Ghost Release: 1.0.0-alpha.9

TL;DR

Ghost 1.0.0-alpha.9: Major Database Architecture Changes

This ninth alpha release introduces significant architectural changes to Ghost's database structure, moving from auto-incrementing integer IDs to ObjectIDs for primary keys. This fundamental change improves database scalability and distribution capabilities while maintaining backward compatibility with existing systems. The release also includes improvements to the storage adapter API, fixes for brute force protection, and continued development of the new Ghost Editor.

This is a development-only release and should not be used in production environments.

Highlight of the Release

• Switched from auto-incrementing integer IDs to ObjectIDs for database primary keys
• Removed uuid columns from most tables/models (except Posts where it's still used for previews)
• Added a read method to local file storage adapter (breaking change for storage adapters)
• Fixed several issues with brute force protection middleware
• Improved URL consistency with new urlJoin implementation
• Simplified invites system by moving roles into a field on the invites table

Migration Guide

Storage Adapter Migration

If you've developed a custom storage adapter, you'll need to implement the new required read method:

// Example implementation for a custom storage adapter
read(options) {
  // options.path contains the path to the file
  return new Promise((resolve, reject) => {
    // Read the file and return its contents as a Buffer
    fs.readFile(options.path, (err, data) => {
      if (err) {
        return reject(err);
      }
      resolve(data);
    });
  });
}

ObjectID Migration

If you have custom code that interacts with Ghost's database:

1. Update any code that assumes numeric IDs to handle string ObjectIDs
2. Modify any ID validation to accept the new ObjectID format
3. Be aware that the special IDs 1 (owner) and 0 (external) are still supported in both string and numeric form
4. Remove any dependencies on the uuid field except for Posts where it's still used for previews

Invite System Changes

The invite system has been simplified by moving roles into a field on the invites table:

• If you were accessing invite.roles, you should now use invite.role_id instead
• The relationship between invites and roles has been removed

Upgrade Recommendations

This is an alpha release intended for development and testing only. Do not use this version in production environments.

For developers working with the alpha series:

1. Backup your development database before upgrading
2. Update any custom storage adapters to implement the new read method
3. Test thoroughly, especially if you have custom code that interacts with Ghost's database
4. Report any issues you encounter to the Ghost GitHub repository

For production sites, continue using the latest stable release (0.11.x) until Ghost 1.0.0 is officially released.

Bug Fixes

Brute Force Protection Fixes

• Schema Fix: Corrected the brute schema to use dateTime instead of timestamp type to avoid MySQL compatibility issues
• Error Handling: Fixed an issue where Ghost would hang if handleStoreError was called by ensuring errors are properly thrown
• Token Exchange: Fixed issue where token exchanges were logged with undefined email addresses causing lockouts
• Dependency Fix: Switched from git dependency to tarball for brute-knex to avoid requiring git during deployment

Permission Fixes

• Editor Invites: Fixed missing invite permissions for the Editor role
• Brute-knex Fixes: Resolved issues with database access in the constructor and error handling

Other Fixes

• URL Handling: Improved URL consistency by implementing urlJoin instead of string concatenation

New Features

Database Architecture Improvements

• ObjectID Implementation: Replaced auto-incrementing integer IDs with ObjectIDs for all database primary keys, improving scalability for distributed systems
• Base Model Enhancement: Added automatic ObjectID generation on the onCreating event for all models
• Centralized Attach Method: Implemented a cleaner approach for attaching models with proper ObjectID handling

Storage Adapter Enhancements

• Read Method: Added a new read method to the local file storage adapter that reads the bytes of a target image
• Breaking Change: All storage adapters now require implementation of the read method

Error Handling Improvements

• Error Inheritance: Improved error handling with better stack trace preservation
• String Error Support: Added support for handling string errors in options

Security Updates

Brute Force Protection

• Fixed issues with the brute force protection middleware that could potentially allow attackers to bypass rate limiting
• Improved error handling and logging for authentication attempts
• Enhanced token exchange security by fixing undefined email address issues that could cause lockouts

Database Security

• The switch to ObjectIDs provides better security by making IDs less predictable compared to sequential integers

Performance Improvements

Database Performance

• ObjectID Implementation: The switch to ObjectIDs provides better performance for distributed database systems and eliminates potential bottlenecks from sequential ID generation
• Optimized Schema: Removal of redundant uuid columns from most tables reduces database size and improves query performance

Dependency Updates

• Updated several dependencies to newer versions for better performance:
  • fs-extra to version 1.0.0
  • moment to version 2.16.0
  • lodash to version 4.17.2
  • archiver to version 1.2.0
  • ghost-editor to version 0.1.5

Impact Summary

Ghost 1.0.0-alpha.9 represents a significant architectural shift in how Ghost handles database identifiers, moving from auto-incrementing integers to ObjectIDs. This fundamental change improves scalability and distribution capabilities while maintaining backward compatibility with existing systems.

The most impactful changes are:

1. Database Architecture: The switch to ObjectIDs affects how data is stored and referenced throughout the system, providing better performance and scalability for distributed systems.

2. Storage Adapter API: The addition of a required read method to storage adapters is a breaking change that requires updates to any custom adapters.

3. Brute Force Protection: Multiple fixes to the brute force protection middleware improve security and stability.

4. Invite System Simplification: The restructuring of the invites table simplifies the data model and improves performance.

These changes lay important groundwork for Ghost 1.0.0's final release, focusing on architectural improvements that will benefit the platform's long-term scalability and maintainability. Developers should pay particular attention to the ID format changes and storage adapter requirements when testing with this alpha release.

Full Release Notes