Commit Graph

67 Commits

Author SHA1 Message Date
Hannah Wolfe
4f5fb3d820 Swapped common for @tryghost/errors in core/server/web
- Update all references to common.errors to use @tryghost/errors
- Use dereferencing to only require used bits of common in each file
2020-04-09 19:40:00 +01:00
Hannah Wolfe
7964c1de79 Updated image middleware to use new shared function
- we have a function for generating _o filenames in @tryghost/image-transform as of v0.2.0
- this  updates our Ghost code to use it
2020-03-30 18:33:59 +01:00
Hannah Wolfe
d9dfdd775e
Replaced image manipulation w/ @tryghost/image-transform (#11687)
- moved image.manipulation lib to a new package called @tryghost/image-transform
- new package has an updated API signature, so the method calls have changed but the underlying code is identical
- removed the optional sharp dependency from Ghost, as this is now optionally required by the image-transform module
2020-03-25 17:33:03 +00:00
Daniel Lockyer
6dcb1094aa Refactored variable name to match intent
no issue
2020-02-20 11:56:01 +00:00
Daniel Lockyer
28071a242a Fixed error reporting to Sentry
no issue

- some errors weren't being reported because they were being passed to
  Sentry before our middleware could populate the error information
- this commit inserts the Sentry middleware into these steps
2020-02-17 13:52:01 +00:00
Kevin Ansfield
02c034068c Fixed error when serving public images from servePublicFile middleware
no issue

- when `servePublicFile` middleware serves an image it resulted in a "Cannot set headers after they are sent to the client" error because `next()` was erroneously called for successful requests which then tripped the `prettyUrls` middleware which tries to perform a redirect
- only calling `next()` when an error is present allows errors to be picked up by later middleware but successful requests end in the `servePublicFile` middleware
2020-02-17 09:24:15 +00:00
Kevin Ansfield
830610d243 Fixed serving of binary public files
no issue

- serving of our public asset images was broken
  - we were reading the binary file in as a string so we could do url transforms, this meant data was lost/corrupted and browsers could not display the served data
  - we were using the wrong mime-type for pngs which meant browsers were triggering downloads rather than displaying images (at least when accessed directly)
- updates uses of `servePublicFile` to have the correct png mimetype
- adjusts `servePublicFile` to treat any mime type starting with `image` as a binary file, passing the file directly through express using `res.sendFile` and skipping the in-memory content caching which is mostly only useful for text files with URL transforms
2020-02-10 09:51:32 +00:00
Daniel Lockyer
a510e075b6 Handled missing file extensions for resized image requests
no issue

- if a request was sent for an resized image URL that didn't contain a
  file extension, the code would eventually end up throwing a 500
- this commit checks for this case and returns a 404
2020-02-04 08:04:22 +00:00
Daniel Lockyer
dbcffe9245 🐛 Handled trailing slashes in resized image URLs
no issue

- requests for resized images with a trailing slash would end up
  throwing a EISDIR error because it got through to writing an
  image buffer to a directory
- we want to cut this off early and disallow trailing slashes
2020-01-18 13:45:22 +07:00
Kevin Ansfield
7284227f1e
🐛 Fixed 404s when using a proxy setup (#11269)
no issue

When using certain proxy setups that result in `host` and `x-forwarded-host` being different, it became impossible to access Ghost because all routes showed generic 404 pages.

- `vhost` module that we are using to separate front-end and admin urls does not use express' `req.hostname` so it does not pick up the `x-forwarded-host` url that express' `'trust proxy'` config gives us
- switched to the forked `@tryghost/vhost-middleware` package which has a one-line change to use `req.hostname || req.host`
- added `'trust proxy'` config to the admin express app and switched to using `req.hostname` in our redirect code to avoid infinite redirect loops
2019-10-28 11:22:05 +00:00
Naz Gargol
0225936292
Removed subscribers from the codebase (#11153)
refs https://github.com/TryGhost/Ghost/pull/11152

