Commit Graph

3050 Commits

Author SHA1 Message Date
Ghost CI
46cb819feb v5.83.0 2024-05-31 16:04:36 +00:00
renovate[bot]
418316959c Update dependency mysql2 to v3.10.0 2024-05-30 19:28:02 +00:00
Steve Larson
65b929d1d8
Added JSDoc to stripe-mocker (#20282)
no ref
2024-05-29 17:38:24 -05:00
renovate[bot]
d507c5c6c2 Update Koenig packages 2024-05-29 22:28:20 +01:00
Kevin Ansfield
55015ccbcc
Added '@' internal link shortcut to editor (#20272)
closes https://linear.app/tryghost/issue/MOM-83

- added additional labs flag to allow internal testing prior to private beta release
- bumped Koenig packages containing support for @-link feature
2024-05-29 18:13:52 +01:00
Sanne de Vries
acac7801f4
Split subhead feature into two feature flags (#20279)
REF MOM-119
- Split subhead feature flag into two: editorSubtitle and
newsletterSubtitle
- Updated UI copy, feature flag names and class names from subhead to
subtitle
2024-05-29 17:59:25 +02:00
renovate[bot]
4ef1dd2146 Update dependency mysql2 to v3.9.9 2024-05-29 15:14:00 +00:00
Ronald Langeveld
fddcf3ffee
Added Subheads behind a flag (#20265)
refs MOM-152 MOM-148 MOM-151

- Added Subheads behind a flag + toggle in settings.
- Removes Excerpt fields from post settings if flag is enabled.
- Added subhead toggle in newsletter settings.
- Loads of styling

---------

Co-authored-by: Sanne de Vries <sannedv@protonmail.com>
2024-05-29 09:53:40 +00:00
Steve Larson
e6fcbf45a1
Added sanitization for svg uploads (#20264)
ref https://linear.app/tryghost/issue/ENG-856
- svgs were not previously sanitized and could contain scripts
2024-05-28 08:58:16 -05:00
Ronald Langeveld
d799f2ecb1
Added show_subhead column to newsletters table (#20268)
refs MOM-152

Adds `show_subhead` column to newsletter table. False by default.
2024-05-28 16:29:20 +07:00
Fabien 'egg' O'Carroll
6a8ae57a24
Used a base64 encoded string for hmac secret (#20269)
We want to use a randomly generated 64 byte secret for the hmac, and
utf8 encoding isn't nice to work with for this, so we're going to use a
base64 string and decode it into a buffer for the secret.
2024-05-28 14:12:48 +07:00
renovate[bot]
3ebe206ea7 Update TryGhost packages 2024-05-27 16:58:32 +02:00
renovate[bot]
6ff08c5c14 Update dependency mysql2 to v3.9.8 2024-05-27 08:04:34 +00:00
Daniel Lockyer
ecc6053e5d Cleaned up jsdom dependency usage
- we don't need this in `ghost/core` as it's not used in there
- we need to declare this dependency for the apps, as they use it for
  running tests
- this doesn't change the lockfile but it means we're declaring the
  dependency in the right places now
2024-05-27 09:49:43 +02:00
renovate[bot]
3e3bcb81fd Update dependency jsdom to v24 2024-05-27 09:07:18 +02:00
Ghost CI
43e25f44dc v5.82.12 2024-05-27 06:39:20 +00:00
Chris Raible
98d49f57d5
Added experimental headers to allow caching members content (#20200)
ref
https://linear.app/tryghost/issue/KTLO-45/deploy-members-caching-solution-to-a-single-site-to-validate-and-test

Currently we only cache publicly available content. Any content that is
accessed by a logged in member is only cached for that specific member
based on their cookie. As a result, almost all requests from logged in
members bypass our caching layer and reach Ghost, which adds unnecessary
load to Ghost and its database.

This change adds experimental headers that allow our CDN to understand
which tier to cache the content against, and securely tell the CDN which
tier a logged in member has access to. With these changes, we can cache
the member content against the tier, rather than the individual member,
which should result in a higher cache HIT ratio and reduce the load on
Ghost.

For requests to the frontend of the site, Ghost will set a custom
`X-Member-Cache-Tier` header to the ID of the tier of the member who is
accessing the content. This tells the CDN which tier to cache the
content against.

For requests to either `/members/?token=...` endpoint (the magic link
endpoint) or `/members/api/member`, Ghost will set a `ghost-access` and
`ghost-access-hmac` cookie with the ID of the tier of the logged in
member. With these two pieces of information, our CDN can serve cached
content to logged in members.

