Commit Graph

213 Commits

Author SHA1 Message Date
renovate[bot]
6fc497743d
Updated @tryghost dependencies (#15479)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2022-10-12 10:16:05 +07:00
Simon Backx
e7378520a0
🔒 Prevented member creation when logging in (#15526)
fixes https://github.com/TryGhost/Ghost/issues/14508

This change requires the frontend to send an explicit `emailType` when sending a magic link. We default to `subscribe` (`signin` for invite only sites) for now to remain compatible with the existing behaviour.

**Problem:**
When a member tries to login and that member doesn't exist, we created a new member in the past.

- This caused the creation of duplicate accounts when members were guessing the email address they used.
- This caused the creation of new accounts when using an old impersonation token, login link or email change link that was sent before member deletion.

**Fixed:**
- Trying to login with an email address that doesn't exist will throw an error now.
- Added new and separate rate limiting to login (to prevent user enumeration). This rate limiting has a higher default limit of 8. I think it needs a higher default limit (because it is rate limited on every call instead of per email address. And it should be configurable independent from administrator rate limiting. It also needs a lower lifetime value because it is never reset.
- Updated error responses in the `sendMagicLink` endpoint to use the default error encoding middleware.
- The type (`signin`, `signup`, `updateEmail` or `subscribe`) is now stored in the magic link. This is used to prevent signups with a sign in token.

**Notes:**
- Between tests, we truncate the database, but this is not enough for the rate limits to be truly reset. I had to add a method to the spam prevention service to reset all the instances between tests. Not resetting them caused random failures because every login in every test was hitting those spam prevention middlewares and somehow left a trace of that in those instances (even when the brute table is reset). Maybe those instances were doing some in memory caching.
2022-10-05 12:42:42 +02:00
renovate[bot]
2c2ee81adb
Update Test & linting packages 2022-10-05 00:36:08 +00:00
renovate[bot]
9eb3c84a23
Updated @tryghost dependencies (#15434)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2022-09-27 08:31:35 +07:00
renovate[bot]
225765241c
Updated @tryghost dependencies (#15404)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2022-09-19 12:09:33 +01:00
Elijah
3c94812ee5
Added missing return in create-stripe-update-session
no issue

- Return was missing for `res.end` if an invalid subscription_id was passed
- Added explicit `text/plain` `Content-Type` headers to error messages to avoid MIME sniffing

Signed-off-by: Elijah Conners <business@elijahpepe.com>
Co-authored-by: Simon Backx <simon@ghost.org>
2022-08-29 14:02:58 +02:00
Daniel Lockyer
f51226e5fb Organized package dependencies
- cleaned up unused dependencies
- adds missing dependencies that are used in the code
- this should help us be more explicit about the dependencies a package
  uses
2022-08-18 11:55:49 +02:00
Daniel Lockyer
54aa9f016b Fixed full Admin test suite running during unit tests
- because of how the npm scripts were set up, we were running the full
  Admin integration tests during the unit tests phase of CI
- this commit renames the majority of `test` to `test:unit` in the
  package.json files, and aliases `test` to `test:unit`
- special packages like Admin have no-op'd `test:unit` scripts so we
  don't end up running its tests
2022-08-15 15:34:52 +02:00
Simon Backx
82a3133ace
Added replies/likes count and limited replies to comments (#15206)
refs https://github.com/TryGhost/Team/issues/1723

- Added count.replies to comments
- Added replies endpoint
- Limited returned replies to 3.
- Replaced likes_count with count.likes in comments
- Instead of fetching all the likes of a comment to determine the total count, we'll now use count.likes
- Instead of fetching all the likes of a comment to determine whether a member liked a comment, we'll now use count.liked (which returns the amount of likes of the current member, being 0 or 1). This is mapped to `liked` to make it more natural to work with.

The `members.test.snap` file changed because we no longer include `liked: false` if we didn't fetch the liked relation. And in the comments events of the activity feed the liked property is therefore removed.

These changes requires an update to the `bookshelf-include-count` plugin:
- Updated to also work for nested relations
- This moves the count queries from the `bookshelf-include-count` plugin to the `countRelations` method of each model.
- Updated to keep the counts after saving a model (crud.edit didn't return the counts before)
2022-08-10 16:12:35 +02:00
Daniel Lockyer
5f8b448ab6
Deleted @types/node dependency
- this was originally imported to bring better types in but is no longer
  needed right now
2022-08-05 08:58:49 +02:00
Daniel Lockyer
73bd9a8e1a
Deleted typescript config files
- these aren't needed any more because the packages are in the same repo
  as Ghost, so jsdocs + types should Just Work ™️
2022-08-03 12:49:32 +02:00
Daniel Lockyer
308a28d31a
Tidied up package READMEs
refs https://github.com/TryGhost/Toolbox/issues/354

