Commit Graph

9698 Commits

Author SHA1 Message Date
Kevin Ansfield
7e92b07233 🔒 Added admin:redirects config option for disabling admin redirects
no issue

- adds `config:redirects` config option that defaults to `true`
- when set to `false`
  - `/ghost/` will 404 on the front-end when a separate admin url is configured
  - all `{resource}/edit/` URLs on the front-end will 404
2019-09-12 12:40:12 +01:00
Naz Gargol
95ea5265d5
🔥 Removed v0.1 auth services (#11104) 2019-09-11 19:40:48 +02:00
Naz Gargol
5b59c7b542
🔥 Removed v0.1 controllers & routes (#11103)
no issue

- Removed v0.1 controllers
- Removed 0.1 API unit tests
- Removed 0.1 API app and mount point
- Removed leftover use of v0.1 in entry-lookup test suite
- Removed frontend client API endpoints and related code (middleware)
- Fixed prev/next test suites to use v2 API
- Set default API version to explicit v2 in UrlUtils
- Removed v0.1 API regex from public files middleware
2019-09-11 19:10:10 +02:00
Nazar Gargol
ad070c7200 Fixed lint rule 2019-09-11 18:37:30 +02:00
Nazar Gargol
0f75a8d0bc ⚠️ Skipped Scheduler initialization logic and its tests
no issue

- This commit is to be reverted once Scheduler migration is completed.
- Should not ever land in master!
2019-09-11 18:27:57 +02:00
Kevin Ansfield
666a9d371f 🔥 Removed all non-/ghost/ redirects to the admin
no issue

- we used to redirect paths such as `/logout/` and `/signin/` to the admin but they are no longer desired
  - with the introduction of members these URLs can be confused with front-end member related actions
  - we want to be able to optionally "turn off" redirects to the admin to help mask the admin url when it's configured to be separate to the front-end
2019-09-11 14:55:00 +01:00
Kevin Ansfield
5fc101136f Fixed urls in output when accessing front-end via https
no issue

- `vhost` as used in b46f9b1dc2 does not pass down the `trust proxy` setting to child apps so it's required to be called explicitly in each child app
- fixed URLs being output as http:// instead of https:// when the front-end is accessed with `x-forwarded-proto: 'https'`
2019-09-11 14:50:55 +01:00
Nazar Gargol
4876f5fc13 Fixed AMP test for 'static pages'
no issue

- 'static pages' (post of a page type) were not supported in v0.1 API
- this is where the 404 is coming from: df7e64fafa/core/frontend/apps/amp/lib/router.js (L66), and it was handled at a rather late stage before: df7e64fafa/core/frontend/apps/amp/lib/router.js (L24)
- after moving to v2 API the later stage doesn't happen, so the entry lookup helper doesn't have enough information to tell whether a 'Post' or a 'Page' is being requested
2019-09-11 15:48:23 +02:00
Kevin Ansfield
c411795741 Fixed parent-app unit tests
no issue

- updated to reflect the changes in 717567995b
2019-09-11 14:27:09 +01:00
Kevin Ansfield
717567995b Fixed 404 handling for {admin url}/content/* routes
no issue

- added our theme error handling middleware to {admin}/content/ so that cache headers are properly set for 404s
- only registered {admin}/content when a separate admin url is configured so that we're not overriding {site}/content
2019-09-11 14:18:31 +01:00
Nazar Gargol
6feeb67d84 🔥 Removed v0.1 API regression test suite 2019-09-11 14:57:10 +02:00
Naz Gargol
b8b0a5ea18
💡 Migrated session controllers for compatibility with "frame" (#11101)
no issue