- Added subscribers table drop migration
- Removed subscribers from schema
- Removed subscribers controllers/routes/regression tests
- Removed subscriber related API code
- Removed subscribers from internal apps
- Removed subscriber importer
- Removed subscriber model
- Removed subscriber related permissions
- Removed webhook code related to subscribers
- When upgrading to v3 it is on the site admin to migrate all zapps or any other webhook clients to use members
- Removed subscriber-specific translation
- Removed subscriber lab flag
2019-10-09 11:47:04 +02:00
Kevin Ansfield
6028fde666 Merge branch 'master' into v3 2019-10-08 13:58:08 +01:00
Hannah Wolfe
0107ac848a Improved x-request-id handling
- Currently, we create a request ID for internal use if one isn't set & this is used in logs
- If a custom request ID is set via X-Request-ID header, this gets logged, however, we don't return this with the response
- Means that a custom ID gets lost on the way back out, and makes tracing requests through a system trickier
- This change ensures that if X-Request-ID is set on the request, it is also set on the response so that requests can be properly traced
- It's easy to set this in e.g. nginx so that the feature becomes available - Ghost doens't need to do this
- Note: also split request id handling out into new middleware
2019-09-22 18:23:45 +01:00
Nazar Gargol
cc8f9bcb98 Marked code property for removal in Ghost 4.0
refs https://github.com/TryGhost/gscan/issues/144
refs https://github.com/TryGhost/gscan/pull/259

- The property hasn't been marked correctly in Ghsot 2.0 so will be able to go away the earliest in Ghost 4.0
2019-09-19 12:15:17 +02:00
Nazar Gargol
f75a8f9aa9 Reworded confusing comment mentioning v0.1 2019-09-12 19:17:35 +02:00
Kevin Ansfield
33fe21f888 Removed all clients and client_trusted_domains related code
no issue

- v0.1 is ☠️ so there's no longer any use of client auth
- removes all code related to `clients` and `client_trusted_domains`
- noops the "add backup client" migration in 1.7 because the referenced fixture no longer exists causing migrations and consequently all regression tests to fail
2019-09-12 15:09:49 +01:00
Kevin Ansfield
7e92b07233 🔒 Added admin:redirects config option for disabling admin redirects
no issue

- adds `config:redirects` config option that defaults to `true`
- when set to `false`
  - `/ghost/` will 404 on the front-end when a separate admin url is configured
  - all `{resource}/edit/` URLs on the front-end will 404
2019-09-12 12:40:12 +01:00
Naz Gargol
5b59c7b542
🔥 Removed v0.1 controllers & routes (#11103)
no issue 

- Removed v0.1 controllers
- Removed 0.1 API unit tests
- Removed 0.1 API app and mount point
- Removed leftover use of v0.1 in entry-lookup test suite
- Removed frontend client API enpoints and related code (middleware)
- Fixed prev/next test suites to use v2 API
- Set default API version to explicit v2 in UrlUtils
- Removed v0.1 API regex from public files middleware
2019-09-11 19:10:10 +02:00
Kevin Ansfield
666a9d371f 🔥 Removed all non-/ghost/ redirects to the admin
no issue

- we used to redirect paths such as `/logout/` and `/signin/` to the admin but they are no longer desired
  - with the introduction of members these URLs can be confused with front-end member related actions
  - we want to be able to optionally "turn off" redirects to the admin to help mask the admin url when it's configured to be separate to the front-end
2019-09-11 14:55:00 +01:00
Kevin Ansfield
b46f9b1dc2 🔒 Fully separated front-end and admin app urls
no issue

- uses `vhost` in parent-app to properly split front-end and admin/api apps when a separate admin url is configured
2019-09-10 15:47:49 +01:00
Kevin Ansfield
88659e5a52 Switched private login brute errors to correct error status code
no issue

- when too many login attempts were detected for the `/private/` form we were throwing 500 errors instead of the more appropriate 429 error that we use everywhere else for "too many request" type errors
2019-09-09 16:02:21 +01:00
Hannah Wolfe
708927335b Added error handling for weird handlebars syntax
refs #10496

- handlebars if and unless helpers throw weird, unhelpful syntax errors
- for now, catch these errors and do something helpful with them
2019-09-09 13:03:04 +01:00
Rish
13a77363de Updated uncapitalise check to work with canary
no issue

Previously uncapitalise check was based on fixed api endpoint format - v[NUMBER], this updates it to work with canary endpoint
2019-08-09 20:46:49 +05:30
Aileen Nowak
d11fd4210b Updated docs api links to be version-less 2019-07-25 15:17:23 +08:00
Aileen Nowak
496f873ac4
Updated links to docs (#10941)
no issue
2019-07-22 18:17:50 +08:00
Christoph Tavan
834a5a0521 Replaced v1 for v4 uuids (#10871)
* Swapped v1 with v4 UUID as requestId when logging

no issue

v1 UUID are based on current time and the hardware MAC address of the
machine where they are being generated. As such they have much more
complex semantics than v4 UUIDs which are simply randomly generated.