- these READMEs were migrated over from when each package was in a
  different repo
- they also assume you're going to be publishing the packages because it
  mentions install instructions
- only a few of them contain custom content
- this commit deletes the majority of these files because they're now
  not useful
- any that contained other instructions have been cut down
2022-07-25 15:17:12 +02:00
Daniel Lockyer
61125d7605
Removed repository from component package.json files
refs https://github.com/TryGhost/Toolbox/issues/354

- these repository links made sense when they were in different repos
  and published to NPM but we don't publish these packages any more
- this commit deletes those keys from the files
2022-07-25 11:15:16 +02:00
Daniel Lockyer
d73d7da7ef
Deleted non-root LICENSE files
- these were copied over during the monorepo conversion but we're not
  going to be publishing these packages so the top-level LICENSE file
  covers all packages here
2022-07-25 08:35:59 +02:00
renovate[bot]
d228144c27 Pin dependencies 2022-07-21 16:27:57 +02:00
Daniel Lockyer
03cb00e7fb
Unified some package scripts
- reworked lint script to follow the format of others
- deleted posttest linting from members-ssr
2022-07-21 09:51:16 +02:00
Daniel Lockyer
9ec83a6e21
Disabled publishing for Members packages
- we don't want to publish these anymore so this commit disables the
  ability to
- also fixes up a missing version that wasn't reset
2022-07-21 09:26:04 +02:00
Daniel Lockyer
376ee24600
Switched to unversioned Members packages
- these packages are split apart for local development, but will be
  bundled into Ghost when publishing
- therefore, these packages won't be published so we are resetting the
  versions to make them cleaner
2022-07-21 09:15:29 +02:00
renovate[bot]
16d3045997 Update dependency @types/node to v16.11.45 2022-07-20 18:08:14 +02:00
renovate[bot]
bc4aebf163 Update Test & linting packages 2022-07-19 18:55:22 +00:00
Fabien "egg" O'Carroll
c41f067ea8 Published new versions
- @tryghost/domain-events@0.1.14
 - @tryghost/express-dynamic-redirects@0.2.13
 - @tryghost/magic-link@1.0.26
 - @tryghost/member-analytics-service@0.1.16
 - @tryghost/member-events@0.4.6
 - @tryghost/members-analytics-ingress@0.1.17
 - @tryghost/members-api@8.0.0
 - @tryghost/members-csv@1.2.15
 - @tryghost/members-events-service@0.4.3
 - @tryghost/members-importer@0.5.14
 - @tryghost/members-ssr@1.0.28
 - @tryghost/members-offers@0.11.6
 - @tryghost/members-payments@0.3.6
 - @tryghost/members-stripe-service@0.10.5
 - @tryghost/verification-trigger@0.2.5
2022-05-16 19:29:05 +01:00
Renovate Bot
a599830920 Update dependency c8 to v7.11.3 2022-05-16 05:20:36 +00:00
Aileen Nowak
152a2ea41f Published new versions
- @tryghost/domain-events@0.1.13
 - @tryghost/express-dynamic-redirects@0.2.12
 - @tryghost/magic-link@1.0.25
 - @tryghost/member-analytics-service@0.1.15
 - @tryghost/member-events@0.4.5
 - @tryghost/members-analytics-ingress@0.1.16
 - @tryghost/members-api@7.0.1
 - @tryghost/members-csv@1.2.14
 - @tryghost/members-events-service@0.4.2
 - @tryghost/members-importer@0.5.13
 - @tryghost/members-ssr@1.0.27
 - @tryghost/members-offers@0.11.5
 - @tryghost/members-payments@0.3.5
 - @tryghost/members-stripe-service@0.10.4
 - @tryghost/verification-trigger@0.2.4
2022-05-10 11:40:41 -04:00
Renovate Bot
7af0eb6fdf Update dependency sinon to v14 2022-05-09 04:41:01 +00:00
Simon Backx
0111e23fb7 Published new versions
- @tryghost/domain-events@0.1.12
 - @tryghost/express-dynamic-redirects@0.2.11
 - @tryghost/magic-link@1.0.24
 - @tryghost/member-analytics-service@0.1.14
 - @tryghost/member-events@0.4.4
 - @tryghost/members-analytics-ingress@0.1.15
 - @tryghost/members-api@6.3.1
 - @tryghost/members-csv@1.2.13
 - @tryghost/members-events-service@0.4.1
 - @tryghost/members-importer@0.5.12
 - @tryghost/members-ssr@1.0.26
 - @tryghost/members-offers@0.11.4
 - @tryghost/members-payments@0.3.4
 - @tryghost/members-stripe-service@0.10.3
 - @tryghost/verification-trigger@0.2.3
2022-05-03 16:40:39 +02:00
Renovate Bot
bddc9a5159 Update dependency c8 to v7.11.2 2022-05-02 21:39:21 +00:00
Fabien "egg" O'Carroll
b8545d2912 Published new versions
- @tryghost/domain-events@0.1.11
 - @tryghost/express-dynamic-redirects@0.2.10
 - @tryghost/magic-link@1.0.23
 - @tryghost/member-analytics-service@0.1.13
 - @tryghost/member-events@0.4.3
 - @tryghost/members-analytics-ingress@0.1.14
 - @tryghost/members-api@6.3.0
 - @tryghost/members-csv@1.2.12
 - @tryghost/members-events-service@0.4.0
 - @tryghost/members-importer@0.5.11
 - @tryghost/members-ssr@1.0.25
 - @tryghost/members-offers@0.11.3
 - @tryghost/members-payments@0.3.3
 - @tryghost/members-stripe-service@0.10.2
 - @tryghost/verification-trigger@0.2.2
2022-05-02 19:11:55 +01:00
Renovate Bot
cddf87863e Update dependency mocha to v10 2022-05-02 02:29:13 +00:00
Simon Backx
a0a50f7acc Published new versions
- @tryghost/domain-events@0.1.10
 - @tryghost/express-dynamic-redirects@0.2.9
 - @tryghost/magic-link@1.0.22
 - @tryghost/member-analytics-service@0.1.12
 - @tryghost/member-events@0.4.2
 - @tryghost/members-analytics-ingress@0.1.13
 - @tryghost/members-api@6.2.0
 - @tryghost/members-csv@1.2.11
 - @tryghost/members-events-service@0.3.4
 - @tryghost/members-importer@0.5.9
 - @tryghost/members-ssr@1.0.24
 - @tryghost/members-offers@0.11.2
 - @tryghost/members-payments@0.3.2
 - @tryghost/members-stripe-service@0.10.1
 - @tryghost/verification-trigger@0.2.1
2022-04-27 19:08:40 +02:00
Renovate Bot
a49bb037c4 Update Test & linting packages 2022-04-27 12:16:56 +00:00
Thibaut Patel
c37021c575 Published new versions
- @tryghost/domain-events@0.1.9
 - @tryghost/express-dynamic-redirects@0.2.7
 - @tryghost/magic-link@1.0.21
 - @tryghost/member-analytics-service@0.1.11
 - @tryghost/member-events@0.4.1
 - @tryghost/members-analytics-ingress@0.1.12
 - @tryghost/members-api@5.3.0
 - @tryghost/members-csv@1.2.7
 - @tryghost/members-events-service@0.3.2
 - @tryghost/members-importer@0.5.4
 - @tryghost/members-ssr@1.0.23
 - @tryghost/members-offers@0.10.9
 - @tryghost/members-payments@0.1.11
 - @tryghost/members-stripe-service@0.9.1
 - @tryghost/verification-trigger@0.1.6
2022-03-11 22:45:26 +01:00
Renovate Bot
0ad973c8b5 Update dependency mocha to v9.2.2 2022-03-11 18:04:58 +00:00
Thibaut Patel
dafda42e0a Published new versions
- @tryghost/domain-events@0.1.8
 - @tryghost/express-dynamic-redirects@0.2.6
 - @tryghost/magic-link@1.0.20
 - @tryghost/member-analytics-service@0.1.10
 - @tryghost/member-events@0.4.0
 - @tryghost/members-analytics-ingress@0.1.11
 - @tryghost/members-api@5.0.4
 - @tryghost/members-csv@1.2.6
 - @tryghost/members-events-service@0.1.0
 - @tryghost/members-importer@0.5.3
 - @tryghost/members-ssr@1.0.22
 - @tryghost/members-offers@0.10.8
 - @tryghost/members-payments@0.1.10
 - @tryghost/members-stripe-service@0.8.4
 - @tryghost/verification-trigger@0.1.5
2022-03-01 10:36:48 +01:00
Daniel Lockyer
db696a9272 Added --all to c8 command
refs https://github.com/TryGhost/Toolbox/issues/203

