npm - @strapi/admin - Versions diffs - 4.4.0-beta.1 → 4.4.0-beta.3 - Mend

@strapi/admin 4.4.0-beta.1 → 4.4.0-beta.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (97) hide show

package/server/services/api-token.js CHANGED Viewed

@@ -1,13 +1,9 @@
 'use strict';
 const crypto = require('crypto');
-const { isNil } = require('lodash/fp');
-const { omit, difference, isEmpty, map, isArray, uniq } = require('lodash/fp');
-const { ValidationError, NotFoundError } = require('@strapi/utils').errors;
-const constants = require('./constants');
 /**
- * @typedef {'read-only'|'full-access'|'custom'} TokenType
+ * @typedef {'read-only'|'full-access'} TokenType
  */
 /**
@@ -15,135 +11,20 @@ const constants = require('./constants');
  *
  * @property {number|string} id
  * @property {string} name
- * @property {string} description
+ * @property {string} [description]
  * @property {string} accessKey
- * @property {number} lastUsedAt
- * @property {number} lifespan
- * @property {number} expiresAt
  * @property {TokenType} type
- * @property {(number|ApiTokenPermission)[]} permissions
  */
-/**
- * @typedef ApiTokenPermission
- *
- * @property {number|string} id
- * @property {string} action
- * @property {ApiToken|number} token
- */
-/** @constant {Array<string>} */
-const SELECT_FIELDS = [
-  'id',
-  'name',
-  'description',
-  'lastUsedAt',
-  'type',
-  'lifespan',
-  'expiresAt',
-  'createdAt',
-  'updatedAt',
-];
 /** @constant {Array<string>} */
-const POPULATE_FIELDS = ['permissions'];
-// TODO: we need to ensure the permissions are actually valid registered permissions!
-/**
- * Assert that a token's permissions attribute is valid for its type
- *
- * @param {ApiToken} token
- */
-const assertCustomTokenPermissionsValidity = (attributes) => {
-  // Ensure non-custom tokens doesn't have permissions
-  if (attributes.type !== constants.API_TOKEN_TYPE.CUSTOM && !isEmpty(attributes.permissions)) {
-    throw new ValidationError('Non-custom tokens should not reference permissions');
-  }
-  // Custom type tokens should always have permissions attached to them
-  if (attributes.type === constants.API_TOKEN_TYPE.CUSTOM && !isArray(attributes.permissions)) {
-    throw new ValidationError('Missing permissions attribute for custom token');
-  }
-  // Permissions provided for a custom type token should be valid/registered permissions UID
-  if (attributes.type === constants.API_TOKEN_TYPE.CUSTOM) {
-    const validPermissions = strapi.contentAPI.permissions.providers.action.keys();
-    const invalidPermissions = difference(attributes.permissions, validPermissions);
-    if (!isEmpty(invalidPermissions)) {
-      throw new ValidationError(`Unknown permissions provided: ${invalidPermissions.join(', ')}`);
-    }
-  }
-};
-/**
- * Assert that a token's permissions attribute is valid for its type
- *
- * @param {ApiToken} token
- */
-const assertValidLifespan = ({ lifespan }) => {
-  if (isNil(lifespan)) {
-    return;
-  }
-  if (!Object.values(constants.API_TOKEN_LIFESPANS).includes(lifespan)) {
-    throw new ValidationError(
-      `lifespan must be one of the following values:
-      ${Object.values(constants.API_TOKEN_LIFESPANS).join(', ')}`
-    );
-  }
-};
-/**
- * Flatten a token's database permissions objects to an array of strings
- *
- * @param {ApiToken} token
- *
- * @returns {ApiToken}
- */
-const flattenTokenPermissions = (token) => {
-  if (!token) return token;
-  return {
-    ...token,
-    permissions: isArray(token.permissions) ? map('action', token.permissions) : token.permissions,
-  };
-};
+const SELECT_FIELDS = ['id', 'name', 'description', 'type', 'createdAt'];
 /**
- *  Get a token
- *
  * @param {Object} whereParams
- * @param {string|number} whereParams.id
- * @param {string} whereParams.name
- * @param {number} whereParams.lastUsedAt
- * @param {string} whereParams.description
- * @param {string} whereParams.accessKey
- *
- * @returns {Promise<Omit<ApiToken, 'accessKey'> | null>}
- */
-const getBy = async (whereParams = {}) => {
-  if (Object.keys(whereParams).length === 0) {
-    return null;
-  }
-  const token = await strapi
-    .query('admin::api-token')
-    .findOne({ select: SELECT_FIELDS, populate: POPULATE_FIELDS, where: whereParams });
-  if (!token) return token;
-  return flattenTokenPermissions(token);
-};
-/**
- * Check if token exists
- *
- * @param {Object} whereParams
- * @param {string|number} whereParams.id
