refs https://github.com/TryGhost/Team/issues/2233
**Problem**
When a user clicks an offer link that has an archived tier, the site
blocks and you are no longer able to scroll. This is because the product
for that offer can't be found. This has been fixed by updating the
`isActiveOffer` helper to also check for the existence of the
corresponding tier.
**Solution**
- You no longer are able to create new offers if there are no active
tiers
- A custom message is shown that instructs the user to create a new tier
if there are not active tiers on the offers page
- Improved detection of changes in tiers by correctly reloading the
members utils service after tier changes
- Portal redirects to the homepage for offers with an archived tier
(same behaviour as invalid offers)
- Offers of an archived tier are no longer visible in the dashboard
closes https://github.com/TryGhost/Team/issues/2202
Some parts of the codebase were not using the isSameCurrency helper
which meant that we were incorrectly filtering out tiers from the
upgrade screen. Tiers used to *usually* have a lowercased currency
property, but they now _always_ have an uppercased.
refs https://github.com/TryGhost/Team/issues/2199
The data-attribute handler was not using the utils/api package but
instead reimplemnted the logic to create checkout sessions, this was
missed when moving to a redirect for checkout and so wasn't working
correctly.
closes https://github.com/TryGhost/Team/issues/2197
Portal was relying on monthlyPrice or yearlyPrice being undefined as a
proxy to determine whether or not to show paid plans, this fixes it to
check for whether or not stripe is enabled.
I did consider using the portal_plans array to filter out unselected
Tiers, but wasn't sure of the repercussions, though it does seem like
the correct fix long term.
`window.location.assign` does not return anything, so `result.error` was
failing because `result` was undefined. We've moved the handling of the
result of `redirectToCheckout` to be specific to that promise. We've
also removed the use of `catch` because all it did was rethrow the
error, which is default behaviour.
- Main goal to improve modal when audience feedback fails
- Felt right to also improve the newsletter unsubscribe issue, too
- Makes this more pleasing to read and look at, nothing fancy
refs https://github.com/TryGhost/Team/issues/2081
refs https://github.com/TryGhost/Team/issues/2078
As part of decoupling Stripe from the members feature, we are going to be using
payment URLs rather than Stripe sepcific session ids and publick keys.
This prepares Portal to work with the new system, whilst retainign the existing
functionality
fixes https://github.com/TryGhost/Ghost/issues/14508
This change requires the frontend to send an explicit `emailType` when sending a magic link. We default to `subscribe` (`signin` for invite only sites) for now to remain compatible with the existing behaviour.
**Problem:**
When a member tries to login and that member doesn't exist, we created a new member in the past.
- This caused the creation of duplicate accounts when members were guessing the email address they used.
- This caused the creation of new accounts when using an old impersonation token, login link or email change link that was sent before member deletion.
**Fixed:**
- Trying to login with an email address that doesn't exist will throw an error now.
- Added new and separate rate limiting to login (to prevent user enumeration). This rate limiting has a higher default limit of 8. I think it needs a higher default limit (because it is rate limited on every call instead of per email address. And it should be configurable independent from administrator rate limiting. It also needs a lower lifetime value because it is never reset.
- Updated error responses in the `sendMagicLink` endpoint to use the default error encoding middleware.
- The type (`signin`, `signup`, `updateEmail` or `subscribe`) is now stored in the magic link. This is used to prevent signups with a sign in token.
**Notes:**
- Between tests, we truncate the database, but this is not enough for the rate limits to be truly reset. I had to add a method to the spam prevention service to reset all the instances between tests. Not resetting them caused random failures because every login in every test was hitting those spam prevention middlewares and somehow left a trace of that in those instances (even when the brute table is reset). Maybe those instances were doing some in memory caching.
refs https://github.com/TryGhost/Toolbox/issues/426
- with the existing `ship` command, it publishes to npm before pushing
to GitHub
- I fear we're likely to run into a scenario where the HEAD of `main` is
behind, so the git push fails, and then rebasing the HEAD will break
the tags that we created
- in this scenario, I think it's better to hard reset back, git pull and
then try again
- in that case, we need to publish to npm after GitHub
- this commit should implement that
refs https://github.com/TryGhost/Toolbox/issues/426
- now Portal is in the monorepo, the dev script doesn't need to wipe the
console output nor print instructions as that should be handled with
setting environment variables
- these changes were needed ahead of the upcoming bump to react-scripts,
which bumps eslint to v8, and therefore we can update
eslint-plugin-ghost, which introduces some new linting rules