Sign-in changes are afoot
Changes to the members API may break your stuff! Here are some details.
Below are some rough notes on changes to the members API. If you're interacting with it programmatically (rather than only through native Ghost), here are some things to look out for!
Item #1: Integrity tokens are now required for getting a magic link
This change went in weeks ago, without fanfare. Requiring integrity tokens is a good idea, and it might help reduce spam sent via the magic link endpoint.
However, if you were calling the magic link endpoint yourself, you may need to update your code: Ghost now rejects requests to this endpoint that don't include an integrityToken. The token is fetched from a separate endpoint first and then passed in the body of the send-magic-link request.
What works
    // GHOST_FRONTEND_DOMAIN, USER_EMAIL and `target` (the element that shows
    // status to the user) are set elsewhere on the page.

    // get an integrity token from the server
    let result = await fetch(GHOST_FRONTEND_DOMAIN + '/members/api/integrity-token/', {
        method: 'GET',
        headers: {
            'app-pragma': 'no-cache',
            'x-ghost-version': '5.98'
        }
    });
    // the token request can fail too (rate limiting, site misconfiguration), so check it
    if (!result.ok) {
        throw new Error('Could not fetch integrity token: HTTP ' + result.status);
    }
    let integrityToken = await result.text();

    // NOW get a magic link, passing the token along in the body
    let response = await fetch(GHOST_FRONTEND_DOMAIN + '/members/api/send-magic-link', {
        method: 'POST',
        headers: {
            'Content-Type': 'application/json'
        },
        body: JSON.stringify({
            email: USER_EMAIL,
            emailType: 'signin',
            integrityToken: integrityToken
        })
    });

    // Ghost answers 201 when the email has been queued
    if (response.status === 201) {
        target.innerText = 'Now check your email and click the link we sent you.';
    } else {
        // error bodies are normally JSON with an `errors` array, but don't crash if not
        let json = await response.json().catch(() => ({}));
        if (json.errors) {
            target.innerText = json.errors[0].message;
        } else {
            target.innerText = 'An error occurred. Please try again later.';
        }
    }
Item #2: members/signin_urls endpoint updated
This endpoint now accepts API key authentication. No more faking a Ghost staff cookie to get logged in just to fetch a member's signin URL!
This is work that I did a couple weeks ago:
This should open up opportunities to do more third-party integrations with Ghost memberships. I'll be switching SSO for Ghost over.
Item #3: Upcoming 2FA changes
GitHub-gazing at the Ghost repo shows that 2FA is coming for staff users. (No, I don't know when.) This is a much-wanted feature. BUT... it's going to break any integration that currently does staff authentication via cookie, because a username and password alone will no longer get a session. The Ghost team was kind enough to warn me that it was coming, which is why item #2 happened.
If you have an integration using cookie authentication (instead of the 'right way', an API key), you'll need to switch over. If you can't switch over because the endpoint doesn't take an API key, that'll need a PR. My signin_urls PR above might be a good starting point.