Ghost: RSS feeds for private blogs

Created on 12 Sep 2017  路  9Comments  路  Source: TryGhost/Ghost

At the moment, private blogs serve an RSS feed at /rss/. This only works if you already logged in
such that your browser provides a cookie, and is basically useless for anything RSS might be used for 馃榿 .

Meanwhile, we've seen a few times that even though a site is private, the RSS feed would still be useful to have in some capacity. People with access to the site may wish to subscribe, and the feed is useful for setting up email news letters using things like MailChimp's RSS-to-email feature.

Problem: we want to provide an RSS feed, but keep it private. That means that we can't include the passphrase in the url, or use HTTP basic auth, etc.

Solution: to work around this, we will instead expose the RSS feed on a private, unguessable URL e.g. blogdomain.com/<unguessable string>/rss/.

Some requirements:

  • The string used should be:

    • an unguessable set of characters

    • stored in the settings table along with other private blogging info

    • The old blogdomain.com/rss/URL should cease to exist on private blogs (e.g. require auth and THEN 404).

    • The new private rss route should not require the passphrase.

    • The private blogging UI in the admin needs to be updated to display the URL:

Some small things to think about:

  • Does it makes sense to also use the same pattern for our tag rss feeds? e.g. blogdomain.com/tag/tag-name/<unguessable string>/rss/ or blogdomain.com/<unguessable string>/tag/tag-name/rss/.
  • Do we need a way to force regenerate the string? (I think no to start, can be manually changed in the DB if needed, if we get requests, add this feature later).
  • Bonus: can we disable the generation of sitemaps for private blogs?

Extra background info

Previously, when you enabled private blogging, the sitemap & rss feed were set to 404. We recently realised this can expose some information about your blog (because themes can pull data into the 404 template) and changed it so that these redirect to the passphrase screen, as every other part of the site does (Raised in #8990, fixed in #8999).

The original intention of the private blogging feature was that RSS and sitemaps should be fully disabled for private blogs, as they create unnecessary overhead. Sitemaps in particular, never need to be generated, as the site is not going to be indexed.

  • [x] use settings cache in private blogging app (https://github.com/TryGhost/Ghost/pull/9086)
  • [x] 404 for all rss page if private blogging is enabled and session is authenticated
  • [x] add a new random public hash to the settings table
  • [x] show hash in the admin UI
  • [x] be able to serve the rss feed via a public hashed url (for the main rss url for now)
  • [x] delegate docs update for help.ghost.org
feature server / core
Source
picture ErisDS

Most helpful comment

@nuclearpengy We don't have a concept of users for the content part of the site - so there cannot be a user-specific token at this time.

@jomahoney let us know if there are any problems getting this implemented 馃槉

picture ErisDS on 19 Sep 2017
👍3

All 9 comments

If you're happy to have the <unguessable string> as a product of something like 

crypto.randomBytes(20, function(err, buf) {
  var unguessable = buf.toString('hex');
  . . .
});

then I'm sure I could achieve this.

jxhn picture jxhn on 15 Sep 2017

@jomahoney Thanks for your interest.

There are many ways to generate an unguessable string. I think if private blogging is enabled, the requirements for the string are:

  • contains uppercase/lowercase letters
  • contains numbers
  • is minimum 12 characters

We have a utility which generates a random string (in core/server/utils/index e.g. utils.uid(12)), which you could use.

See also http://password-checker.online-domain-tools.com/.

If you have any questions, let us know. Don't hesitate to ask :)

kirrg001 picture kirrg001 on 15 Sep 2017

Ah cool - sounds even more achievable then. I was just lifting the above from something else I wrote.

Happy to take this on then.

jxhn picture jxhn on 15 Sep 2017
👍1

I just noticed something on Bitbucket and thought I'd mention the concept here.

What about having. /rss?token=$randomstring

The idea being that the token is generated per user so that a user's token can be invalidated and as a result not have access to the feed anymore.

nuclearpengy picture nuclearpengy on 19 Sep 2017

@nuclearpengy We don't have a concept of users for the content part of the site - so there cannot be a user-specific token at this time.

@jomahoney let us know if there are any problems getting this implemented 馃槉

ErisDS picture ErisDS on 19 Sep 2017
👍3

@jomahoney Hey. Do you have any update? The Ghost team would like to take this feature over if it's not finished till next Monday. Just wanted to let you know 馃檭

kirrg001 picture kirrg001 on 27 Sep 2017

@kirrg001 No update unfortunately. Got crazy busy with work so haven't had the time. Could certainly spend time at the weekend implementing but feel free to take over

jxhn picture jxhn on 27 Sep 2017
👍1

@ErisDS Do you want me to raise an issue for

Bonus: can we disable the generation of sitemaps for private blogs?

kirrg001 picture kirrg001 on 5 Oct 2017

I have this on a separate todo as part of a general revisit of sitemaps, so will add it to that issue when I raise it.

ErisDS picture ErisDS on 5 Oct 2017
Was this page helpful?
0 / 5 - 0 ratings

Related issues

kevinansfield picture kevinansfield  路  3Comments
kirrg001 picture kirrg001  路  3Comments
ghost picture ghost  路  3Comments
hjzheng picture hjzheng  路  4Comments
marcuspoehls picture marcuspoehls  路  4Comments