Commit Graph

2865 Commits

Author SHA1 Message Date
Daniel Lockyer
4aad551c72 🐛 Fixed HTTP 500 error when image processing fails during upload
fixes ENG-740
fixes https://linear.app/tryghost/issue/ENG-740/http-500-error-when-image-processing-fails

- in the event the image transform library throws (which can happen for
  many reasons; sharp/libvips can come across a number of errors), we
  currently return this as a HTTP 500 error to the user
- in this case, we should just try-catch the call and jump to the
  non-processing flow where it just saves the original image
- also added breaking test
2024-03-12 15:33:17 +01:00
Kevin Ansfield
ef143978e7
🎨 Reduced requests and 403 responses for comments auth check (#19840)
closes https://linear.app/tryghost/issue/ENG-721
ref https://linear.app/tryghost/issue/ENG-708

Comments-UI loads `/ghost/admin-frame/` in an iframe to check if a Staff User is authenticated in order to  show moderation options. That iframe request loads a HTML page which in turn contains a script that fires off an API request that attempts to fetch the logged-in user details, resulting in a 403 "error" showing up when not authenticated. In the vast majority of cases there will be no staff user authenticated so lots of extra requests and "errors" are seen unnecessarily.

- adjusted the `/ghost/auth-frame/` endpoint to check if the request contains an Admin session cookie
  - if it does, continue as before with rendering the HTML page so the script is loaded
  - if it doesn't, return an empty 204 response avoiding the script request and subsequent 403-generating API request
- eliminates the 403 error being generated for all typical visitor traffic, the error should only be seen when an Admin was previously logged in but their cookie is no longer valid (either from logging out, or going past the 6month validity period)
2024-03-12 12:27:18 +00:00
Daniel Lockyer
5fa4496d52 🐛 Fixed HTTP 500 responses when oembed endpoint receives error
fixes https://github.com/TryGhost/Product/issues/4237

- this fixes the fact that we return a HTTP 500 response when the oembed
  library receives an error, such as a 401 or 403
- includes special handling for cases where we want to return a slightly
  different error message
- also adds unit tests for @tryghost/oembed-service package
2024-03-12 12:31:44 +01:00
Daniel Lockyer
6842d599e9 🐛 Fixed handling of image uploads with overly long filenames
fixes ENG-733
ref https://linear.app/tryghost/issue/ENG-733/handle-image-uploads-where-name-is-too-long

- filesystems usually have a filename length limit; ie. on macOS it is
  255 characters
- if a file is uploaded with a longer filename, we'll return a HTTP 500
- we shouldn't do this as it is user error, so we can just catch the
  error code and return BadRequest
- this implements that, and adds a breaking test
2024-03-12 12:31:44 +01:00
Daniel Lockyer
6db20fc14b Fixed minor code nits
- made fixes for the following:
  - jsdoc definitions
  - typos
  - extra parameter to function
  - missing `utf-8` to fs file read
2024-03-12 12:31:44 +01:00
Daniel Lockyer
360ecf15ae 🐛 Fixed HTTP 500 error when given incorrect Range header
ref ENG-729
ref https://linear.app/tryghost/issue/ENG-729/incorrect-range-header-leads-to-http-500-errors

- we didn't have handling here for the `RangeNotSatisfiableError` that
  can come from express/serve-static/send
- as a result, passing an invalid range would cause a 500 error
- this prevents that and adds a breaking test
2024-03-11 19:14:30 +01:00
Daniel Lockyer
162f438c63 Updated @tryghost/errors dependency
- this version is written in TS, but was published a few months ago and
  needs to be bumped here
- also updates a previous deep include into the library, which was
  unnecessary anyway
2024-03-11 17:33:51 +01:00
Ghost CI
f83d51c1e3 v5.80.2 2024-03-08 16:04:08 +00:00
Ghost CI
76383b4295 🎨 Updated Source to v1.2.0 2024-03-08 16:04:08 +00:00
renovate[bot]
3301332253 Update dependency express to v4.18.3 2024-03-07 13:42:27 +01:00
Ghost CI
624168ead5 Merged v5.80.1 into main 2024-03-07 09:04:51 +00:00
Ghost CI
0a8716b0ae v5.80.1 2024-03-07 09:04:50 +00:00
Sag
ae95e8de8c Fixed tiers paywall selecting all paid tiers (#19817)
refs INC-36

- oversight in parent commit 00cff0a
2024-03-06 22:35:43 +01:00
Sag
69466ecab9 🐛 Fixed free tier showing in the tiers-only paywall in posts (#19807)
refs INC-36
fixes https://github.com/TryGhost/Ghost/issues/19796