- without `--all`, c8 ignores files that should be included in the
  coverage score but aren't used in tests
- this means we have artificially high scores in places where this isn't
  used
- this commit adds `--all` where previously missing
- where this fails `--check-coverage`, that has been removed for now
2022-02-21 13:08:55 +01:00
Renovate Bot
d813510a07 Update dependency mocha to v9.2.1 2022-02-21 00:05:27 +00:00
Fabien "egg" O'Carroll
6c1081df23 Published new versions
- @tryghost/magic-link@1.0.19
 - @tryghost/members-api@5.0.2
 - @tryghost/members-csv@1.2.5
 - @tryghost/members-importer@0.5.2
 - @tryghost/members-ssr@1.0.21
 - @tryghost/members-stripe-service@0.8.2
2022-02-17 14:05:22 +02:00
Daniel Lockyer
f229d1077d Fixed repository link in old packages
- these are some of our first packages here and use `master` in their
  repository link
- we've since switched the repo to use `main` but these links were not
  updated
- this commit updates the links
2022-02-16 09:32:32 +01:00
Daniel Lockyer
a0f716f475 Published new versions
- @tryghost/domain-events@0.1.7
 - @tryghost/express-dynamic-redirects@0.2.5
 - @tryghost/magic-link@1.0.18
 - @tryghost/member-analytics-service@0.1.9
 - @tryghost/member-events@0.3.5
 - @tryghost/members-analytics-ingress@0.1.10
 - @tryghost/members-api@5.0.1
 - @tryghost/members-csv@1.2.4
 - @tryghost/members-importer@0.5.1
 - @tryghost/members-ssr@1.0.20
 - @tryghost/members-offers@0.10.7
 - @tryghost/members-payments@0.1.9
 - @tryghost/members-stripe-service@0.8.1
 - @tryghost/verification-trigger@0.1.4
2022-02-15 13:42:23 +01:00
Renovate Bot
463317eb76 Update dependency sinon to v13 2022-02-15 13:39:43 +01:00
Renovate Bot
5e91609abb Update Test & linting packages 2022-02-15 13:35:28 +01:00
Hannah Wolfe
3dcf85d5e4 Ensured correct usage of @tryghost/errors everywhere
refs: 23b383bedf