- * @param {string} whereParams.name
- * @param {number} whereParams.lastUsedAt
- * @param {string} whereParams.description
- * @param {string} whereParams.accessKey
+ * @param {string|number} [whereParams.id]
+ * @param {string} [whereParams.name]
+ * @param {string} [whereParams.description]
+ * @param {string} [whereParams.accessKey]
  *
  * @returns {Promise<boolean>}
  */
@@ -154,8 +35,6 @@ const exists = async (whereParams = {}) => {
 };
 /**
- * Return a secure sha512 hash of an accessKey
- *
  * @param {string} accessKey
  *
  * @returns {string}
@@ -168,103 +47,24 @@ const hash = (accessKey) => {
 };
 /**
- * @param {number} lifespan
- *
- * @returns { { lifespan: null | number, expiresAt: null | number } }
- */
-const getExpirationFields = (lifespan) => {
-  // it must be nil or a finite number >= 0
-  const isValidNumber = Number.isFinite(lifespan) && lifespan > 0;
-  if (!isValidNumber && !isNil(lifespan)) {
-    throw new ValidationError('lifespan must be a positive number or null');
-  }
-  return {
-    lifespan: lifespan || null,
-    expiresAt: lifespan ? Date.now() + lifespan : null,
-  };
-};
-/**
- * Create a token and its permissions
- *
  * @param {Object} attributes
  * @param {TokenType} attributes.type
  * @param {string} attributes.name
- * @param {number} attributes.lifespan
- * @param {string[]} attributes.permissions
- * @param {string} attributes.description
+ * @param {string} [attributes.description]
  *
  * @returns {Promise<ApiToken>}
  */
 const create = async (attributes) => {
   const accessKey = crypto.randomBytes(128).toString('hex');
-  assertCustomTokenPermissionsValidity(attributes);
-  assertValidLifespan(attributes);
-  // Create the token
   const apiToken = await strapi.query('admin::api-token').create({
     select: SELECT_FIELDS,
-    populate: POPULATE_FIELDS,
-    data: {
-      ...omit('permissions', attributes),
-      accessKey: hash(accessKey),
-      ...getExpirationFields(attributes.lifespan),
-    },
-  });
-  const result = { ...apiToken, accessKey };
-  // If this is a custom type token, create and the related permissions
-  if (attributes.type === constants.API_TOKEN_TYPE.CUSTOM) {
-    // TODO: createMany doesn't seem to create relation properly, implement a better way rather than a ton of queries
-    // const permissionsCount = await strapi.query('admin::api-token-permission').createMany({
-    //   populate: POPULATE_FIELDS,
-    //   data: attributes.permissions.map(action => ({ action, token: apiToken })),
-    // });
-    await Promise.all(
-      uniq(attributes.permissions).map((action) =>
-        strapi.query('admin::api-token-permission').create({
-          data: { action, token: apiToken },
-        })
-      )
-    );
-    const currentPermissions = await strapi.entityService.load(
-      'admin::api-token',
-      apiToken,
-      'permissions'
-    );
-    if (currentPermissions) {
-      Object.assign(result, { permissions: map('action', currentPermissions) });
-    }
-  }
-  return result;
-};
-/**
- * @param {string|number} id
- *
- * @returns {Promise<ApiToken>}
- */
-const regenerate = async (id) => {
-  const accessKey = crypto.randomBytes(128).toString('hex');
-  const apiToken = await strapi.query('admin::api-token').update({
-    select: ['id', 'accessKey'],
-    where: { id },
     data: {
+      ...attributes,
       accessKey: hash(accessKey),
     },
   });
-  if (!apiToken) {
-    throw new NotFoundError('The provided token id does not exist');
-  }
   return {
     ...apiToken,
     accessKey,
@@ -292,37 +92,25 @@ For security reasons, prefer storing the secret in an environment variable and r
 };
 /**
- * Return a list of all tokens and their permissions
- *
  * @returns {Promise<Omit<ApiToken, 'accessKey'>>}
  */
 const list = async () => {
-  const tokens = await strapi.query('admin::api-token').findMany({
+  return strapi.query('admin::api-token').findMany({
     select: SELECT_FIELDS,
-    populate: POPULATE_FIELDS,
     orderBy: { name: 'ASC' },
   });
-  if (!tokens) return tokens;
-  return tokens.map((token) => flattenTokenPermissions(token));
 };
 /**
- * Revoke (delete) a token
- *
  * @param {string|number} id
  *
  * @returns {Promise<Omit<ApiToken, 'accessKey'>>}
  */
 const revoke = async (id) => {
-  return strapi
-    .query('admin::api-token')
-    .delete({ select: SELECT_FIELDS, populate: POPULATE_FIELDS, where: { id } });
