Commit Graph

196 Commits

Author SHA1 Message Date
Daniel Lockyer
c4981a71a2
Merged v5.17.2 into main
v5.17.2
2022-10-05 18:33:12 +07:00
Simon Backx
41a0945592
🐛 Prevented member creation when logging in (#15526)
fixes https://github.com/TryGhost/Ghost/issues/14508

This change requires the frontend to send an explicit `emailType` when sending a magic link. We default to `subscribe` (`signin` for invite only sites) for now to remain compatible with the existing behaviour.

**Problem:**
When a member tries to login and that member doesn't exist, we created a new member in the past.

- This caused the creation of duplicate accounts when members were guessing the email address they used.
- This caused the creation of new accounts when using an old impersonation token, login link or email change link that was sent before member deletion.

**Fixed:**
- Trying to login with an email address that doesn't exist will throw an error now.
- Added new and separate rate limiting to login (to prevent user enumeration). This rate limiting has a higher default limit of 8. I think it needs a higher default limit (because it is rate limited on every call instead of per email address. And it should be configurable independent from administrator rate limiting. It also needs a lower lifetime value because it is never reset.
- Updated error responses in the `sendMagicLink` endpoint to use the default error encoding middleware.
- The type (`signin`, `signup`, `updateEmail` or `subscribe`) is now stored in the magic link. This is used to prevent signups with a sign in token.

**Notes:**
- Between tests, we truncate the database, but this is not enough for the rate limits to be truly reset. I had to add a method to the spam prevention service to reset all the instances between tests. Not resetting them caused random failures because every login in every test was hitting those spam prevention middlewares and somehow left a trace of that in those instances (even when the brute table is reset). Maybe those instances were doing some in memory caching.
2022-10-05 18:11:06 +07:00
Simon Backx
e7378520a0
🔒 Prevented member creation when logging in (#15526)
fixes https://github.com/TryGhost/Ghost/issues/14508

This change requires the frontend to send an explicit `emailType` when sending a magic link. We default to `subscribe` (`signin` for invite only sites) for now to remain compatible with the existing behaviour.

**Problem:**
When a member tries to login and that member doesn't exist, we created a new member in the past.

- This caused the creation of duplicate accounts when members were guessing the email address they used.
- This caused the creation of new accounts when using an old impersonation token, login link or email change link that was sent before member deletion.

**Fixed:**
- Trying to login with an email address that doesn't exist will throw an error now.
- Added new and separate rate limiting to login (to prevent user enumeration). This rate limiting has a higher default limit of 8. I think it needs a higher default limit (because it is rate limited on every call instead of per email address. And it should be configurable independent from administrator rate limiting. It also needs a lower lifetime value because it is never reset.
- Updated error responses in the `sendMagicLink` endpoint to use the default error encoding middleware.
- The type (`signin`, `signup`, `updateEmail` or `subscribe`) is now stored in the magic link. This is used to prevent signups with a sign in token.

**Notes:**
- Between tests, we truncate the database, but this is not enough for the rate limits to be truly reset. I had to add a method to the spam prevention service to reset all the instances between tests. Not resetting them caused random failures because every login in every test was hitting those spam prevention middlewares and somehow left a trace of that in those instances (even when the brute table is reset). Maybe those instances were doing some in memory caching.
2022-10-05 12:42:42 +02:00
Fabien "egg" O'Carroll
28de1720c1 🔒 Fixed magic link endpoint sending multiple emails
refs https://github.com/TryGhost/Team/issues/2024

Without validation it was possible to send a string of comma separated
email addresses to the endpoint, and an email would be sent to each
address, bypassing any rate limiting.

This bug does not allow for an authentication bypass exploit. It is purely a
spam email concern.

Credit: Sandip Maity <maitysandip925@gmail.com>
2022-10-05 10:28:13 +01:00
renovate[bot]
2c2ee81adb
Update Test & linting packages 2022-10-05 00:36:08 +00:00
renovate[bot]
9eb3c84a23
Updated @tryghost dependencies (#15434)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2022-09-27 08:31:35 +07:00
renovate[bot]
225765241c
Updated @tryghost dependencies (#15404)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2022-09-19 12:09:33 +01:00
renovate[bot]
da905b1dff Update dependency @types/nodemailer to v6.4.6 2022-09-13 08:39:26 +01:00
renovate[bot]
fce4b26601 Update dependency @types/jsonwebtoken to v8.5.9 2022-08-24 16:54:58 +02:00
Daniel Lockyer
f51226e5fb Organized package dependencies
- cleaned up unused dependencies
- adds missing dependencies that are used in the code
- this should help us be more explicit about the dependencies a package
  uses
2022-08-18 11:55:49 +02:00
Daniel Lockyer
54aa9f016b Fixed full Admin test suite running during unit tests
- because of how the npm scripts were set up, we were running the full
  Admin integration tests during the unit tests phase of CI
- this commit renames the majority of `test` to `test:unit` in the
  package.json files, and aliases `test` to `test:unit`
- special packages like Admin have no-op'd `test:unit` scripts so we
  don't end up running its tests
2022-08-15 15:34:52 +02:00
Daniel Lockyer
6dde5e40e3
Updated Eslint ECMAScript compatibility to 2022
refs https://github.com/TryGhost/Toolbox/issues/345