- The tiers-only paywall was incorrectly rendering "Free". Example:
"This post is for subscribers of the Free, Silver and Gold tiers only"
- Steps to reproduce the issue:
    1. Create a post with public visibility, publish it
    2. Then swap the visibility to specific tiers. The default selects all
paid tiers. Leave it like that
    3. Update the post. The paywall show Free, even though it should be
showing only the paid tiers
- This fix filters out the "free" tier when visibility is set to tiers,
before updating a Post or a Page. The fix includes bulk updates from the
list of Posts and Pages (right-click on a Post/Page > Change Access).
2024-03-06 22:35:33 +01:00
Sag
656846018a
Fixed tiers paywall selecting all paid tiers (#19817)
refs INC-36

- oversight in parent commit 00cff0a
2024-03-06 22:14:17 +01:00
Sag
00cff0aece
🐛 Fixed free tier showing in the tiers-only paywall in posts (#19807)
refs INC-36
fixes https://github.com/TryGhost/Ghost/issues/19796

- The tiers-only paywall was incorrectly rendering "Free". Example:
"This post is for subscribers of the Free, Silver and Gold tiers only"
- Steps to reproduce the issue:
    1. Create a post with public visibility, publish it
    2. Then swap the visibility to specific tiers. The default selects all
paid tiers. Leave it like that
    3. Update the post. The paywall show Free, even though it should be
showing only the paid tiers
- This fix filters out the "free" tier when visibility is set to tiers,
before updating a Post or a Page. The fix includes bulk updates from the
list of Posts and Pages (right-click on a Post/Page > Change Access).
2024-03-06 21:30:00 +01:00
Kevin Ansfield
3090f8ec95
🎨 Improved lazy-loading of comments data (#19809)
no issue

Bumps `Comments-UI` app version that contains an improvement to data loading:

- within the comments block we only use Admin auth to show moderation options on each displayed comment but we were always pre-emptively loading the `admin-auth` frame and making the associated Admin API user request. That loading has now been deferred until at least one comment has been displayed cutting down unnecessary requests on each post view
2024-03-06 10:29:55 +00:00
Kevin Ansfield
78aba5b22a
🎨 Improved lazy-loading of comments data (#19809)
no issue

Bumps `Comments-UI` app version that contains an improvement to data loading:

- within the comments block we only use Admin auth to show moderation options on each displayed comment but we were always pre-emptively loading the `admin-auth` frame and making the associated Admin API user request. That loading has now been deferred until at least one comment has been displayed cutting down unnecessary requests on each post view
2024-03-06 10:17:32 +00:00
Kevin Ansfield
b704530d74
🐛 Fixed unexpected conversion of single-quoted attributes in HTML cards (#19727)
closes ENG-627

We were using `cheerio` to parse+modify+serialize our rendered HTML to modify links for member attribution. Cheerio's serializer has a [long-standing issue](https://github.com/cheeriojs/cheerio/issues/720) (that we've [had to deal with before](https://github.com/TryGhost/SDK/issues/124)) where it replaces single-quote attributes with double-quote attributes. That was resulting in broken rendering when content used single-quotes such as in HTML cards that have JSON data inside a `data-` attribute or otherwise used single-quotes to avoid escaping double-quotes in an attribute value.

- swapped the implementation that uses `cheerio` for one that uses `html5parser` to tokenize the html string, from there we can loop over the tokens and replace the href attribute values in the original string without touching any other part of the content. Avoids a full parse+serialize process which is both more costly and can result unexpected content changes due to serializer opinions.
  - fixes the quote change bug
  - uses tokenization directly to avoid cost of building a full AST
- updated Content API Posts snapshot
  - one of our fixtures has a missing closing tag which we're no longer "fixing" with a full parse+serialize step in the link replacer (keeps modified src closer to original and better matches behaviour elsewhere in the app / without member-attribution applied)
  - the link replacer no longer converts `attr=""` to `attr` (these are equivalent in the HTML spec so no change in behaviour other than preserving the original source html)
- added a benchmark test file comparing the two implementations because the link replacer runs on render so it's used in a hot path
  - new implementation has a 3x performance improvement
  - the separate files with the old/new implementations have been cleaned up but I've left the benchmark test file in place for future reference

Benchmark results comparing implementations:

```
❯ node test/benchmark.js

LinkReplacer
├─ cheerio: 5.03K /s ±2.20%
├─ html5parser: 16.5K /s ±0.43%

Completed benchmark in 0.9976526670455933s
┌─────────────┬─────────┬────────────┬─────────┬───────┐
│   (index)   │ percent │ iterations │ current │  max  │
├─────────────┼─────────┼────────────┼─────────┼───────┤
│   cheerio   │   ''    │ '5.03K/s'  │  5037   │ 5037  │
│ html5parser │   ''    │ '16.5K/s'  │  16534  │ 16534 │
└─────────────┴─────────┴────────────┴─────────┴───────┘
```
2024-03-06 09:11:49 +00:00
Fabien O'Carroll
d9fb4787ec Removed whitelist of JWT errors
refs https://linear.app/tryghost/issue/ENG-712/