- Session controllers were using API v1 http method which bypassed "frame" introduced with API v2.
- Changes here are just a long-awaited cleanup to allow completely removing v0.1 code
2019-09-11 11:28:55 +02:00
Nazar Gargol
465ee0e609 Fixed failing regression test suite to do with "frontend"
- Theme fixtures don't have "ghost-api", which still falls back to v0.1 and has to be hardcoded for now. When v0.1 removal is complete and v2 becomes the default this can be reverted
2019-09-10 20:02:10 +02:00
Naz Gargol
91984b54ca
🔥 Removed ghost-sdk client for v0.1 API (#11100)
no issue

- As v0.1 API is dropped there is no need to keep an API client around
- Removed references to ghost-sdk in regression test suite
- Removed routes to /public/ghost-sdk.js
- Removed reference to ghost-sdk in grunt build process
2019-09-10 17:15:53 +02:00
Kevin Ansfield
b46f9b1dc2 🔒 Fully separated front-end and admin app urls
no issue

- uses `vhost` in parent-app to properly split front-end and admin/api apps when a separate admin url is configured
2019-09-10 15:47:49 +01:00
Kevin Ansfield
58b9aea00d Added publicAdminApi middleware stack
refs https://github.com/TryGhost/Ghost/issues/11083

- the `/api/v2/admin/site/` endpoint is "public" and as such was not using the `authAdminApi` middleware stack so it did not act like other API endpoints with protocol or trailing-slash redirects
- adds `publicAdminApi` middleware array and uses it for the `/site/` endpoint in both v2 and canary API versions
2019-09-10 15:47:49 +01:00
Naz Gargol
7dc38e2078
🔥 Removed V1 code/references in frontend resources/routing layer (#11087)
no issue

- Removed v1 'author' leftover in include statement for preview controller
- Removed v1 'author' leftover in include statement for preview controller
- Removed v1 'author' leftover in include statement in entry lookup routing helper
- Migrated related test to use v2 API controller
- Removed v0.1 routing config
- Removed v0.1 url config
- Fixed tests that had to do with url's in resources after removing v0.1 resources from URL cache
- Removed v1 'author' leftover in include statement in static routing helper
- Modified the test to use v2 API
- Removed v1 specific condition with 'page' in context helper
- Fixed dynamic routing spec after theme switch to v2. All tested users have to have at least one published post to be shown as an author
- Fixed URL Service spec to use theme engine v2
2019-09-10 11:41:42 +02:00
Naz Gargol
a9050f68ea
🔥 Removed V1 code/references in frontend helpers/meta layers (#11080)
no issue

- Removed deprecated 'blog' reference from frontend data. The alias (site->blog) stays till next version (v4) as it's not leaving much technical debt but would ease the migration process for anybody still using it.
- The follow-up to this is substituting all references to `options.data.blog` with `options.data.site` in "frontend"
- Fixed test utils helper to use `site` instead of `blog`
- Removed 0.1 flag checks in {{get}} helper
- Removed user aliasing from {{get}} helper
- Removed unused translation for {{get}} helper
- Added a note to excerpt changes in metadata for future reference
- Removed page alias used in description helper. The mix of page context with post object in the metadata was only possible in v0.1
- Changed mock in ghost_head helper to use v2
- Removed unneeded test for body class helper
2019-09-10 11:37:04 +02:00
Kevin Ansfield
1752132051 Merge branch 'master' into v3 2019-09-10 09:50:15 +01:00
renovate[bot]
c3eb5c291c Lock file maintenance (#11061) 2019-09-10 09:45:45 +01:00
renovate[bot]
74fab21eb5 Update dependency mobiledoc-dom-renderer to v0.7.0 (#10937) 2019-09-10 09:36:43 +01:00
renovate[bot]
aa22de4db8 Update dependency nock to v11 (#11093) 2019-09-10 09:13:26 +01:00
renovate[bot]
07448ce034 Update dependency sqlite3 to v4.1.0 (#11034) 2019-09-10 08:58:35 +01:00
renovate[bot]
68af109d8e Update dependency bookshelf-relations to v1.3.0 (#11065) 2019-09-10 08:57:56 +01:00
Kevin Ansfield
2c5fb3d7b8 Version bump to 2.31.0 2019-09-09 17:47:56 +01:00
Kevin Ansfield
e8188f8f6b Updated Ghost-Admin to 2.31.0 2019-09-09 17:47:56 +01:00
Kevin Ansfield
ba3c26ef5c
🐛 Fixed "View site" screen in admin on private sites with separate admin url (#11098)
closes https://github.com/TryGhost/Ghost/issues/11078

