TryGhost/Ghost
1
0
Fork 0
mirror of https://github.com/TryGhost/Ghost.git synced 2025-01-05 09:50:34 +03:00
Code Issues Projects Releases Wiki Activity
13,490 Commits 250 Branches 1,686 Tags 408 MiB
62ee693310
Commit Graph

7 Commits

Author SHA1 Message Date
Fabien O'Carroll
62ee693310 Lazily instantiated express-session middleware 
refs https://github.com/TryGhost/Team/issues/756

When running the tests it was possible for this middleware to be
instantiated before the settings cache, resulting in an undefined
'session_secret' setting being passed. This would cause tests to fail.

Tracking this down proved difficult, so the fix was made here, by
instantiating the express-session middleware only once a request needs
to use it, we can be confident that Ghost has completely started.
 2021-07-14 17:19:53 +01:00
Hannah Wolfe
bd597db829
Moved settings/cache to shared/settings-cache 
- This is part of the quest to separate the frontend and server & get rid of all the places where there are cross-requires
- At the moment the settings cache is one big shared cache used by the frontend and server liberally
- This change doesn't really solve the fundamental problems, as we still depend on events, and requires from inside frontend
- However it allows us to control the misuse slightly better by getting rid of restricted requires and turning on that eslint ruleset
 2021-06-30 15:49:10 +01:00
Thibaut Patel
f12f64e87b
🔒 Added a "reset all passwords" feature (#13005) 
issue https://github.com/TryGhost/Team/issues/750

- Only accessible by admins
- Resets all staff users' passwords and prevents them to log-in
- Sends them a reset email password to give them back access to their account
- Closes all existing staff user sessions
 2021-06-23 14:54:28 +02:00
Daniel Lockyer
8799feb801 Replaced constants file with @tryghost/constants 
- extracted constants file into a new package
- replaced all local requires of the file with new package
 2020-08-11 12:51:16 +01:00
Vikas Potluri
1bd8c18a16
Moved core/server/lib/url-utils to core/shared/url-utils (#11856) 
* moved url-utils from server to shared
* updated imports of url-utils
 2020-05-28 11:57:02 +01:00
Vikas Potluri
15d9a77092
Moved config from server to shared (#11850) 
* moved `server/config` to `shared/config`
* updated config import paths in server to use shared
* updated config import paths in frontend to use shared
* updated config import paths in test to use shared
* updated config import paths in root to use shared
* trigger regression tests
* of course the rebase broke tests
 2020-05-27 18:47:53 +01:00
Fabien O'Carroll
a701ee7023
Added support for token session to /ghost (#11709) 
no-issue

* Added default for getting origin of request

This function is used to attach the origin of the request to the
session, and later check that requests using the session are coming from
the same origin. This protects us against CSRF attacks as requests in
the browser MUST originate from the same origin on which the user
logged in.

Previously, when we could not determine the origin we would return
null, as a "safety" net.

This updates the function to use a secure and sensible default - which
is the origin of the Ghost-Admin application, and if that's not set -
the origin of the Ghost application.

This will make dealing with magic links simpler as you can not always
guaruntee the existence of these headers when visiting via a hyperlink

* Removed init fns and getters from session service

This simplifies the code here, making it easier to read and maintain

* Moved express-session initialisation to own file

This is complex enough that it deserves its own module

* Added createSessionFromToken to session service

* Wired up the createSessionFromToken middleware
 2020-04-06 11:49:14 +02:00