Update #2
Merged
We want to use a randomly generated 64 byte secret for the hmac, and utf8 encoding isn't nice to work with for this, so we're going to use a base64 string and decode it into a buffer for the secret.
refs MOM-152 Adds `show_subhead` column to newsletter table. False by default.
Got some code for us? Awesome 🎊! Please include a description of your change & check your PR against this list, thanks!
- [ ] There's a clear use-case for this code change, explained below
- [ ] Commit message has a short title & references relevant issues
- [ ] The build will pass (run `yarn test:all` and `yarn lint`)
We appreciate your contribution!
---------
Co-authored-by: Ryan Feigenbaum <[email protected]>
ref https://linear.app/tryghost/issue/ENG-856
- SVGs were not previously sanitized and could contain scripts
REF MOM-146 - These styling changes are a general newsletter template improvement, and are also laying the groundwork for including a subhead in the newsletter header. Both the newsletter template as well as the newsletter preview in settings have been updated.
ref https://linear.app/tryghost/issue/SLO-128
- Sentry will record session replays when errors happen in Admin (Settings, Editor) to facilitate debugging
- The recorded sessions mask sensitive information (input fields, media items, content in the editor, metrics in the dashboard)
refs https://ghost.slack.com/archives/C06TQR9SHSM/p1716816764653789?thread_ts=1716795330.737919&cid=C06TQR9SHSM MOM-158
- adds a new `hasFeature` helper for adding content behind a flag within Email Templates.
- Usage: `{{#hasFeature 'flagname'}} <p>html behind flag</p> {{/hasFeature}}`
- Added additional testing for testing the helpers
refs MOM-152 MOM-148 MOM-151
- Added Subheads behind a flag + toggle in settings.
- Removes Excerpt fields from post settings if flag is enabled.
- Added subhead toggle in newsletter settings.
- Loads of styling
---------
Co-authored-by: Sanne de Vries <[email protected]>
REF MOM-146
- Added subhead to email template behind a flag and wired it up to the subhead newsletter setting.
REF MOM-119
- Split subhead feature flag into two: editorSubtitle and newsletterSubtitle
- Updated UI copy, feature flag names and class names from subhead to subtitle
closes https://linear.app/tryghost/issue/MOM-83
- added additional labs flag to allow internal testing prior to private beta release
- bumped Koenig packages containing support for @-link feature
no issue
- the signup flow tests check whether the benefits of the available tiers are rendering correctly. The test is based on a text match, which sometimes fails because of duplicate benefit descriptions
- this fix makes the benefit descriptions less likely to be the same, by using a timestamp in the randomisation function
#20288) … the editor REF MOM-167
REF MOM-168
- Updated the settings order to reflect the newsletter order
- Hid the subtitle setting if post title section is toggled off
REF MOM-147
- Updated newsletter preview in settings to match the newsletter template
- Updated spacing for a few edge-case newsletter template combinations
closes https://linear.app/tryghost/issue/MOM-172
- staff users with no posts won't have a front-end URL so it can be confusing for them to appear in the internal link search results within the editor
- added filtering for `/404/` in staff URLs so we don't list unlinkable staff members
no issue
When enabled the URL inputs in the link toolbar and bookmark card will search for posts, pages, authors, and tags, allowing for faster link creation and less interruption to workflow.
- moved internal linking feature from private to public beta
no issue
- added `name` prop to `<Toggle>` component that corresponds to the checkbox's `name` attribute
- updated `<FeatureToggle>` to set the `name` prop on its `<Toggle>` component to the feature flag that was passed in so all feature toggles get a useful name attribute without having to manually specify one
refs [ENG-1238](https://linear.app/tryghost/issue/ENG-1238/🔒-webhook-signatures-dont-include-timestamp-in-the-signature)
Added timestamp to the webhook signature hash to prevent replay attacks. This is a breaking change for webhook consumers as signature verification logic will need to be updated to account for the timestamp in the hash, for example:
```js
const crypto = require('crypto');

// Webhook secret from Ghost Admin
const WEBHOOK_SECRET = 'FOOBARBAZ';

// Sample incoming webhook request object
const req = {
    headers: {
        'x-ghost-signature': 'sha256=fc9749d5b3333109bd779f65d4b1b891576bc5c92febea3b1d186a7f946d0745, t=1719842984367'
    },
    body: {
        tag: {
            current: {
                id: '6682b8a8e10cc04306284330',
                name: 'test',
                slug: 'test',
                description: null,
                feature_image: null,
                visibility: 'public',
                og_image: null,
                og_title: null,
                og_description: null,
                twitter_image: null,
                twitter_title: null,
                twitter_description: null,
                meta_title: null,
                meta_description: null,
                codeinjection_head: null,
                codeinjection_foot: null,
                canonical_url: null,
                accent_color: null,
                created_at: '2024-07-01T14:09:44.000Z',
                updated_at: '2024-07-01T14:09:44.000Z',
                url: 'http://localhost:2368/404/'
            },
            previous: {}
        }
    }
};

// Get the request body as a JSON string
const reqBodyJSON = JSON.stringify(req.body);

// Extract the hash and timestamp from the x-ghost-signature header
const {sha256: hash, t: timestamp} = req.headers['x-ghost-signature']
    .split(', ')
    .map((x) => x.split('='))
    .reduce((acc, [key, value]) => ({...acc, [key]: value}), {});

// Recreate the hash using the secret, request body, and timestamp and compare it to the hash from the header
const isValid = crypto.createHmac('sha256', WEBHOOK_SECRET).update(`${reqBodyJSON}${timestamp}`).digest('hex') === hash;

if (isValid) {
    console.log('Valid signature!');
}
```
DES-27 Updated buttons in integrations from [Cancel] and [Save & close] to [Close] and [Save] to be consistent with the rest of the Settings UI.
