Commit Graph

20 Commits

Author SHA1 Message Date
Sam Lord
8856822092 Prevent errors during the verification trigger tests
no issue

These tests were erroring because they subscribed to events but didn't have the handler injected.
2023-03-24 12:32:28 +00:00
Sam Lord
59df99388c Made verification trigger depend on the number of members
no issue

This change makes the verification trigger behave closer to the original idea. As well as having a threshold to trigger email verification, the trigger should also rely on the number of "organic" / verified members. This means that large publications will not trigger the verification flow when they import members, but spammers / suspicious sites worth verifying will not have the organic member count to allow for larger imports.
2023-03-21 18:00:20 +00:00
Simon Backx
819d0d884c
Improved email verification required checks (#16060)
fixes https://github.com/TryGhost/Team/issues/2366
refs https://ghost.slack.com/archives/C02G9E68C/p1670232405014209

Probem described in issue.

In the old MEGA flow:
- The `email_verification_required` check is now repeated inside the job

In the new email service flow:
- The `email_verification_required` is now checked (didn't happen
before)
- When generating the email batch recipients, we only include members
that were created before the email was created. That way it is
impossible to avoid limit checks by inserting new members between
creating an email and sending an email.
- We don't need to repeat the check inside the job because of the above
changes

Improved handling of large imports:
- When checking `email_verification_required`, we now also check if the
import threshold is reached (a new method is introduced in
vertificationTrigger specifically for this usage). If it is, we start
the verification progress. This is required for long running imports
that only check the verification threshold at the very end.
- This change increases the concurrency of fastq to 3 (refs
https://ghost.slack.com/archives/C02G9E68C/p1670232405014209). So when
running a long import, it is now possible to send emails without having
to wait for the import. Above change makes sure it is not possible to
get around the verification limits.

Refactoring:
- Removed the need to use `updateVerificationTrigger` by making
thresholds getters instead of fixed variables.
- Improved awaiting of members import job in regression test
2023-01-04 11:22:12 +01:00
Simon Backx
5c2f0b9a4b
Removed getCreatedEvents and added verification trigger test (#15832)
refs https://github.com/TryGhost/Team/issues/2266

This removes the deprecated `getCreatedEvents` method in the event
repository and adds tests to the verification trigger to see if we don't
break anything.

Changes extracted from https://github.com/TryGhost/Ghost/pull/15831
2022-11-18 15:05:15 +01:00
Fabien "egg" O'Carroll
f761bd36b4
Fixed verification trigger usage of Event Repository
refs https://github.com/TryGhost/Team/issues/2192

The method signatures of the Event Repository have been updated to
take mongo filter objects, but this call-site was not updated.

Long term we should really be using NQL filter strings for our
filtering API and the mongo filter objects should be an implementation
detail, however we don't have time right now to rectify this.
2022-11-01 13:00:42 +07:00
Naz
5e9d1d3178 Swapped member limit verification trigger event
closes https://github.com/TryGhost/Toolbox/issues/399

- The MemberCreatedEvent event is more accurate representation of the limit nature - counting the number of members created. The previous MemberSubscribeEvent was slightly hacky solution because a member could be subscribed/unsubscribed multiple times and distorting the limit counts.
2022-10-07 09:20:29 +08:00
Naz
6e76fcc36a Parameterized api sourced verification threshold
refs https://github.com/TryGhost/Toolbox/issues/387

- The limit values should be as configurable as possible to adjust verification thresholds dinamically per-usecase. This solves a problem of doing a separate version release when we need to adjust the verification thresholds.
- Before this "importThreshold" was the same concept as "apiThreshold", which makes it hard&confusing to reason about and hard to parameterize each specific case.
2022-08-25 17:07:10 +08:00
Naz
e9393ba38c Fixed tests
fixes 7e3b8ff404
refs https://github.com/TryGhost/Toolbox/issues/387

- The tests were not run properly after the referenced changes were made.
2022-08-25 15:38:26 +08:00
Naz
7e3b8ff404 Added email verification trigger for admin requests
refs https://github.com/TryGhost/Toolbox/issues/387

- When members are added through the Admin client they have to be a part of instance validation process to prevent service misuse.
2022-08-25 14:26:44 +08:00
Naz
7cae68baaa Renamed trigger amount variable
refs https://github.com/TryGhost/Toolbox/issues/387

- Similar reasoning as to previous renames - the variables were named with a single trigger source in mind and now would be confusing with multiple verification trigger sources.
2022-08-25 14:26:44 +08:00
Naz
1e96ef849f Renamed verification parameters
refs https://github.com/TryGhost/Toolbox/issues/387

- The "amountImported" was to specific to one verification trigger source. There can be multiple sources that start the verification process.
- Changed `startVerificationProcess` method signature to reflect it's a private method that's only used internally - exposed for testing purposes only.
2022-08-25 14:26:44 +08:00
Naz
780faf990b Fixed typo 2022-08-25 14:26:44 +08:00
Naz
8892a60948 Renamed verification threshold parameter
refs https://github.com/TryGhost/Toolbox/issues/387

- There will three distinct verification limits soon. To keep the naming clear "configThreshold" would be too generic/confusing to use.
- Introduced jsdoc descriptions for the "source" parameter, which will be corelating with each new config parameter ("apiTriggerThreshold", "importTriggerThreshold", "adminTriggerThreshold", etc.). This should give a better visibility into parameters we are dealing in this area.
2022-08-25 14:26:44 +08:00
Daniel Lockyer
a9b011ad4b Avoided loading newsletter subscription events if threshold is Infinity
- if the threshold is Infinity, we shouldn't be loading the newsletter
  subscription events because we are saying there is no threshold
- the code has a quick path to avoid comparing the values, but it still
  loads the events upfront
- this commit moves the quick path up to return earlier
- this has the nice side-effect of producing 100% coverage on this
  package
2022-08-01 09:23:04 +02:00
Sam Lord
b3595efa86 Patch test 2022-04-13 17:36:48 +01:00
Sam Lord
455778662c Email verification for imports based on 30 days of import
refs: https://github.com/TryGhost/Toolbox/issues/293

Things needed to create this:
* MemberSubscriptionEvent now has an import source
* Importer now creates events with this type
* Verification trigger logic changed to use 30 day window of imports
2022-04-13 17:35:30 +01:00
Sam Lord
865b77b115 Fixed verification trigger test
no issue
2022-02-04 12:03:59 +00:00
Sam Lord
bf9070f945 Add API verification trigger with new filter
no issue

Previous API verification trigger didn't work because the way filters work also changed. Re-implemented with a new filter.
2022-02-03 15:02:33 +00:00
Fabien 'egg' O'Carroll
96cd96a4f6 Removed API verification logic (#362)
no-issue

There is a bug in the event repository code where filters are not
correctly applied, this results in the api verification being extremely
trigger happy. For now we're removing the logic, with the plan to revert
this commit once the event repository is fixed.
2022-02-02 17:06:31 +02:00
Sam Lord
3c5cf21274 Added email verification trigger package
refs: https://github.com/TryGhost/Toolbox/issues/166

New package handles the email verification workflow to prevent spammers. It currently handles MembersSubscribeEvent to detect potential abuse of the API to add members, and exposes methods for checking the threshold / starting the verification process for use by other areas of the code (at the moment - just member imports).

The import package no longer needs to handle anything related to verification since it can be handled in the wrapper function in Ghost, and the API package doesn't need to do anything other than dispatch the new event.
2022-01-27 10:57:51 +00:00