I don't think we ever need to respond with a 500 here, if the verify call
fails, we know that the token is unauthorized for use.
2024-03-05 03:04:34 +07:00
Fabien O'Carroll
dcbd168585 🐛 Fixed 500 error for premature api token use
refs https://linear.app/tryghost/issue/ENG-712

We weren't handling the NotBeforeError and instead responing with a 500 which
is not correct.
2024-03-05 03:04:34 +07:00
renovate[bot]
b6b2e2ea31 Update dependency newrelic to v11.12.0 2024-03-04 18:35:26 +00:00
Ghost CI
9df5148427 v5.80.0 2024-03-01 16:04:20 +00:00
renovate[bot]
69459e9b42 Update dependency yjs to v13.6.14 2024-03-01 11:32:05 +00:00
renovate[bot]
81f1b63cca Update dependency yjs to v13.6.13 2024-02-29 19:32:37 +00:00
Peter Zimon
8f3617aaa8
Content card design improvements (#19737)
refs. https://linear.app/tryghost/issue/DES-122/bookmark-card-issues

This PR addresses the following content card related problems:

1. The design of the following cards are more self-contained so it makes
more sense to use `px` for their font-sizes and spacings so it looks the
same regardless of the theme. Of course themes still can override these
values.

Updated cards to use `px` for font sizing:
- audio
- bookmark
- file
- product

2. So far header and signup cards had been using `rem` for font-sizes
and some sizing. This commit updates these to use `em` instead so that
it's consistent with all other cards.

3. The favicon sometimes is not available for bookmark cards. This PR also
fixes that by providing a default favicon for these cases.
2024-02-29 17:09:34 +01:00
Sanne de Vries
c7e475feb0
Remove comment icon at the top of email template (#19771)
Refs
https://linear.app/tryghost/issue/DES-80/newsletter-view-in-browser-breaking-to-next-line-with-incorrect
2024-02-29 14:45:38 +01:00
Kevin Ansfield
e0d8e18785
Added lazy-loading of comments data (#19778)
no issue

Bumps `Comments-UI` app version that contains a few changes:

- comments data is now lazy-loaded with API requests being deferred until the comments block is scrolled into view, saving up-front visitor data usage as well as reducing server-load for page views where the comments are never seen
- comments data is now fetched from `/members/api/comments/{post_id}/` rather than using the post_id in the `filter` param to enable cache bucketing and cache invalidation
- `created_at` timestamp has been dropped from the initial comments data request so the results can be cached, on pagination requests the timestamp has been improved to use the created_at data from the response so it remains consistent and can also be cached
- `order` param has been dropped from API requests as the API has been updated to include our default ordering
2024-02-29 10:21:05 +00:00
Fabien 'egg' O'Carroll
a489d5a3d8
Added /comments/:id/replies/ to X-Cache-Invalidate
refs https://linear.app/tryghost/issue/ENG-682/

This should allow us to bust both endpoints cache when write operations
are made to comments.
2024-02-28 23:15:02 +00:00
Kevin Ansfield
44e602b447
Switched to default ordering for comments API requests (#19774)
closes ENG-681

There's no need to provide an `order` param with every request in Comments-UI if the API has default ordering that matches our requirements. The order param makes logs more noisy/harder to read than they need to be so we want to get rid of it.

- modified comments API input serializer to add a default order param to the browse and replies endpoints when none is provided
- removed order param from the requests that Comments-UI makes
2024-02-28 18:42:02 +00:00
Fabien O'Carroll
4c6f7715ef Cleaned up comments controller
no-issue

This removes some redundant calls to `get` and makes refactoring
easier in future.
2024-02-29 00:24:34 +07:00
Fabien O'Carroll
001f2b0b91 Invalidated post comments cache on like&unlike
refs https://linear.app/tryghost/issue/ENG-676/

We want to make sure that we're not serving stale liked counts for
comments, which means we need to cache bust when they're liked/unliked

Unfortuantely this means we need to fetch the comment from the db so
that we have access to the post id.
2024-02-29 00:24:34 +07:00
Fabien O'Carroll
58dd79ccb4 Invalidated the new comments endpoint cache on add & edit
refs https://linear.app/tryghost/issue/ENG-676/

This is the meat of the change and actually causes the cache to be
invalidated on adds and edits to the comments endpoints.

It doesn't currently include the liked/unliked actions at the moment
as we don't have easy access to the post id from those endpoints.
2024-02-28 22:40:56 +07:00
Fabien O'Carroll
2c6321472c Added endpoint for comments/post/:post_id
refs https://linear.app/tryghost/issue/ENG-676/

This is pretty simple as we can reuse the existing browse method
on the CommentsController, but we need to add support for the post_id
option to the endpoint, for it to be added to the frame.

