Commit Graph

3394 Commits

Author SHA1 Message Date
Michael Barrett
8a86db4ea5 Updated response code for re-sending verification 2024-10-21 11:01:40 +01:00
Michael Barrett
916b2aef9d Added tests for auth code middleware 2024-10-21 11:01:40 +01:00
Sam Lord
0b852bcb38 Added check for verified sessions
refs ENG-1610
2024-10-21 11:01:40 +01:00
Michael Barrett
7a18e829c5 Added endpoints for supporting 2FA
no refs

- Added `POST /session/verify` to send the user a verification code
- Added `PUT /session/verify` to verify the user's verification code
2024-10-21 11:01:40 +01:00
Princi Vershwal
51fa21324d Added logic for generating and verifying otp 2024-10-21 11:01:40 +01:00
Princi Vershwal
1106d64706 Added API for sendingAuthCode 2024-10-21 11:01:40 +01:00
Sam Lord
8f7c81ac84 Added "verified" status to session
refs ENG-1622

Currently unused by the API, this session variable will be used to
confirm whether the user has authenticated their session with an email
OTP. The verified status is not removed on logout, so sessions are now
retained instead of being destroyed.
2024-10-21 11:01:40 +01:00
Kevin Ansfield
698e42433c Added staff2fa labs flag 2024-10-21 11:01:40 +01:00
Steve Larson
d1db417495
Reduced apps package size (#21349)
ref 324211f
- this includes changes to improve package size

Package size was found to be bloated due to expanding i18n strings. We
were packing all i18n strings instead of just the ones relevant to the
package. Thanks to @cathysarisky for identifying this!
2024-10-20 13:47:15 +00:00
Ghost CI
e42ed553dc v5.97.0 2024-10-18 15:05:19 +00:00
Steve Larson
2e0293c99f
🐛 Fixed NQL filters for single letter slugs (#21340)
fixes https://github.com/TryGhost/Ghost/issues/20133
- includes fix to support single letter slugs
2024-10-17 15:35:26 +00:00
Aileen Booker
3eb6503849 Added migration for new settings keys 2024-10-17 05:51:38 -04:00
Chris Raible
0e10f500aa
Added target dependencies to test scripts in ghost/core (#21332)
no issue

- The `test:*` commands in `ghost/core` are all implicitly dependent on
the TS packages in the whole monorepo being built, but we hadn't
explicitly declared this dependency to NX.
- Now if you run `yarn nx run ghost:test:e2e` (or any other `test:*`
commands in ghost), NX will know that it needs to rebuild the TS
packages, unless they are cached and haven't changed.
- With this, you should be able to directly clone the repo and run `yarn
nx run ghost:test:e2e` to run e2e tests, without running `yarn dev` or
`yarn nx run-many -t build:ts` first.
- This is especially useful for getting tests to run properly in docker
2024-10-16 14:12:20 -07:00
Chris Raible
14d762ddc9
Added @tryghost/metrics-server to package.json (#21330)
no issue

- I apparently never added @tryghost/metrics-server as a dependency to
ghost/core/package.json. It worked in most cases as a 'phantom
dependency' — yarn installs all node_modules in a flat structure, so
even though it wasn't a dependency in package.json, it still resolved to
the correct package, as long as the typescript packages were all built
first.
- This passed CI because we explicitly run ts:build on all packages
before running tests, and it worked in production because we build the
TS packages as part of the docker build. However, when trying to run
tests locally, it would sometimes fail unless you explicitly ran nx
run-many -t build:ts at the top level before running the tests.
- Adding it as a dependency in package.json fixes this problem.
2024-10-16 12:38:54 -07:00
Steve Larson
63f25ece6d
Added unsubscribe_url to member api response (#21207)
ref https://linear.app/tryghost/issue/ONC-387/

With some recent changes, we added validation to unsubscribe URLs to verify the source, allowing us to cut down on spam and improving security, as the underlying key could be re-generated should the need arise. This had the side effect of making unsubscribe URLs difficult to reconstruct when using third-party/downstream integrations, such as ActiveCampaign, which fills a gap in the current Ghost feature set.

Now any authenticated query to `/api/members` will return an `unsubscribe_url` field that can be used directly.
2024-10-16 14:00:31 -05:00
Steve Larson
ea70631a29
Added created_at field to member fixtures for consistent sort (#21325)
no ref

When running tests, occasionally we'll see some varying sort in the
members api response because members are generally all created with the
same timestamp. While `ObjectId` should be progressive, and our defalut
sort is `ORDER BY created_at desc, id desc`, we still would sometimes
see issues. This ought to remove any flakiness.
2024-10-16 16:45:22 +00:00
Steve Larson
cf2b429436
Stubbed ghost core unit test errors (#21324)
no ref

Stubbed expected test errors. In general, we should be expecting these
errors in the tests as we write them as that is the expected behavior
(or that behavior should change).
2024-10-16 15:31:57 +00:00
Cathy Sarisky
73a39ead9a
Fixed members/signin_urls endpoint to take admin api key (#21284)
closes #16748 

The members/:member_id/signin_urls endpoint currently only does
cookie-based authentication. When #21249 is merged, turning on 2FA is
going to break any 3rd party processes that use it (including my social
sign-in offering).

