fixes https://github.com/TryGhost/Product/issues/3738https://www.notion.so/ghost/Member-Session-Invalidation-13254316f2244c34bcbc65c101eb5cc4
- Adds the transient_id column to the members table. This defaults to
email, to keep it backwards compatible (not logging out all existing
sessions)
- Instead of using the email in the cookies, we now use the transient_id
- Updating the transient_id means invalidating all sessions of a member
- Adds an endpoint to the admin api to log out a member from all devices
- Added the `all` body property to the DELETE session endpoint in the
members API. Setting it to true will sign a member out from all devices.
- Adds a UI button in Admin to sign a member out from all devices
- Portal 'sign out of all devices' will not be added for now
Related changes (added because these areas were affected by the code
changes):
- Adds a serializer to member events / activity feed endpoints - all
member fields were returned here, so the transient_id would also be
returned - which is not needed and bloats the API response size
(`transient_id` is not a secret because the cookies are signed)
- Removed `loadMemberSession` from public settings browse (not used
anymore + bad pattern)
Performance tests on site with 50.000 members (on Macbook M1 Pro):
- Migrate: 6s (adding column 4s, setting to email is 1s, dropping
nullable: 1s)
- Rollback: 2s
refs https://github.com/TryGhost/DevOps/issues/104
- `info` is very verbose as it prints all files and their sizes
- we often don't care about this, so we can do away with `info` in favor
of `warn`
refs https://vitejs.dev/config/build-options.html#build-reportcompressedsize
- this should make building a little bit quicker because it doesn't have
to calculate the gzip size (I don't think we're likely to hit this
because we don't have large projects, but it's still nice to clean up
the output)
refs https://ghost.slack.com/archives/C02G9E68C/p1699391515110759
When the unsubscribe page first showed, member is set to `undefined`. This cause the normal NewsletterManagement page to be visible, but with the wrong settings. This caused the switches to quickly change between on/off state, making it look like some setting was changed when it was not.
To fix this, I added a loading page to the unsubscribe page.
Apart from this, the current error page now will get shown correctly when the uuid in the url is invalid. And the toast message on the top will be hidden if the newsletter uuid in the url is missing or invalid.
fixes https://github.com/TryGhost/Product/issues/4005
We no longer use the 'reason' of a recommendation, but allow a flexible
description instead. Because this is a breaking change in the API, we do
this before making this feature GA.
- Added new database utils for renaming a column
- Added new migration to rename the column
- Updated all references in code
no issue
- During the one click subscribe flow, the outboundLinkTagging should
affect whether we send a history or not to the signup endpoint. But for
internal history this is the members_track_sources setting. This happens
in the backend normally.
- Do not send a (constructed) history to external sites (= one click
subscribe flow in recommendations) if outboundLinkTagging is false
- Do always send a history internally for local signups (backend handles
whether to store it based on the members_track_sources setting that is
currently not exposed in the frontend). The history is not built if this
setting is disabled, but we could have an old history entry if this
setting was enabled in the past.
refs https://github.com/TryGhost/Product/issues/3963
The subscription status text was incorrect when a subscription was
comped and a member had multiple subscriptions (i.e a cancelled sub and
a comped sub). This was because the methods used to determine the status
of a subscription only took into account the status of the first
subscription associated with a member.
no issue
- Do not set ?ref in recommendations if analytics is disabled
- Do not send url_history if analytics is disabled
- Expose outboundLinkTagging as a public setting
no refs
When `data-members-newsletter` was used with checkboxes, if no
checkboxes were selected then the backend would subscribe the member to
the default newsletters which is not what we want - We want to subscribe
the members only to the newsletters they have selected
