Ghost Release: 1.0.0-alpha.8

Pre Release

Tag Name: 1.0.0-alpha.8

Release Date: 11/8/2016

Ghost

Open-source publishing platform specifically designed for professional bloggers and publications. Focuses on clean, minimalist writing and publishing experience.

TL;DR

Ghost 1.0.0-alpha.8: Strengthening Authentication, Database Management, and Core Architecture

This eighth alpha release continues Ghost's progress toward version 1.0 with significant improvements to authentication security, database management, and internal architecture. Key updates include a new brute force protection middleware, enhanced Ghost Auth client registration, a switch to MySQL as the default database, and continued refinement of the user model. This release also introduces IPC messaging for better process management with Ghost-CLI and updates to the Ghost-Editor.

Not for production use - This is a development and testing release only.

Highlight of the Release

    • New brute force protection middleware for enhanced security
    • MySQL is now the default database engine instead of SQLite
    • Improved Ghost Auth client registration with better error handling
    • IPC messaging for better process management with Ghost-CLI
    • Enhanced knex-migrator integration with additional commands like 'reset'
    • Continued refactoring of the User model for cleaner architecture

Migration Guide

Database Changes

  • MySQL is now the default database engine instead of SQLite. If you're using SQLite in development, you may need to switch to MySQL or explicitly configure SQLite.

User Model Changes

  • Token logic has been removed from the User model. If you have custom code that relies on User model functions like validateToken, generateToken, or resetPassword, you'll need to update your code to use the new controlling unit approach.

Authentication Changes

  • If you're using custom authentication flows, be aware that the password reset and token validation logic has changed significantly. Review the new implementation in the controlling unit.

Settings Cache

  • The settings cache API has changed. Use the new methods to access cached settings instead of directly manipulating the cache object.

Upgrade Recommendations

As this is an alpha release (1.0.0-alpha.8), it is not recommended for production environments. This release is strictly for development and testing purposes only.

For developers and testers:

  • Update your development environment to use MySQL as the default database
  • Test thoroughly any custom code that interacts with user authentication, token validation, or password resets
  • If you're developing Ghost themes or extensions, test them against this alpha to ensure compatibility with the upcoming 1.0.0 release

For production sites, continue using the latest stable release (0.11.x) which is the current LTS version. More information about the LTS version and v1.0 plans can be found in the LTS blog post.

Bug Fixes

  • URL Mismatch Error: Fixed redirect_uri URL mismatch by using urlJoin to properly handle URL concatenation (#7663, closes #7656)
  • Post Deletion: Fixed an issue with deleting posts
  • Access Rules Plugin: Fixed description comment in access-rules plugin (changed Bookshelf.Model.force to Bookshelf.Model.forge) (#7665)
  • Spam Prevention: Fixed potential crash in spam prevention middleware when validation hadn't occurred
  • Authentication: Fixed Ghost Auth to handle email instead of email_address in responses

New Features

Enhanced Authentication Security

  • Brute Force Protection: Implemented new brute-express middleware with brute-knex adapter to store persisted data for spam prevention
  • Protection Coverage: Added brute force protection for password/token exchange, password resets, and private blogging access

Improved Database Management

  • Knex-migrator v2: Enhanced integration with additional commands like reset
  • Database Hooks: Added support for migration hooks

Ghost Auth Improvements

  • Enhanced Client Registration: Added support for blog_uri, client name, and description in Ghost Auth registration
  • Background Authentication: Auth initialization now runs in the background to avoid blocking the bootstrap process

Process Management

  • IPC Messaging: Added IPC messaging on Ghost startup success/error for better integration with Ghost-CLI

Settings Management

  • Settings Cache: Made settings cache available throughout the application with improved API
  • Client Registration: Now uses blog title and description from settings cache for Ghost Auth registration

Security Updates

  • Brute Force Protection: Replaced memory-based spam prevention with brute-express middleware using brute-knex adapter for persistent storage
  • Password Reset Security: Enhanced security for password reset flows with improved token validation
  • Authentication Security: Strengthened security measures in the authentication process with better error handling and validation
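
Why the move from memory-based counters to persistent storage matters, as an added example that is not Ghost's code: a failed-attempt counter held in process memory is lost on every restart, while one kept outside the process is not. `AttemptLimiter`, `MemoryStore` and `TableStore` are hypothetical names, and the `Map` passed to `TableStore` stands in for a database table.

```javascript
// Added illustration, not Ghost's code. AttemptLimiter, MemoryStore and
// TableStore are hypothetical names; `table` stands in for a database table.
class MemoryStore {
  constructor() { this.rows = new Map(); }      // lives and dies with the process
  get(key) { return this.rows.get(key); }
  set(key, rec) { this.rows.set(key, rec); }
}

class TableStore {
  constructor(table) { this.table = table; }    // state held outside the process
  get(key) {
    const raw = this.table.get(key);
    return raw ? JSON.parse(raw) : undefined;
  }
  set(key, rec) { this.table.set(key, JSON.stringify(rec)); }
}

class AttemptLimiter {
  constructor(store, { freeRetries = 3, windowMs = 60 * 60 * 1000 } = {}) {
    this.store = store;
    this.freeRetries = freeRetries;
    this.windowMs = windowMs;
  }
  // Records one attempt for `key`; returns true if it is within the budget.
  attempt(key, now) {
    let rec = this.store.get(key);
    // Start a fresh window when there is no record or the old one has expired.
    if (!rec || now - rec.first >= this.windowMs) rec = { first: now, count: 0 };
    rec.count += 1;
    this.store.set(key, rec);
    return rec.count <= this.freeRetries;
  }
}

// Spend the whole budget, "restart" (new limiter and store object), try again.
function allowedAfterRestart(makeStore, gapMs = 1000) {
  const key = '203.0.113.7|password-reset';     // constructed sample key
  const t0 = 1478563200000;                     // constructed timestamp (ms)
  let limiter = new AttemptLimiter(makeStore());
  for (let i = 0; i < 3; i++) limiter.attempt(key, t0 + i);
  limiter = new AttemptLimiter(makeStore());    // process restarted
  return limiter.attempt(key, t0 + gapMs);
}

const table = new Map();                        // survives the simulated restart
console.log(allowedAfterRestart(() => new MemoryStore()));     // counter lost
console.log(allowedAfterRestart(() => new TableStore(table))); // counter kept
```
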

Performance Improvements

  • Background Authentication: Auth initialization now runs in the background, preventing blocking of the bootstrap process
  • Settings Cache: Improved settings cache implementation for more efficient access to settings data
  • Token Logic: Refactored token logic out of the User model for better separation of concerns and improved maintainability

Impact Summary

Ghost 1.0.0-alpha.8 represents a significant step forward in the platform's security, architecture, and developer experience. The introduction of brute force protection enhances security across authentication flows, while the switch to MySQL as the default database aligns with Ghost-CLI's recommended system stack.

The refactoring of the User model and token logic improves code maintainability and separation of concerns, setting the stage for a more modular and extensible authentication system. The enhanced knex-migrator integration provides developers with more powerful database management tools.

For Ghost-CLI users, the new IPC messaging system enables better process management and status reporting. Content creators benefit from bug fixes related to post deletion and improvements to the Ghost-Editor.

This alpha release continues to build toward a more secure, maintainable, and developer-friendly Ghost 1.0.0, though it remains unsuitable for production environments at this stage.

Full Release Notes

This is the eighth of a series of weekly alpha builds we'll be releasing as we work towards Ghost 1.0.0.

This release is strictly for development and testing only, and must not be used for production blogs.

This alpha contains:

  • swap sqlite3 & mysql dependencies
  • fix issues for Ghost.org client registration
  • we added a brand new brute force middleware unit
  • second integration of knex-migrator into Ghost
  • you can now use more commands of knex-migrator e.g. reset
  • more clean up of our User model
  • we pushed a fix for deleting a post
  • more updates on the new Ghost-Editor

You can read more about our plans for Ghost v1.0 and the v0.11 LTS version in the lts blog post. There's also more information on the alpha page.

You can see the full change log for the details of every change included in this release.

Statistics:

  • Files Changed: 54
  • Line Additions: 1,191
  • Line Deletions: 936
  • Line Changes: 2,127
  • Total Commits: 18

User Affected:

  • New brute force protection middleware for enhanced security
  • MySQL is now the default database (previously SQLite)
  • Improved knex-migrator integration with additional commands
  • IPC messaging support for better integration with Ghost-CLI
  • Refactored token logic and user model

Contributors:

  • cvibhagool
  • aileen
  • greenkeeperio-bot
  • kirrg001
  • acburdine
  • cobbspur