e7378520a0
fixes https://github.com/TryGhost/Ghost/issues/14508

This change requires the frontend to send an explicit `emailType` when sending a magic link. We default to `subscribe` (`signin` for invite-only sites) for now to remain compatible with the existing behaviour.

**Problem:** When a member tries to log in and that member doesn't exist, we created a new member in the past.

- This caused the creation of duplicate accounts when members were guessing the email address they used.
- This caused the creation of new accounts when using an old impersonation token, login link or email change link that was sent before member deletion.

**Fixed:**

- Trying to log in with an email address that doesn't exist will throw an error now.
- Added new and separate rate limiting to login (to prevent user enumeration). This rate limiting has a higher default limit of 8. I think it needs a higher default limit (because it is rate limited on every call instead of per email address), and it should be configurable independent from administrator rate limiting. It also needs a lower lifetime value because it is never reset.
- Updated error responses in the `sendMagicLink` endpoint to use the default error encoding middleware.
- The type (`signin`, `signup`, `updateEmail` or `subscribe`) is now stored in the magic link. This is used to prevent signups with a sign in token.

**Notes:**

- Between tests, we truncate the database, but this is not enough for the rate limits to be truly reset. I had to add a method to the spam prevention service to reset all the instances between tests. Not resetting them caused random failures because every login in every test was hitting those spam prevention middlewares and somehow left a trace of that in those instances (even when the brute table is reset). Maybe those instances were doing some in-memory caching.
# Portal

Drop-in script to make the bulk of Ghost membership features work on any theme.
## Usage

Ghost automatically injects the Portal script on all sites running Ghost 4 or higher.

Alternatively, Portal can be enabled on non-Ghost pages directly by inserting the script below on the page.

```html
<script defer src="https://unpkg.com/@tryghost/portal@latest/umd/portal.min.js" data-ghost="https://mymemberssite.com"></script>
```

The `data-ghost` attribute expects the URL of your Ghost site, which is the only input Portal needs to work with your site's membership data via the Ghost APIs.
## Custom trigger button

By default, the script adds a floating trigger button at the bottom right of your page, which is used to open the popup on screen.

It's possible to add a custom trigger button of your own by adding the data attribute `data-portal` to any HTML tag on the page, and also to specify a particular page to open from it by giving the attribute a value, e.g. `data-portal=signup`.

The script also adds custom class names to this element for the open and close state of the popup, `gh-portal-open` and `gh-portal-close`, allowing developers to update its UI based on popup state.

Refer to the docs to read about the ways in which Portal can be customized for your site.
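The following page is an added example, not part of the Portal README, that wires together the pieces described above on a non-Ghost page: the drop-in script with its `data-ghost` site URL, a custom `data-portal` trigger that opens the signup page, a second bare `data-portal` trigger that opens the default page, and CSS keyed on the `gh-portal-open` / `gh-portal-close` classes Portal toggles on the trigger. `https://mymemberssite.com` is the placeholder site URL from the README; `X.Y.Z` in the unpkg URL is an assumed placeholder for a released package version (the Publish section notes that each release is reachable at `https://unpkg.com/@tryghost/portal@VERSION`), used here instead of `@latest` so that a page only picks up a new Portal build when its maintainer changes the pinned version.

```html
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="utf-8">
  <title>Members page (added example)</title>
  <!-- Drop-in Portal script. data-ghost is the only required input: the URL of the
       Ghost site whose membership data Portal reads and writes via the Ghost APIs.
       X.Y.Z is a placeholder: pin the released version you have tested rather than @latest. -->
  <script defer
          src="https://unpkg.com/@tryghost/portal@X.Y.Z/umd/portal.min.js"
          data-ghost="https://mymemberssite.com"></script>
  <style>
    /* Portal adds gh-portal-open to the trigger while the popup is visible and
       gh-portal-close once it is dismissed, so the trigger can reflect that state. */
    .join-button { padding: 0.5em 1em; cursor: pointer; }
    .join-button.gh-portal-open  { opacity: 0.5; pointer-events: none; }
    .join-button.gh-portal-close { opacity: 1; }
  </style>
</head>
<body>
  <!-- Custom trigger that opens Portal directly on the signup page. -->
  <button type="button" class="join-button" data-portal="signup">Join</button>

  <!-- A bare data-portal attribute (no value) also works and opens Portal's default page. -->
  <button type="button" class="join-button" data-portal>Account</button>
</body>
</html>
```

Because the script is loaded with `defer`, the trigger buttons can sit anywhere in the body; Portal attaches to every `data-portal` element once the document has parsed, and the default floating trigger described above is still added alongside the custom ones.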
## Basic Setup

This section is mostly relevant to the core team for active Portal development. Always use the unpkg link for testing/using the latest released Portal script.

- Run `yarn start:dev` to start Portal in development mode
- Open http://localhost:3000 to view it in the browser.
- To use the local Portal script in a local Ghost site
  - Update `config.local.json` in the Ghost repo to add a "portal" config pointing to the local dev server URL as instructed on the terminal.
  - By default, this uses port `5368` for loading the local Portal script on the Ghost site. It's also possible to specify a custom port when running the script using `--port=xxxx`.
## Available Scripts

In the project directory, you can also run:

### `yarn start`

Runs the app in development mode.
Open http://localhost:3000 to view it in the browser.

The page will reload if you make edits.
You will also see any lint errors in the console.

### `yarn build`

Creates the production single minified bundle for external use in `umd/portal.min.js`.

### `yarn test`

Launches the test runner in interactive watch mode.
See the section about running tests for more information.
## Publish

Run `yarn ship` to publish a new version of the script. `yarn ship` is an alias for `npm publish`:

- Builds the script with the latest code using `yarn build` (prePublish)
- Publishes the package on npm as `@tryghost/portal` and creates an unpkg link for the script at https://unpkg.com/@tryghost/portal@VERSION

(Core team only)
## Learn More

This project was bootstrapped with Create React App. You can learn more in the Create React App documentation.