Ghost Release: 3.34.0

TL;DR

Ghost 3.34.0 introduces Stripe promo code support, improved magic link authentication with single-use tokens, better error messaging for password resets, and various bug fixes. This release enhances the membership experience with more secure authentication flows and developer-focused improvements to the codebase structure.

Highlight of the Release

• Added support for Stripe promo codes in membership configuration
• Implemented single-use tokens for more secure magic links with 4-hour expiry
• Improved error messaging for password reset process
• Added new Portal config flag for conditional enabling
• Fixed members chart missing start date issue

Migration Guide

No breaking changes have been introduced in this release that would require migration steps. The new features like Stripe promo codes and Portal configuration are opt-in and backward compatible.

If you're a developer working with the codebase:

1. Note that the ordering functionality has been extracted into a separate bookshelf plugin
2. Magic link authentication now uses single-use tokens with a 4-hour expiry
3. The new Portal config flag can be used to conditionally enable Portal features

Upgrade Recommendations

This is a recommended upgrade for all Ghost users. The release includes important security enhancements for magic links, bug fixes for the admin interface, and new features like Stripe promo code support.

There are no breaking changes, making this a safe upgrade for all installations. The update process follows the standard Ghost upgrade procedure.

Bug Fixes

Password Reset Process

• Improved error messaging around password reset tokens
• Added detection for when password tokens have invalid structure, have expired, or have already been used
• Fixed failing regression tests related to password reset functionality

Email and Ownership Verification

• Updated ownership verification email flow to use a different From address to prevent emails being flagged as spam
• When verifying an email that's the same as the site's noreply address, the system now uses a slightly different address format to bypass same-address restrictions

UI and Admin Experience

• Fixed missing start date in members chart
• Fixed Ctrl/Cmd+S triggering browser save when tags or authors input has focus
• Removed unmatched closing span tag on AMP pages
• Updated button copy for logged-in free members on default content CTA
• Added blog domain for default support address in members site data

New Features

Stripe Promo Codes Support

Ghost now supports Stripe promo codes in the membership configuration, allowing site owners to offer discounts on memberships. This feature can be configured through the site's configuration settings.

Single-Use Token System

A new tokens table and SingleUseToken model have been added to improve security for magic links:

• Tokens are now 192 bits (32 characters) for enhanced security
• Magic links now expire after 4 hours
• Tokens are single-use and automatically destroyed after being read

Portal Configuration Flag

A new Portal config flag has been added that allows conditionally enabling the Portal feature through configuration. This provides more flexibility for developers and site owners to control when Portal is available. The flag currently defaults to false as Portal is still considered a beta feature.

Security Updates

Enhanced Authentication Security

• Implemented single-use tokens for magic links with a 4-hour expiry period
• Increased token length to 192 bits (32 characters) for better security
• Updated the token system to automatically destroy tokens after they've been used once
• Improved the ownership verification email flow to prevent emails from being flagged as spam by email clients

Performance Improvements

Code Organization and Performance

• Extracted ordering functionality into a separate bookshelf plugin for better code organization and maintainability
• Introduced separate orderAttributes function which returns only fields that are orderable
• Corrected data generator fixture with posts_meta fields
• Fixed posts_meta relation in test fixtures
• Removed unused messages from i18n file to keep the codebase tidy

Impact Summary

Ghost 3.34.0 enhances the membership and authentication experience with Stripe promo code support and more secure magic links. Site owners gain more control over the Portal feature with a new configuration flag, while developers benefit from improved code organization through the extraction of ordering functionality into a separate bookshelf plugin.

The security improvements to magic links—making them single-use with a 4-hour expiry—strengthen the authentication system without disrupting the user experience. Error messaging for password resets has been clarified, helping members troubleshoot authentication issues more effectively.

Several quality-of-life fixes improve the admin experience, including fixes for the members chart and keyboard shortcuts when editing content. Overall, this release balances new features with important refinements to existing functionality.

Full Release Notes