RSS feeds for private blogs

At the moment, private blogs serve an RSS feed at /rss/. This only works if you already logged in such that your browser provides a cookie, and is basically useless for anything RSS might be used for 😁 .

Meanwhile, we’ve seen a few times that even though a site is private, the RSS feed would still be useful to have in some capacity. People with access to the site may wish to subscribe, and the feed is useful for setting up email news letters using things like MailChimp’s RSS-to-email feature.

Problem: we want to provide an RSS feed, but keep it private. That means that we can’t include the passphrase in the url, or use HTTP basic auth, etc.

Solution: to work around this, we will instead expose the RSS feed on a private, unguessable URL e.g. blogdomain.com/<unguessable string>/rss/.

Some requirements:

• The string used should be:
  • an unguessable set of characters
  • stored in the settings table along with other private blogging info
• The old blogdomain.com/rss/URL should cease to exist on private blogs (e.g. require auth and THEN 404).
• The new private rss route should not require the passphrase.
• The private blogging UI in the admin needs to be updated to display the URL:

Some small things to think about:

• Does it makes sense to also use the same pattern for our tag rss feeds? e.g. blogdomain.com/tag/tag-name/<unguessable string>/rss/ or blogdomain.com/<unguessable string>/tag/tag-name/rss/.
• Do we need a way to force regenerate the string? (I think no to start, can be manually changed in the DB if needed, if we get requests, add this feature later).
• Bonus: can we disable the generation of sitemaps for private blogs?

Extra background info

Previously, when you enabled private blogging, the sitemap & rss feed were set to 404. We recently realised this can expose some information about your blog (because themes can pull data into the 404 template) and changed it so that these redirect to the passphrase screen, as every other part of the site does (Raised in #8990, fixed in #8999).

The original intention of the private blogging feature was that RSS and sitemaps should be fully disabled for private blogs, as they create unnecessary overhead. Sitemaps in particular, never need to be generated, as the site is not going to be indexed.

• use settings cache in private blogging app (https://github.com/TryGhost/Ghost/pull/9086)
• 404 for all rss page if private blogging is enabled and session is authenticated
• add a new random public hash to the settings table
• show hash in the admin UI
• be able to serve the rss feed via a public hashed url (for the main rss url for now)
• delegate docs update for help.ghost.org