- this commit bumps `eslint-plugin-ghost`, which bumps compatiblity to
  2022
- this also removes a lot of the manually-added
  `parserOptions.ecmaVersion` that we had in imported packages, in favor
  of the value set in `eslint-plugin-ghost`
2022-08-09 15:51:40 +02:00
Daniel Lockyer
5f8b448ab6
Deleted @types/node dependency
- this was originally imported to bring better types in but is no longer
  needed right now
2022-08-05 08:58:49 +02:00
renovate[bot]
ef588daa9a Update dependency @types/nodemailer to v6.4.5 2022-08-05 08:34:39 +02:00
Daniel Lockyer
73bd9a8e1a
Deleted typescript config files
- these aren't needed any more because the packages are in the same repo
  as Ghost, so jsdocs + types should Just Work ™️
2022-08-03 12:49:32 +02:00
Daniel Lockyer
308a28d31a
Tidied up package READMEs
refs https://github.com/TryGhost/Toolbox/issues/354

- these READMEs were migrated over from when each package was in a
  different repo
- they also assume you're going to be publishing the packages because it
  mentions install instructions
- only a few of them contain custom content
- this commit deletes the majority of these files because they're now
  not useful
- any that contained other instructions have been cut down
2022-07-25 15:17:12 +02:00
Daniel Lockyer
61125d7605
Removed repository from component package.json files
refs https://github.com/TryGhost/Toolbox/issues/354

- these repository links made sense when they were in different repos
  and published to NPM but we don't publish these packages any more
- this commit deletes those keys from the files
2022-07-25 11:15:16 +02:00
Daniel Lockyer
d73d7da7ef
Deleted non-root LICENSE files
- these were copied over during the monorepo conversion but we're not
  going to be publishing these packages so the top-level LICENSE file
  covers all packages here
2022-07-25 08:35:59 +02:00
renovate[bot]
d228144c27 Pin dependencies 2022-07-21 16:27:57 +02:00
Daniel Lockyer
48fd5ca8cb
Removed posttest linting step
- linting is done as a separate step in CI and it's a git hook upon
  pushing locally, so we don't need to run it after tests
2022-07-21 10:09:36 +02:00
Daniel Lockyer
9ec83a6e21
Disabled publishing for Members packages
- we don't want to publish these anymore so this commit disables the
  ability to
- also fixes up a missing version that wasn't reset
2022-07-21 09:26:04 +02:00
Daniel Lockyer
376ee24600
Switched to unversioned Members packages
- these packages are split apart for local development, but will be
  bundled into Ghost when publishing
- therefore, these packages won't be published so we are resetting the
  versions to make them cleaner
2022-07-21 09:15:29 +02:00
renovate[bot]
16d3045997 Update dependency @types/node to v16.11.45 2022-07-20 18:08:14 +02:00
renovate[bot]
bc4aebf163 Update Test & linting packages 2022-07-19 18:55:22 +00:00
Fabien "egg" O'Carroll
0ff47d4b51 Published new versions
- @tryghost/magic-link@1.1.0
 - @tryghost/members-api@8.3.0
 - @tryghost/members-stripe-service@0.10.6
2022-07-15 11:03:57 +01:00
Fabien 'egg' O'Carroll
f3130d9538 Passed request referrer to magic link service (#408)
refs https://github.com/TryGhost/Team/issues/1174

This paves the way for Ghost to be able to redirect to the referrer
page when dealign with signup magic links. We pass the referrer for
all types of magic links however, to allow extension of this
functionality in the future.