These headers are experimental, and can only be enabled via Ghost's
config. To enable these headers, set `cacheMembersContent:enabled` to
`true` and provide an HMAC key in `cacheMembersContent:hmacSecret`.
2024-05-23 19:06:45 -07:00
renovate[bot]
d302d4049c Update Koenig packages 2024-05-23 19:13:38 +01:00
Daniel Lockyer
4a02938774 Reverted "Enabled includeLocalVariables option in Sentry"
refs https://app.incident.io/ghost/incidents/73
refs https://blog.sentry.io/local-variables-for-nodejs-in-sentry/

- this reverts commit cc76fda3e8
- it turns out that enabling this causes the entire program to pause
  whilst it collects local variables
- this was only added to aid with debugging, so it's not critical to
  have and can be disabled
2024-05-23 12:04:10 +02:00
renovate[bot]
ad48d8eb25 Update sentry-javascript monorepo to v7.116.0 2024-05-21 14:24:23 +01:00
Steve Larson
9d9a421b54
Added a column disallow list in the content API posts serializer (#20207)
ref https://linear.app/tryghost/issue/CFR-29
- Removed the mobiledoc and lexical columns from the posts input
serializer, meaning they will no longer be queried for.

Get helpers are essentially a gateway to the Content API. We already
strip out the mobiledoc and lexical fields in the output
serializer/returned response, but this means we're passing the mobiledoc
and lexical fields back from the db. This is pointless and these fields
are substantial in size - by far the largest fields in the whole ghost
db - leading to slowed performance.

I've updated the posts input serializer to strip out the lexical and mobiledoc
columns so we stop doing a `select *` with every query.
2024-05-20 08:25:20 -05:00
Ronald Langeveld
e5056d8d9d
🐛 Fixed External Image URLs being incorrectly prefixed (#20226)
ref ENG-824

- the bug is causing resize prefixes being added to images served from
outside of Ghost.
- this now would only append the prefex to images served by Ghost and
other images urls' would get served as is.
- we can determine that by checking whether imageName doesn't exist,
meaning the source is a third party.
- this mostly affect edge case users, eg where a feature image url was
passed in via the API and doesn't get served by Ghost.
2024-05-20 18:06:03 +08:00
Ronald Langeveld
9a60254cd2
🐛 Fixed redundant member data loading for static assets (#20031)
refs CFR-21

Reorganised middleware execution so that member data is not redundantly loaded for static assets or the sitemap.

---------

Co-authored-by: Michael Barrett <mike@ghost.org>
2024-05-20 13:55:45 +08:00
Ghost CI
589793f0c5 v5.82.11 2024-05-17 16:04:53 +00:00
renovate[bot]
239b5b6369
🐛 Fixed certain snippets not inserting correctly (#20129)
ref https://linear.app/tryghost/issue/ONC-26/support-escalation-template-bug
ref https://github.com/TryGhost/Ghost/issues/18948

- bumps `@tryghost/koenig-lexical` to version that doesn't crash during snippet insertion when last node doesn't match expectations for inserting a trailing paragraph
- bumps all Koenig packages to ensure internal dependencies are pinned to prevent potential issues from mixed versions caused by yarn resolution
2024-05-16 11:39:03 +00:00
Ghost CI
b7efe4ff8e Merged v5.82.10 into main 2024-05-16 02:19:02 +00:00
Ghost CI
f6f04792ea v5.82.10 2024-05-16 02:19:00 +00:00
Galdin Raphael
93eaee7e08
Added missing <html> opening tag to the maintenance page (#20203)
- this was previously missing
2024-05-15 09:10:37 +02:00
Laurent Goderre
d67fc8c353
Added jackspeak resolution to core to fix ESM + CJS compat issue (#20199)
refs #20197

- adds a jackspeak resolution to Ghost core so we can try and ensure the compatible version of jackspeak/string-width is used when the lockfile is regenerated
2024-05-15 08:47:04 +02:00
Fabien O'Carroll
e98f505ae3 Added body parsing to the frontend
ref https://linear.app/tryghost/issue/MOM-73

We need to add body parsing middleware here, so that NestJS has access to it.
We also attach the rawBody which is used to validate the HTTP Signatures
2024-05-15 12:41:34 +07:00
Sodbileg Gansukh
60da243d0c
Updated signup and private page forms for consistency (#20208)
ref TRI-92
2024-05-15 04:47:02 +00:00
Kevin Ansfield
d2da9d3c17
Updated metadata shown on hover in internal link lists (#20204)
closes https://linear.app/tryghost/issue/MOM-80

- updated internal linking search results items
  - removed visibility text from meta data
  - added additional icon for paid/specific tier visibility
  - added titles to icons
- bumped `@tryghost/koenig-lexical` to include support for meta icon titles
- bumped other Koenig packages due to sub-dependency updates
2024-05-14 16:07:04 +00:00
Steve Larson
842290cbef
Improved performance for filter strings with multiple neq statements (#20198)
ref https://linear.app/tryghost/issue/CFR-27
- updated packages to include performance improvement for NQL filter
strings including multiple neq filters for the same resource
- bumped `bookshelf-plugins`
- bumped NQL versions

We identified a performance fix that allows us to combine not equal
(neq) filters for the same resource in a logically-equivalent way that
also has far more performant resulting SQL.