Problem:
- the admin client makes an XHR request to the `/private/` endpoint when a private site is configured
- when a separate admin URL is configured this was causing 500 errors in the admin client because missing CORS headers on the endpoint were causing browsers to abort the request
- browsers will also look at the CORS headers on any resources that are the result of a redirect and abort the request if they do not allow cross-origin requests; this means allowing all requests on `/private/` is not enough

Solution:
- uses the `cors` middleware with a dynamic options function for the whole of the front-end site app
- dynamic options function allows the following requests through:
  - same-origin (browsers and non-browser agents will not send an `Origin` header)
  - origin is `localhost` or `127.0.0.1` with any protocol and port
  - origin matches the configured `url` hostname+port on any protocol
  - origin matches the configured `admin:url` hostname+port on any protocol
2019-09-09 17:42:55 +01:00
Kevin Ansfield
88659e5a52 Switched private login brute errors to correct error status code
no issue

- when too many login attempts were detected for the `/private/` form we were throwing 500 errors instead of the more appropriate 429 error that we use everywhere else for "too many requests" type errors
2019-09-09 16:02:21 +01:00
Kevin Ansfield
5be63958b9 Reverted dependency oembed-parser to 1.2.2
no issue

- 1.3.1 is breaking the oembed regression tests
2019-09-09 16:00:04 +01:00
Kevin Ansfield
be71afa07d Fixed regression tests expecting relative URLs for admin redirects
no issue

- @tryghost/url-utils was bumped to 0.3.1 which fixed admin redirects returning relative rather than absolute URLs
- updates tests that were expecting relative URLs rather than absolute URLs
2019-09-09 15:52:26 +01:00
Hannah Wolfe
708927335b Added error handling for weird handlebars syntax
refs #10496

- handlebars if and unless helpers throw weird, unhelpful syntax errors
- for now, catch these errors and do something helpful with them
2019-09-09 13:03:04 +01:00
Hannah Wolfe
9abffe4396 Added guard to asset helper for missing paths
refs #10496

- currently {{asset this/is/not/a.string}} would throw a 500 error
- this commit changes that to make it throw a sensible 400 + incorrect usage error
2019-09-09 13:02:45 +01:00
renovate[bot]
5c8efd087e Update dependency @tryghost/html-to-mobiledoc to v0.6.0 (#11092) 2019-09-09 10:45:30 +01:00
renovate[bot]
fa0a399345 Update dependency oembed-parser to v1.3.1 (#10983) 2019-09-09 10:44:13 +01:00
Fabien O'Carroll
b8fc0d2bd1
Cached member data in ghost-members-ssr-cache cookie (#11096)
no-issue

* Installed @tryghost/members-ssr@0.4.0
  This now supports caching of the data returned by the members-api

* Renamed cookies set by members-ssr
  As discussed with @ErisDS I have prefixed these cookies with `ghost`
2019-09-09 17:39:46 +08:00
Fabien O'Carroll
9447165e0a Alphabetically sorted dependencies in package.json
no-issue

When installing new packages yarn sorts them alphabetically; this meant
that installing/updating packages would have extra changes which would
be noisy either to developers or the git history.
2019-09-09 17:33:47 +08:00
Renovate Bot
01f2f36547 Update dependency @tryghost/url-utils to v0.3.1 2019-09-09 02:34:18 +00:00
Renovate Bot
af021921e7 Update dependency @tryghost/helpers to v1.1.9 2019-09-09 01:28:16 +00:00
Hannah Wolfe
a4464d0137 Return correct error codes from storage adapter
no issue

