Commit Graph

1258 Commits

Author SHA1 Message Date
Tim Gates
270af89ee2
Fixed typo tempalte -> template (#11722)
no issue

- Fixes al typo in test/regression/site/site_spec.js. Should read `template` rather than `tempalte`.
2020-04-08 14:26:50 +12:00
Kevin Ansfield
2642405595
Merge pull request from GHSA-q6jp-j3gg-3mxr
no issue

- backports fixes implemented in https://github.com/TryGhost/Ghost/commit/477393967 from the v3/api endpoint to the v2 endpoint
2020-04-07 11:05:48 +01:00
Joseph Coffland
67b8fbf6cf Added raw handlebars helper
- Allows using the 4-bracket raw block syntax e.g: {{{{raw}}}}{{{{/raw}}}}
- This allows you to include handlebars inside a template that is not compiled and executed
- The common usecase is if you want to include client-side handlebars templates inside server-side ones
2020-04-06 17:26:50 +01:00
Fabien O'Carroll
a701ee7023
Added support for token session to /ghost (#11709)
no-issue

* Added default for getting origin of request

This function is used to attach the origin of the request to the
session, and later check that requests using the session are coming from
the same origin. This protects us against CSRF attacks as requests in
the browser MUST originate from the same origin on which the user
logged in.

Previously, when we could not determine the origin we would return
null, as a "safety" net.

This updates the function to use a secure and sensible default - which
is the origin of the Ghost-Admin application, and if that's not set -
the origin of the Ghost application.

This will make dealing with magic links simpler as you can not always
guaruntee the existence of these headers when visiting via a hyperlink

* Removed init fns and getters from session service

This simplifies the code here, making it easier to read and maintain

* Moved express-session initialisation to own file

This is complex enough that it deserves its own module

* Added createSessionFromToken to session service

* Wired up the createSessionFromToken middleware
2020-04-06 11:49:14 +02:00
Fabien O'Carroll
1f68d8dc20 Refactored existing adapters to use adapter-manager
no-issue

This removes duplications and reduces maintentence going forward.
2020-04-05 21:13:47 +02:00
Fabien O'Carroll
23154f0739
Refactored session service (#11701)
* Refactored SessionStore to use @tryghost/errors

no-issue

* Updated tests to test exposed API

no-issue

This will make refactoring easier, as we only have the "public" contract to maintain

* Refactored session functionality to SessionService

no-issue

This splits the session logic away from the HTTP responding logic,
which will allows us to decouple session creation/modification from the
API. Eventually this can be used to create sessions based on magiclink
style tokens.

* Instantiated and exported the new SessionService

no-issue

* Refactored session middleware to take session service

no-issue

This removes duplication of code and makes the middleware more explicit
that it's just a wrapper around the session service.

* Updated to use external @tryghost/session-service

no-issue
2020-04-02 16:27:31 +02:00
Hannah Wolfe
573850ddd7 Removed fixture yarn.lock file
- This theme fixture is confusing GitHub's security tooling into thinking we have a tonne of insecure dependencies that we don't
2020-03-31 12:56:15 +01:00
Hannah Wolfe
7f1d3ebc07
Move tests from core to root (#11700)
- move all test files from core/test to test/
- updated all imports and other references
- all code inside of core/ is then application code
- tests are correctly at the root level
- consistent with other repos/projects

Co-authored-by: Kevin Ansfield <kevin@lookingsideways.co.uk>
2020-03-30 16:26:47 +01:00