closes https://github.com/TryGhost/Ghost/issues/11078
Problem:
- the admin client makes an XHR request to the `/private/` endpoint when a private site is configured
- when a separate admin URL is configured this was causing 500 errors in the admin client because missing CORS headers on the endpoint was causing browsers to abort the request
- browsers will also look at the CORS headers on any resources that are the result of a redirect and abort the request if they do not allow cross-origin requests, this means allowing all requests on `/private/` is not enough
Solution:
- uses the `cors` middleware with a dynamic options function for the whole of the front-end site app
- dynamic options function allows the following requests through:
- same-origin (browsers and non-browser agents will not send an `Origin` header)
- origin is `localhost` or `127.0.0.1` with any protocol and port
- origin matches the configured `url` hostname+port on any protocol
- origin matches the configured `admin:url` hostname+port on any protocol
no issue
- when too many login attempts were detected for the `/private/` form we were throwing 500 errors instead of the more appropriate 429 error that we use everywhere else for "too many request" type errors
no issue
- @tryghost/url-utils was bumped to 0.3.1 which fixed admin redirects returning relative rather than absolute URLs
- updates tests that were expecting relative URLs rather than absolute URLs
refs #10496
- currently {{asset this/is/not/a.string}} would throw a 500 error
- this commit changes that to make it throw a sensible 400 + incorrect usage error
no-issue
* Installed @tryghost/members-ssr@0.4.0
This now supports caching of the data returned by the members-api
* Renamed cookies set by members-ssr
As discussed with @ErisDS I have prefixed these cookies with `ghost`
no-issue
When installing new packages yarn sorts them alphabetically, this meant
that installing/updating packages would have extra changes which would
be noisy either to developers or the git history.
no-issue
* Installed members-api@0.5.0 members-ssr@0.3.1
* Supported multiple members-forms
* Used members canary api
* Added GET handler to /members/ssr for id token
The identity token will be used to ensure that a payment is linked to the correct member
* Added stripe.js to ghost_head when members enabled
* Added basic support for linking to stripe checkout
* Removed listener to title and icon settings changes
* Added stripe subscription config
no issue
Current metascraper rule for fetching page metadata in case of bookmark card gives preference to publisher logo over icon tags. This PR updates giving first preference to icon link tags followed by logo.
requires https://github.com/TryGhost/Ghost-Admin/pull/1293
- updates `oembed` endpoint behaviour
- if an oembed provider is not found then we use `metascraper` to populate a metadata object
- when metadata is returned rather than an oembed response the payload will look like this:
```json
{
"url": "...",
"type": "bookmark",
"metadata": {
"url": "...",
"title": "...",
"description": "...",
"author": "...",
"publisher": "...",
"thumbnail": "...",
"icon": "..."
}
}
```
- adds a `bookmark` card which generates output for the bookmark card:
```html
<figure class="kg-card kg-bookmark-card">
<a href="[URL]" class="kg-bookmark-container">
<div class="kg-bookmark-content">
<div class="kg-bookmark-title">[TITLE]</div>
<div class="kg-bookmark-description">[DESCRIPTION]</div>
<div class="kg-bookmark-metadata">
<img src="[ICON]" class="kg-bookmark-icon">
<span class="kg-bookmark-author">[AUTHOR]</span>
<span class="kg-bookmark-publisher">[PUBLISHER]</span>
</div>
</div>
<div class="kg-bookmark-thumbnail">
<img src="[THUMBNAIL]">
</div>
</a>
</figure>
```
- if a particular bit of data does not exist then the associated html element will not be present
closes#10531
- Adds space when encountering closing </p> and <br> tags
- The mobiledoc-to-html conversion produces these tags in this exact
syntax, so there is no need to account for more cases like additional spaces or alternative syntax like <br />
- Added test cases that cover spacing use-casei
- Changed some existing tests to contain more close-to-real-world markup
- The downside of this approach is generating multiple spaces in case there are empty paragraphs in the markup. The same concern is true for current "new line" substitution:
> excerpt.replace(/(\r\n|\n|\r)+/gm, ' ')
but it never has been a concern as in real world when multiple spaces are used inside of the `<p>` tag they are rendered as single space.
