closes https://github.com/TryGhost/Ghost/issues/11078
Problem:
- the admin client makes an XHR request to the `/private/` endpoint when a private site is configured
- when a separate admin URL is configured this was causing 500 errors in the admin client because missing CORS headers on the endpoint was causing browsers to abort the request
- browsers will also look at the CORS headers on any resources that are the result of a redirect and abort the request if they do not allow cross-origin requests, this means allowing all requests on `/private/` is not enough
Solution:
- uses the `cors` middleware with a dynamic options function for the whole of the front-end site app
- dynamic options function allows the following requests through:
- same-origin (browsers and non-browser agents will not send an `Origin` header)
- origin is `localhost` or `127.0.0.1` with any protocol and port
- origin matches the configured `url` hostname+port on any protocol
- origin matches the configured `admin:url` hostname+port on any protocol
no issue
- when too many login attempts were detected for the `/private/` form we were throwing 500 errors instead of the more appropriate 429 error that we use everywhere else for "too many request" type errors
no issue
- @tryghost/url-utils was bumped to 0.3.1 which fixed admin redirects returning relative rather than absolute URLs
- updates tests that were expecting relative URLs rather than absolute URLs
refs #10496
- currently {{asset this/is/not/a.string}} would throw a 500 error
- this commit changes that to make it throw a sensible 400 + incorrect usage error
no-issue
* Installed @tryghost/members-ssr@0.4.0
This now supports caching of the data returned by the members-api
* Renamed cookies set by members-ssr
As discussed with @ErisDS I have prefixed these cookies with `ghost`
no-issue
When installing new packages yarn sorts them alphabetically, this meant
that installing/updating packages would have extra changes which would
be noisy either to developers or the git history.
fixes#10990
- Changed the static router to throw a 400 error for a missing template file, rather than falling back to using the default.hbs file
- Falling back is weird and hard to understand, but throwing an error makes it clear that the user has to provide the matching template
- The new error reads 'Missing template [filename].hbs for route "[route]".'
Assume you have a route.yaml file something like:
```
routes:
/: home
```
- In Ghost v2, if you don't have a home.hbs template, Ghost falls back to using the default.hbs file if it's available
- Most themes have a default.hbs, however this file is a layout file, depended on by other templates, not a template file itself
- In production mode, using the default.hbs as a template causes weird, intermittent layout issues depending on which order pages are loaded
- This is due to this issue: https://github.com/barc/express-hbs/issues/161
- In Ghost v3, we will throw a 400 error for missing template files instead of having a fallback
- In the example above, navigating to '/' would throw the error 'Missing template home.hbs for route "/".'
no-issue
* Installed members-api@0.5.0 members-ssr@0.3.1
* Supported multiple members-forms
* Used members canary api
* Added GET handler to /members/ssr for id token
The identity token will be used to ensure that a payment is linked to the correct member
* Added stripe.js to ghost_head when members enabled
* Added basic support for linking to stripe checkout
* Removed listener to title and icon settings changes
* Added stripe subscription config
no issue
- Drops `ghost_auth_access_token` and `ghost_auth_id` fields since not used anymore
- Adds migration for dropping these columns from users table
- Drops Auth strategy - `ghostStrategy` - since its not used anymore
no issue
- Content API doesn't return primary_tag and primary_author fields by default if authors or tags were not requested
- These fields are still always included in Admin API as a result of having authors and tags loaded (like a sideeffect)
no issue
Current metascraper rule for fetching page metadata in case of bookmark card gives preference to publisher logo over icon tags. This PR updates giving first preference to icon link tags followed by logo.
requires https://github.com/TryGhost/Ghost-Admin/pull/1293
- updates `oembed` endpoint behaviour
- if an oembed provider is not found then we use `metascraper` to populate a metadata object
- when metadata is returned rather than an oembed response the payload will look like this:
```json
{
"url": "...",
"type": "bookmark",
"metadata": {
"url": "...",
"title": "...",
"description": "...",
"author": "...",
"publisher": "...",
"thumbnail": "...",
"icon": "..."
}
}
```
- adds a `bookmark` card which generates output for the bookmark card:
```html
<figure class="kg-card kg-bookmark-card">
<a href="[URL]" class="kg-bookmark-container">
<div class="kg-bookmark-content">
<div class="kg-bookmark-title">[TITLE]</div>
<div class="kg-bookmark-description">[DESCRIPTION]</div>
<div class="kg-bookmark-metadata">
<img src="[ICON]" class="kg-bookmark-icon">
<span class="kg-bookmark-author">[AUTHOR]</span>
<span class="kg-bookmark-publisher">[PUBLISHER]</span>
</div>
</div>
<div class="kg-bookmark-thumbnail">
<img src="[THUMBNAIL]">
</div>
</a>
</figure>
```
- if a particular bit of data does not exist then the associated html element will not be present
closes#10531
- Adds space when encountering closing </p> and <br> tags
- The mobiledoc-to-html conversion produces these tags in this exact
syntax, so there is no need to account for more cases like additional spaces or alternative syntax like <br />
- Added test cases that cover spacing use-casei
- Changed some existing tests to contain more close-to-real-world markup
- The downside of this approach is generating multiple spaces in case there are empty paragraphs in the markup. The same concern is true for current "new line" substitution:
> excerpt.replace(/(\r\n|\n|\r)+/gm, ' ')
but it never has been a concern as in real world when multiple spaces are used inside of the `<p>` tag they are rendered as single space.