+  return strapi.query('admin::api-token').delete({ select: SELECT_FIELDS, where: { id } });
 };
 /**
- * Retrieve a token by id
- *
  * @param {string|number} id
  *
  * @returns {Promise<Omit<ApiToken, 'accessKey'>>}
@@ -332,8 +120,6 @@ const getById = async (id) => {
 };
 /**
- * Retrieve a token by name
- *
  * @param {string} name
  *
  * @returns {Promise<Omit<ApiToken, 'accessKey'>>}
@@ -343,106 +129,39 @@ const getByName = async (name) => {
 };
 /**
- * Update a token and its permissions
- *
  * @param {string|number} id
  * @param {Object} attributes
  * @param {TokenType} attributes.type
  * @param {string} attributes.name
- * @param {number} attributes.lastUsedAt
- * @param {string[]} attributes.permissions
- * @param {string} attributes.description
+ * @param {string} [attributes.description]
  *
  * @returns {Promise<Omit<ApiToken, 'accessKey'>>}
  */
 const update = async (id, attributes) => {
-  // retrieve token without permissions
-  const originalToken = await strapi.query('admin::api-token').findOne({ where: { id } });
-  if (!originalToken) {
-    throw new NotFoundError('Token not found');
-  }
-  const changingTypeToCustom =
-    attributes.type === constants.API_TOKEN_TYPE.CUSTOM &&
-    originalToken.type !== constants.API_TOKEN_TYPE.CUSTOM;
-  // if we're updating the permissions on any token type, or changing from non-custom to custom, ensure they're still valid
-  // if neither type nor permissions are changing, we don't need to validate again or else we can't allow partial update
-  if (attributes.permissions || changingTypeToCustom) {
-    assertCustomTokenPermissionsValidity({
-      ...originalToken,
-      ...attributes,
-      type: attributes.type || originalToken.type,
-    });
-  }
-  assertValidLifespan(attributes);
-  const updatedToken = await strapi.query('admin::api-token').update({
-    select: SELECT_FIELDS,
-    populate: POPULATE_FIELDS,
-    where: { id },
-    data: omit('permissions', attributes),
-  });
-  // custom tokens need to have their permissions updated as well
-  if (updatedToken.type === constants.API_TOKEN_TYPE.CUSTOM && attributes.permissions) {
-    const currentPermissionsResult = await strapi.entityService.load(
-      'admin::api-token',
-      updatedToken,
-      'permissions'
-    );
-    const currentPermissions = map('action', currentPermissionsResult || []);
-    const newPermissions = uniq(attributes.permissions);
-    const actionsToDelete = difference(currentPermissions, newPermissions);
-    const actionsToAdd = difference(newPermissions, currentPermissions);
-    // TODO: improve efficiency here
-    // method using a loop -- works but very inefficient
-    await Promise.all(
-      actionsToDelete.map((action) =>
-        strapi.query('admin::api-token-permission').delete({
-          where: { action, token: id },
-        })
-      )
-    );
+  return strapi
+    .query('admin::api-token')
+    .update({ where: { id }, data: attributes, select: SELECT_FIELDS });
+};
-    // TODO: improve efficiency here
-    // using a loop -- works but very inefficient
-    await Promise.all(
-      actionsToAdd.map((action) =>
-        strapi.query('admin::api-token-permission').create({
-          data: { action, token: id },
-        })
-      )
-    );
-  }
-  // if type is not custom, make sure any old permissions get removed
-  else if (updatedToken.type !== constants.API_TOKEN_TYPE.CUSTOM) {
-    await strapi.query('admin::api-token-permission').delete({
-      where: { token: id },
-    });
+/**
+ * @param {Object} whereParams
+ * @param {string|number} [whereParams.id]
+ * @param {string} [whereParams.name]
+ * @param {string} [whereParams.description]
+ * @param {string} [whereParams.accessKey]
+ *
+ * @returns {Promise<Omit<ApiToken, 'accessKey'> | null>}
+ */
+const getBy = async (whereParams = {}) => {
+  if (Object.keys(whereParams).length === 0) {
+    return null;
   }
-  // retrieve permissions
-  const permissionsFromDb = await strapi.entityService.load(
-    'admin::api-token',
-    updatedToken,
-    'permissions'
-  );
-  return {
-    ...updatedToken,
-    permissions: permissionsFromDb ? permissionsFromDb.map((p) => p.action) : undefined,
-  };
+  return strapi.query('admin::api-token').findOne({ select: SELECT_FIELDS, where: whereParams });
 };
 module.exports = {
   create,
-  regenerate,
   exists,
   checkSaltIsDefined,
   hash,