We've also removed the concept of `requestSrc` which has been unused
for a while now.
2022-07-15 11:02:58 +01:00
Fabien "egg" O'Carroll
c41f067ea8 Published new versions
- @tryghost/domain-events@0.1.14
 - @tryghost/express-dynamic-redirects@0.2.13
 - @tryghost/magic-link@1.0.26
 - @tryghost/member-analytics-service@0.1.16
 - @tryghost/member-events@0.4.6
 - @tryghost/members-analytics-ingress@0.1.17
 - @tryghost/members-api@8.0.0
 - @tryghost/members-csv@1.2.15
 - @tryghost/members-events-service@0.4.3
 - @tryghost/members-importer@0.5.14
 - @tryghost/members-ssr@1.0.28
 - @tryghost/members-offers@0.11.6
 - @tryghost/members-payments@0.3.6
 - @tryghost/members-stripe-service@0.10.5
 - @tryghost/verification-trigger@0.2.5
2022-05-16 19:29:05 +01:00
Renovate Bot
a599830920 Update dependency c8 to v7.11.3 2022-05-16 05:20:36 +00:00
Aileen Nowak
152a2ea41f Published new versions
- @tryghost/domain-events@0.1.13
 - @tryghost/express-dynamic-redirects@0.2.12
 - @tryghost/magic-link@1.0.25
 - @tryghost/member-analytics-service@0.1.15
 - @tryghost/member-events@0.4.5
 - @tryghost/members-analytics-ingress@0.1.16
 - @tryghost/members-api@7.0.1
 - @tryghost/members-csv@1.2.14
 - @tryghost/members-events-service@0.4.2
 - @tryghost/members-importer@0.5.13
 - @tryghost/members-ssr@1.0.27
 - @tryghost/members-offers@0.11.5
 - @tryghost/members-payments@0.3.5
 - @tryghost/members-stripe-service@0.10.4
 - @tryghost/verification-trigger@0.2.4
2022-05-10 11:40:41 -04:00
Renovate Bot
7af0eb6fdf Update dependency sinon to v14 2022-05-09 04:41:01 +00:00
Simon Backx
0111e23fb7 Published new versions
- @tryghost/domain-events@0.1.12
 - @tryghost/express-dynamic-redirects@0.2.11
 - @tryghost/magic-link@1.0.24
 - @tryghost/member-analytics-service@0.1.14
 - @tryghost/member-events@0.4.4
 - @tryghost/members-analytics-ingress@0.1.15
 - @tryghost/members-api@6.3.1
 - @tryghost/members-csv@1.2.13
 - @tryghost/members-events-service@0.4.1
 - @tryghost/members-importer@0.5.12
 - @tryghost/members-ssr@1.0.26
 - @tryghost/members-offers@0.11.4
 - @tryghost/members-payments@0.3.4
 - @tryghost/members-stripe-service@0.10.3
 - @tryghost/verification-trigger@0.2.3
2022-05-03 16:40:39 +02:00
Renovate Bot
bddc9a5159 Update dependency c8 to v7.11.2 2022-05-02 21:39:21 +00:00
Fabien "egg" O'Carroll
b8545d2912 Published new versions
- @tryghost/domain-events@0.1.11
 - @tryghost/express-dynamic-redirects@0.2.10
 - @tryghost/magic-link@1.0.23
 - @tryghost/member-analytics-service@0.1.13
 - @tryghost/member-events@0.4.3
 - @tryghost/members-analytics-ingress@0.1.14
 - @tryghost/members-api@6.3.0
 - @tryghost/members-csv@1.2.12
 - @tryghost/members-events-service@0.4.0
 - @tryghost/members-importer@0.5.11
 - @tryghost/members-ssr@1.0.25
 - @tryghost/members-offers@0.11.3
 - @tryghost/members-payments@0.3.3
 - @tryghost/members-stripe-service@0.10.2
 - @tryghost/verification-trigger@0.2.2
2022-05-02 19:11:55 +01:00
Renovate Bot
cddf87863e Update dependency mocha to v10 2022-05-02 02:29:13 +00:00
Simon Backx
a0a50f7acc Published new versions
- @tryghost/domain-events@0.1.10
 - @tryghost/express-dynamic-redirects@0.2.9
 - @tryghost/magic-link@1.0.22
 - @tryghost/member-analytics-service@0.1.12
 - @tryghost/member-events@0.4.2
 - @tryghost/members-analytics-ingress@0.1.13
 - @tryghost/members-api@6.2.0
 - @tryghost/members-csv@1.2.11
 - @tryghost/members-events-service@0.3.4
 - @tryghost/members-importer@0.5.9
 - @tryghost/members-ssr@1.0.24
 - @tryghost/members-offers@0.11.2
 - @tryghost/members-payments@0.3.2
 - @tryghost/members-stripe-service@0.10.1
 - @tryghost/verification-trigger@0.2.1
2022-04-27 19:08:40 +02:00
Renovate Bot
a49bb037c4 Update Test & linting packages 2022-04-27 12:16:56 +00:00
Thibaut Patel
c37021c575 Published new versions
- @tryghost/domain-events@0.1.9
 - @tryghost/express-dynamic-redirects@0.2.7
 - @tryghost/magic-link@1.0.21
 - @tryghost/member-analytics-service@0.1.11
 - @tryghost/member-events@0.4.1
 - @tryghost/members-analytics-ingress@0.1.12
 - @tryghost/members-api@5.3.0
 - @tryghost/members-csv@1.2.7
 - @tryghost/members-events-service@0.3.2
 - @tryghost/members-importer@0.5.4
 - @tryghost/members-ssr@1.0.23
 - @tryghost/members-offers@0.10.9
 - @tryghost/members-payments@0.1.11
 - @tryghost/members-stripe-service@0.9.1
 - @tryghost/verification-trigger@0.1.6
2022-03-11 22:45:26 +01:00
Renovate Bot
0ad973c8b5 Update dependency mocha to v9.2.2 2022-03-11 18:04:58 +00:00
Thibaut Patel
dafda42e0a Published new versions
- @tryghost/domain-events@0.1.8
 - @tryghost/express-dynamic-redirects@0.2.6
 - @tryghost/magic-link@1.0.20
 - @tryghost/member-analytics-service@0.1.10
 - @tryghost/member-events@0.4.0
 - @tryghost/members-analytics-ingress@0.1.11
 - @tryghost/members-api@5.0.4
 - @tryghost/members-csv@1.2.6
 - @tryghost/members-events-service@0.1.0
 - @tryghost/members-importer@0.5.3
 - @tryghost/members-ssr@1.0.22
 - @tryghost/members-offers@0.10.8
 - @tryghost/members-payments@0.1.10
 - @tryghost/members-stripe-service@0.8.4
 - @tryghost/verification-trigger@0.1.5
2022-03-01 10:36:48 +01:00
Daniel Lockyer
db696a9272 Added --all to c8 command
refs https://github.com/TryGhost/Toolbox/issues/203

