Ghost/core/server
Naz c84866dda7
Improved password reset and session invalidation for "locked" users (#11790)
- Fixed session invalidation for "locked" user
  - Currently Ghost API was returning 404 for users having status set to "locked". This lead the user to be stuck in Ghost-Admin with "Rousource Not Found" error message.
  - By returning 401 for non-"active" users it allows for the Ghost-Admin to redirect the user to "signin" screen where they would be instructed to reset their password

- Fixed error message returned by session API
  - Instead of returning generic 'access' denied message when error happens during `User.check` we want to return more specific error thrown inside of the method, e.g.: 'accountLocked' or 'accountSuspended'
  - Fixed messaging for 'accountLocked' i18n, which not corresponds to the
actual UI available to the end user

- Added automatic password reset email to locked users on sign-in
  - uses alternative email for required password reset so it's clear that this is a security related reset and not a user-requested reset

- Backported the auto sending of required password reset email to v2 sign-in route
  - used by 3rd party clients where the email is necessary for users to know why login is failing

Co-authored-by: Kevin Ansfield <kevin@lookingsideways.co.uk>
2020-05-05 19:37:53 +01:00
..
adapters Added Router etc to shared/express + use everywhere 2020-05-01 19:32:57 +01:00
api Improved password reset and session invalidation for "locked" users (#11790) 2020-05-05 19:37:53 +01:00
config Moved members API out of backend 2020-04-30 18:18:39 +01:00
data Updated var declarations to const/let and no lists 2020-04-29 16:51:13 +01:00
lib Improved password reset and session invalidation for "locked" users (#11790) 2020-05-05 19:37:53 +01:00
models Improved password reset and session invalidation for "locked" users (#11790) 2020-05-05 19:37:53 +01:00
public Renamed members ssr + api endpoints 2020-04-30 19:00:37 +01:00
services Improved password reset and session invalidation for "locked" users (#11790) 2020-05-05 19:37:53 +01:00
translations Improved password reset and session invalidation for "locked" users (#11790) 2020-05-05 19:37:53 +01:00
views Update default 404 page 2019-07-15 14:47:01 +02:00
web Added new endpoint for refreshing api key secret (#11791) 2020-05-05 23:36:21 +05:30
analytics-events.js Refactor common pattern in service files 2020-04-30 20:48:42 +01:00
ghost-server.js Refactor common pattern in service files 2020-04-30 20:48:42 +01:00
index.js Refactor common pattern in service files 2020-04-30 20:48:42 +01:00
overrides.js Disabled bluebird debug logs 2018-08-13 14:01:31 +02:00
update-check.js Refactor common pattern in service files 2020-04-30 20:48:42 +01:00