fixes https://linear.app/tryghost/issue/ENG-1256
- when a member changes their email address, surface it in Member Activity
ref https://linear.app/tryghost/issue/ONC-111
- changed posts fetching/display behavior to be client-side instead of server-side
- admin will issue (potentially multiple) requests based on the desired status(es)
- updated admin acceptance test for missing coverage
I've pulled the sort from the database query as this triple sort performs very poorly at scale (taking ~4s+ past ~20k posts sometimes). Instead, we now split up the fetch to grab only one status at a time and use the front-end logic to handle displaying scheduled, then drafts, then published. This should result in a much more responsive view. We will separately change the default sort on the Admin API as that was the ultimate intent for this change.
… Docs (#20505) closes https://linear.app/tryghost/issue/ENG-1255
- updated Koenig packages including:
  - addition of `/preview` for public preview card
  - fix for HTML import from Google Docs
  - fix for embed thumbnails being cut off in email
  - fix for wide image card width on medium screens
  - multiple fixes for unhandled (but non user-visible) errors causing noise in console and error logging
fix https://linear.app/tryghost/issue/ENG-779/%F0%9F%90%9B-cmds-does-not-save-member-profile-changes
- previously, pressing Cmd+S on a member profile would save the profile, but the dirty attributes weren't being cleaned, so the application would trigger the leave confirmation when exiting
- now, we've fixed the code to keep a dynamic scratch member
- long term, we should get rid of the scratch model, but this still allows us to fix the bug for now
- the existing code creates a new moment instance, takes away some days and then formats the result
- this is run for every entry of the member attribution stats, which means dashboards for big sites with a lot of attribution data become slow
- this value doesn't change across each iteration of the filter, so we can just extract it out and calculate it once
- this commit removes this code block from the flamegraph completely
fixes https://linear.app/tryghost/issue/ENG-642
- When a subscription is in the `canceled` state the corresponding Member has no access to the Ghost site. The only time a Member whose subscription is due to cancel at the period end will continue to have access is if it is still in an active state, which is one of `active`, `trialing`, `unpaid` or `past_due`
- When a subscription is canceled immediately (i.e. before the end of the current billing period), we now render "Ended" without a date, because we don't store the cancellation date in the subscription object. We previously used "Ended {current_period_end}" which would sometimes lead to dates in the future
- Bonus: refactored code and added unit tests
---------
Co-authored-by: Sag <[email protected]>
ref https://linear.app/tryghost/issue/ONC-111 This reverts commit 3d9d552. This commit broke bulk post actions which we do not have tests for, so we will need to address that as well as add tests.
refs [ENG-709](https://linear.app/tryghost/issue/ENG-709/%F0%9F%90%9B-bad-redirects-causing-container-tear-down) Added validation to prevent RegExes susceptible to ReDoS from being used with custom redirects. Also moved error details out of `context` and into `errorDetails` to be consistent with error logging elsewhere, as well as to fix an issue in admin-x where a blank screen would be shown when an error occurred during redirects upload (due to logic not accounting for `context` being an object)
…ow be updated(#20518) fixes https://linear.app/tryghost/issue/ENG-447/🐛-urls-sent-in-emails-containing-a-percent-can-not-be-updated URLs were decoded before making a search query to the db. This is the reason the `%2F` character gets converted to `/`. This decoding is not required.
…rofile" This reverts commit 186c6f3.