Commit Graph

80 Commits

Author SHA1 Message Date
Renovate Bot
22c32fee0d Update dependency mocha to v8.2.0 2020-10-16 21:24:13 +00:00
Renovate Bot
38af1013b7 Update dependency sinon to v9.2.0 2020-10-06 19:10:59 +00:00
Renovate Bot
09a5f584c3 Update dependency @tryghost/string to v0.1.12 2020-09-30 03:05:47 +00:00
Renovate Bot
a7e0e73f16 Update dependency sinon to v9.1.0 2020-09-29 22:07:11 +00:00
Nazar Gargol
1f73b85e5e Published new versions
- @tryghost/adapter-manager@0.1.11
- @tryghost/bootstrap-socket@0.2.2
- @tryghost/constants@0.1.1
- @tryghost/errors@0.2.4
- @tryghost/image-transform@1.0.4
- @tryghost/job-manager@0.1.1
- @tryghost/moleculer-service-from-class@0.2.6
- @tryghost/mw-session-from-token@0.1.8
- @tryghost/pretty-cli@1.2.10
- @tryghost/promise@0.1.1
- @tryghost/release-utils@0.6.7
- @tryghost/security@0.2.0
- @tryghost/session-service@0.1.9
- @tryghost/vhost-middleware@1.0.9
- @tryghost/zip@1.1.4
2020-09-22 15:36:49 +12:00
Nazar Gargol
d33b377c6a Corrected "declared in upper scope" linting errors 2020-09-22 15:33:30 +12:00
Nazar Gargol
07972312ed Extended resetToken.compare return result with reason for comparison failure
refs https://github.com/TryGhost/Ghost/issues/11878

- To be able to identify the reason behind comparison failure on a more granular level (like token expiration), had to provide additional information in return result for falsy token comparisons
2020-09-22 15:31:15 +12:00
Nazar Gargol
54f9ff24c2 Extended test coverage for tokens module
refs https://github.com/TryGhost/Ghost/issues/11878

- There are multiple reasons why the token can be invalid. This coverage is meant to cover these reasons and pave the way for introduction of more granular errors causing the invalid token
2020-09-22 13:17:07 +12:00
Renovate Bot
0633b9a7fe Update dependency mocha to v8.1.3 2020-08-28 21:05:06 +00:00
Renovate Bot
155daf42c8 Update dependency mocha to v8.1.2 2020-08-25 20:08:54 +00:00
Renovate Bot
e5ba7185ee Update dependency lodash to v4.17.20 2020-08-13 17:20:11 +00:00
Renovate Bot
cfa076f739 Update dependency @tryghost/string to v0.1.11 2020-08-13 09:25:00 +00:00
Daniel Lockyer
dcc269b9a9 Published new versions
- @tryghost/security@0.1.0
2020-08-11 13:49:57 +01:00
Daniel Lockyer
ccf0f074c7 Added missing dependencies for new @tryghost/security package 2020-08-11 13:47:34 +01:00
Daniel Lockyer
ec0ed397d9 Moved test files to correct name
- `yarn test` will look for files matching `*.test.js`, so this commit
  fixes the name for the tests
2020-08-11 13:45:21 +01:00
Daniel Lockyer
14a53f696e Populated index.js with exports to package components
- pulled lib/index.js up to root and fixed paths
2020-08-11 13:38:44 +01:00
Daniel Lockyer
aa1c597e71 Removed template test file
- real tests have been pulled in so we don't need this
2020-08-11 13:35:40 +01:00
Daniel Lockyer
ff9e980fcb Merged security files and history from TryGhost/Ghost
* included commits:
  Updated var declarations to const/let and no lists
  Move tests from core to root (#11700)
  Updated to use slugify method from SDK for safe string
  Added Node v10 Support (#10058)
  Dynamic Routing: Added migration for routes.yaml file (#9692)
  Fixed missing Bluebird require in `security/password.js` (#9624)
  🔥  Drop Node v4 Support
  Added unit tests for models.Invite.add
  Added lib.security.password lib
  Moved unique identifier generation to lib/security
  Moved tokens, url safe and safe string utility to lib/security
2020-08-11 13:30:09 +01:00
Daniel Lockyer
82a698ec0b Created @tryghost/security package 2020-08-11 13:29:32 +01:00
Hannah Wolfe
36675b6494 Updated var declarations to const/let and no lists
- All var declarations are now const or let as per ES6
- All comma-separated lists / chained declarations are now one declaration per line
- This is for clarity/readability but also made running the var-to-const/let switch smoother
- ESLint rules updated to match

