RSS feeds for private blogs #9001

Closed
6 tasks done
ErisDS opened this issue Sep 12, 2017 · 9 comments
Labels: feature [triage] (New features we're planning or working on), server / core (Issues relating to the server or core of Ghost)

Comments

@ErisDS
Member

ErisDS commented Sep 12, 2017

At the moment, private blogs serve an RSS feed at /rss/. This only works if you are already logged in
such that your browser provides a cookie, and is basically useless for anything RSS might be used for 😁 .

Meanwhile, we've seen a few times that even though a site is private, the RSS feed would still be useful to have in some capacity. People with access to the site may wish to subscribe, and the feed is useful for setting up email news letters using things like MailChimp's RSS-to-email feature.

Problem: we want to provide an RSS feed, but keep it private. That means that we can't include the passphrase in the url, or use HTTP basic auth, etc.

Solution: to work around this, we will instead expose the RSS feed on a private, unguessable URL e.g. blogdomain.com/<unguessable string>/rss/.

Some requirements:

  • The string used should be:
    • an unguessable set of characters
    • stored in the settings table along with other private blogging info
  • The old blogdomain.com/rss/ URL should cease to exist on private blogs (e.g. require auth and THEN 404).
  • The new private rss route should not require the passphrase.
  • The private blogging UI in the admin needs to be updated to display the URL.

Some small things to think about:

  • Does it make sense to also use the same pattern for our tag rss feeds? e.g. blogdomain.com/tag/tag-name/<unguessable string>/rss/ or blogdomain.com/<unguessable string>/tag/tag-name/rss/.
  • Do we need a way to force regenerate the string? (I think no to start, can be manually changed in the DB if needed, if we get requests, add this feature later).
  • Bonus: can we disable the generation of sitemaps for private blogs?

Extra background info

Previously, when you enabled private blogging, the sitemap & rss feed were set to 404. We recently realised this can expose some information about your blog (because themes can pull data into the 404 template) and changed it so that these redirect to the passphrase screen, as every other part of the site does (Raised in #8990, fixed in #8999).

The original intention of the private blogging feature was that RSS and sitemaps should be fully disabled for private blogs, as they create unnecessary overhead. Sitemaps in particular, never need to be generated, as the site is not going to be indexed.

  • use settings cache in private blogging app (Refactored private blogging app: use settings cache #9086)
  • 404 for all rss page if private blogging is enabled and session is authenticated
  • add a new random public hash to the settings table
  • show hash in the admin UI
  • be able to serve the rss feed via a public hashed url (for the main rss url for now)
  • delegate docs update for help.ghost.org
@ErisDS ErisDS added feature [triage] New features we're planning or working on server / core Issues relating to the server or core of Ghost labels Sep 12, 2017
@jxhn
Contributor

jxhn commented Sep 15, 2017

If you're happy to have the <unguessable string> as a product of something like

var crypto = require('crypto');

crypto.randomBytes(20, function(err, buf) {
  if (err) { throw err; }                 // CSPRNG failure: do not fall back to anything weaker
  var unguessable = buf.toString('hex');  // 20 random bytes -> 40 hex characters
  // . . .
});

then I'm sure I could achieve this.

@kirrg001
Contributor

@jomahoney Thanks for your interest.

There are many ways to generate an unguessable string. I think if private blogging is enabled, the requirements for the string are:

  • contains uppercase/lowercase letters
  • contains numbers
  • is minimum 12 characters

We have a utility which generates a random string (in core/server/utils/index e.g. utils.uid(12)), which you could use.

See also http://password-checker.online-domain-tools.com/.

If you have any questions, let us know. Don't hesitate to ask :)

@jxhn
Contributor

jxhn commented Sep 15, 2017

Ah cool - sounds even more achievable then. I was just lifting the above from something else I wrote.

Happy to take this on then.

@nuclearpengy

I just noticed something on Bitbucket and thought I'd mention the concept here.

What about having /rss?token=$randomstring

The idea being that the token is generated per user so that a user's token can be invalidated and as a result not have access to the feed anymore.

@ErisDS
Member Author

ErisDS commented Sep 19, 2017

@nuclearpengy We don't have a concept of users for the content part of the site - so there cannot be a user-specific token at this time.

@jomahoney let us know if there are any problems getting this implemented 😊

@kirrg001
Contributor

@jomahoney Hey. Do you have any update? The Ghost team would like to take this feature over if it's not finished till next Monday. Just wanted to let you know 🙃

@jxhn
Contributor

jxhn commented Sep 27, 2017

@kirrg001 No update unfortunately. Got crazy busy with work so haven't had the time. Could certainly spend time at the weekend implementing, but feel free to take over.

@kirrg001 kirrg001 self-assigned this Oct 2, 2017
kirrg001 added a commit to kirrg001/Ghost that referenced this issue Oct 3, 2017
no issue

- preparation for TryGhost#9001
- no need to require the settings API, we can simply fetch the data from the settings cache
- the settings API uses the settings cache anyway
ErisDS pushed a commit that referenced this issue Oct 3, 2017
no issue

- preparation for #9001
- no need to require the settings API, we can simply fetch the data from the settings cache
- the settings API uses the settings cache anyway
@kirrg001 kirrg001 mentioned this issue Oct 3, 2017
kirrg001 added a commit to kirrg001/Ghost-Admin that referenced this issue Oct 5, 2017
refs TryGhost/Ghost#9001

- show private feed url if private blogging is enabled
kevinansfield pushed a commit to TryGhost/Admin that referenced this issue Oct 5, 2017
refs TryGhost/Ghost#9001

- show private feed url if private blogging is enabled
- added a `.avoid-break-out` CSS utility class to prevent layout issues caused by non-breaking text such as long links
kevinansfield pushed a commit that referenced this issue Oct 5, 2017
refs #9001

When a blog is in private mode there is now an unguessable URL that allows access to the RSS feed for internal use, commenting systems, etc.

- add public hash for private blogging
  - auto generate on bootstrap if missing
  - global hash, we can re-use in the future
- update private blogging middleware to detect the private RSS URL and rewrite it so that the normal rss route/code is used for display
- if a normal `/rss/` route is accessed with a private session return a 404
@kirrg001
Contributor

kirrg001 commented Oct 5, 2017

@ErisDS Do you want me to raise an issue for

Bonus: can we disable the generation of sitemaps for private blogs?

@ErisDS
Member Author

ErisDS commented Oct 5, 2017

I have this on a separate todo as part of a general revisit of sitemaps, so will add it to that issue when I raise it.

@ErisDS ErisDS closed this as completed Oct 5, 2017