makde it is impossible to create orphaned webhooks using token authentication
- Allowed only parent integration to edit it's children webhooks. Throwing permission error otherwise
2020-07-08 16:54:31 +12:00
Fabien O'Carroll
4716d13d13 Added API endpoints for disconnecting Stripe
no-issue
pr: https://github.com/TryGhost/Ghost/pull/11930

- Upgraded @tryghost/members-api to 0.23.0

  This version includes a new method hasActiveStripeSubscriptions

- Added /admin/members/hasActiveStripeSubscriptions

  This can be used to determine whether or not we should allow removing
  the stripe keys.

- Added /admin/settings/stripe/connect

  This can be used to delete a Stripe Connect integration, provided
  there are not active subscriptions
2020-06-18 18:42:20 +02:00
Nazar Gargol
5f00619d1a Renamed members import/export endpoints
refs cb26fd9305

- Reasoning behind the rename in referenced commit
2020-06-16 18:08:50 +12:00
Nazar Gargol
cb26fd9305 Changed members upload validation endpoint to /members/upload/validate
no issue

- The intention is to move away from using file type names in URLs. This endpoint is meant to correspond to current `POST /members/csv` endpoint, that is  planned to be renamed into `/members/upload`. And the `GET /members/csv` to be renamed to  `/members/download` respectively.
2020-06-12 23:31:56 +12:00
Nazar Gargol
589d826afd Added /members/validate ednpoint to Admin API
no issue

- This endpoint is meant to be used for validation of imported members
- Main function at the moment is to validate if stripe_customer_id present in the dataset exists in connected Stripe account
2020-06-12 16:34:12 +12:00
Rish
bca41e1877 Allowed updating from address domain for member emails
refs https://github.com/TryGhost/Ghost/issues/11414

Confirms if the fromAddress for sending member emails is valid and accessible using magic link flow, allowing owners to update full from address including domain change.

- Extends member service to handle magic link generation and validation for email update
- Updates existing setting endpoint to not directly update from address
- Adds new endpoint to send magic link to new address
- Adds new endpoint for validating the magic link when clicked and update the new email for from address
- Adds new email template for from address update email
2020-06-09 00:06:07 +05:30
Fabien O'Carroll
fc0e97593b Added membersStripeConnect controller auth method
no-issue

In order to issue a redirect we need access to the "raw" req/res
objects, which is why we must return the function which gets access to
them.

The members service is used to create the auth url and to update the
users session.
2020-06-02 15:28:42 +02:00
Kevin Ansfield
071ab9774b
Added Admin API endpoint for basic member stats (#11840)
no issue

- moves members stats generation for the admin graph from the client to the server
- outputs a basic totals count across a requested date range of 30, 90, 365 days, or all time. See below for the response shape
- leaves heavy lifting of the counts to the SQL engines - tested on a dataset of 100k members and query performance is <100ms

```
GET /ghost/api/canary/members/stats/?days=30

{
    total: 100000,
    total_in_range: 20000,
    total_on_date: {
        '2020-04-25': 19000,
        '2020-04-26': 19500,
        // continues until today's date
    },
    new_today: 200
}
```
2020-05-26 10:38:42 +01:00
Rishabh Garg
a01bcdd2d0
Added new endpoint for refreshing api key secret (#11791)
no issue