This patch gives admin API keys 'read' permission on this endpoint, and
enables 3rd party processes to handle user logins the right way, instead
of via a staff member's email/password.

Migration included.  Feedback appreciated.

I have the wrong name on my migration. I can see it doesn't follow the
naming convention, but I'm not sure how the names are generated.

---------

Co-authored-by: Michael Barrett <mike182uk@gmail.com>
2024-10-16 14:30:36 +01:00
Daniel Lockyer
7fc4dfaac1 Reverted "Stripped moment from BaseSiteMapGenerator"
refs https://ghost.slack.com/archives/C02G9E68C/p1729083762579479

- this reverts commit 30220aa6ef.
2024-10-16 15:25:47 +02:00
Daniel Lockyer
1068f6ed13 Reverted "Stripped moment from data-manipulation.fixDatesWhenFetch"
refs https://ghost.slack.com/archives/C02G9E68C/p1729083762579479

- this reverts commit 96f6adecac.
2024-10-16 15:25:47 +02:00
Ghost CI
27e1a89e58 Merged v5.96.2 into main 2024-10-16 09:31:44 +00:00
Ghost CI
42fcd385a6 v5.96.2 2024-10-16 09:31:42 +00:00
Sag
00f70a445b 🐛 Fixed missing incoming recommendations (#21317)
ref https://linear.app/tryghost/issue/ONC-433

- due to a regression introduced in commit 871d21a, incoming
recommendations were not rendering in Admin Settings anymore, as they
were marked as deleted
- this commit updates the refresh logic of incoming recommendations on
boot: previously deleted incoming recommendations are refetched, and if
now available, restored
- when a recommendation is restored, we don't send a staff email
notification
2024-10-16 11:14:58 +02:00
Sag
cab655289f Revert "Fixed fetching and storing bookmark card icons and thumbnails" (#21316)
ref https://linear.app/tryghost/issue/ONC-433
ref https://linear.app/tryghost/issue/ENG-904

- the reverted commit (871d21acaf) caused
a regression for recommendations: incoming recommendations were marked
as deleted and did not render in Admin Settings anymore
2024-10-16 11:14:46 +02:00
Sag
6ee3d05da5
🐛 Fixed missing incoming recommendations (#21317)
ref https://linear.app/tryghost/issue/ONC-433

- due to a regression introduced in commit 871d21a, incoming
recommendations were not rendering in Admin Settings anymore, as they
were marked as deleted
- this commit updates the refresh logic of incoming recommendations on
boot: previously deleted incoming recommendations are refetched, and if
now available, restored
- when a recommendation is restored, we don't send a staff email
notification
2024-10-16 11:00:47 +02:00
Sag
a3b84e8cd1
Revert "Fixed fetching and storing bookmark card icons and thumbnails" (#21316)
ref https://linear.app/tryghost/issue/ONC-433
ref https://linear.app/tryghost/issue/ENG-904

- the reverted commit (871d21acaf) caused
a regression for recommendations: incoming recommendations were marked
as deleted and did not render in Admin Settings anymore
2024-10-16 08:42:35 +00:00
Daniel Lockyer
b3cf23ebd8 Optimized Bookshelf plugin sanitize.permittedOptions
- concat is too heavy of a function to call on the hotpath, so we can
  just replace it with a native spread, which is much faster
- this cuts ~1.5% from boot time for sites with a lot of posts
2024-10-16 10:38:25 +02:00
renovate[bot]
b70bb13fb4 Update sentry-javascript monorepo to v7.119.2 2024-10-15 15:57:58 +02:00
renovate[bot]
a8f9b45038 Update dependency @actions/core to v1.11.1 2024-10-15 14:54:31 +02:00
renovate[bot]
7dc0415439 Update sentry-javascript monorepo to v7.119.1 2024-10-15 14:37:04 +02:00
Daniel Lockyer
8fd32f012b Lazyloaded jsdom dependency
- we can move this later into the code to prevent it from being eagerly
  loaded and taking up CPU time and memory
2024-10-15 11:27:22 +02:00
Daniel Lockyer
1c9e55cf7b Added metrics + monitoring to DatabaseStateManager
ref https://linear.app/tryghost/issue/DEV-32/remove-migratejs-script