- malformed paths such as http://localhost:2368/content/images/2018/02/%c0%af were throwing 500 errors, instead of 500 errors
- this code catches the error and handles it correctly
2019-09-06 17:40:55 +01:00
Hannah Wolfe
623c65c509 💡 Changed static router - throw 400 for missing tpl
fixes #10990

- Changed the static router to throw a 400 error for a missing template file, rather than falling back to using the default.hbs file
- Falling back is weird and hard to understand, but throwing an error makes it clear that the user has to provide the matching template
- The new error reads 'Missing template [filename].hbs for route "[route]".'

Assume you have a route.yaml file something like:

```
routes:
  /: home
```

- In Ghost v2, if you don't have a home.hbs template, Ghost falls back to using the default.hbs file if it's available
- Most themes have a default.hbs, however this file is a layout file, depended on by other templates, not a template file itself
- In production mode, using the default.hbs as a template causes weird, intermittent layout issues depending on which order pages are loaded
- This is due to this issue: https://github.com/barc/express-hbs/issues/161
- In Ghost v3, we will throw a 400 error for missing template files instead of having a fallback
- In the example above, navigating to '/' would throw the error 'Missing template home.hbs for route "/".'
2019-09-06 15:41:42 +01:00
Fabien O'Carroll
78505f86ef
Updated members.js & members.min.js (#11082)
no-issue

* Converted member.js to es5
* Updated member.min.js
2019-09-06 16:07:46 +08:00
Fabien O'Carroll
f63577fa4f
Implemented stripe checkout handling for members
no-issue

* Installed members-api@0.5.0 members-ssr@0.3.1
* Supported multiple members-forms
* Used members canary api
* Added GET handler to /members/ssr for id token
The identity token will be used to ensure that a payment is linked to the correct member
* Added stripe.js to ghost_head when members enabled
* Added basic support for linking to stripe checkout
* Removed listener to title and icon settings changes
* Added stripe subscription config
2019-09-06 15:14:21 +08:00
Fabien O'Carroll
49672a1e4d Updated members service to use magic-link signin
no-issue
2019-09-05 11:14:50 +08:00
Fabien O'Carroll
ef78fe7bab Updated members-api@0.4.1 members-ssr@0.3.0
no-issue

These versions contain the necessary changes for magic link signin
2019-09-05 11:14:50 +08:00
Fabien O'Carroll
edca4138ff Updated getMember to return null rather than throw
no-issue

This allows members code to remove try/catch statements without having
to pass the Ghost/bookshelf specific `require: false` option
2019-09-05 11:14:50 +08:00
Fabien O'Carroll
294f3769cb Removed name and password columns from members table
no-issue

We have no need for these right now and it is easier to drop the
columns, rather than to modify the name column to nullable
2019-09-05 11:14:50 +08:00
Fabien O'Carroll
7382967613 Added createColumnMigration helper
no-issue
2019-09-05 11:14:50 +08:00
Rishabh Garg
b875cc339d
🔥 Dropped unused ghost_auth_* user fields
no issue

- Drops `ghost_auth_access_token` and `ghost_auth_id` fields since not used anymore
- Adds migration for dropping these columns from users table
- Drops Auth strategy - `ghostStrategy` - since it's not used anymore
2019-09-03 20:48:42 +05:30
Rishabh Garg
303046bc0a
💡 Added v3 API endpoint (#11073)
no issue

- Adds new /v3/ endpoint which currently aliases canary code
2019-09-03 12:33:31 +05:30
Kevin Ansfield
bc18aee3b4 Removed unused admin serviceworker endpoint
no issue

- Ghost-Admin serviceworker support was removed a long time ago but the URL handling was never removed
2019-09-02 16:58:06 +01:00