- @tryghost/error constructors take an object, not a string - the expectation is that message, context & help should all be set
- This does the bare minimum and just ensures message is set correctly
2022-02-15 12:30:36 +00:00
Renovate Bot
7c43b14f18 Update dependency @types/node to v16 2022-02-15 12:57:04 +01:00
Thibaut Patel
bb1d5de381 Published new versions
- @tryghost/domain-events@0.1.6
 - @tryghost/magic-link@1.0.17
 - @tryghost/member-analytics-service@0.1.7
 - @tryghost/members-analytics-ingress@0.1.8
 - @tryghost/members-api@4.5.0
 - @tryghost/members-ssr@1.0.19
 - @tryghost/members-offers@0.10.6
 - @tryghost/members-payments@0.1.8
2022-01-21 17:57:25 +01:00
renovate[bot]
90efe73e5b Update dependency keypair to v1.0.4 [SECURITY] (#339)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2022-01-21 16:00:22 +02:00
renovate[bot]
4d77c41858 Update dependency @types/cookies to v0.7.7 (#293)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2022-01-21 15:58:23 +02:00
Fabien "egg" O'Carroll
883945886c Published new versions
- @tryghost/domain-events@0.1.5
 - @tryghost/express-dynamic-redirects@0.2.4
 - @tryghost/magic-link@1.0.16
 - @tryghost/member-analytics-service@0.1.6
 - @tryghost/member-events@0.3.3
 - @tryghost/members-analytics-ingress@0.1.7
 - @tryghost/members-api@4.2.0
 - @tryghost/members-csv@1.2.3
 - @tryghost/members-importer@0.4.1
 - @tryghost/members-ssr@1.0.18
 - @tryghost/members-offers@0.10.5
 - @tryghost/members-payments@0.1.7
 - @tryghost/members-stripe-service@0.6.3
2022-01-20 17:49:29 +02:00
Renovate Bot
a2bcff314f Update dependency c8 to v7.11.0 2022-01-20 14:30:04 +00:00
Fabien "egg" O'Carroll
379fbc7f13 Published new versions
- @tryghost/domain-events@0.1.4
 - @tryghost/express-dynamic-redirects@0.2.3
 - @tryghost/magic-link@1.0.15
 - @tryghost/member-analytics-service@0.1.5
 - @tryghost/member-events@0.3.2
 - @tryghost/members-analytics-ingress@0.1.6
 - @tryghost/members-api@3.0.0
 - @tryghost/members-csv@1.2.1
 - @tryghost/members-importer@0.3.6
 - @tryghost/members-ssr@1.0.17
 - @tryghost/members-stripe-service@0.5.2
 - @tryghost/members-offers@0.10.4
 - @tryghost/members-payments@0.1.6
2022-01-10 17:56:12 +02:00
John O'Nolan
b7cd251d5c 2022 2022-01-06 10:09:25 +00:00
Sam Lord
f0c1107de4 Published new versions
- @tryghost/members-api@2.8.4
 - @tryghost/members-ssr@1.0.16
 - @tryghost/members-stripe-service@0.5.1
2021-12-02 14:52:59 +00:00