package/server/services/constants.js CHANGED Viewed

@@ -1,7 +1,5 @@
 'use strict';
-const DAY_IN_MS = 24 * 60 * 60 * 1000;
 module.exports = {
   CONTENT_TYPE_SECTION: 'contentTypes',
   SUPER_ADMIN_CODE: 'strapi-super-admin',
@@ -15,13 +13,5 @@ module.exports = {
   API_TOKEN_TYPE: {
     READ_ONLY: 'read-only',
     FULL_ACCESS: 'full-access',
-    CUSTOM: 'custom',
-  },
-  // The front-end only displays these values
-  API_TOKEN_LIFESPANS: {
-    UNLIMITED: null,
-    DAYS_7: 7 * DAY_IN_MS,
-    DAYS_30: 30 * DAY_IN_MS,
-    DAYS_90: 90 * DAY_IN_MS,
   },
 };

package/server/services/permission/engine-hooks.js ADDED Viewed

@@ -0,0 +1,82 @@
+'use strict';
+const { cloneDeep, has } = require('lodash/fp');
+const { hooks } = require('@strapi/utils');
+const permissionDomain = require('../../domain/permission');
+/**
+ * Create a hook map used by the permission Engine
+ */
+const createEngineHooks = () => ({
+  willEvaluatePermission: hooks.createAsyncSeriesHook(),
+  willRegisterPermission: hooks.createAsyncSeriesHook(),
+});
+/**
+ * Create a context from a domain {@link Permission} used by the WillEvaluate hook
+ * @param {Permission} permission
+ * @return {{readonly permission: Permission, addCondition(string): this}}
+ */
+const createWillEvaluateContext = (permission) => ({
+  get permission() {
+    return cloneDeep(permission);
+  },
+  addCondition(condition) {
+    Object.assign(permission, permissionDomain.addCondition(condition, permission));
+    return this;
+  },
+});
+/**
+ * Create a context from a casl Permission & some options
+ * @param caslPermission
+ * @param {object} options
+ * @param {Permission} options.permission
+ * @param {object} options.user
+ */
+const createWillRegisterContext = (caslPermission, { permission, user }) => ({
+  get permission() {
+    return cloneDeep(permission);
+  },
+  get user() {
+    return cloneDeep(user);
+  },
+  condition: {
+    and(rawConditionObject) {
+      if (!caslPermission.condition) {
+        Object.assign(caslPermission, { condition: { $and: [] } });
+      }
+      caslPermission.condition.$and.push(rawConditionObject);
+      return this;
+    },
+    or(rawConditionObject) {
+      if (!caslPermission.condition) {
+        Object.assign(caslPermission, { condition: { $and: [] } });
+      }
+      const orClause = caslPermission.condition.$and.find(has('$or'));
+      if (orClause) {
+        orClause.$or.push(rawConditionObject);
+      } else {
+        caslPermission.condition.$and.push({ $or: [rawConditionObject] });
+      }
+      return this;
+    },
+  },
+});
+module.exports = {
+  createEngineHooks,
+  createWillEvaluateContext,
+  createWillRegisterContext,
+};