Unless there's a specific requirement for the special semantics of v1
UUIDs it is simpler and less error prone to simply go for v4 UUIDs
whenever just a unique identifier is needed.

* Swapped v1 with v4 UUID when creating a temporary contentFolder

no issue

v1 UUID are based on current time and the hardware MAC address of the
machine where they are being generated. As such they have much more
complex semantics than v4 UUIDs which are simply randomly generated.

Unless there's a specific requirement for the special semantics of v1
UUIDs it is simpler and less error prone to simply go for v4 UUIDs
whenever just a unique identifier is needed.

* Swapped v1 with v4 UUID when creating a temporary exportFolder

no issue

v1 UUID are based on current time and the hardware MAC address of the
machine where they are being generated. As such they have much more
complex semantics than v4 UUIDs which are simply randomly generated.

Unless there's a specific requirement for the special semantics of v1
UUIDs it is simpler and less error prone to simply go for v4 UUIDs
whenever just a unique identifier is needed.
2019-07-15 14:01:02 +08:00
renovate[bot]
db53ac0721 Update Test & linting packages (major) (#10858)
no issue 

- Updated Test & linting packages
- Updated use of hasOwnProperty
- Using Object.prototype.hasOwnProperty instead (ref. eslint.org/docs/rules/no-prototype-builtins)
- Removed already defined built-in global variable Intl
- Applied `--fix` with lint command on `core/test` folder
- The rules were broken because some of them were made stricter for `eslint: recommended` ruleset (ref. https://eslint.org/docs/user-guide/migrating-to-6.0.0#eslint-recommended-changes)
- Removed redundant global variable declarations to pass linting
2019-07-05 13:40:43 +02:00
Fabien O'Carroll
0e2ce29468 Moved members static mount point to /ghost/members
no-issue

This alleviates the CORS requests failing for members when the admin is
hosted on a different domain than the site
2019-06-25 15:13:52 +07:00
Nazar Gargol
22f56c95a8 Fixed redirects.json file validation
refs #10790

- Reference to method previously used to validate wasn't updated during refactoring done in be27db46eb
2019-06-24 10:56:30 +02:00
Naz Gargol
df7e64fafa
Extracted frontend folder (#10780)
refs #10790

- Moved /core/apps into core/frontend
- Moved /core/server/helpers to /core/frontend/helpers along with /core/server/services/themes
- Changed helper location in overrides
- Moved /core/server/services/routing to /core/frontend/services
- Moved /core/server/services/url to /core/frontend/services
- Moved /core/server/data/meta to /core/frontend/meta
- Moved /core/server/services/rss to /core/frontend/services
- Moved /core/server/data/xml to /core/frontend/services
2019-06-19 11:30:28 +02:00
Naz Gargol
abda6e6338
Migrated to use url-utils from Ghost-SDK (#10787)
closes #10773

- The refactoring is a substitute for `urlService.utils` used previously throughout the codebase and now extracted into the separate module in Ghost-SDK
- Added url-utils stubbing utility for test suites
- Some tests had to be refactored to avoid double mocks (when url's are being reset inside of rested 'describe' groups)
2019-06-18 15:13:55 +02:00
Timothy Stapleton
f2e60806da 🐛 Fixed redirects to absolute URLs (#10777)
closes #10776

When the "to" property of the redirect includes a host (implying an external or fully qualified url) we skip replacing any paths and redirect straight to it, rather than modifying the URL with the sites sub-directory.
2019-06-10 12:48:37 +07:00
Fabien O'Carroll
ed1a42f7f3 Exported raw middleware from serve-public-file
no-issue

The current public file middleware handles route matching itself, which
means it is applied to express via the use method. Due to use being a
"global" application of middleware, this means it is not possible to
apply a labs middleware before the public file serving middleware
without it affecting the entire route stack.