We also need to update the browse method to enforce the post_id on the
NQL filter. I initially tried this with string concatenation, but ran
into way too many bugs, so we're using a mongo transformer instead.
2024-02-28 22:40:56 +07:00
Djordje Vlaisavljevic
f032f11d8a Added hrefs to paywall links for improved SEO
refs DES-150
2024-02-28 15:28:41 +00:00
Fabien O'Carroll
ec697051dc 🐛 Fixed cache invalidation header race conditions
refs https://linear.app/tryghost/issue/ENG-674/

This ensures that all of our dynamic cache invalidation header logic
is applied on a per-request basis!
2024-02-28 21:31:04 +07:00
Fabien 'egg' O'Carroll
5fae212416
Ensured comment counts route doesn't load member (#19762)
refs https://linear.app/tryghost/issue/ENG-672/

The comment counts endpoint does not need member authentication.
This saves us a bunch of db queries for each request
2024-02-28 07:36:35 +07:00
Fabien 'egg' O'Carroll
7f392c305b
Added output to the get helper when the timeout is exceeded (#19761)
refs https://linear.app/tryghost/issue/ENG-670

We keep running into issues with a sites content not being correct,
and slow get helpers being the suspect - but it's difficult to prove.
The idea behind this it to give us concrete evidence, which will allow
us to diagnose the problem faster.
2024-02-28 07:35:16 +07:00
renovate[bot]
0c5f1daf96 Update dependency newrelic to v11.11.0 2024-02-27 22:55:16 +00:00
Kevin Ansfield
f3e36bcd4e
🐛 Fixed extra whitespace in plaintext transactional member emails (#19736)
closes ENG-660

- added tagged template function to strip leading whitespace from our plaintext email strings without making the source file harder to read
2024-02-27 16:24:38 +00:00
Ghost CI
536f67398c Merged v5.79.6 into main 2024-02-26 17:18:43 +00:00
Ghost CI
3b0d0934eb v5.79.6 2024-02-26 17:18:41 +00:00
Kevin Ansfield
ab7c1cfa92
Fixed incorrect cache invalidation headers for slugs Admin API endpoint (#19753)
closes ENG-666

- the Admin API `GET /slugs/{type}/{slug}/` endpoint is used by Admin to check when a potential slug needs de-duping by adding a `-{x}` suffix. Most often this occurs when setting a draft post title
- the endpoint was returning a full-site cache invalidation header meaning hosting services could be blowing away their site caches and needlessly hurting performance because this endpoint is purely a read operation and makes no changes to the site
- updated the endpoint to return no cache invalidation header
2024-02-26 17:02:09 +00:00
Kevin Ansfield
ca9c0a4055
Fixed incorrect cache invalidation headers for slugs Admin API endpoint (#19753)
closes ENG-666

- the Admin API `GET /slugs/{type}/{slug}/` endpoint is used by Admin to check when a potential slug needs de-duping by adding a `-{x}` suffix. Most often this occurs when setting a draft post title
- the endpoint was returning a full-site cache invalidation header meaning hosting services could be blowing away their site caches and needlessly hurting performance because this endpoint is purely a read operation and makes no changes to the site
- updated the endpoint to return no cache invalidation header
2024-02-26 16:59:29 +00:00
renovate[bot]
65a9a04959 Update dependency mysql2 to v3.9.2 2024-02-26 16:25:50 +00:00
Ghost CI
3a0fd45958 v5.79.5 2024-02-26 06:26:13 +00:00
renovate[bot]
49fc876fe1 Update dependency sanitize-html to v2.12.1 2024-02-22 19:17:35 +00:00
Steve Larson
02edc5ad4f
Updated browser tests to be less flaky (#19701)
no refs

- Offers browser tests were subject to a race condition. I'm guessing
this dates back to when we moved to Settings X (and React), as it seems
the url for the offer is not present on the first render of the page -
despite being returned in the `POST` request of the offer creation, the
component does a `GET` on render to get the link. This is now awaited.
- The Publishing timezone test also seemed to suffer from a race
condition. This is less sure of a fix as it's a much less frequent
failure. The date time picker input is now validated in the test before
continuing.
- Offers browser tests often timed out so the timeout has been moved to
90s for these tests.
- All tests were bumped to 75s timeout as we generally would
occasionally hit the timeout.
2024-02-21 17:47:44 +00:00
renovate[bot]
bcbd3fbcc8 Update dependency sanitize-html to v2.12.0 2024-02-21 16:47:38 +00:00
Kevin Ansfield
a3f8aa110d
🐛 Fixed explicit HTML entities being decoded when rendering HTML cards (#19728)
closes ENG-608

- bumps Koenig rendering packages to include fix for HTML entities in HTML card content being decoded during rendering which could result in unexpected/broken output
2024-02-21 16:36:04 +00:00