How this was done:

- npm install -g jscodeshift
- git clone https://github.com/cpojer/js-codemod.git
- git clone git@github.com:TryGhost/Ghost.git shallow-ghost
- cd shallow-ghost
- jscodeshift -t ../js-codemod/transforms/unchain-variables.js . -v=2
- jscodeshift -t ../js-codemod/transforms/no-vars.js . -v=2
- yarn
- yarn test
- yarn lint / fix various lint errors (almost all indent) by opening files and saving in vscode
- grunt test-regression
- sorted!
2020-04-29 16:51:13 +01:00
Hannah Wolfe
b57ecbcc4a Move tests from core to root (#11700)
- move all test files from core/test to test/
- updated all imports and other references
- all code inside of core/ is then application code
- tests are correctly at the root level
- consistent with other repos/projects

Co-authored-by: Kevin Ansfield <kevin@lookingsideways.co.uk>
2020-03-30 16:26:47 +01:00
Rish
58084ac96e Updated to use slugify method from SDK for safe string
refs #10618

- Updated lib safe string security method
2019-05-07 15:33:07 +05:30
Katharina Irrgang
7fb0b96f3e Added Node v10 Support (#10058)
* Added Node v10 Support

no issue

Signed-off-by: kirrg001 <katharina.irrgang@googlemail.com>

* Bump amperize to version 0.3.8

no issue

* Bump mysql to version 2.16.0

no issue

- mysql 2.15.0 uses a deprecated notation for timers
- e.g. timers.unenroll()

* Bump sub dependencies

no issue

- e.g. knex-migrator used mysql 2.15.0

* Bump dependencies

no issue

* Replaced `new Buffer` with `Buffer.from`

no issue

- Buffer() is deprecated due to security and usability issues.
- https://nodejs.org/en/docs/guides/buffer-constructor-deprecation/
2018-10-30 15:45:51 +07:00
Katharina Irrgang
7d9e2a21ad Dynamic Routing: Added migration for routes.yaml file (#9692)
refs #9601

- the home.hbs behaviour for the index collection (`/`) is hardcoded in Ghost
- we would like to migrate all existing routes.yaml files
- we only replace the file if the contents of the routes.yaml file equals the old routes.yaml format (with home.hbs as template)
- updated README of settings folder
- if we don't remove the home.hbs template from the default routes.yaml file, home.hbs will be rendered for any page of the index collection
  - the backwards compatible behaviour was different
  - only render home.hbs for page 1
- remember: the default routes.yaml file reflects how Ghost was working without dynamic routing
2018-06-22 20:28:01 +02:00
Ivan Akulov
e9d1d34739 Fixed missing Bluebird require in security/password.js (#9624)
no issue
2018-05-28 23:01:01 +02:00
kirrg001
c19a0c9942 🔥 Drop Node v4 Support
no issue

- support ends today
- see https://github.com/nodejs/Release
- removed `use strict`
2018-05-01 14:06:18 +02:00
kirrg001
a0ee411e6e Added unit tests for models.Invite.add
no issue

- replaced token creation by `lib.common.security`
- added unit tests for adding invites
- allow a different invite status for internal access
2018-04-25 11:56:45 +02:00
kirrg001
5d1a4418bd Added lib.security.password lib
no issue

- move password hashing and password comparison to lib/security/password
- added two unit tests
- FYI: password hashing takes ~100ms
  - we could probably mock password hashing in certain cases when unit testing
2018-02-15 21:13:04 +01:00
kirrg001
72911862e7 Moved unique identifier generation to lib/security
refs #9178
2017-12-14 13:52:20 +01:00
kirrg001
411ce69006 Moved tokens, url safe and safe string utility to lib/security
refs #9178

- we could now also move any crypto usages to lib/security, but no priority
- the main goal is to tidy up our utils folder
2017-12-14 13:38:00 +01:00