[Feature] Password protected blogs #4993
One feature that is in high demand is an easy way to password protect the frontend of a blog. This could act as an under construction type page, or as a way to only circulate your content amongst a certain group of people.
The proposal is to provide a simple configuration option in the settings panel:
Note that the structure and labels here may change.
Once a password is filled out in the password box on this page, visiting any page of the blog should result in a temporary redirect to a new page served at
Entering the password into the box should provide access to the original page requested.
The password should only need to be entered once a month, so that users are free to browse around once they have entered the password.
The RSS feed and sitemap should probably simply return a 404 for these blogs?
The message field should probably accept HTML and/or markdown.
Ghost is all about solving problems for 90% of our users. This solves the use case which has been in high demand, and is currently only possible with advanced nginx configurations using HTTP basic auth, which is pretty ugly and requires you to self-host. This feature will likely get moved out to an app in future.
If you want to lock down specific pages, use the user accounts & permissions from the admin, build a paywall, exclude people by IP or any of the other more advanced versions of this sort of feature, you'll need to wait for apps ;)
@ErisDS I see that and it's a great feature. I just wanted to suggest two things which I most commonly see WordPress users ask for regarding this (with the notice that they have one-page password protection only in the CMS and ask for whole-page lockdown :) )
One question I do have initially: how would this be implemented in terms of session? The backend would need to return some sort of token most likely, and it would also need to handle expiration time. And I don't want to mess up the simple auth stuff by adding this to it...
Hi @acburdine, the simple auth package lives in the admin client, and is completely separate to the server part of Ghost which deals with the frontend of the blog, therefore this would need to be implemented completely separately, probably as middleware for express.
My recommended implementation would be to generate a token based on a hash of the current password (and maybe also the expiry date), and store that in a cookie. This could then be used to invalidate the user's session if the password in the admin panel is changed (or the expiry date has passed).
I have updated this issue with a couple more details where it used to say TBD, and raised a separate issue for the design aspects. As mentioned in IRC, the best thing to do is hide the feature behind a feature flag for the time being and implement it without style/design and the design can be layered over the top afterwards.
For more info on adding 'feature' flags (controlled by config.js or a checkbox in labs) this PR should help: https://github.com/TryGhost/Ghost/pull/4754/files.
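The cookie token recommended in the thread above (a value tied to the current password and an expiry date) is sketched below as an added example; it is not Ghost's code and not part of the original discussion. It assumes a server-side secret and uses an HMAC keyed from that secret and the stored password hash instead of a bare hash, so the cookie value cannot be used to guess the password offline; `issueToken`, `verifyToken`, `macKey` and `MONTH_MS` are hypothetical names.

```javascript
// Added example, not Ghost's implementation. All names are hypothetical.
const crypto = require('crypto');

const MONTH_MS = 30 * 24 * 60 * 60 * 1000; // "once a month" from the proposal

// Key the MAC with the server secret AND the stored password hash:
// changing the blog password changes the key, which voids every old cookie.
function macKey(serverSecret, passwordHash) {
  return crypto.createHmac('sha256', serverSecret).update(passwordHash).digest();
}

// Cookie value: "<expiry in ms>.<hex HMAC over the expiry>".
function issueToken(serverSecret, passwordHash, now = Date.now()) {
  const expires = String(now + MONTH_MS);
  const mac = crypto.createHmac('sha256', macKey(serverSecret, passwordHash))
    .update(expires).digest('hex');
  return `${expires}.${mac}`;
}

function verifyToken(token, serverSecret, passwordHash, now = Date.now()) {
  if (typeof token !== 'string') return false;
  const parts = token.split('.');
  if (parts.length !== 2 || !/^\d{1,16}$/.test(parts[0])) return false;
  const [expires, mac] = parts;
  const expected = crypto.createHmac('sha256', macKey(serverSecret, passwordHash))
    .update(expires).digest();
  const given = Buffer.from(mac, 'hex');
  // timingSafeEqual throws on unequal lengths, so reject those first.
  if (given.length !== expected.length) return false;
  if (!crypto.timingSafeEqual(given, expected)) return false;
  // The expiry is covered by the MAC, so it can be trusted only now.
  return Number(expires) > now;
}

// In an Express middleware the token would be sent with, for example:
//   res.cookie('blog-access', token, { httpOnly: true, sameSite: 'lax', maxAge: MONTH_MS });
// ('blog-access' is a constructed cookie name.)
```

Because the expiry is inside the MAC, a visitor cannot extend access by editing the cookie, and no server-side session store is needed.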