- without `--all`, c8 ignores files that should be included in the
  coverage score but aren't used in tests
- this means we have artificially high scores in places where this isn't
  used
- this commit adds `--all` where previously missing
- where this fails `--check-coverage`, that has been removed for now
2022-02-21 13:08:55 +01:00
Renovate Bot
d813510a07 Update dependency mocha to v9.2.1 2022-02-21 00:05:27 +00:00
Fabien "egg" O'Carroll
6c1081df23 Published new versions
- @tryghost/magic-link@1.0.19
 - @tryghost/members-api@5.0.2
 - @tryghost/members-csv@1.2.5
 - @tryghost/members-importer@0.5.2
 - @tryghost/members-ssr@1.0.21
 - @tryghost/members-stripe-service@0.8.2
2022-02-17 14:05:22 +02:00
Daniel Lockyer
f229d1077d Fixed repository link in old packages
- these are some of our first packages here and use `master` in their
  repository link
- we've since switched the repo to use `main` but these links were not
  updated
- this commit updates the links
2022-02-16 09:32:32 +01:00
Daniel Lockyer
a0f716f475 Published new versions
- @tryghost/domain-events@0.1.7
 - @tryghost/express-dynamic-redirects@0.2.5
 - @tryghost/magic-link@1.0.18
 - @tryghost/member-analytics-service@0.1.9
 - @tryghost/member-events@0.3.5
 - @tryghost/members-analytics-ingress@0.1.10
 - @tryghost/members-api@5.0.1
 - @tryghost/members-csv@1.2.4
 - @tryghost/members-importer@0.5.1
 - @tryghost/members-ssr@1.0.20
 - @tryghost/members-offers@0.10.7
 - @tryghost/members-payments@0.1.9
 - @tryghost/members-stripe-service@0.8.1
 - @tryghost/verification-trigger@0.1.4
2022-02-15 13:42:23 +01:00
Renovate Bot
463317eb76 Update dependency sinon to v13 2022-02-15 13:39:43 +01:00
Renovate Bot
5e91609abb Update Test & linting packages 2022-02-15 13:35:28 +01:00
Hannah Wolfe
3dcf85d5e4 Ensured correct usage of @tryghost/errors everywhere
refs: 23b383bedf

- @tryghost/error constructors take an object, not a string - the expectation is that message, context & help should all be set
- This does the bare minimum and just ensures message is set correctly
2022-02-15 12:30:36 +00:00
Renovate Bot
7c43b14f18 Update dependency @types/node to v16 2022-02-15 12:57:04 +01:00
Thibaut Patel
bb1d5de381 Published new versions
- @tryghost/domain-events@0.1.6
 - @tryghost/magic-link@1.0.17
 - @tryghost/member-analytics-service@0.1.7
 - @tryghost/members-analytics-ingress@0.1.8
 - @tryghost/members-api@4.5.0
 - @tryghost/members-ssr@1.0.19
 - @tryghost/members-offers@0.10.6
 - @tryghost/members-payments@0.1.8
2022-01-21 17:57:25 +01:00
renovate[bot]
d3dbc81bd3 Update dependency @types/jsonwebtoken to v8.5.8 (#287)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2022-01-21 15:57:51 +02:00