We're effectively automatically combining strings like
'tag:-tag1+tag:-tag2` into 'tag:-[tag1,tag2]'.
2024-05-13 10:35:27 -05:00
Daniel Lockyer
e3fa095c80 Fixed misc JSDoc types
- nothing crazy, but cleans up a few editor warnings
2024-05-13 14:53:53 +02:00
Ghost CI
b1c5a2985c v5.82.9 2024-05-13 07:01:15 +00:00
renovate[bot]
fc41947738 Update dependency semver to v7.6.2 2024-05-10 08:30:32 +02:00
renovate[bot]
512c3e1413 Update CSS preprocessors 2024-05-09 10:36:59 +02:00
renovate[bot]
4c1ecabfc7 Update sentry-javascript monorepo to v7.114.0 2024-05-09 10:16:37 +02:00
Ghost CI
88ad62558a Merged v5.82.8 into main 2024-05-08 19:30:39 +00:00
Ghost CI
f303432ba9 v5.82.8 2024-05-08 19:30:37 +00:00
Daniel Lockyer
7e9d82655e Added extra validation for reset_password endpoint
fix https://linear.app/tryghost/issue/SLO-104/cannot-read-properties-of-undefined-reading-0-an-unexpected-error

- if the request body didn't contain the correct keys, it'd just HTTP
  500 out of there
- this adds some optional chaining so we end up with undefined if
  anything isn't as expected, and the following if-statement does the
  rest of the check for us
- this also adds a breaking test (the first E2E test for authentication, yay!)
2024-05-08 18:05:04 +02:00
Daniel Lockyer
76c6e92006
Handled invalid files when uploading DB zips (#20165)
fix
https://linear.app/tryghost/issue/SLO-103/invalid-comment-length-expected-7-found-0-an-unexpected-error-occurred

- similar to
e8e3447f15,
this captures a specific error from yauzl and throws a user-friendly
error
- perhaps in the future we can just look for yauzl errors and always
return user-friendly errors, but let's monitor that first
- also includes a breaking test
2024-05-08 14:59:34 +02:00
Daniel Lockyer
f276abf9e8 Condensed logic for determining whether to send Sentry events
refs https://docs.sentry.io/platforms/javascript/configuration/filtering/#using--1%20

- this simplifies our logic to determine whether we should send events
  by moving the code to `beforeSend`
- `errorHandler` is going away in Sentry v8 so this results in a shorter
  diff in the future
- the logic should be the same, always send non-Ghost errors, and only
  send HTTP 500 Ghost errors
2024-05-08 14:25:00 +02:00
Daniel Lockyer
77fc66340a Refactored Sentry beforeSend code
- this tidies up the implementation by removing the very verbose ternary
  operator, and also uses the optional chaining operator
2024-05-08 14:25:00 +02:00
Daniel Lockyer
c4ad593a5a Added JSDoc types to Sentry
- this helps editors with identifying what the types of parameters are
2024-05-08 14:25:00 +02:00
Daniel Lockyer
e8e3447f15 Fixed handling empty zip file uploads
fix https://linear.app/tryghost/issue/SLO-102/end-of-central-directory-record-signature-not-found-an-unexpected

- previously, uploading an empty zip would result in a HTTP 500 error
  because yauzl would error and we'd bubble that up as an
  InternalServerError
- now, we catch the specific error message and return a more user
  friendly error
- also includes tests and sample zip file
2024-05-08 11:19:47 +02:00
Daniel Lockyer
d82b136a6a Handled uploads with invalid form bodies
fix https://linear.app/tryghost/issue/SLO-101/http-500-with-invalid-multipart-data

- previously, busboy would error out if we supplied a body that was
  invalid (such as an empty FormData)
- we would then return a HTTP 500 to the user, which causes all manner
  of problems
- now we catch errors from busboy and return a nice BadRequestError
2024-05-08 11:19:47 +02:00
Daniel Lockyer
ae88dc8548 Handled invalid timestamp format in filters
fix https://linear.app/tryghost/issue/SLO-85/fix-http-500-on-contentposts

- in the event we give the incorrect format in a filter, MySQL will
  throw an error and we'll throw a HTTP 500 error
- we can capture this error and return a more useful error to the user
- ideally we'd do this in a validation step before attempting the query,
  but parsing this out of NQL and detecting which columns are DATETIME
  could be quite tricky
2024-05-08 09:28:56 +02:00
Daniel Lockyer
82c612bad9 Rolled out API framework JSDoc typing to more places
- this updates a bunch of places where we're just using Object to cheat
  the system
- doing this means editor autocomplete and basic type checking is better
  because we now have proper types in place
- functionality should not change, these are just comments
2024-05-08 09:28:31 +02:00
renovate[bot]
1fea2fc616 Update dependency semver to v7.6.1 2024-05-08 09:04:44 +02:00