- Adds new endpoint on integration to refresh admin/content api key secret
- Allows owner/admin to refresh their content or admin API keys for an integration via Ghost Admin
- Adds a new `refreshed` event to actions table for anytime an api_key secret is refreshed
2020-05-05 23:36:21 +05:30
Hannah Wolfe
53d14fd8e3 Added Router etc to shared/express + use everywhere
- Added a wrapper around express.Router to our shared/express util
- Also export static and _express
- Use this shared util everywhre, meaning express is only used directly in this one file
- ATM this file is mostly an experiment / debug helper, it might be removed again later
- The aim is to have a minimal framework wrapping express that allows us to:
     - reduce our usage of express() in favour of Router()
     - unify some of our duplicated logic
     - fix some structural issues e.g. Sentry
     - make it easier to understand the codebase
2020-05-01 19:32:57 +01:00
Hannah Wolfe
5365522cf5 Removed dupe use of labs.members & leftover file
- Meant to cleanup the old api/canary/members earlier, removed now as it's unused
- Also removed all the duplicate references to labs.members in various places
2020-04-30 19:33:09 +01:00
Hannah Wolfe
0fe0e09d62 Moved express init + sentry to a shared util
- added core/shared to watched folders in grunt
- moved sentry to shared
- moved express initialisation to a shared file
- always set trust proxy + sentry error handler
- use this new express init everywhere, and remove duplicate trust proxy and sentry error handler code
2020-04-27 18:17:50 +01:00
Hannah Wolfe
19dde146c1 Renamed redirect functions for clarity
- we had urlRedirects, urlRedirects.adminRedirect and adminRedirects
- all do kinda similar things, but for different contexts so for now I've done a minimal renaming for clarity
- and updated some comments!!
- also removed totally unnecessary if res.isAdmin clause, as we don't use that, and it was never true
2020-04-22 19:31:36 +01:00
Hannah Wolfe
f4f61b8a3a Moved normalize image mw into api app
- Moved normalize image mw from shared to api as it is not shared (except within the API)
- This file is only used in one part of the app, this updates the code structure to reflect this
- This is one of many similar changes needed to make it easier to refactor to the existing setup
2020-04-22 17:48:54 +01:00
Hannah Wolfe
de9864db30 Moved upload validation mw into api app
- Moved upload validation mw from shared to api as it is not shared (except within the API)
- Co-located the code with the upload middleware, as it's small and gives us a nice API of .upload.single and .upload.validation
- This file is only used in one part of the app, this updates the code structure to reflect this
- This is one of many similar changes needed to make it easier to refactor to the existing setup
2020-04-22 07:37:02 +01:00
Hannah Wolfe
36b42505ea Moved upload mw into api app
- Moved upload mw from shared to api as it is not shared (except within the API)
- This file is only used in one part of the app, this updates the code structure to reflect this
- This is one of many similar changes needed to make it easier to refactor to the existing setup
2020-04-22 07:12:25 +01:00
Hannah Wolfe
05cf4f495d Moved update-user-last-seen mw into api app
- Moved update-user-last-seen from shared to api as it is not shared (except within the API)
- This file is only used in one part of the app, this updates the code structure to reflect this
- This is one of many similar changes needed to make it easier to refactor to the existing setup
2020-04-22 07:12:25 +01:00
Hannah Wolfe
92af5b8f09 Moved api cors mw into api app
- Moved api cors from shared to api as it is not shared (except within the API)
- This file is only used in one part of the app, this updates the code structure to reflect this
- This is one of many similar changes needed to make it easier to refactor to the existing setup
2020-04-22 07:12:25 +01:00
Hannah Wolfe
41c3b4e92b Moved version-match mw into api app
- Moved version-match from shared to api as it is not shared (except within the API)
- This file is only used in one part of the app, this updates the code structure to reflect this
- This is one of many similar changes needed to make it easier to refactor to the existing setup
2020-04-22 07:12:25 +01:00
Hannah Wolfe
4f5fb3d820 Swapped common for @tryghost/errors in core/server/web
- Update all references to common.errors to use @tryghost/errors
- Use dereferencing to only require used bits of common in each file
2020-04-09 19:40:00 +01:00
Fabien O'Carroll
d246a4761e Implemented externally verifiable identity tokens
no-issue

This adds two new endpoints, one at /ghost/.well-known/jwks.json for exposing
a public key, and one on the canary api /identities, which allows the
Owner user to fetch a JWT.

This token can then be used by external services to verify the domain

* Added ghost_{public,private}_key settings

    This key can be used for generating tokens for communicating with
    external services on behalf of Ghost

* Added .well-known directory to /ghost/.well-known

    We add a jwks.json file to the .well-known directory which exposes a
    public JWK which can be used to verify the signatures of JWT's created
    by Ghost

    This is added to the /ghost/ path so that it can live on the admin
    domain, rather than the frontend. This is because most of its
    uses/functions will be in relation to the admin domain.

* Improved settings model tests

    This removes hardcoded positions in favour of testing that a particular
    event wasn't emitted which is less brittle and more precise about what's
    being tested

* Fixed parent app unit tests for well-known

    This updates the parent app unit tests to check that the well-known
    route is mounted. We all change proxyquire to use `noCallThru` which
    ensures that the ubderlying modules are not required. This stops the
    initialisation logic in ./well-known erroring in tests

https://github.com/thlorenz/proxyquire/issues/215

* Moved jwt signature to a separate 'token' propery

    This structure corresponds to other resources and allows to exptend with
    additional properties in future if needed
2020-03-16 13:22:04 +01:00
Naz
b0ff1e7cac
Added member login resource to Admin API (#11607)
no issue

- Adds 'GET /members/:id/signin_urls' endpoint to Admin API allowing to fetch login URL for member. This URL allows to log in as a member which is useful in situations when you need to impersonate a member (for example to debug some issue they are having)
- Added member_signin_urls permission with migrations. Only the "Owner" user can read "signin_urls" resource. Admin and other users will be denied access
2020-02-27 11:48:02 +08:00
Naz
3af621ea9a
Added handling allowing members to edit their billing info (#11571)
no issue

- This functionality allows member to update their billing information, like credit card information.
- Adds handler to update Stripe billing when element with `data-members-edit-billing` attribute is present on the page. Additional `data-members-success` and `data-members-cancel` attributes could be used to control the redirects on billing update success or failure. They work in the same fission as for 'members-plan' (https://ghost.org/docs/members/checkout-buttons/#redirects)
2020-02-26 12:42:41 +08:00
Kevin Ansfield
2f55baccd7 Added "trust proxy" to members API app
no issue

- match the other express apps, makes sure that we have access to the correct IP and forwarded host names when running behind proxies
2020-02-20 18:20:57 +00:00
Rishabh Garg
001db05075
Added labels for Members (#11538)
no issue

* Updated sendEmailWithMagicLink syntax

* Updated label name selection from theme

* Updated migration version for labels

* Added labels to export/import of members

* Added member labels sanitization for case-insensitive duplicates

* Fixed tests

* Fixed label serialization bug on import

* Bumped @tryghost/members-api to 0.15.0

* Fixed lint

* Cleanup
2020-02-14 15:03:10 +05:30