closes https://linear.app/tryghost/issue/ENG-1617/
closes https://linear.app/tryghost/issue/ENG-1619/
- updated cookie authenticator's `authenticate` method to accept an `{identification, password, token}` object
  - if `token` is provided, hit our `PUT /session/verify/` endpoint passing through the token instead of hitting the `POST /session/` endpoint
- added `signin/verify` route
  - displays a 2fa code input field, including required attributes for macOS auto-fill from email/messages to work
  - uses `session.authenticate({token})` when submitted
- updated signin routine to detect token-required state
  - detects a `403` response with a `2FA_TOKEN_REQUIRED` code property when authenticating
  - if detected transitions to the `signin/verify` route
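A framework-free model of the sign-in flow described in the commit above, added here as an example rather than taken from Ghost's own code. The endpoint paths and the `2FA_TOKEN_REQUIRED` code come from the commit message; the synchronous `transport` interface, the `errors[0].code` response shape, the `TwoFactorRequired` class and the fake server are assumptions made for this example.

```javascript
// Added example, not Ghost's own code. Assumed: a synchronous `transport`
// function, an `errors[0].code` response shape, and the names below.

const TWO_FA_REQUIRED = '2FA_TOKEN_REQUIRED';

// Thrown by the authenticator when the server asks for a second factor.
class TwoFactorRequired extends Error {
  constructor() {
    super('second factor required');
    this.code = TWO_FA_REQUIRED;
  }
}

// Choose the request the cookie authenticator sends: with a token, verify the
// pending session via PUT; without one, create a session via POST.
function buildSessionRequest({ identification, password, token }) {
  if (token) {
    return { method: 'PUT', url: '/session/verify/', body: { token } };
  }
  return { method: 'POST', url: '/session/', body: { username: identification, password } };
}

// Classify a failed response: a 403 whose first error carries the 2FA code
// means "go to signin/verify"; anything else is an ordinary sign-in failure.
function classifySigninFailure(response) {
  const errors = (response.body && response.body.errors) || [];
  const code = errors.length ? errors[0].code : undefined;
  return response.status === 403 && code === TWO_FA_REQUIRED ? 'verify' : 'error';
}

// The authenticator: resolves on 2xx, throws TwoFactorRequired when the
// server wants a token, throws a plain Error on any other failure.
function authenticate(transport, credentials) {
  const response = transport(buildSessionRequest(credentials));
  if (response.status >= 200 && response.status < 300) {
    return { authenticated: true };
  }
  if (classifySigninFailure(response) === 'verify') {
    throw new TwoFactorRequired();
  }
  throw new Error(`sign-in failed with status ${response.status}`);
}

// Sign-in routine: returns the route the app should transition to.
function signIn(transport, { identification, password }) {
  try {
    authenticate(transport, { identification, password });
    return 'dashboard';
  } catch (err) {
    return err instanceof TwoFactorRequired ? 'signin/verify' : 'signin';
  }
}

// What the signin/verify route does on submit; throws if the token is rejected.
function verify(transport, token) {
  authenticate(transport, { token });
  return 'dashboard';
}

// Constructed test double, not a real Ghost backend: POST with the right
// password opens a pending session and answers 403 with the 2FA code;
// PUT /session/verify/ completes it only with the expected token.
function makeFakeTransport({ password: expectedPassword, token: expectedToken }) {
  let pending = false;
  return ({ method, url, body }) => {
    if (method === 'POST' && url === '/session/') {
      if (body.password !== expectedPassword) {
        return { status: 401, body: { errors: [{ code: 'UNAUTHORIZED' }] } };
      }
      pending = true;
      return { status: 403, body: { errors: [{ code: TWO_FA_REQUIRED }] } };
    }
    if (method === 'PUT' && url === '/session/verify/') {
      if (!pending || body.token !== expectedToken) {
        return { status: 401, body: { errors: [{ code: 'INVALID_TOKEN' }] } };
      }
      pending = false;
      return { status: 201, body: {} };
    }
    return { status: 404, body: {} };
  };
}
```

The point worth noting from a defender's side is that the verify step is only reachable once the password step has opened a pending session on the server; the client merely routes on the `403` + `2FA_TOKEN_REQUIRED` signal and never decides for itself whether the second factor is needed.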
no issue
Having `session.user` return a promise made dealing with it in components difficult because you always had to remember it returned a promise rather than a model and had to handle the async behaviour. It also meant that you couldn't use any current user properties directly inside getters which made refactors to Glimmer/Octane idioms harder to reason about.
`session.user` was a cached computed property so it really made no sense for it to be a promise - it was loaded on first access and then always returned instantly but with a fulfilled promise rather than the underlying model.
Refactoring to a synchronous property that is loaded as part of the authentication flows (we load the current user to check that we're logged in - we may as well make use of that!) means one less thing to be aware of/remember and provides a nicer migration process to Glimmer components. As part of the refactor, the auth flows and pre-load of required data across other services was also simplified to make it easier to find and follow.
- refactored app setup and `session.user`
  - added `session.populateUser()` that fetches a user model from the current user endpoint and sets it on `session.user`
  - removed knowledge of app setup from the `cookie` authenticator and moved it into `session.postAuthPreparation()`, this means we have the same post-authentication setup no matter which authenticator is used so we have more consistent behaviour in tests which don't use the `cookie` authenticator
  - switched `session` service to native class syntax to get the expected `super()` behaviour
  - updated `handleAuthentication()` so it populates `session.user` and performs post-auth setup before transitioning (handles sign-in after app load)
  - updated `application` route to remove duplicated knowledge of app preload behaviour that now lives in `session.postAuthPreparation()` (handles already-authed app load)
  - removed out-of-date attempt at pre-loading data from setup controller as that's now handled automatically via `session.handleAuthentication`
- updated app code to not treat `session.user` as a promise
  - predominant usage was router `beforeModel` hooks that transitioned users without valid permissions, this sets us up for an easier removal of the `current-user-settings` mixin in the future
refs 10b48b1d6d
refs 1531712d92
- the tour feature is no longer used so all associated code can be removed
- removes `liquid-tether` dependency as it was only used by the tour throbbers/popovers
no issue
- adds `whats-new` service that fetches the changelog from ghost.org and exposes the latest changelog entries
- trigger a background fetch of the changelog from ghost.org when first loading the admin when logged in, or after signing in
- adds a "What's new" menu item next to the user popup menu
- adds an indicator to the user menu button and what's new menu item if there are unseen changelog entries
- closing the changelog modal will update the "last seen date", clearing both indicators
closes https://github.com/TryGhost/Ghost/issues/10995
- when first loading the site preview, if private mode is enabled submit the login form in the background to get the cookie before loading the iframe
- refactors post-authentication preloading to ensure it occurs before post-authentication route hooks are called
- adds `showSuccess` attribute to `<GhTaskButton>` so that when set to `false` it can stay in the running state after "success" to avoid state change flashes whilst waiting for a transition
refs #9865
- removed all `oauth2` and token-based ESA auth
- added new `cookie` authenticator which handles session creation
- updated the session store to extend from the `ephemeral` in-memory store and to restore by fetching the currently logged in user and using the success/failure state to indicate authentication state
  - ESA automatically calls this `.restore()` method on app boot
  - the `session` service caches the current-user query so there's no unnecessary requests being made for the "logged in" state
- removed the now-unnecessary token refresh and logout routines from the `application` route
- removed the now-unnecessary token refresh routines from the `ajax` service
- removed `access_token` query param from iframe file downloaders
- changed Ember Data adapters and `ghost-paths` to use the `/ghost/api/v2/admin/` namespace
no issue
- disabled Ember Simple Auth's default token revocation
  - we trigger session invalidation on a 401 which means our token isn't valid so the revoke requests will also fail
- renamed application route's `invalidateSession` to `logout` in order to distinguish it from any ESA methods
  - added the token revocation requests to this action, we can be fairly sure at this point that the current tokens will be valid so the requests will succeed
- added check to `ajax.handleResponse` so that we don't invalidate the session for requests to external services
- removed pointless assertion from the ajax integration test
no issue
Automated tools, code generators, and editor integrations are increasingly standardising on the import style used in `ember-modules-codemod`. Our import style differed a little with regards to service/controller injection imports which meant we were starting to see inconsistent naming.
refs https://github.com/TryGhost/Ghost/issues/8958
- Ghost OAuth isn't coming back, time for the code to disappear and simplify all the things
- fixes the `Usage of router is deprecated` notices that flood the console/test logs when testing
no issue
- add eslint-plugin-ember, configure no-old-shims rule
- run `eslint --fix` on `app`, `lib`, `mirage`, and `tests` to move imports to the new module imports
- further cleanup of Ember globals usage
- remove event-dispatcher initializer now that `canDispatchToEventManager` is deprecated
no issue
- adds `eslint-plugin-sort-imports-es6-autofix` dependency
- implements ESLint's base `sort-imports` rule but has a distinction in that `import {foo} from 'bar';` is considered `multiple` rather than `single`
- fixes ESLint's autofix behaviour so `eslint --fix` will actually fix the sort order
- updates all unordered import rules by using `eslint --fix`
With the increased number of `import` statements since Ember+ecosystem started moving towards es6 modules I've found it frustrating at times trying to search through randomly ordered import statements. Recently I've been sorting imports manually when I've added new code or touched old code so I thought I'd add an ESLint rule to codify it.
no issue
- updates `oauth2-ghost` authenticator to reflect the fact that `makeRequest` now returns an ember-ajax and matches the `oauth2` authenticator behaviour
- handle `UnauthorizedError` errors in application route's error handler to avoid tests breaking from unhandled exceptions
no issue
- switch `jscs` and `jshint` inline config to `eslint` config
- fix eslint errors, predominantly in tests where the config now matches the main app config more closely
no issue
- drop `jshint`, `jscs`, and `ember-suave` dependencies
- remove `grunt` related linting dependencies and tasks
- remove linting build from Travis so that linting can be performed as part of the normal test suite (refs TryGhost/Ghost#7427)
- add `ember-cli-eslint` and `eslint-plugin-ember-suave` dependencies
- configure `eslint` to match our previous coding style
- update config to run eslint tests as part of the normal test run
- add `npm run lint` command to only run linter tests
issue TryGhost/Ghost#7562
- removes the custom endpoint so that we always use `/authentication/token`
- adds missing `grant_type` attribute to our auth data so that the server can switch appropriately
issue TryGhost/Ghost#7452, requires TryGhost/Ghost#7451
- use a `ghostOAuth` config flag to switch between the old-style per-install auth and centralized OAuth auth based on config provided by the server
- add OAuth flows for:
  - setup
  - sign-in
  - sign-up
  - re-authenticate
- add custom `oauth-ghost` authenticator to support our custom data structure
- add test helpers to stub successful/failed oauth authentication
- hide change password form if using OAuth (temporary - a way to change password via oauth provider will be added later)
closes TryGhost/Ghost#6868
- token is refreshed when internet connectivity is established provided the session is still active
- Added navigator.online handler which listens for browser's online status.
- _refreshAccessTokens() is explicitly called when browser becomes online
no issue
- add ember-suave dependency
- upgrade grunt-jscs dependency
- add a new .jscsrc for the client's tests directory that extends from client's base .jscsrc
- separate client tests in Gruntfile jscs task so they pick up the test's .jscsrc
- standardize es6 usage across client
no issue
- added ghost-admin client_id to admin
- added ghost-admin client_secret to admin
- added client.read() api endpoint
- added random generation of client_secret to migration
- removed addClientSecret method
- updated tests
issue #5751
- moves `makeRequest` override of simple-auth's OAuth authenticator into our own custom authenticator (previously our override was not taking effect until after ember-simple-auth's initial authentication routines, hence why it was working for post-login token refreshes but failing on app-boot)