This commit exports a piece of raw middleware that can be used with the
get method of express, so that we can attach middleware beforehand.

This will be used to conditionally serve the members specific public
files, based on the labs flag for members.
2019-04-24 12:46:00 +02:00
Fabien O'Carroll
235d6a0366 Refactored labs middleware to remove duplication
no-issue

Also exposes a generic interface now.
2019-04-24 12:46:00 +02:00
Nazar Gargol
b9eaf27e56 🐛 Fixed admin error page on startup
closes #10616

- The check should be on empty object because that's the default state of expresses 'engines' property - 3ed5090ca9/lib/application.js (L59)
- The bug was introduced with 5e963935f9 (diff-04cc23b216e11161ab7267d69f13d004R142)
2019-04-01 15:06:00 +08:00
Nazar Gargol
0d89acd910 🐛 Fixed redirects to external URL
closes #10623

- The ability to redirect to external URLs was broken with 7e211a307c
- Added test coverage for external URL case
2019-04-01 12:33:29 +08:00
Nazar Gargol
3baf52fba9 Added 'property' field to errors returned from API
refs #10438
2019-02-26 13:41:13 +07:00
Nazar Gargol
f558b58c89 Combined /images* endpoints into /images/upload
- refs #10438

- /images/upload now accepts all the image uploads and distinguishes their purpuse using new `purpose` form data field
2019-02-25 19:15:16 +07:00
Nazar Gargol
50ea7f0eff Added user friendly error messages to Admin API
refs #10438

- Adds new fields to errors returned from API:  help, code, and id
- Makes `message` more descriptive towards non technical users
2019-02-25 10:40:35 +07:00
Nazar Gargol
76c6f96aed Changed error type for missing file in /uploads
refs #10438
2019-02-14 20:52:51 +00:00
John O'Nolan
ae5ed03488
Update admin redirects
Refs https://github.com/TryGhost/Ghost/pull/10079
2019-02-07 17:59:35 +07:00
Rishabh Garg
8fd4b3f09f
Added new admin API for members (#10435)
no issue

- Added read and browse admin API for members
2019-01-30 17:06:09 +05:30
notanengineercom
631716053a 🐛 Fixed files staying in temp directory after upload is done
closes #10174

- Introduced upload middleware that cleans up temporary files stored by mutler after the request is finished
- Removed redundant fs.remove calls as this work is now handled in newly introduced middleware
2019-01-30 09:24:29 +00:00
Rishabh Garg
3200ede8b1
🐛 Fixed crash on startup when no active theme (#10426)
closes #10416

- Updated to use default theme engine values when no active theme is found
2019-01-28 22:36:47 +05:30
Hannah Wolfe
909f9012ed
Updated docs links to best equivalents (#10386)
* Updated docs links to best equivalents
   - Our documentation has been overhauled, this updates the all the old links sprinkled through Ghost
* Update integrity hash
2019-01-17 06:57:37 +00:00
Greg Hart
418e958c69 🐛Fixed custom redirects to forward hashes correctly (#10319)
closes #10290
2019-01-15 23:26:18 +01:00
Katharina Irrgang
732f97a074
De-aliased api versions in codebase (#10375)
closes #10357
2019-01-14 19:49:55 +01:00
Fabien O'Carroll
9837df0b6f
Added brute protection to content api (#10362)
* Revert "Removed brute force middleware form content api (#10353)"

This reverts commit 63c8c310fb.

* Updated content api spam prevention to use memory store

* Used TooManyRequestsError instead of InternalServer
2019-01-14 14:11:48 +01:00
Fabien O'Carroll
935b0f6d49 🎨 Use unoptimised image when possible for dynamic images (#10314)
closes #10283 

Updated middleware for dynamic image sizes to attempt to read the unoptimized image first, taking into account the `-n` suffix for duplicate image names, by using a regex.
2019-01-08 10:00:15 +00:00
Fabien O'Carroll
d5bf6dc1c8
Updated comment for globalBlock spam prevention (#10342)
no-issue

Just made it more clear it's not global across the entire api.
2019-01-07 20:21:26 +07:00