Ghost Release: 3.17.0

Tag Name: 3.17.0

Release Date: 5/26/2020

Ghost

Open-source publishing platform specifically designed for professional bloggers and publications. Focuses on clean, minimalist writing and publishing experience.

TL;DR

Ghost 3.17.0 introduces a new Admin API endpoint for member statistics, enhances member management capabilities, and improves accessibility. This release focuses on empowering site owners with better tools to understand their membership growth while also addressing security and usability concerns with password reset emails. The update includes several code refactoring improvements and dependency updates that enhance the overall stability of the platform.

Highlights of the Release

    • New Admin API endpoint for basic member statistics with date range filtering
    • Added member update endpoint with session authentication
    • Fixed password reset emails to show full URLs instead of truncated links
    • Improved accessibility by removing incorrect ARIA roles from navigation template
    • Extensive code refactoring to use destructuring for common lib imports

Migration Guide

No breaking changes have been introduced in this release that would require migration steps. The updates are backward compatible and should work seamlessly with existing Ghost installations.

If you're developing custom integrations with the Members API, note that there are new endpoints available for member statistics and profile updates that you may want to leverage in your applications.

Upgrade Recommendations

This release is recommended for all Ghost users, especially those who:

  1. Use the Members feature and want improved analytics capabilities
  2. Care about accessibility compliance
  3. Want to provide better self-service options for their members

The upgrade process follows the standard Ghost update procedure and should be straightforward with no breaking changes to be concerned about.

Bug Fixes

Fixed Password Reset Email URLs

Password reset emails now show the full URL instead of a truncated link. This important fix addresses both security and usability concerns, as users can now properly see where the link leads and can copy/paste the URL if needed.

Removed Incorrect Accessibility Roles

Incorrect ARIA roles have been removed from the navigation template. These roles were hiding actual links from accessibility aids and were not appropriate in this context. This fix improves the experience for users of screen readers and other assistive technologies.

Fixed Stripe Webhook Processing

Removed global bodyParser middleware for the members app and added it only to specific endpoints. This resolves an issue with Stripe webhook processing, as Stripe expects raw data to be passed down to the /webhooks endpoint rather than parsed JSON.
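
Stripe signs each webhook over the exact request bytes (HMAC-SHA256 of the timestamp, a dot, and the payload, carried in the Stripe-Signature header), so a body that has already been parsed into an object can no longer be verified. The following is an added example, not Ghost's code: a Node.js verifier using only the standard library, with a constructed secret, payload and timestamp and an assumed 300-second tolerance, showing the raw body verifying and its re-serialised form failing.

```javascript
// Added example: the secret, payload and timestamp below are constructed for illustration.
const { createHmac, timingSafeEqual } = require('node:crypto');

const ENDPOINT_SECRET = 'whsec_constructed_example_secret'; // constructed value
const TOLERANCE_SECONDS = 300; // assumed replay window

// HMAC-SHA256 over "<timestamp>.<raw body>", hex encoded.
function sign(rawBody, timestamp, secret) {
    return createHmac('sha256', secret).update(`${timestamp}.`).update(rawBody).digest('hex');
}

// Parse "t=...,v1=...,v1=..." into a timestamp and candidate signatures.
function parseHeader(header) {
    const parsed = { t: null, v1: [] };
    for (const part of String(header).split(',')) {
        const idx = part.indexOf('=');
        if (idx === -1) continue;
        const key = part.slice(0, idx).trim();
        const value = part.slice(idx + 1).trim();
        if (key === 't') parsed.t = value;
        if (key === 'v1') parsed.v1.push(value);
    }
    return parsed;
}

// Returns true only if a v1 signature matches the exact bytes received.
function verifyWebhook(rawBody, header, secret, nowSeconds) {
    const { t, v1 } = parseHeader(header);
    if (!/^\d+$/.test(t || '') || v1.length === 0) return false;
    if (Math.abs(nowSeconds - Number(t)) > TOLERANCE_SECONDS) return false; // stale or replayed
    const expected = Buffer.from(sign(rawBody, t, secret), 'hex');
    return v1.some((candidate) => {
        const given = Buffer.from(candidate, 'hex');
        return given.length === expected.length && timingSafeEqual(given, expected);
    });
}

// Constructed event body exactly as the sender serialised it (note the spacing).
const rawBody = Buffer.from('{"id": "evt_example", "type": "invoice.paid"}');
const now = 1590451200;
const header = `t=${now},v1=${sign(rawBody, now, ENDPOINT_SECRET)}`;

// What a global JSON body parser leaves behind: an object, re-serialised with different bytes.
const reserialised = Buffer.from(JSON.stringify(JSON.parse(rawBody.toString('utf8'))));

console.log('raw body verifies:', verifyWebhook(rawBody, header, ENDPOINT_SECRET, now));
console.log('re-serialised body verifies:', verifyWebhook(reserialised, header, ENDPOINT_SECRET, now));
```

A webhook route that rejects every event after a body-parsing change is the symptom to look for; the check itself should fail closed, as it does here for a missing timestamp or signature.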

New Features

Member Statistics API Endpoint

A new Admin API endpoint has been added that provides basic member statistics. This moves the generation of member stats for admin graphs from the client to the server, improving performance and reliability. The endpoint outputs totals across requested date ranges (30, 90, 365 days, or all time) and is optimized for performance even with large datasets.

Example request:

GET /ghost/api/canary/members/stats/?days=30

Example response:

{
    "total": 100000,
    "total_in_range": 20000,
    "total_on_date": {
        "2020-04-25": 19000,
        "2020-04-26": 19500,
        // continues until today's date
    },
    "new_today": 200
}

Member Update Endpoint with Session Authentication

Members can now update their profile information when logged in with a valid session. This includes:

  • Updating name
  • Changing email address
  • Managing newsletter subscription status

The implementation includes:

  • New utility method for formatted member responses
  • Common middlewares for body/bool parsing and maintenance
  • Addition of subscribed status to member responses

Label Filter for Members

Added support for filtering members by label in the Admin API. This includes:

  • Updated filter plugin with appropriate label relationship
  • Configuration for NQL replacements
  • Enhanced member and label fixture data for testing

Security Updates

Enhanced Password Reset Security

Password reset emails now show the full URL instead of a truncated link. This lets users verify the destination of a password reset link before clicking, reducing the risk of phishing attacks that might exploit users' inability to see the full URL.

Performance Improvements

Optimized Member Statistics Queries

The new member statistics API endpoint has been optimized to handle large datasets efficiently. Testing with 100,000 members showed query performance under 100ms, ensuring that even sites with large member bases can quickly retrieve analytics data.

Improved Code Structure

Extensive refactoring of the codebase to use destructuring for common library imports has improved code readability and potentially reduced memory usage. This modernization of the codebase affects multiple areas including:

  • Core frontend apps and services
  • Server adapters and data handling
  • Models and API layers
  • Test infrastructure

Impact Summary

Ghost 3.17.0 significantly enhances the Members feature with new API endpoints for statistics and profile management. Site administrators gain valuable insights through the new statistics endpoint, which provides member growth data across different time periods. Members benefit from improved self-service capabilities, allowing them to update their profiles and subscription preferences.

The accessibility improvements make Ghost more inclusive by fixing navigation template issues that previously affected screen reader users. Security and usability are enhanced with the fix to password reset emails, ensuring users can see and copy the full reset URL.

Behind the scenes, extensive code refactoring improves maintainability and sets the foundation for future development. The targeted middleware approach for body parsing resolves issues with Stripe webhook processing.

Overall, this release strengthens Ghost's capabilities as a membership platform while addressing important usability, security, and accessibility concerns.

Full Release Notes

  • ✨ Added Admin API endpoint for basic member stats (#11840) - Kevin Ansfield
  • 🐛 Removed incorrect a11y roles from navigation template (#11833) - Marco Zehe

See the changelogs for Ghost and Ghost-Admin for the details of every change in this release.

Statistics:

Files Changed: 268
Line Additions: 2,497
Line Deletions: 1,801
Line Changes: 4,298
Total Commits: 25

Users Affected:

  • Access to new member statistics API endpoint for better analytics
  • Improved member management capabilities through new update endpoint
  • Enhanced security with full URL display in password reset emails

Contributors:

peterzimon, rshbhgrg, renovate-bot, allouis, kevinansfield, MarcoZehe, vikaspotluri123, daniellockyer