- we want to switch to using this code path instead of our separate
  migrate.js script on Pro
- the main things we're missing are metrics + monitoring for when things
  go wrong, so this adds that to the DatabaseStateManager
- this allows us to eventually delete the script without losing
  functionality
2024-10-15 10:33:23 +02:00
Daniel Lockyer
6dd821bd41
Fixed setting minification ready state upon failure (#21294)
- this will prevent the `ready` variable from being set to true if there
is an error with minification, as we have not correctly generated the
assets yet
2024-10-14 14:09:50 +00:00
Daniel Lockyer
f1638b869c Added more exclusion fields from URL service config
- we don't need any of these fields to do URL service calculations, so
  we can exclude them from being fetched, which improves performance of
  URL service init
- ultimately, we should switch this to an include list to make this more
  explicit
2024-10-14 14:37:54 +02:00
Daniel Lockyer
96f6adecac Stripped moment from data-manipulation.fixDatesWhenFetch
- we don't need moment here and we can produce the same result in JS
  Date, which is a lot faster than moment
2024-10-14 14:37:54 +02:00
Daniel Lockyer
7bd70a3ab2 Deferred heavy permittedAttributes call unless needed
- this code is on the hotpath for the URL service and has shown to be
  slow for sites with a lot of posts
- this is due to the overhead of the lodash functions we use here
- we can take advantage of how JS executes if-statements and move the
  variable into the if-statement, which lazy evaluates it (for the URL
  service, this branch is not hit, so it's a big win)
- this cuts about 2% from CPU time
2024-10-14 14:37:54 +02:00
Daniel Lockyer
dd68fca968 Replaced lodash.{pick,union} with native JS
- this code is a hotpath for the URL service and has shown to be slow
  for sites with a lot of posts
- this is because of the overhead of lodash
- we can just do away with lodash and use native JS, which has
  a negligible performance cost
- this cuts about 5% CPU time during boot of large sites
2024-10-14 14:37:54 +02:00
Daniel Lockyer
30220aa6ef Stripped moment from BaseSiteMapGenerator
- moment calls are unbelievably heavy and we should do away with it
  where possible
- this code doesn't need moment and we can just use native JS Date here
- this saves about 5% CPU time when booting sites with a lot of posts
2024-10-14 14:37:54 +02:00
Daniel Lockyer
b376585c64 Optimized Resources constructor
- this code has shown to be chronically slow, due to the `Object.assign`
- we don't really need this, as we can just use a normal assign in this
  case
- this cuts 15% CPU from boot time for sites with a lot of resources
  (posts)
2024-10-14 14:37:54 +02:00
Daniel Lockyer
90fbbe135f Deferred URL generation until after filter
- it turns out we it the false case of this if-statement quite a lot,
  and _generateUrl is heavy enough that we should try and do it less
- by moving it into the if-statement, we cut 4% CPU time from boot on
  heavy sites
2024-10-14 14:37:54 +02:00
Daniel Lockyer
70eb96f33a Replaced lodash.each with native JS in raw_knex
- lodash adds non-negligible runtime to this loop, so we can just
  replace it with native JS and cut 3% CPU time from boot for sites
  with a large number of posts
2024-10-14 14:37:54 +02:00
Daniel Lockyer
b0cf15cb94 Refactored Resources._fetch to async-await
- aids with readability
2024-10-14 14:37:54 +02:00
Daniel Lockyer
df76883378 Optimized date + boolean deserialization code
- we have to deserialize the values from the DB to turn them into moment + boolean values
- the use of lodash adds unnecessary overhead to the function, and writing it in native JS
  is a low faster
- also fixes the naming of the functions to make it clearer in flamegraphs
2024-10-14 14:37:54 +02:00
renovate[bot]
346f41991f Update dependency yjs to v13.6.20 2024-10-14 00:24:37 +00:00
Ghost CI
b7409ff3d2 v5.96.1 2024-10-11 15:05:17 +00:00
Kevin Ansfield
54a7f70a3c Removed lodash usage from config helpers
no issue

- config helpers are required early during boot and it requiring lodash added some unnecessary require+compile time
- switched to using an inlined escapeRegExp function in place of requiring lodash
2024-10-10 17:44:24 +01:00
Kevin Ansfield
8d4d6b6516 Removed lodash usage from config utils
no issue

- config utils are required early during boot and it requiring lodash added some unnecessary require+compile time
- switched to using native JS for the few lodash methods we used
2024-10-10 17:26:19 +01:00
Kevin Ansfield
e97717a0cc Added flag to skip gscan checks during boot
no issue

- bumped gscan version to provide `skipChecks` flag to `check` function
- added `optimization:themes:skipBootChecks` config flag defaulting to `false` to maintain current behaviour
  - updated theme service initialization to use `skipChecks: true` when the config flag is set
  - we only want to skip the checks during boot in specific cases to improve performance, they are still useful for general development and any production use-cases where themes get edited directly on the server
- updated our theme validate module to accept and pass through `skipChecks` option
- switched the `isZip` positional argument of `validate.check()` to an options object property to make usage cleaner
2024-10-10 16:27:43 +01:00
Daniel Lockyer
b092929bba Lazy-minified assets at first request
- right now, we minify the assets on boot. This is wasteful because they're not even needed
- this commit implements a change which lazy-minifies these assets and
  allows for cache invalidation when the theme changes
- it also introduces some middleware that each asset calls to ensure
  that the assets are minified before serving
2024-10-10 14:36:28 +01:00
Daniel Lockyer
0862989b2e Lazyloaded dependencies
- these dependencies do not need to be eagerly loaded so we can move
  them down to where they are used
2024-10-10 13:38:56 +01:00