Harden private site access code checks

[ErisDS]

Summary

• Treat private-site authentication as access-code based in middleware naming and user-facing copy.
• Reject empty or missing stored/submitted access codes so blank settings cannot authenticate visitors.
• Add unit coverage for empty-code and terminology cases.

Testing

• pnpm test:single test/unit/frontend/apps/private-blogging/middleware.test.js

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 9fd90fce-b774-4104-b985-0dc0491c8399

📥 Commits

Reviewing files that changed from the base of the PR and between 04ad3b9 and e5547c3.

📒 Files selected for processing (1)

• ghost/core/test/unit/frontend/apps/private-blogging/middleware.test.js

🚧 Files skipped from review as they are similar to previous changes (1)

• ghost/core/test/unit/frontend/apps/private-blogging/middleware.test.js

---

Walkthrough

This pull request refactors the private blogging middleware authentication from a direct password comparison to a centralized access code mechanism. The implementation introduces helper functions to read and validate the configured access code from settings, updates session hash verification to use the access code with salt for SHA-256 computation, and rewrites the login handler to validate submitted codes using the new helpers. All test coverage is updated to match the new terminology and test scenarios, including negative cases for missing or empty access codes and validation of authenticated sessions when the configured access code is empty.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'Harden private site access code checks' clearly and concisely describes the main change: improving validation/security of access code authentication in the private blogging middleware.
Description check	✅ Passed	The description is directly related to the changeset, outlining the three main objectives: access-code terminology, rejection of empty codes, and test coverage additions.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch trial-private-site-middleware-cleanup

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

ghost/core/test/unit/frontend/apps/private-blogging/middleware.test.js (1)

251-254: ⚡ Quick win

Isolate the stored-empty condition with a non-empty submitted code.

On Line 253, using password: '' overlaps with the submitted-empty case (Line 262 onward), so this test does not uniquely prove the stored-empty guard.

🔧 Minimal test tweak

 it('doLoginToPrivateSite should return next if stored access code is empty', function () {
     settingsStub.withArgs('password').returns('');
-    req.body = {password: ''};
+    req.body = {password: 'rightpassword'};

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@ghost/core/test/unit/frontend/apps/private-blogging/middleware.test.js`
around lines 251 - 254, The test for doLoginToPrivateSite currently sets both
the stored access code and the submitted code to empty, so it doesn't isolate
the "stored-empty" branch; change the submitted payload to a non-empty value
(e.g., set req.body = {password: 'submitted-code'} or similar) while keeping
settingsStub.withArgs('password').returns('') so the test uniquely verifies the
stored-empty guard in doLoginToPrivateSite.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@ghost/core/test/unit/frontend/apps/private-blogging/middleware.test.js`:
- Around line 251-254: The test for doLoginToPrivateSite currently sets both the
stored access code and the submitted code to empty, so it doesn't isolate the
"stored-empty" branch; change the submitted payload to a non-empty value (e.g.,
set req.body = {password: 'submitted-code'} or similar) while keeping
settingsStub.withArgs('password').returns('') so the test uniquely verifies the
stored-empty guard in doLoginToPrivateSite.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: e6344d5b-57fd-4682-814c-01d45d2fe76d

📥 Commits

Reviewing files that changed from the base of the PR and between e88ae30 and c7db482.

📒 Files selected for processing (2)

• ghost/core/core/frontend/apps/private-blogging/lib/middleware.js
• ghost/core/test/unit/frontend/apps/private-blogging/middleware.test.js

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@ghost/core/test/unit/frontend/apps/private-blogging/middleware.test.js`:
- Around line 251-260: Add explicit unit tests for the missing stored access
code cases in the private-blogging middleware: create new specs that call
privateBlogging.doLoginToPrivateSite with
settingsStub.withArgs('password').returns(undefined) (and another with
returns(null)) and assert the same failure path as the empty-string test — i.e.,
res.error exists and res.error.message === 'Incorrect access code.',
res.redirect is not called, and next is called; use the same req.body =
{password: 'rightpassword'} setup and sinon assertions to mirror the existing
test.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 46d79ab3-0e58-49ad-8e93-5050bd9227a3

📥 Commits

Reviewing files that changed from the base of the PR and between c7db482 and 04ad3b9.

📒 Files selected for processing (1)

• ghost/core/test/unit/frontend/apps/private-blogging/middleware.test.js