Turn your audience into a business. Publishing, memberships, subscriptions and newsletters.
Simon Backx 41a0945592
🐛 Prevented member creation when logging in (#15526)
fixes https://github.com/TryGhost/Ghost/issues/14508

This change requires the frontend to send an explicit `emailType` when sending a magic link. We default to `subscribe` (`signin` for invite only sites) for now to remain compatible with the existing behaviour.

**Problem:**
When a member tries to log in and that member doesn't exist, we created a new member in the past.

- This caused the creation of duplicate accounts when members were guessing the email address they used.
- This caused the creation of new accounts when using an old impersonation token, login link or email change link that was sent before member deletion.

**Fixed:**
- Trying to log in with an email address that doesn't exist will throw an error now.
- Added new and separate rate limiting to login (to prevent user enumeration). This rate limiting has a higher default limit of 8. I think it needs a higher default limit (because it is rate limited on every call instead of per email address), and it should be configurable independently of administrator rate limiting. It also needs a lower lifetime value because it is never reset.
- Updated error responses in the `sendMagicLink` endpoint to use the default error encoding middleware.
- The type (`signin`, `signup`, `updateEmail` or `subscribe`) is now stored in the magic link. This is used to prevent signups with a sign in token.

**Notes:**
- Between tests, we truncate the database, but this is not enough for the rate limits to be truly reset. I had to add a method to the spam prevention service to reset all the instances between tests. Not resetting them caused random failures because every login in every test was hitting those spam prevention middlewares and somehow left a trace of that in those instances (even when the brute table is reset). Maybe those instances were doing some in memory caching.
2022-10-05 18:11:06 +07:00
.github Increased frequency of stale bot execution to hourly 2022-09-29 16:10:49 +07:00
ghost 🐛 Prevented member creation when logging in (#15526) 2022-10-05 18:11:06 +07:00
.editorconfig Removed Makefile settings from .editorconfig 2019-07-31 17:21:16 +08:00
.gitattributes Enforced unix line endings (#9871) 2018-10-23 10:59:09 +02:00
.gitignore Added Caddyfile to .gitignore 2022-07-27 14:19:33 +02:00
.gitmodules Deleted Admin submodule 2022-08-03 15:56:53 +02:00
LICENSE 2022 2022-01-05 12:41:30 +00:00
package.json Updated @tryghost dependencies (#15434) 2022-09-27 08:31:35 +07:00
PRIVACY.md Updated third-party service readme for frontend apps (#15091) 2022-07-27 11:04:37 +01:00
README.md Updated master branch links to main 2022-09-06 11:49:29 +01:00
SECURITY.md Updated ghost.org links 2021-01-19 13:28:36 +13:00
yarn.lock Update dependency @babel/plugin-proposal-decorators to v7.19.3 2022-09-29 11:47:34 +07:00


Love open source? We're hiring Node.js engineers to work on Ghost full-time.


Fiercely independent, professional publishing. Ghost is the most popular open source, headless Node.js CMS which already works with all the tools you know and love.


Ghost(Pro)

The easiest way to get a production instance deployed is with our official Ghost(Pro) managed service. It takes about 2 minutes to launch a new site with worldwide CDN, backups, security and maintenance all done for you.

For most people this ends up being the best value option because of how much time it saves — and 100% of revenue goes to the Ghost Foundation, funding the maintenance and further development of the project itself. So you'll be supporting open source software and getting a great service!

If you prefer to run on your own infrastructure, we also offer official one-off installs and managed support and maintenance plans via Ghost(Valet), which can save a substantial amount of developer time and resources.


Quickstart install

If you want to run your own instance of Ghost, in most cases the best way is to use our CLI tool:

npm install ghost-cli -g


Then, if installing locally, add the local flag to get up and running in under a minute (see the Local install docs):

ghost install local


Or, on a server, run the full install, which includes automatic SSL setup using Let's Encrypt (see the Production install docs):

ghost install


Check out our official documentation for more information about our recommended hosting stack & properly upgrading Ghost, plus everything you need to develop your own Ghost themes or work with our API.

Contributors & advanced developers

For anyone wishing to contribute to Ghost or to hack/customize core files we recommend following our full development setup guides: Contributor guide, Developer setup, Admin App dev guide.


Ghost sponsors

We'd like to extend big thanks to our sponsors and partners who make Ghost possible. If you're interested in sponsoring Ghost and supporting the project, please check out our profile on GitHub sponsors ❤️

DigitalOcean, Fastly


Getting help

You can find answers to a huge variety of questions, along with a large community of helpful developers over on the Ghost forum - replies are generally very quick. Ghost(Pro) customers also have access to 24/7 email support.

To stay up to date with all the latest news and product updates, make sure you subscribe to our blog — or you can always follow us on Twitter, if you prefer your updates bite-sized and facetious. 🎷🐢


Copyright & license

Copyright (c) 2013-2022 Ghost Foundation - Released under the MIT license. Ghost and the Ghost Logo are trademarks of Ghost Foundation Ltd. Please see our trademark policy for info on acceptable usage.